[FEATURE] Support for AWS OpenSearch Serverless Request Signing #129

Closed
Tracked by #44
wrynnhall opened this issue Dec 23, 2022 · 2 comments
Labels
enhancement New feature or request

Comments

@wrynnhall

Is your feature request related to a problem?

I would like to leverage the ease of management with the AWS OpenSearch Serverless service for our project without writing my own client/request signing implementation; however, this client currently does not seem to support signing requests for this new service yet.

What solution would you like?

The main issue seems to lie here, in this bit of code:

var canonicalRequest = await CanonicalRequest.From(request, credentials, signingTime).ConfigureAwait(false);

var signature = AWS4Signer.ComputeSignature(credentials, region.SystemName, signingTime, "es", canonicalRequest.SignedHeaders,
canonicalRequest.ToString());

request.Headers.TryAddWithoutValidation("x-amz-date", canonicalRequest.XAmzDate);
request.Headers.TryAddWithoutValidation("authorization", signature.ForAuthorizationHeader);
if (!string.IsNullOrEmpty(canonicalRequest.XAmzSecurityToken)) request.Headers.TryAddWithoutValidation("x-amz-security-token", canonicalRequest.XAmzSecurityToken);

SignRequests, and/or anything that invokes SignRequests, could potentially be overloaded to either be configurable or to explicitly handle requests and signing for OpenSearch Serverless. Otherwise, different handler/connection logic could potentially be created just for the Serverless service (e.g. OpenSearch.Net.Serverless.Auth.AwsSigV4).

The key changes required to allow for OpenSearch Serverless requests seem to be:

  1. The Service Name ("es") in this line needs to be "aoss":
     var signature = AWS4Signer.ComputeSignature(credentials, region.SystemName, signingTime, "es", canonicalRequest.SignedHeaders, canonicalRequest.ToString());
  2. Before the request is signed here, the 'content-length' header needs to be removed or disallowed from being set in CanonicalRequest.SignedHeaders
  3. The X-Amz-Content-SHA256 needs to be added to the request somewhere around here

What alternatives have you considered?

Signing requests for this service is also unsupported in all other dotnet clients that handle signing with Signature V4 for one reason or another, so I am currently creating my own request signing logic that allows me to work around these issues in the meantime.

Do you have any additional context?

The current requirements for signing requests to the OpenSearch Serverless service can be found here and are as follows:

  • You must specify the service name as aoss.
  • You can't include Content-Length as a signed header, otherwise you'll get an invalid signature error.
  • The x-amz-content-sha256 header is required for all AWS Signature Version 4 requests. It provides a hash of the request payload. For OpenSearch Serverless, include it with one of the following values when you build the canonical request for signing:
    • If there's a request payload, set the value to its Secure Hash Algorithm (SHA) cryptographic hash (SHA256).
    • If there's no request payload, set the value to e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, which is the hash of an empty string.
    • In either of the above two cases, you can also use the literal string UNSIGNED-PAYLOAD as the value of the x-amz-content-sha256 header.
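
The three signing requirements listed in the issue above, as an added example that is not part of the original post and not the client's own code: a minimal SigV4 signer that uses the `aoss` service name, leaves Content-Length out of the signed headers, and always sends `x-amz-content-sha256`. `AossSigner`, its parameters, the host name and the credentials are hypothetical or constructed; it assumes .NET 6 or later and a path and query string that are already in canonical (URI-encoded, sorted) form.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example: AossSigner is a hypothetical name, not an OpenSearch.Net type.
public static class AossSigner
{
    const string Service = "aoss"; // requirement 1: "aoss", not "es"
    static string Hex(byte[] b) => Convert.ToHexString(b).ToLowerInvariant();
    static byte[] Hmac(byte[] key, string data) => HMACSHA256.HashData(key, Encoding.UTF8.GetBytes(data));

    // Returns the headers to add to the outgoing request (Host is set by HttpClient itself).
    public static Dictionary<string, string> Sign(string method, string host, string path, string query,
        byte[] body, string region, string accessKey, string secretKey, string sessionToken, DateTime utcNow)
    {
        var amzDate = utcNow.ToString("yyyyMMdd'T'HHmmss'Z'", CultureInfo.InvariantCulture);
        var date = utcNow.ToString("yyyyMMdd", CultureInfo.InvariantCulture);
        // Requirement 3: SHA-256 of the payload; an empty body gives e3b0c442...b855.
        var payloadHash = Hex(SHA256.HashData(body ?? Array.Empty<byte>()));
        // Requirement 2: only these headers are signed; Content-Length is deliberately absent.
        var signed = new SortedDictionary<string, string>(StringComparer.Ordinal)
        {
            ["host"] = host, ["x-amz-content-sha256"] = payloadHash, ["x-amz-date"] = amzDate,
        };
        if (!string.IsNullOrEmpty(sessionToken)) signed["x-amz-security-token"] = sessionToken;

        var signedHeaders = string.Join(";", signed.Keys);
        var canonicalRequest = string.Join("\n", method, path, query,
            string.Concat(signed.Select(h => $"{h.Key}:{h.Value.Trim()}\n")), signedHeaders, payloadHash);
        var scope = $"{date}/{region}/{Service}/aws4_request";
        var stringToSign = string.Join("\n", "AWS4-HMAC-SHA256", amzDate, scope,
            Hex(SHA256.HashData(Encoding.UTF8.GetBytes(canonicalRequest))));
        // Signing key chain: date -> region -> service -> "aws4_request".
        var key = Hmac(Hmac(Hmac(Hmac(Encoding.UTF8.GetBytes("AWS4" + secretKey), date), region), Service), "aws4_request");

        var result = new Dictionary<string, string>(signed);
        result.Remove("host");
        result["authorization"] = $"AWS4-HMAC-SHA256 Credential={accessKey}/{scope}, " +
            $"SignedHeaders={signedHeaders}, Signature={Hex(Hmac(key, stringToSign))}";
        return result;
    }

    public static void Main()
    {   // Constructed sample values: not a real endpoint and not real credentials.
        var headers = Sign("GET", "collection-id.us-east-1.aoss.amazonaws.com", "/my-index/_search", "",
            null, "us-east-1", "AKIDEXAMPLE", "constructed-secret-key", null, DateTime.UtcNow);
        foreach (var h in headers) Console.WriteLine($"{h.Key}: {h.Value}");
    }
}
```

The returned headers can be attached with `request.Headers.TryAddWithoutValidation`, as the snippet quoted in the issue does for `x-amz-date` and `authorization`.
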
@dblock
Member

dblock commented Jan 3, 2023

Beyond signing there are other problems such as info API that doesn't exist. We need to document support, limitations, and add integration tests.

@dblock
Member

dblock commented Jan 24, 2023

Closed via #133

@dblock closed this as completed Jan 24, 2023