Uploaded image for project: 'jclouds'
  1. jclouds
  2. JCLOUDS-1476

AWS4 double authentication: query string and headers

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.1.1
    • Fix Version/s: None
    • Component/s: jclouds-blobstore
    • Labels:
      None

      Description

      Hi,

      There is a problem when using AWSS3BlobRequestSignerV4.java signPutBLob(...) method as it turns out that the request which is returned is double signed(with query string, concatenated to the endpoint and also with headers). This happens when the blob object is created with payload(InputStream). It does not happen when the blob is with payload(File). I have examined it and it looks like when filtering the request in filter(HttpRequest request) method in RequestAuthorizeSignatureV4.java, as the payload is InputStream it is not repeatable by default so the filter(HttpRequest request) method goes for signForChunkedUpload(request) instead of signForAuthorizationHeader(request). And in this case the request returned is double signed. It has authorization headers and also authorization query string. It fails with:

      Caused by: org.jclouds.aws.AWSResponseException: request PUT https://xxx.xxx.xxx.xxx.s3.eu-central-1.amazonaws.com/upload/a1.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=xxx/20181218/eu-central-1/s3/aws4_request&X-Amz-Date=20181218T115649Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host&X-Amz-Signature=xxx HTTP/1.1 failed with code 400, error: AWSError{requestId='xxx', requestToken='xxx', code='InvalidArgument', message='Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter, Signature query string parameter or the Authorization header should be specified', context='

      {ArgumentValue=AWS4-HMAC-SHA256 Credential=xxx/20181218/eu-central-1/s3/aws4_request, SignedHeaders=content-encoding;content-length;content-type;host;x-amz-content-sha256;x-amz-date;x-amz-decoded-content-length, Signature=xxx, HostId=xxx, ArgumentName=Authorization}'}

       

      Here is also stack trace:

       

      Caused by: org.jclouds.aws.AWSResponseException: request PUT https://xxx.xxx.xxx.xxx.s3.eu-central-1.amazonaws.com/upload/a1.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=xxx/20181218/eu-central-1/s3/aws4_request&X-Amz-Date=20181218T115649Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host&X-Amz-Signature=xxx HTTP/1.1 failed with code 400, error: AWSError{requestId='6D61670538525FB9', requestToken='xxx', code='InvalidArgument', message='Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter, Signature query string parameter or the Authorization header should be specified', context='{ArgumentValue=AWS4-HMAC-SHA256 Credential=xxx/20181218/eu-central-1/s3/aws4_request, SignedHeaders=content-encoding;content-length;content-type;host;x-amz-content-sha256;x-amz-date;x-amz-decoded-content-length, Signature=xxx, HostId=xxx, ArgumentName=Authorization}

      '}
      at org.jclouds.aws.handlers.ParseAWSErrorFromXmlContent.handleError(ParseAWSErrorFromXmlContent.java:75)
      at org.jclouds.http.handlers.DelegatingErrorHandler.handleError(DelegatingErrorHandler.java:65)
      at com.xxx.xxx.xxx.xxx.s3.xxx.jclouds.ssl.CustomJavaUrlHttpCommandExecutorService.shouldContinue(CustomJavaUrlHttpCommandExecutorService.java:125)
      at com.xxx.xxx.xxx.xxx.s3.xxx.jclouds.ssl.CustomJavaUrlHttpCommandExecutorService.invoke(CustomJavaUrlHttpCommandExecutorService.java:94)
      at org.jclouds.rest.internal.InvokeHttpMethod.invoke(InvokeHttpMethod.java:91)
      at org.jclouds.rest.internal.InvokeHttpMethod.apply(InvokeHttpMethod.java:74)
      at org.jclouds.rest.internal.InvokeHttpMethod.apply(InvokeHttpMethod.java:45)
      at org.jclouds.rest.internal.DelegatesToInvocationFunction.handle(DelegatesToInvocationFunction.java:156)
      at org.jclouds.rest.internal.DelegatesToInvocationFunction.invoke(DelegatesToInvocationFunction.java:123)
      at com.sun.proxy.$Proxy174.invoke(Unknown Source)

       

      It fails on invoke when trying to get a response from this request. But the problem is why the request is left to be double signed?

       

      Best Regards,

      Blago

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              blagolaj Blagoi Anastasov
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated: