Regression in signatures with the new Java HTTP implementation #263
Comments
|
I just ran an experiment with the following code: (defmethod a.signers/sign-http-request "s3"
[service endpoint credentials http-request]
(a.signers/v4-sign-http-request service
endpoint
credentials
(-> http-request
(assoc-in [:headers "host"] (str (get-in http-request [:headers "host"]) ":3900")))
:content-sha256-header?
true))
This fixes my authentication issues for s3. I'll be using this until a more permanent solution is identified. |
|
I ran into this issue as well. Here's @JJ-Atkinson's code, generalizing the port: (require '[[cognitect.aws.signers :as signers])
(defmethod signers/sign-http-request "s3"
[service endpoint credentials http-request]
(signers/v4-sign-http-request service
endpoint
credentials
(-> http-request
(assoc-in [:headers "host"] (str (get-in http-request [:headers "host"]) ":" (:server-port http-request))))
:content-sha256-header?
true)) |
|
Just noticed that I'm getting HTTP 403 with I assume it's the same error as reported, given that the hotfix also worked for me. Mentioning just to help others find this issue via GitHub search. |
|
Thanks for reporting. Could you confirm:
|
|
Also: how do you create your client? I assume you are using |
(1) Yes, I only see this when connecting to MinIO, which is on a different port than S3.
(defn unwrap-endpoint [endpoint]
(let [url ^URL (io/as-url endpoint)
port (.getPort url)
path (.getPath url)]
(cond-> {:protocol (.getProtocol url)
:hostname (.getHost url)}
(not= port -1) (assoc :port port)
(not (s/blank? path)) (assoc :path path))))
(defn make-s3-client [{:strs [endpoint] :as connection-configs}]
(let [opts (cond-> {:api :s3}
endpoint (assoc :endpoint-override (unwrap-endpoint endpoint)))]
(aws/client opts))) |
|
I just encountered the error again, but this time with AWS S3 and after implementing the workaround. (Hmm, maybe the workaround is only suitable for MinIO that I was also using when I first saw the issue?) I guess I'll downgrade the library for now. The client was created in the simplest way, by just passing this map to {:api :s3
:region region
:credentials-provider (credentials/basic-credentials-provider
{:access-key-id access-key-id
:secret-access-key secret-access-key})} |
|
Ended up not downgrading but using this version of the workaround instead, that uses it only if the hostname is (let [orig-sign-fn (get-method signers/sign-http-request "s3")]
(defmethod signers/sign-http-request "s3"
[service endpoint credentials http-request]
(if (= (:hostname endpoint) "localhost")
(signers/v4-sign-http-request service
endpoint
credentials
(-> http-request
(assoc-in [:headers "host"] (str (get-in http-request [:headers "host"]) ":" (:server-port http-request))))
:content-sha256-header?
true)
(orig-sign-fn service endpoint credentials http-request)))) |
Hi,
I've recently upgraded from a prior version where jetty was the default http client to the latest
0.8.723, and I'm now using the default java builtin http client. It appears that there's a regression in signatures with this new version. If I'm not very much mistaken, the port number is being attached to thehostheader (implicitly controlled by java http - not much aws-api can do about that) but that wasn't expected behavior before. I'm using wireshark to capture packets, and I see the following http request:Note the host header in particular. With some careful repl manipulation, I was able to get the
aws.signers/canonical-requestfor this particular request:Note the lack of a port number on the host.
When using the standard aws cli v2 in debug mode, I can see the canonical string also contains a port number:
The port number is also visible in the wireguard capture of the aws cli v2 requests.
I'm not familiar enough with the intention behind the signing code to provide a good suggestion about where to place a modified
hostheader, but I'm quite sure that's what's wrong with my requests.The text was updated successfully, but these errors were encountered: