SignatureDoesNotMatch error when sending optional parameters to AWS S3 - amazon-s3

I’m trying to use getBucketObjectVersions operation with signature v4 to get the bucket object versions. If I don’t add any request parameters as mentioned in the sample request below, I am able to get the response successfully.
GET /signv4testq23a1/?versions
Authorization: AWS4-HMAC-SHA256 Credential=AKXXXXXXXXXXXEA/20171220/us-east-2/s3/aws4_request,SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date,Signature=fe3d26c4sdasdasd7fa15324XXXXX563dsf148df58d131b4cede6
x-amz-content-sha256: UNSIGNED-PAYLOAD
x-amz-date: Wed, 20 Dec 2017 07:22:14 GMT
Content-Type: application/xml
Host: s3.us-east-2.amazonaws.com
If I add any request parameters as mentioned in the sample request below I’m getting the SignatureDoesNotMatch error. Please note that the canonical request which is generated when calculating the signature is same as the canonical request expected by the backend service. But getting different hashed canonical request value expected in StringToSign value from backend service.
What could be the reason?
Sample request with request parameter:
GET /signv4testq23a1/?versions&delimiter=/
Authorization: AWS4-HMAC-SHA256 Credential=AKXXXXXXXXXXXEA/20171220/us-east-2/s3/aws4_request,SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date,Signature=192ce5f5e6b661bd5aXXXXXXXXXXXEAe5f50fbe8efda5a3e967d4f27972e
x-amz-date: Wed, 20 Dec 2017 08:53:17 GMT
Content-Type: application/xml
Host: s3.us-east-2.amazonaws.com
Cannonical request:
GET
/signv4testq23a1/
delimiter=%2F&versions=
content-type:application/xml
host:s3.us-east-2.amazonaws.com
x-amz-content-sha256:UNSIGNED-PAYLOAD
x-amz-date:Wed, 20 Dec 2017 08:53:17 GMT
content-type;host;x-amz-content-sha256;x-amz-date
UNSIGNED-PAYLOAD
enter link description here

This is a problem:
delimiter=%2F&versions=
The keys and values should be url-escaped (encoded), but the & between parameters should not be escaped as &... it should just be &. You need to encode each key and value on its own, rather than the entire string once sorted and assembled.
CanonicalQueryString
specifies the URI-encoded query string parameters. You URI-encode name and values individually.
http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html

Related

SAPUI5 OData v4 Batch Requests Header Parsing

I'm trying to implement a UI5 service using an OData v4 backend.
In general my bindings seem to work, however, there seems to be a problem parsing the headers of the batch requests. Parsing the batch parts by skipping the code in the debugger works fine.
In the console I get the following error:
2022-10-11 13:14:09.584899 $batch failed - Error: Expected 'OData-Version' header with value '4.0' but received value 'null' in response for http://localhost:8080/odata/$batch
at h.doCheckVersionHeader (http://localhost:1337/resources/sap/ui/core/library-preload.js:4753:314)
at Object.<anonymous> (http://localhost:1337/resources/sap/ui/core/library-preload.js:4786:415)
at Object.<anonymous> (http://localhost:1337/resources/sap-ui-core.js:2099:9272)
at p (http://localhost:1337/resources/sap-ui-core.js:2219:26833)
at Object.fireWith [as resolveWith] (http://localhost:1337/resources/sap-ui-core.js:2219:27676)
at y3 (http://localhost:1337/resources/sap-ui-core.js:2219:84906)
at XMLHttpRequest.<anonymous> (http://localhost:1337/resources/sap-ui-core.js:2219:87536) sap.ui.model.odata.v4.ODataModel`
However, inspecting the headers in the developer tools the OData-Version header seems to be set
HTTP/1.1 202
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *
OData-Version: 4.0
Content-Type: multipart/mixed;boundary=batch_63059dbf-3e96-4650-b6b9-c6237b7e3b9e
Content-Length: 3848
Date: Tue, 11 Oct 2022 11:14:06 GMT
Keep-Alive: timeout=60
Connection: keep-alive
In the function h.doCheckVersionHeader only the Content-Type and Content-Length are aviable.
I start my project via ui5 serve and seem to be using version 1.102.1.
Does anyone know how I can get the requests to work?
I have resolved the issue by adding the
Access-Control-Expose-Headers header to the response: https://github.com/SAP/openui5/issues/3613#issuecomment-1274609280
The section "Response Headers" from the documentation topic "Model Instantiation and Data Access" now lists headers that need to be added to the Access-Control-Expose-Headers response header:
The OData model processes some of the response headers, namely:
DataServiceVersion (only when consuming an OData V2 service),
Date,
ETag,
OData-Version,
Preference-Applied,
Retry-After,
SAP-Messages,
X-CSRF-Token.
Some SAP applications will also require the processing of SAP-ContextId, SAP-Err-Id, and SAP-Http-Session-Timeout. When using cross-origin resource sharing (CORS), it is important to add all these headers to the Access-Control-Expose-Headers response header.
Also, make sure that values assigned to the headers are syntactically valid. E.g. no dangling characters: OData-Version: 4.0; → OData-Version: 4.0.

GET Bucket op response + AWS S3 + Content-Length header

Just wanted to know if the GET Bucket op response ever skips the Content-Length header. I tested this and i saw that there was no Content-Length header in the response for GET Bucket op.
How does an application reading the response understand where the body of the response ends if the response doesn't contain Content-Length header?
Request-Response Snippet:
GET /?max-keys=1000&prefix&delimiter=%2F HTTP/1.1
Date: Sat, 09 Apr 2016 18:27:23 GMT
x-amz-request-payer: requester
Authorization: AWS AKIAIP3KAUILC4GG7A2A:UG3bGvIjayrxrkxEX1mfrvETy/M=
Connection: Keep-Alive
User-Agent: Cyberduck/4.9.19632 (Mac OS X/10.10.5) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: yg76HSq5j0mi0oR6dXF8ZfGq722kHBWiMQmNvXPqiLxr1S4nGj5GVn1RVrPQrOUfNynxxaMSYEY=
x-amz-request-id: B4468E68E10B6AEF
Date: Sat, 09 Apr 2016 18:27:25 GMT
x-amz-bucket-region: us-east-1
Content-Type: application/xml
Server: AmazonS3
Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">......</ListBucketResult>
Thanks!
The Content-Length header is optional in response. And it may not reflect the real content-length even if it presents. Think about gzipped response. So to answer the question: When no Content-Length is received, the client keeps reading until the server closes the connection.
In Java, keep calling InputStream.read() until it returns -1.
Is the Content-Length header required for a HTTP/1.0 response?

URL encoding of the state parameter for Google oauth2 gets decoded during redirect

I'm doing the initial authorization for Google Drive access. I want to pass a full URL in the "state" parameter so I can do an additional redirect from the page name I send over in "redirect_uri". So my request URL looks like this...
https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=000000000000.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Fmy.server.com%2Fx%2Fws-catch.php&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive&access_type=offline&state=https%3a%2f%2fmy.server.com%2fRoot%2fDirectory%2fGoogle.php%3fpid%3dc907a55c-87f8-4ba8-8a16-478a9e6cba70%26prov%3dsrv50758c7a0cfcd6.527662862
Notice the "state" parameter is URL encoded. The Google documentation says that this parameter is round tripped so that I get the value I passed in. However, the state parameter appears to get partially decoded by the time it reaches the page specified in "redirect_uri". Here is where the browser goes when I deny the auth request...
https://my.server.com/x/ws-catch.php?error=access_denied&state=https://my.server.com/Root/Directory/Google.php?pid%3Dc907a55c-87f8-4ba8-8a16-478a9e6cba70%26prov%3Dsrv50758c7a0cfcd6.527662862
Notice the unencoded "?" character now in the "state" parameter. Is this a problem with Google when it redirects? I read one post that suggested base64 encoding the parameter which I can do but I wanted to understand why it wasn't working with URL encoding.
***edit
Here is the raw 302 from Google. Should be the same URL as pasted above.
HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Thu, 14 Feb 2013 16:23:37 GMT
Location: https://my.server.com/x/ws-catch.php?error=access_denied&state=https://my.server.com/Root/Directory/Google.php?pid%3Dc907a55c-87f8-4ba8-8a16-478a9e6cba70%26prov%3Dsrv50758c7a0cfcd6.527662862
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 325
Server: GSE
URL encoding does not require encoding of '?' or ':' or '/' when appearing as query parameter values. So the responses generated by Google are correctly encoded and should not result in any parse errors on your server.
Base64 encoding the entire state parameter is the safe way to get it back exactly as you sent it.

RabbitMQ HTTP API call to aliveness-test returns 404 but other calls work

When using the HTTP API I am trying to make a call to the aliveness-test for monitoring purposes. At the moment I am testing using curl and the following command:
curl -i http://guest:guest#localhost:55672/api/aliveness-test/
And I get the following response:
HTTP/1.1 404 Object Not Found
Server: MochiWeb/1.1 WebMachine/1.9.0 (someone had painted it blue)
Date: Mon, 05 Nov 2012 17:18:58 GMT
Content-Type: text/html
Content-Length: 193
<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested document was not found on this server.<P><HR><ADDRESS>mochiweb+webmachine web server</ADDRESS></BODY></HTML>
When making a request just to list the users or vhosts, the requests returns successfully:
$ curl -I http://guest:guest#localhost:55672/api/users
HTTP/1.1 200 OK
Server: MochiWeb/1.1 WebMachine/1.9.0 (someone had painted it blue)
Date: Mon, 05 Nov 2012 17:51:44 GMT
Content-Type: application/json
Content-Length: 11210
Cache-Control: no-cache
I'm using the latest stable version (2.8.7) of RabbitMQ and obviously have the management plugin installed for the API to work with the users call (the response is left out due to it containing company data but is just regular JSON as expected).
There isn't much on the internet about this call failing so I am wondering if anyone has seen this before?
Thanks,
Kristian
Turns out that the '/' at the beginning of the vhosts names is not implicit, even when as part of a URL. To get this to work I simply changed my request from:
curl -i http://guest:guest#localhost:55672/api/aliveness-test/
To
curl -i http://guest:guest#localhost:55672/api/aliveness-test/%2F
As %2F is '/' HTTP encoded, my request now queries the vhost named '/' and returns a 200 response which looks like:
{"status":"ok"}

Reading a SOAP response with bad HTTP header

I am using a SOAP interface that is developed by a 3rd party, but is returning an invalid HTTP header as shown below.
HTTP/1.0 200 OK
Server: SMBDK_1/2.3.0
Date: Thu, 09 Aug 2012 18:59:14 GMT
Connection: close
Content-Length: 670
Content-Type: text/html; charset=ISO-8859-1
Content-Type: text/xml
Expires: Thu, 09 Aug 2012 18:59:14 GMT
Last-Modified: Thu, 09 Aug 2012 18:59:14 GMT
Notice that there are 2 content-type tags. I am using VS2008 for this VB project. I have a service reference for this connection and can send a request and receive a response. I created a CustomTextMessageEncoder using the MSDN samples to read the response for text/html; charset=ISO-8859-1. This is working for single variable returns, but arrays are never read in correctly. They are always empty. I am using a Web Debugging Proxy and can see that the array information is there in the SOAP response, but it is never actually pulled through. I presume this is due to the bad header (?). I tried decoding the message as text/xml; charset=ISO-8859-1 and got the same results... empty array returns.
Does anyone have any advice on how to handle this situation? Do I need to deserialize this message manually or is there a better way?
In the end, these bad headers prevented Visual Studio from ever reading in array's properly.
I wound up having to capture the entire response in an XMl document in memory then open it up and use xmlNodeList to manually read the data from the arrays.