Regression in storage url signing of objects with slashes in names fixed (#1346)

Author: ostronom

google-cloud-storage/src/main/java/com/google/cloud/storage/StorageImpl.java

@@ -525,7 +525,7 @@ public URL signUrl(BlobInfo blobInfo, long duration, TimeUnit unit, SignUrlOptio
     if (blobInfo.name().startsWith("/")) {
       path.setLength(path.length() - 1);
     }
-    path.append(UrlEscapers.urlPathSegmentEscaper().escape(blobInfo.name()));
+    path.append(UrlEscapers.urlFragmentEscaper().escape(blobInfo.name()));
     stBuilder.append(path);
     try {
       byte[] signatureBytes = authCredentials.sign(stBuilder.toString().getBytes(UTF_8));

google-cloud-storage/src/test/java/com/google/cloud/storage/StorageImplTest.java

@@ -1253,7 +1253,7 @@ public void testSignUrlLeadingSlash() throws NoSuchAlgorithmException, InvalidKe
         ServiceAccountAuthCredentials.createFor(ACCOUNT, privateKey);
     storage = options.toBuilder().authCredentials(authCredentials).build().service();
     URL url = storage.signUrl(BlobInfo.builder(BUCKET_NAME1, blobName).build(), 14, TimeUnit.DAYS);
-    String escapedBlobName = UrlEscapers.urlPathSegmentEscaper().escape(blobName);
+    String escapedBlobName = UrlEscapers.urlFragmentEscaper().escape(blobName);
     String stringUrl = url.toString();
     String expectedUrl = new StringBuilder("https://storage.googleapis.com/").append(BUCKET_NAME1)
         .append(escapedBlobName).append("?GoogleAccessId=").append(ACCOUNT).append("&Expires=")
@@ -1317,7 +1317,7 @@ public void testSignUrlForBlobWithSpecialChars() throws NoSuchAlgorithmException
       String blobName = "/a" + specialChar + "b";
       URL url =
           storage.signUrl(BlobInfo.builder(BUCKET_NAME1, blobName).build(), 14, TimeUnit.DAYS);
-      String escapedBlobName = UrlEscapers.urlPathSegmentEscaper().escape(blobName);
+      String escapedBlobName = UrlEscapers.urlFragmentEscaper().escape(blobName);
       String stringUrl = url.toString();
       String expectedUrl = new StringBuilder("https://storage.googleapis.com/").append(BUCKET_NAME1)
           .append(escapedBlobName).append("?GoogleAccessId=").append(ACCOUNT).append("&Expires=")
@@ -1337,6 +1337,37 @@ public void testSignUrlForBlobWithSpecialChars() throws NoSuchAlgorithmException
     }
   }
 
+  @Test
+  public void testSignUrlForBlobWithSlashes() throws NoSuchAlgorithmException,
+          InvalidKeyException, SignatureException, UnsupportedEncodingException {
+    EasyMock.replay(storageRpcMock);
+    ServiceAccountAuthCredentials authCredentials =
+        ServiceAccountAuthCredentials.createFor(ACCOUNT, privateKey);
+    storage = options.toBuilder().authCredentials(authCredentials).build().service();
+
+    String blobName = "/foo/bar/baz #%20other cool stuff.txt";
+    URL url =
+      storage.signUrl(BlobInfo.builder(BUCKET_NAME1, blobName).build(), 14, TimeUnit.DAYS);
+
+    String escapedBlobName = UrlEscapers.urlFragmentEscaper().escape(blobName);
+    String stringUrl = url.toString();
+    String expectedUrl = new StringBuilder("https://storage.googleapis.com/").append(BUCKET_NAME1)
+        .append(escapedBlobName).append("?GoogleAccessId=").append(ACCOUNT).append("&Expires=")
+        .append(42L + 1209600).append("&Signature=").toString();
+    assertTrue(stringUrl.startsWith(expectedUrl));
+    String signature = stringUrl.substring(expectedUrl.length());
+
+    StringBuilder signedMessageBuilder = new StringBuilder();
+    signedMessageBuilder.append(HttpMethod.GET).append("\n\n\n").append(42L + 1209600)
+        .append("\n/").append(BUCKET_NAME1).append(escapedBlobName);
+
+    Signature signer = Signature.getInstance("SHA256withRSA");
+    signer.initVerify(publicKey);
+    signer.update(signedMessageBuilder.toString().getBytes(UTF_8));
+    assertTrue(signer.verify(BaseEncoding.base64().decode(
+        URLDecoder.decode(signature, UTF_8.name()))));
+  }
+
   @Test
   public void testGetAllArray() {
     BlobId blobId1 = BlobId.of(BUCKET_NAME1, BLOB_NAME1);