Ensure raw query isn't reordered

make.paws/R/custom/rds.R

@@ -13,10 +13,10 @@ NULL
 #'
 #' @param endpoint [required] Hostname and port needed to connect
 #' to the database: `<host>:<port>`.
-#' @param region &#91;required&#93; AWS region the database is located in.
 #' @param user &#91;required&#93; User account within the database to sign in
 #' with.
 #' @param creds Credentials to be signed with.
+#' @param region AWS region the database is located in.
 #'
 #' @section Request syntax:
 #' ```
@@ -55,7 +55,50 @@ NULL
 #' }
 #'
 #' @keywords internal
-#'
+#' @seealso \link[paws.database:rds_build_auth_token_v2]{rds_build_auth_token_v2}
 #' @rdname rds_build_auth_token
 rds_build_auth_token <- utils::getFromNamespace("rds_build_auth_token", "paws.common")
 .rds$operations$build_auth_token <- rds_build_auth_token
+
+
+#' Generates an auth token used to connect to a db with IAM credentials.
+#'
+#' See [*IAM Database Authentication for MySQL and PostgreSQL*](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html)
+#' for more information on using IAM database authentication with RDS.
+#'
+#' @usage
+#' rds_build_auth_token_v2(DBHostname, Port, DBUsername, Region)
+#'
+#' @param DBHostname &#91;required&#93; The hostname of the database to connect to.
+#' @param Port &#91;required&#93; The port number the database is listening on.
+#' @param DBUsername &#91;required&#93; The username to log in as.
+#' @param Region The region the database is in. If \code{NULL}, the client
+#' region will be used.
+#' @return A presigned url which can be used as an auth token.
+#' @examples
+#' \dontrun{
+#' # This example gets an authentication token for an RDS database, then
+#' # connects to the database using the token.
+#' host <- "database-1.cluster-abcdef123456.us-east-1.rds.amazonaws.com"
+#' port <- 3306
+#' user <- "jane_doe"
+#' token <- svc$build_auth_token_v2(
+#'   DBHostname = host,
+#'   Port = port,
+#'   user = user
+#' )
+#' conn <- DBI::dbConnect(
+#'   drv = RMariaDB::MariaDB(),
+#'   user = user,
+#'   password = token,
+#'   host = host,
+#'   port = port,
+#'   client.flag = RMariaDB::CLIENT_SSL
+#' )
+#' }
+#'
+#' @keywords internal
+#' @seealso \link[paws.database:rds_build_auth_token]{rds_build_auth_token}
+#' @rdname rds_build_auth_token_v2
+rds_build_auth_token_v2 <- utils::getFromNamespace("rds_build_auth_token_v2", "paws.common")
+.rds$operations$_build_auth_token_v2 <- rds_build_auth_token_v2

paws.common/R/signer_v4.R

@@ -285,7 +285,9 @@ build_context <- function(ctx, disable_header_hoisting) {
   # log_debug("Signature:\n%s", ctx$signature)
   if (ctx$is_presigned) {
     query <- ctx$request$url$raw_query
-    ctx$request$url$raw_query <- update_query_string(query, list("X-Amz-Signature" = ctx$signature))
+    ctx$request$url$raw_query <- sprintf(
+      "%s&X-Amz-Signature=%s", query, ctx$signature
+    )
   } else {
     authorization <- paste(
       paste0(AUTH_HEADER_PREFIX, " Credential=", ctx$cred_values$access_key_id, "/", ctx$credential_string),

paws.common/tests/testthat/test_custom_rds.R

@@ -8,8 +8,7 @@ test_that("check rds_build_auth_token", {
     ))),
     .package = "paws.common"
   )
-  expected <- "prod-instance.us-east-1.rds.amazonaws.com:3306/?Action=connect&DBUser=mysqlUser&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA%2F20250101%2Fus-west-2%2Frds-db%2Faws4_request&X-Amz-Date=20250101T000001Z&X-Amz-Expires=900&X-Amz-Security-Token=SESSION&X-Amz-Signature=4e4ce10c7b3710decae757df60ba2519348dcb4db802f15646dce1bf5e17c3ed&X-Amz-SignedHeaders=host"
-  expected_signature <- "X-Amz-Signature=4e4ce10c7b3710decae757df60ba2519348dcb4db802f15646dce1bf5e17c3ed"
+  expected <- "prod-instance.us-east-1.rds.amazonaws.com:3306/?Action=connect&DBUser=mysqlUser&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA%2F20250101%2Fus-west-2%2Frds-db%2Faws4_request&X-Amz-Date=20250101T000001Z&X-Amz-Expires=900&X-Amz-Security-Token=SESSION&X-Amz-SignedHeaders=host&X-Amz-Signature=4e4ce10c7b3710decae757df60ba2519348dcb4db802f15646dce1bf5e17c3ed"
 
   client <- list(
     build_auth_token = paws.common:::rds_build_auth_token,
@@ -34,8 +33,6 @@ test_that("check rds_build_auth_token", {
   )
   expect_equal(actual_v1, expected)
   expect_equal(actual_v2, expected)
-  expect_match(actual_v1, expected_signature)
-  expect_match(actual_v2, expected_signature)
 })
 
 test_that("check rds_build_auth_token upper case host", {
@@ -49,8 +46,7 @@ test_that("check rds_build_auth_token upper case host", {
     .package = "paws.common"
   )
 
-  expected <- "XXXXX.US-EAST-2.RDS.AMAZONAWS.COM:3306/?Action=connect&DBUser=user1&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA%2F20250101%2Fus-east-2%2Frds-db%2Faws4_request&X-Amz-Date=20250101T000001Z&X-Amz-Expires=900&X-Amz-Security-Token=SESSION&X-Amz-Signature=c57093ec8c5c9a668ceab511fe2d72df1794936673fec2418744f71496eed913&X-Amz-SignedHeaders=host"
-  expected_signature <- "X-Amz-Signature=c57093ec8c5c9a668ceab511fe2d72df1794936673fec2418744f71496eed913"
+  expected <- "XXXXX.US-EAST-2.RDS.AMAZONAWS.COM:3306/?Action=connect&DBUser=user1&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA%2F20250101%2Fus-east-2%2Frds-db%2Faws4_request&X-Amz-Date=20250101T000001Z&X-Amz-Expires=900&X-Amz-Security-Token=SESSION&X-Amz-SignedHeaders=host&X-Amz-Signature=c57093ec8c5c9a668ceab511fe2d72df1794936673fec2418744f71496eed913"
 
   client <- list(
     build_auth_token = paws.common:::rds_build_auth_token,
@@ -76,6 +72,4 @@ test_that("check rds_build_auth_token upper case host", {
   )
   expect_equal(actual_v1, expected)
   expect_equal(actual_v2, expected)
-  expect_match(actual_v1, expected_signature)
-  expect_match(actual_v2, expected_signature)
 })