Blob user delegation SAS wrong service version #19249

Closed
yvespp opened this issue Oct 3, 2022 · 3 comments · Fixed by #19299

yvespp commented Oct 3, 2022

Bug Report

  • import path of package in question:

```go
"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob"
"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/bloberror"
"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/blockblob"
azcontainer "github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/container"
"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/sas"
"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/service"
```

  • SDK version e.g. 0.5.0, lock file:

```text
github.com/Azure/azure-sdk-for-go v66.0.0+incompatible h1:bmmC38SlE8/E81nNADlgmVGurPWMHDX2YNXVQMrBpEE=
github.com/Azure/azure-sdk-for-go v66.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.3 h1:8LoU8N2lIUzkmstvwXvVfniMZlFbesfT2AmA1aqvRr8=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.3/go.mod h1:uGG2W01BaETf0Ozp+QxxKJdMBNRWPdstHG0Fmdwn1/U=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0 h1:QkAcEIAKbNL4KoFr4SathZPhDhF4mVwpBMFlYjyAqy8=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0/go.mod h1:bhXu1AjYL+wutSL/kpSq6s7733q2Rb0yuot9Zgfqa/0=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.1 h1:XUNQ4mw+zJmaA2KXzP9JlQiecy1SI+Eog7xVkPiqIbg=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.1/go.mod h1:eWRD7oawr1Mu1sLCawqVc0CUiF43ia3qQMxLscsKQ9w=
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v0.5.0 h1:fe+kSd9btgTTeHeUlMTyEsjoe6L/zd+Q61iWEMPwHmc=
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v0.5.0/go.mod h1:T7nxmZ9i42Dqy7kwnn8AZYNjqxd4TloKXdIbhosHSqo=
```

  • output of go version: go version go1.18.6 linux/amd64
  • What happened?
    With user delegation SAS, the default service version (sv) doesn't match the generated string to sign. It should be 2020-02-10 but it's 2019-12-12.
    As the string to sign includes the snapshotTime, it must be version 2020-02-10:
    https://learn.microsoft.com/en-us/rest/api/storageservices/create-user-delegation-sas#version-2020-02-10

```go
    snapshotTime, // signed timestamp
```

    Opening the generated URL causes this error:

```xml
<Error><Code>AuthenticationFailed</Code><Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.\nRequestId:575ebe24-001e-001f-6309-d7cece000000\nTime:2022-10-03T09:19:32.7586903Z</Message><AuthenticationErrorDetail>Signature did not match. String to sign used was r\n2022-10-03T09:09:32Z\n2022-10-03T09:24:32Z\n/blob/yptestsa/velero/folder/test\n3bc854ed-cfe6-4eab-add6-43bb99c5e2ca\naf7227b1-ac3a-4487-9e9f-ba462bb409d4\n2022-10-03T09:09:32Z\n2022-10-03T09:24:32Z\nb\n2020-10-02\n\nhttps\n2019-12-12\nb\n\n\n\n\n\n</AuthenticationErrorDetail></Error>
```

Setting the version to 2020-02-10 manually in the BlobSignatureValues fixes it.

  • What did you expect or want to happen?
    The default of service version should match the used string to sign and the generated sas url should work.
  • How can we reproduce it?

```go
func (b *azureBlob) GetSASURI(ttl time.Duration) (string, error) {
	// because of clock skew it can happen that the token is not yet valid, so make it valid in the past
	startTime := time.Now().Add(-10 * time.Minute).UTC()
	expiryTime := time.Now().Add(ttl).UTC()
	blobSignatureValues := sas.BlobSignatureValues{
		ContainerName: b.container,
		BlobName:      b.blob,
		Protocol:      sas.ProtocolHTTPS,
		StartTime:     startTime,
		ExpiryTime:    expiryTime,
		Permissions:   to.Ptr(sas.BlobPermissions{Read: true}).String(),
		// Version:       "2020-02-10",
	}

	info := service.KeyInfo{
		Start:  to.Ptr(startTime.Format(sas.TimeFormat)),
		Expiry: to.Ptr(expiryTime.Format(sas.TimeFormat)),
	}
	udc, err := b.serviceClient.GetUserDelegationCredential(context.TODO(), info, nil)
	if err != nil {
		return "", err
	}
	queryParam, err := blobSignatureValues.SignWithUserDelegation(udc)
	if err != nil {
		return "", err
	}

	url := fmt.Sprintf("%s?%s", b.blobClient.URL(), queryParam.Encode())
	return url, nil
}
```

The generated URL will cause the error above.

  • Anything we should know about your environment.

ghost commented Oct 3, 2022

Hi @yvespp. Thank you for your feedback and we will look into it soon. Meanwhile, feel free to share your experience using the Azure SDK in this survey.

jhendrixMSFT (Member) commented

This is because the string-to-sign used in BlobSignatureValues.SignWithUserDelegation uses the newer format that includes the snapshot time.

@siminsavani-msft we need to change the default value as indicated above. However, we need to ensure that this remains compatible with the other string-to-sign algorithms in use.
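To make the mismatch concrete, here is an added Go example (not SDK or project code) that builds both user delegation string-to-sign layouts from the same constructed inputs and models the service's check: the client signs the 2020-02-10 layout (which inserts the saoid, suoid and scid fields) while the sv it sends names 2019-12-12, so the service rebuilds the 20-field 2019-12-12 string seen in the error above and the signatures disagree; once sv says 2020-02-10, both sides build the same string. Field order follows the REST docs linked in the report; the account path, object IDs and key are constructed placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// sasInput holds the fields of a user delegation string-to-sign.
type sasInput struct {
	perms, start, expiry, resource                              string
	keyOID, keyTID, keyStart, keyExpiry, keyService, keyVersion string
	saoid, suoid, scid, ip, protocol, resourceType, snapshot    string
	rscc, rscd, rsce, rscl, rsct                                string
}

// stringToSign joins the fields in the order `layout` expects and embeds sv
// as signedVersion; 2020-02-10 adds saoid/suoid/scid over 2019-12-12.
func stringToSign(in sasInput, layout, sv string) string {
	f := []string{in.perms, in.start, in.expiry, in.resource, in.keyOID,
		in.keyTID, in.keyStart, in.keyExpiry, in.keyService, in.keyVersion}
	if layout >= "2020-02-10" { // ISO dates sort lexically
		f = append(f, in.saoid, in.suoid, in.scid)
	}
	f = append(f, in.ip, in.protocol, sv, in.resourceType, in.snapshot,
		in.rscc, in.rscd, in.rsce, in.rscl, in.rsct)
	return strings.Join(f, "\n")
}

// sign computes base64(HMAC-SHA256(key, stringToSign)), as SAS signing does.
func sign(key []byte, sts string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(sts))
	return base64.StdEncoding.EncodeToString(m.Sum(nil))
}

// serverAccepts models the service check: the string is rebuilt with the
// layout named by the sv query parameter and the signatures are compared.
func serverAccepts(in sasInput, key []byte, clientLayout, sv string) bool {
	return sign(key, stringToSign(in, clientLayout, sv)) == sign(key, stringToSign(in, sv, sv))
}

func main() { // constructed sample values: no real account, key or IDs
	in, key := sasInput{perms: "r", start: "2022-10-03T09:09:32Z", expiry: "2022-10-03T09:24:32Z",
		resource: "/blob/acct/c/blob", keyOID: "oid-1", keyTID: "tid-1", keyStart: "2022-10-03T09:09:32Z",
		keyExpiry: "2022-10-03T09:24:32Z", keyService: "b", keyVersion: "2020-10-02", protocol: "https", resourceType: "b"}, []byte("constructed-key")
	fmt.Println("sv=2019-12-12 accepted:", serverAccepts(in, key, "2020-02-10", "2019-12-12"), "sv=2020-02-10 accepted:", serverAccepts(in, key, "2020-02-10", "2020-02-10"))
}
```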

jhendrixMSFT (Member) commented

This is fixed in azblob@v0.5.1
