Fix signature mismatch exception generated when signing query parameters with empty-value keys. (#3369)

Author: millems

.changes/next-release/bugfix-AWSSDKforJavav2-317e23a.json

@@ -0,0 +1,6 @@
+{
+    "type": "bugfix",
+    "category": "AWS SDK for Java v2",
+    "contributor": "",
+    "description": "Fix signature mismatch exception generated when signing query parameters with empty-value keys."
+}

core/auth/src/main/java/software/amazon/awssdk/auth/signer/internal/AbstractAwsSigner.java

@@ -238,7 +238,13 @@ protected void addCanonicalizedQueryString(StringBuilder result, SdkHttpRequest.
          * encoding in addition to sorted parameter names.
          */
         httpRequest.forEachRawQueryParameter((key, values) -> {
+            if (StringUtils.isEmpty(key)) {
+                // Do not sign empty keys.
+                return;
+            }
+
             String encodedParamName = SdkHttpUtils.urlEncode(key);
+
             List<String> encodedValues = new ArrayList<>(values.size());
             for (String value : values) {
                 String encodedValue = SdkHttpUtils.urlEncode(value);

core/auth/src/test/java/software/amazon/awssdk/auth/signer/Aws4SignerTest.java

@@ -217,6 +217,23 @@ public void canonicalizedHeaderString_valuesWithExtraWhitespace_areTrimmed() thr
                       + "Signature=6d3520e3397e7aba593d8ebd8361fc4405e90aed71bc4c7a09dcacb6f72460b9");
     }
 
+    /**
+     * Query strings with empty keys should not be included in the canonical string.
+     */
+    @Test
+    public void canonicalizedQueryString_keyWithEmptyNames_doNotGetSigned() throws Exception {
+        AwsBasicCredentials credentials = AwsBasicCredentials.create("akid", "skid");
+        SdkHttpFullRequest.Builder request = generateBasicRequest();
+        request.putRawQueryParameter("", (String) null);
+
+        SdkHttpFullRequest actual = SignerTestUtils.signRequest(signer, request.build(), credentials, "demo", signingOverrideClock, "us-east-1");
+
+        assertThat(actual.firstMatchingHeader("Authorization"))
+            .hasValue("AWS4-HMAC-SHA256 Credential=akid/19810216/us-east-1/demo/aws4_request, "
+                      + "SignedHeaders=host;x-amz-archive-description;x-amz-date, "
+                      + "Signature=581d0042389009a28d461124138f1fe8eeb8daed87611d2a2b47fd3d68d81d73");
+    }
+
     private SdkHttpFullRequest.Builder generateBasicRequest() {
         return SdkHttpFullRequest.builder()
                                  .contentStreamProvider(() -> new ByteArrayInputStream("{\"TableName\": \"foo\"}".getBytes()))

services/s3/src/it/java/software/amazon/awssdk/services/s3/EmptyQueryStringSignerIntegrationTest.java

@@ -0,0 +1,27 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.services.s3;
+
+import org.junit.Test;
+
+public class EmptyQueryStringSignerIntegrationTest extends S3IntegrationTestBase {
+    @Test
+    public void emptyQueryStringsDoNotThrowSignatureMismatch() {
+        s3.listBuckets(r -> r.overrideConfiguration(c -> c.putRawQueryParameter("", (String) null)));
+        s3.listBuckets(r -> r.overrideConfiguration(c -> c.putRawQueryParameter("", "foo")));
+        s3.listBuckets(r -> r.overrideConfiguration(c -> c.putRawQueryParameter("", "")));
+    }
+}