[object-storage] Creating Temporary URL with slash (/) returns invalid URL

[Lirt]

When creating swift temporary URL using function CreateTempURL and objectName contains slash (/), generated link is invalid.

To reproduce issue create bucket with object containing slash and run simple go snippet below:

# Create bucket with object containing slash
swift post my-container
echo "this is my grandma" > grandma.png
swift upload my-container grandma.png --object-name "pictures/grandma.png"

package main

import (
    "fmt"
    "net/http"

    "github.com/gophercloud/gophercloud"
    "github.com/gophercloud/gophercloud/openstack"
    "github.com/gophercloud/gophercloud/openstack/objectstorage/v1/objects"
)

func main() () {
    authOpts, _ := openstack.AuthOptionsFromEnv()
    pc, _ := openstack.AuthenticatedClient(authOpts)
    client, _ := openstack.NewObjectStorageV1(pc, gophercloud.EndpointOpts{
		Region: "default",
    })

    bucket := "my-container"
    key := "pictures/grandma.png"

    objUrl, _ := objects.CreateTempURL(client, bucket, key, objects.CreateTempURLOpts{
		Method: http.MethodGet,
		TTL:    3600,
    })
    fmt.Printf("%v\n", objUrl)
}

Then curl the URL and you get 401 Unauthorized: Temp URL invalid.

The issue lies in encoding/escaping the URL before generating SHA1 hash (https://github.com/gophercloud/gophercloud/blob/master/openstack/objectstorage/v1/objects/requests.go#L482).

Swift middleware documentation says:

Do not URL-encode the path when you generate the HMAC-SHA1 signature. However, when you make the actual HTTP request, you should properly URL-encode the URL. [1]

[1] https://docs.openstack.org/swift/latest/api/temporary_url_middleware.html

[kayrus]

@Lirt thanks for the bug report, especially to the TempURL API note. Can you confirm that temp url generation works fine in 0.10.0?
For some reason swift packages don't contain unit tests for tempurl, we will add them.

[Lirt]

Yes, 0.10 works.

I can see that you refactored all urls to encoded in e547035.

But I don't understand what is the reason to encode container name and object name before generating hash url := getURL(c, url.QueryEscape(containerName), url.QueryEscape(objectName)).

Can I submit PR for this? I think we need to only remove this query escape. Can it break some functionality?

[Lirt]

I think the change was related to #1051

[kayrus]

@Lirt you can submit the PR, but please submit the unit tests as well, so this bug won't occur again.

[Lirt]

@kayrus We can probably close this. Are you planning to release this as patch version or in next minor release?

[jtopjian]

@Lirt Thank you for your help on this. As for a release, we don't have too many features/fixes queued for release. With go package management, it's possible to pin at a specific release. I'd recommend doing this for the time being.