Fixed Sigv4 Signing for Managed Service (opensearch-project#279)

nhtruong · web-flow · commit 58aa041db325 · 2023-01-23T18:38:31.000-08:00
Fixed SigV4 Signing for Async Requests with QueryStrings

Signed-off-by: Theo Truong &lt;theotr@amazon.com&gt;

Signed-off-by: Theo Truong &lt;theotr@amazon.com&gt;
diff --git a/.github/workflows/unified-release.yml b/.github/workflows/unified-release.yml
@@ -9,7 +9,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        stack_version: ['2.1.0']
+        stack_version: ['2.1.1']
 
     steps:
       - name: Checkout
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,15 +1,23 @@
 # CHANGELOG
 Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 
-## [Unreleased]
+## [2.1.1]
 ### Added
 ### Changed
 ### Deprecated
-
 ### Removed
-
 ### Fixed
+- Fixed SigV4 Signing for Managed Service ([#279](https://github.com/opensearch-project/opensearch-py/pull/279))
+- Fixed SigV4 Signing for Async Requests with QueryStrings ([#272](https://github.com/opensearch-project/opensearch-py/pull/279))
+### Security
 
+## [2.1.0]
+### Added
+- Added Support for AOSS ([#268](https://github.com/opensearch-project/opensearch-py/pull/268))
+### Changed
+### Deprecated
+### Removed
+### Fixed
 ### Security
 
 ## [2.0.1]
diff --git a/opensearchpy/_version.py b/opensearchpy/_version.py
@@ -24,4 +24,4 @@
 #  specific language governing permissions and limitations
 #  under the License.
 
-__versionstr__ = "2.1.0"
+__versionstr__ = "2.1.1"
diff --git a/opensearchpy/helpers/asyncsigner.py b/opensearchpy/helpers/asyncsigner.py
@@ -46,11 +46,13 @@ def _sign_request(self, method, url, query_string, body):
         # create an AWS request object and sign it using SigV4Auth
         aws_request = AWSRequest(
             method=method,
-            url="".join([url, query_string]),
+            url=url,
+            data=body,
         )
 
         sig_v4_auth = SigV4Auth(self.credentials, self.service, self.region)
         sig_v4_auth.add_auth(aws_request)
+        aws_request.headers["X-Amz-Content-SHA256"] = sig_v4_auth.payload(aws_request)
 
         # copy the headers from AWS request object into the prepared_request
         return dict(aws_request.headers.items())
diff --git a/opensearchpy/helpers/signer.py b/opensearchpy/helpers/signer.py
@@ -80,12 +80,16 @@ def _sign_request(self, prepared_request):  # type: ignore
         aws_request = AWSRequest(
             method=prepared_request.method.upper(),
             url=url,
+            data=prepared_request.body,
         )
 
         sig_v4_auth = SigV4Auth(self.credentials, self.service, self.region)
         sig_v4_auth.add_auth(aws_request)
 
         # copy the headers from AWS request object into the prepared_request
         prepared_request.headers.update(dict(aws_request.headers.items()))
+        prepared_request.headers["X-Amz-Content-SHA256"] = sig_v4_auth.payload(
+            aws_request
+        )
 
         return prepared_request
diff --git a/test_opensearchpy/test_async/test_asyncsigner.py b/test_opensearchpy/test_async/test_asyncsigner.py
@@ -78,3 +78,4 @@ async def test_aws_signer_async_when_service_is_specified(self):
         self.assertIn("Authorization", headers)
         self.assertIn("X-Amz-Date", headers)
         self.assertIn("X-Amz-Security-Token", headers)
+        self.assertIn("X-Amz-Content-SHA256", headers)
diff --git a/test_opensearchpy/test_connection.py b/test_opensearchpy/test_connection.py
@@ -332,6 +332,7 @@ def test_aws_signer_as_http_auth(self):
         self.assertIn("Authorization", prepared_request.headers)
         self.assertIn("X-Amz-Date", prepared_request.headers)
         self.assertIn("X-Amz-Security-Token", prepared_request.headers)
+        self.assertIn("X-Amz-Content-SHA256", prepared_request.headers)
 
     @pytest.mark.skipif(
         sys.version_info < (3, 6), reason="AWSV4SignerAuth requires python3.6+"
