Skip to content

S3 ASF fix pre-signed ports permutation#7152

Merged
bentsku merged 2 commits intomasterfrom
s3-asf-fix-presign-ports
Nov 18, 2022
Merged

S3 ASF fix pre-signed ports permutation#7152
bentsku merged 2 commits intomasterfrom
s3-asf-fix-presign-ports

Conversation

@bentsku
Copy link
Contributor

@bentsku bentsku commented Nov 9, 2022
edited
Loading

Follow-up PR to #7070
While migrating the tests, it came to light that port permutation while checking for SigV4 signature was not working.
For context, while validating the signature, we check the host value. But with LocalStack, you can access S3 from different ports (edge port, 443, 80 or not port at all for example in the browser). So we permute ports to try for different host value if the first received one is incorrect.
This also comes with a significant refactor, as we would create a lot of resource for every permutation which needed to be created only once.

@bentsku bentsku temporarily deployed to localstack-ext-tests November 9, 2022 14:37 Inactive
@bentsku bentsku mentioned this pull request Nov 9, 2022
Merged
21 tasks
@bentsku bentsku force-pushed the s3-asf-fix-presign-ports branch from 2f0a9f4 to 85bb943 Compare November 9, 2022 15:41
@bentsku bentsku temporarily deployed to localstack-ext-tests November 9, 2022 15:41 Inactive
@coveralls
Copy link

coveralls commented Nov 9, 2022
edited
Loading

Coverage Status

Coverage decreased (-0.02%) to 79.844% when pulling 6120cac on s3-asf-fix-presign-ports into 62502bf on master.

@github-actions
Copy link

github-actions bot commented Nov 9, 2022
edited
Loading

LocalStack integration with Pro

       3 files  ±0         3 suites  ±0   1h 13m 29s ⏱️ - 4m 10s
1 485 tests ±0  1 266 ✔️ +1  219 💤  - 1  0 ±0 
2 085 runs  ±0  1 632 ✔️ +1  453 💤  - 1  0 ±0 

Results for commit a5f314d. ± Comparison against base commit 65230eb.

♻️ This comment has been updated with latest results.

@bentsku bentsku force-pushed the s3-asf-fix-presign-ports branch from 85bb943 to 6120cac Compare November 15, 2022 13:30
@bentsku bentsku temporarily deployed to localstack-ext-tests November 15, 2022 13:30 Inactive
@bentsku bentsku marked this pull request as ready for review November 15, 2022 15:50
@bentsku bentsku requested a review from thrau as a code owner November 15, 2022 15:50
thrau
thrau approved these changes Nov 17, 2022
View reviewed changes
Copy link
Member

@thrau thrau left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! i don't claim to fully understand what's going on but the code looks very clean overall :-)

localstack/services/s3/presigned_url.py
for header, value in context.request.headers.items():
header_low = header.lower()
if header_low.startswith("x-amz-") or header_low in ["content-type", "date", "content-md5"]:
new_headers[header_low] = value
Copy link
Member

@thrau thrau Nov 17, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not sure what we are doing with the resulting request, but should we maybe preserve the original header casing?

Suggested change
new_headers[header_low] = value
new_headers[header] = value

Copy link
Contributor Author

@bentsku bentsku Nov 18, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While creating the signature, it lowers the name of the header as well, so we need to lower the header to be able to match the signature. The corresponding code snippet is here in botocore:
botocore.auth.SigV4Auth.headers_to_sign (l.231)

def headers_to_sign(self, request):
    """
    Select the headers from the request that need to be included
    in the StringToSign.
    """
    header_map = HTTPHeaders()
    for name, value in request.headers.items():
        lname = name.lower()
        if lname not in SIGNED_HEADERS_BLACKLIST:
            header_map[lname] = value
    if 'host' not in header_map:
        # TODO: We should set the host ourselves, instead of relying on our
        # HTTP client to set it for us.
        header_map['host'] = _host_from_url(request.url)
    return header_map

I could add a comment pointing to this. The code is full of traps to reverse. I had to use the lower-cased one or it would fail in CI if I remember well.

localstack/services/s3/presigned_url.py Outdated
"signing": {"bucket": self._bucket},
},
}
self.aws_request: AWSRequest = create_request_object(request_dict)
Copy link
Member

@thrau thrau Nov 17, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: maybe it would be good to add the annotation to the class declaration.

Copy link
Contributor Author

@bentsku bentsku Nov 18, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

refactored to return the AWSRequest from the method 👍

@bentsku bentsku temporarily deployed to localstack-ext-tests November 18, 2022 10:58 Inactive
@bentsku bentsku force-pushed the s3-asf-fix-presign-ports branch from 1ac6d71 to a5f314d Compare November 18, 2022 11:36
@bentsku bentsku temporarily deployed to localstack-ext-tests November 18, 2022 11:37 Inactive
@bentsku bentsku merged commit 580e37c into master Nov 18, 2022
@bentsku bentsku deleted the s3-asf-fix-presign-ports branch November 18, 2022 13:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thrau thrau thrau approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@bentsku @coveralls @thrau