SignatureDoesNotMatch for presigned URL when access key contains special character (+) #7931

Closed
guymguym opened this issue Mar 29, 2024 · 3 comments · Fixed by #8008
@guymguym

Environment info

  • NooBaa Version: noobaa-core-5.16.0-20240310.el8.x86_64
  • Platform: rhel-8

Actual behavior

  1. Created an account, set the access key manually to abc+abc.
  2. NOTICE - this happens when manually setting the access key, because when we generate access keys we only pick alphanumeric chars.
  3. Used aws cli and cyberduck with that access key and secret without any issues (uses sigv4 in authentication header).
  4. Tried to create a presigned URL with aws s3 presign s3://bucket/key but getting the URL failed with SignatureDoesNotMatch error.
  5. Changed the access key to contain no +, and presign works too.
  6. Tried also to get signed URL with cyberduck - the duck did not encode the + sign in the url and it messed up even before getting to the server.

Expected behavior

  1. Either block using access keys with invalid chars, or make it work ok also for presigned URL.

Steps to reproduce

  1. See above.

More information - Screenshots / Logs / Other output

@guymguym guymguym added the S3-Compatibility S3 Compatibility and Namespace over AWS label Mar 29, 2024
@guymguym guymguym added this to the 5.15.3 milestone Apr 21, 2024
@guymguym

@nimrod-becker @dannyzaken didn't we fix this already?

@guymguym

ok, so no we didn't handle this one yet. I was mixing it up with #7829.

@guymguym guymguym modified the milestones: 5.15.3, 5.16.0 Apr 25, 2024
@guymguym

@romayalon since we will probably not fix this one, let's just make sure that for now we do not allow accepting access keys with unsupported symbols from our CLI, when keys are provided as arguments and not generated.
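
An added illustration, not part of the original issue or NooBaa's code: what happens to a raw `+` in the `X-Amz-Credential` query parameter under form-style query decoding (the unencoded-URL case from step 6), next to an alphanumeric-only check of the kind the last comment asks for. The function names, host and scope string are constructed for this example, and the issue does not state that NooBaa's own failure has this cause.

```javascript
// Added illustration; function names are hypothetical, not NooBaa APIs.

// Constructed sample credential scope (not a real credential).
const SCOPE = '20240329/us-east-1/s3/aws4_request';

// Build a presigned-style URL, writing the credential into the query
// either percent-encoded or raw (the raw form is the step 6 case).
function buildPresignedUrl(accessKey, encode) {
    const credential = `${accessKey}/${SCOPE}`;
    const value = encode ? encodeURIComponent(credential) : credential;
    return 'https://s3.example.test/bucket/key' +
        '?X-Amz-Algorithm=AWS4-HMAC-SHA256' +
        `&X-Amz-Credential=${value}`;
}

// The access key a receiver recovers when it parses the query string with
// application/x-www-form-urlencoded rules, where a raw "+" means a space.
function accessKeySeenByServer(url) {
    const credential = new URL(url).searchParams.get('X-Amz-Credential');
    return credential.split('/')[0];
}

// Input check for manually supplied keys: accept only alphanumeric
// characters, which is what generated keys contain according to the issue.
function isSupportedAccessKey(accessKey) {
    return typeof accessKey === 'string' && /^[A-Za-z0-9]+$/.test(accessKey);
}

// Raw "+" is decoded to a space, so the key no longer matches the account.
console.log(JSON.stringify(accessKeySeenByServer(buildPresignedUrl('abc+abc', false))));
// Percent-encoded "%2B" survives the round trip.
console.log(JSON.stringify(accessKeySeenByServer(buildPresignedUrl('abc+abc', true))));
// The check rejects the key before it can be stored.
console.log(isSupportedAccessKey('abc+abc'), isSupportedAccessKey('abcABC123'));
```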
