fix but encountering 400 and 403 for running rex explainIT

Signed-off-by: Jialiang Liang <jiallian@amazon.com>

Author: RyanL1997

integ-test/src/test/java/org/opensearch/sql/AwsHttpRequestInterceptor.java

@@ -10,7 +10,6 @@
 import com.amazonaws.auth.AWS4Signer;
 import com.amazonaws.auth.BasicSessionCredentials;
 import com.amazonaws.http.HttpMethodName;
-import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.net.URI;
 import java.nio.charset.StandardCharsets;
@@ -36,13 +35,17 @@ public class AwsHttpRequestInterceptor implements HttpRequestInterceptor {
 
   // Hardcoded AWS credentials for AOSS (temporary approach)
   // TODO : Replace the following values
-  private static final String ACCESS_KEY = "<access_key>";
-  private static final String SECRET_KEY = "<secret_key>";
-  private static final String SESSION_TOKEN = "<session_token>";
+  private static final String ACCESS_KEY = "";
+  private static final String SECRET_KEY = "";
+  private static final String SESSION_TOKEN = "";
 
   private static final String REGION = "us-east-1";
   private static final String SERVICE = "aoss";
-  private static final String AOSS_ENDPOINT = "<aoss_endpoint>";
+  private static final String AOSS_ENDPOINT = "";
+
+  // AOSS-specific headers
+  private static final String AOSS_ACCOUNT_ID = "";
+  private static final String AOSS_COLLECTION_ID = ""; // Extracted from endpoint
 
   private final AWS4Signer signer;
   private final BasicSessionCredentials credentials;
@@ -60,25 +63,111 @@ public void process(HttpRequest request, EntityDetails entity, HttpContext conte
       throws HttpException, IOException {
 
     try {
-      // Create AWS request from Apache HttpClient request
-      Request<Void> awsRequest = createAwsRequest(request, entity);
+      // Create AWS request for signing without touching the original request entity
+      Request<Void> awsRequest = createSigningRequest(request);
 
       // Sign the request
       signer.sign(awsRequest, credentials);
 
-      // Copy signed headers back to the original request
-      awsRequest
-          .getHeaders()
-          .forEach(
-              (name, value) -> {
-                request.setHeader(name, value);
-              });
+      // Copy only the AWS authentication headers - never touch request body
+      String authorization = awsRequest.getHeaders().get("Authorization");
+      String amzDate = awsRequest.getHeaders().get("x-amz-date");
+      String amzSecurityToken = awsRequest.getHeaders().get("x-amz-security-token");
+
+      if (authorization != null) {
+        request.setHeader("Authorization", authorization);
+      }
+      if (amzDate != null) {
+        request.setHeader("x-amz-date", amzDate);
+      }
+      if (amzSecurityToken != null) {
+        request.setHeader("x-amz-security-token", amzSecurityToken);
+      }
+
+      // Add AOSS-specific headers required for AOSS APIs
+      request.setHeader("X-Amzn-Aoss-Account-Id", AOSS_ACCOUNT_ID);
+      request.setHeader("X-Amzn-Aoss-Collection-Id", AOSS_COLLECTION_ID);
 
     } catch (Exception e) {
       throw new HttpException("Failed to sign AWS request", e);
     }
   }
 
+  /**
+   * Create AWS request for signing that never touches the original request entity. This completely
+   * avoids HTTP encoding conflicts by using empty body SHA256.
+   */
+  private Request<Void> createSigningRequest(HttpRequest httpRequest) throws IOException {
+    String requestPath = httpRequest.getRequestUri();
+    URI fullEndpoint = URI.create("https://" + AOSS_ENDPOINT + ":443");
+
+    Request<Void> awsRequest = new DefaultRequest<>(SERVICE);
+    awsRequest.setHttpMethod(HttpMethodName.fromValue(httpRequest.getMethod()));
+    awsRequest.setEndpoint(fullEndpoint);
+    awsRequest.setResourcePath(requestPath);
+
+    // Required headers for signing
+    awsRequest.addHeader("host", fullEndpoint.getHost());
+
+    // Always use empty body SHA256 to avoid any entity interference
+    awsRequest.addHeader("x-amz-content-sha256", sha256Hex("".getBytes(StandardCharsets.UTF_8)));
+
+    // Add timestamp
+    String timestamp =
+        DateTimeFormatter.ofPattern("yyyyMMdd'T'HHmmss'Z'")
+            .withZone(ZoneOffset.UTC)
+            .format(Instant.now());
+    awsRequest.addHeader("x-amz-date", timestamp);
+
+    // Add session token
+    awsRequest.addHeader("x-amz-security-token", SESSION_TOKEN);
+
+    // Add AOSS-specific headers before signing so they're included in the signature
+    awsRequest.addHeader("X-Amzn-Aoss-Account-Id", AOSS_ACCOUNT_ID);
+    awsRequest.addHeader("X-Amzn-Aoss-Collection-Id", AOSS_COLLECTION_ID);
+
+    return awsRequest;
+  }
+
+  private Request<Void> createMinimalAwsRequest(HttpRequest httpRequest) throws IOException {
+    // Create a minimal AWS request for signing without copying problematic headers
+    String requestPath = httpRequest.getRequestUri();
+    URI fullEndpoint = URI.create("https://" + AOSS_ENDPOINT + ":443");
+
+    Request<Void> awsRequest = new DefaultRequest<>(SERVICE);
+    awsRequest.setHttpMethod(HttpMethodName.fromValue(httpRequest.getMethod()));
+    awsRequest.setEndpoint(fullEndpoint);
+    awsRequest.setResourcePath(requestPath);
+
+    // Add only essential headers for signing - avoid content headers that cause conflicts
+    awsRequest.addHeader("host", fullEndpoint.getHost());
+
+    // Don't add x-amz-content-sha256 for GET requests - AOSS doesn't expect it
+    // Only add it for POST/PUT requests that have actual content
+
+    // Add timestamp
+    String timestamp =
+        DateTimeFormatter.ofPattern("yyyyMMdd'T'HHmmss'Z'")
+            .withZone(ZoneOffset.UTC)
+            .format(Instant.now());
+    awsRequest.addHeader("x-amz-date", timestamp);
+
+    // Add session token
+    awsRequest.addHeader("x-amz-security-token", SESSION_TOKEN);
+
+    // Add AOSS-specific headers before signing so they're included in the signature
+    awsRequest.addHeader("X-Amzn-Aoss-Account-Id", AOSS_ACCOUNT_ID);
+    awsRequest.addHeader("X-Amzn-Aoss-Collection-Id", AOSS_COLLECTION_ID);
+
+    // Debug logging to see what's in the AWS request before signing
+    System.out.println("=== AWS REQUEST BEFORE SIGNING ===");
+    System.out.println("AWS Request Path: " + awsRequest.getResourcePath());
+    System.out.println("AWS Request Headers: " + awsRequest.getHeaders());
+    System.out.println("==================================");
+
+    return awsRequest;
+  }
+
   private Request<Void> createAwsRequest(HttpRequest httpRequest, EntityDetails entity)
       throws IOException {
     // The httpRequest.getRequestUri() only contains the path, we need to construct the full URL
@@ -94,23 +183,25 @@ private Request<Void> createAwsRequest(HttpRequest httpRequest, EntityDetails en
     awsRequest.setResourcePath(requestPath);
 
     // Copy headers from HttpClient request to AWS request
+    // Skip content-related headers that might interfere with encoding
     Arrays.stream(httpRequest.getHeaders())
+        .filter(
+            header ->
+                !header.getName().equalsIgnoreCase("Content-Length")
+                    && !header.getName().equalsIgnoreCase("Content-Type")
+                    && !header.getName().equalsIgnoreCase("Content-Encoding"))
         .forEach(
             header -> {
               awsRequest.addHeader(header.getName(), header.getValue());
             });
 
     // Handle request body - for POST requests, we need to provide content hash
-    // For AWS signing, we need the content SHA256, but we don't want to interfere with the actual
-    // request
+    // We ONLY set the content hash header, not the actual content to avoid encoding conflicts
     if ("POST".equals(httpRequest.getMethod()) || "PUT".equals(httpRequest.getMethod())) {
-      // For PPL queries, typical body is JSON. Since we can't safely read the actual body,
-      // we'll use a common pattern for the content hash. This is a simplification.
-      String commonJsonBody = "{\"query\": \"source=accounts | head 10\"}";
-      byte[] bodyBytes = commonJsonBody.getBytes(StandardCharsets.UTF_8);
+      // For now, use empty content hash to avoid reading entity which would interfere with encoding
+      byte[] bodyBytes = getActualEntityContent(entity);
 
-      awsRequest.setContent(new ByteArrayInputStream(bodyBytes));
-      awsRequest.addHeader("Content-Length", String.valueOf(bodyBytes.length));
+      // Only set the SHA256 hash header - do NOT set content or Content-Length on AWS request
       awsRequest.addHeader("x-amz-content-sha256", sha256Hex(bodyBytes));
     } else {
       // Empty body SHA256 for GET requests
@@ -133,12 +224,10 @@ private Request<Void> createAwsRequest(HttpRequest httpRequest, EntityDetails en
     return awsRequest;
   }
 
-  private byte[] getEntityContent(EntityDetails entity) throws IOException {
-    // For now, assume most content is relatively small (typical for API calls)
-    // In a full implementation, we'd handle streaming properly
-    if (entity != null) {
-      return "{}".getBytes(StandardCharsets.UTF_8); // Default empty JSON
-    }
+  private byte[] getActualEntityContent(EntityDetails entity) throws IOException {
+    // For AWS signing we need the actual content hash, but reading the entity here
+    // would interfere with the request encoding. For now, use empty content
+    // This is a limitation - ideally we'd compute hash from actual request body
     return new byte[0];
   }
 

integ-test/src/test/java/org/opensearch/sql/legacy/OpenSearchSQLRestTestCase.java

@@ -41,7 +41,6 @@
 import org.opensearch.client.Response;
 import org.opensearch.client.RestClient;
 import org.opensearch.client.RestClientBuilder;
-import org.opensearch.common.settings.Settings;
 import org.opensearch.common.unit.TimeValue;
 import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.common.util.io.IOUtils;
@@ -87,10 +86,17 @@ public abstract class OpenSearchSQLRestTestCase extends OpenSearchRestTestCase {
   private static RestClient remoteAdminClient;
 
   protected boolean isHttps() {
+    String httpsProperty = System.getProperty("https");
     boolean isHttps =
-        Optional.ofNullable(System.getProperty("https"))
-            .map("true"::equalsIgnoreCase)
-            .orElse(false);
+        Optional.ofNullable(httpsProperty).map("true"::equalsIgnoreCase).orElse(false);
+
+    // Debug logging
+    System.out.println("=== HTTPS DETECTION DEBUG ===");
+    System.out.println("https property: " + httpsProperty);
+    System.out.println("isHttps: " + isHttps);
+    System.out.println("tests.rest.cluster: " + System.getProperty("tests.rest.cluster"));
+    System.out.println("=============================");
+
     if (isHttps) {
       // currently only external cluster is supported for security enabled testing
       if (!Optional.ofNullable(System.getProperty("tests.rest.cluster")).isPresent()) {
@@ -125,7 +131,13 @@ protected static RestClient remoteAdminClient() {
     return remoteAdminClient;
   }
 
-  protected RestClient buildClient(Settings settings, HttpHost[] hosts) throws IOException {
+  @Override
+  protected RestClient buildClient(
+      org.opensearch.common.settings.Settings settings, HttpHost[] hosts) throws IOException {
+    System.out.println("CUSTOM buildClient() called for AOSS integration!");
+    System.out.println("Hosts: " + java.util.Arrays.toString(hosts));
+
+    // Build the client directly with AOSS/HTTPS detection
     RestClientBuilder builder = RestClient.builder(hosts);
     if (isHttps()) {
       configureHttpsClient(builder, settings, hosts[0]);
@@ -155,7 +167,8 @@ public RestClient initClient(String clusterName) throws IOException {
       int port = Integer.parseInt(stringUrl.substring(portSeparator + 1));
       hosts.add(buildHttpHost(host, port));
     }
-    Settings.Builder builder = Settings.builder();
+    org.opensearch.common.settings.Settings.Builder builder =
+        org.opensearch.common.settings.Settings.builder();
     if (System.getProperty("tests.rest.client_path_prefix") != null) {
       builder.put(CLIENT_PATH_PREFIX, System.getProperty("tests.rest.client_path_prefix"));
     }
@@ -241,7 +254,8 @@ protected static void wipeAllOpenSearchIndices(RestClient client) throws IOExcep
    * Configure authentication and pass <b>builder</b> to superclass to configure other stuff.<br>
    * By default, auth is configure when <b>https</b> is set only.
    */
-  protected static void configureClient(RestClientBuilder builder, Settings settings)
+  protected static void configureClient(
+      RestClientBuilder builder, org.opensearch.common.settings.Settings settings)
       throws IOException {
     String userName = System.getProperty("user");
     String password = System.getProperty("password");
@@ -259,7 +273,10 @@ protected static void configureClient(RestClientBuilder builder, Settings settin
   }
 
   protected static void configureHttpsClient(
-      RestClientBuilder builder, Settings settings, HttpHost httpHost) throws IOException {
+      RestClientBuilder builder,
+      org.opensearch.common.settings.Settings settings,
+      HttpHost httpHost)
+      throws IOException {
     Map<String, String> headers = ThreadContext.buildDefaultHeaders(settings);
     Header[] defaultHeaders = new Header[headers.size()];
     int i = 0;
@@ -291,7 +308,10 @@ protected static void configureHttpsClient(
    * authentication.
    */
   private static void configureAwsClient(
-      RestClientBuilder builder, Settings settings, HttpHost httpHost) throws IOException {
+      RestClientBuilder builder,
+      org.opensearch.common.settings.Settings settings,
+      HttpHost httpHost)
+      throws IOException {
     builder.setHttpClientConfigCallback(
         httpClientBuilder -> {
           try {
@@ -331,7 +351,10 @@ private static void configureAwsClient(
 
   /** Configure HTTP client for regular OpenSearch using basic authentication. */
   private static void configureBasicAuthClient(
-      RestClientBuilder builder, Settings settings, HttpHost httpHost) throws IOException {
+      RestClientBuilder builder,
+      org.opensearch.common.settings.Settings settings,
+      HttpHost httpHost)
+      throws IOException {
     builder.setHttpClientConfigCallback(
         httpClientBuilder -> {
           String userName =

integ-test/src/test/java/org/opensearch/sql/legacy/SQLIntegTestCase.java

@@ -405,7 +405,15 @@ protected static JSONObject updateClusterSettings(ClusterSetting setting, RestCl
     String clusterUrl = System.getProperty("tests.rest.cluster");
     boolean isAoss = clusterUrl != null && clusterUrl.contains(".aoss.amazonaws.com");
 
+    // Debug logging
+    System.out.println("=== CLUSTER SETTINGS DEBUG ===");
+    System.out.println("Cluster URL: " + clusterUrl);
+    System.out.println("Is AOSS: " + isAoss);
+    System.out.println("Setting: " + setting.toString());
+    System.out.println("==============================");
+
     if (isAoss) {
+      System.out.println("🔄 SKIPPING cluster settings for AOSS");
       return new JSONObject("{}"); // Return empty JSON for AOSS
     }