Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix pre-signed url issues #8493

Merged
merged 1 commit into from
Nov 3, 2024
Merged

Fix pre-signed url issues #8493

merged 1 commit into from
Nov 3, 2024

Conversation

romayalon
Copy link
Contributor

@romayalon romayalon commented Oct 31, 2024
edited
Loading

Explain the changes

  1. Fixed a bug in _check_expiry_query_v4(), new Date(request_date) is an InvalidDate because requestDate is an amz format and needs to be converted to ISO string before converting to a Date, this issue caused (new Date(request_date).getTime()) always NaN - therefore, we never checked correctly the expiry of the presigned URL, URLs where never expired on this flow.
  2. Added a correct S3 error when presigned URL expired - RequestExpired.
  3. Fixed a bug that caused us to throw TimeTooSkewed on presigned URLs that were signed more than 15 minutes ago.
  4. Added Request is not yet valid error when request time is bigger than now.
  5. Added _check_expiry_limit() that checks if the expiry is more than 7 days, throws AuthorizationQueryParametersError if true.

Issues: Fixed #xxx / Gap #xxx

  1. Fixed pre signed url is not accessible after 15 mins, throws clock skew error #8490
  2. Gap - Automtic tests
  3. Future request Gap
    aws s3 presign s3://bucket1/obj1.txt --expires-in 120 --endpoint-url https://127.0.0.1:6443
    change date to be in 2 hours +
    curl --insecure ''
    Curl Output ->
    we have a different internal error currently 'Mismatching date in X-Amz-Credential and X-Amz-Date

Testing Instructions:

  1. Tested manually -
    Pre-requisites - create account and a bucket, start noobaa service, upload an object to the bucket.
## Case 1 - expiry > 7 days
aws s3 presign s3://bucket1/obj1.txt --expires-in 12000000000000 --endpoint-url https://127.0.0.1:6443
curl --insecure '<url-recieved>'

# Curl Output
<?xml version="1.0" encoding="UTF-8"?><Error><Code>AuthorizationQueryParametersError</Code><Message>X-Amz-Expires must be less than a week (in seconds); that is, the given X-Amz-Expires must be less than 604800 seconds</Message><Resource>/bucket1/obj1.txt...</RequestId></Error>

## Case 2 - request expired
aws s3 presign s3://bucket1/obj1.txt --expires-in 1 --endpoint-url https://127.0.0.1:6443
curl --insecure '<url-recieved>'
# Curl Output
<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message>Request has expired</Message>...</Error>

## Case 3 - Future request 
aws s3 presign s3://bucket1/obj1.txt --expires-in 120 --endpoint-url https://127.0.0.1:6443
# change date to be in 15 minutes
curl --insecure '<url-recieved>'
# Curl Output
<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message>request is no valid yet</Message><Resource>...</RequestId></Error>
// notice on 2 hours move we have a different internal error currently 'Mismatching date in X-Amz-Credential and X-Amz-Date' 

## Case 4 - Time Too Skewed on presigned URLs
aws s3 presign s3://bucket1/obj1.txt --expires-in 604800 --endpoint-url https://127.0.0.1:6443
wait 20 minutes
curl --insecure '<url-recieved>'
# Curl Output
expect the content of the file instead of TimeTooSkewed error
  • Doc added/updated
  • Tests added

@romayalon romayalon force-pushed the romy-remove-skew-from-presigned-url branch 2 times, most recently from 5424518 to a4156b1 Compare October 31, 2024 11:19
nimrod-becker
nimrod-becker approved these changes Oct 31, 2024
View reviewed changes
src/endpoint/s3/s3_errors.js Outdated Show resolved Hide resolved
src/util/http_utils.js Outdated Show resolved Hide resolved
@romayalon romayalon force-pushed the romy-remove-skew-from-presigned-url branch from a4156b1 to 8fbad1a Compare October 31, 2024 14:14
@romayalon romayalon force-pushed the romy-remove-skew-from-presigned-url branch from a7cbf43 to 6bb95dc Compare November 3, 2024 13:20
@romayalon romayalon merged commit 9f8b097 into noobaa:master Nov 3, 2024
10 checks passed
This was referenced Nov 3, 2024
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nimrod-becker nimrod-becker nimrod-becker approved these changes

@guymguym guymguym Awaiting requested review from guymguym

@dannyzaken dannyzaken Awaiting requested review from dannyzaken

Assignees
No one assigned
Labels
size/M
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

pre signed url is not accessible after 15 mins, throws clock skew error
2 participants
@romayalon @nimrod-becker