Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG]Using Queue service SAS URL with HTTPS and HTTP to create client #10283

Closed
3 tasks
Luyunmt opened this issue Apr 16, 2020 · 12 comments · Fixed by #14150
Closed
3 tasks

[BUG]Using Queue service SAS URL with HTTPS and HTTP to create client #10283

Luyunmt opened this issue Apr 16, 2020 · 12 comments · Fixed by #14150
Labels
blocking-release Blocks release Client This issue points to a problem in the data-plane of the library. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team Storage Storage Service (Queues, Blobs, Files) test-manual-pass
Milestone
[2020] August

Comments

@Luyunmt
Copy link
Contributor

Luyunmt commented Apr 16, 2020
edited
Loading

Describe the bug
Using the Queue service SAS URL created by HTTPS and HTTP as follow to create QueueServiceClient
image

Exception or Stack Trace
Exception in thread "main" com.azure.storage.queue.models.QueueStorageException: Status code 403, "AuthenticationFailedServer failed to
authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:09a68746-1003-0009-2dc0-13cc4f000000
Time:2020-04-16T07:30:15.1638447ZSignature did not match. String to sign used was yunlustorage
rwdlacup
bfqt
sco
2020-04-15T07:00:14Z
2020-04-17T15:00:14Z

https
2019-02-02
image
">"
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
at com.azure.core.http.rest.RestProxy.instantiateUnexpectedException(RestProxy.java:309)
at com.azure.core.http.rest.RestProxy.lambda$ensureExpectedStatus$3(RestProxy.java:350)
at reactor.core.publisher.MonoFlatMap$FlatMapMain.onNext(MonoFlatMap.java:118)
at reactor.core.publisher.Operators$MonoSubscriber.complete(Operators.java:1705)
at reactor.core.publisher.MonoCacheTime$CoordinatorSubscriber.signalCached(MonoCacheTime.java:320)
at reactor.core.publisher.MonoCacheTime$CoordinatorSubscriber.onNext(MonoCacheTime.java:337)
at reactor.core.publisher.Operators$ScalarSubscription.request(Operators.java:2267)
at reactor.core.publisher.MonoCacheTime$CoordinatorSubscriber.onSubscribe(MonoCacheTime.java:276)
at reactor.core.publisher.FluxFlatMap.trySubscribeScalarMap(FluxFlatMap.java:191)
at reactor.core.publisher.MonoFlatMap.subscribeOrReturn(MonoFlatMap.java:53)
at reactor.core.publisher.InternalMonoOperator.subscribe(InternalMonoOperator.java:48)
at reactor.core.publisher.MonoDefer.subscribe(MonoDefer.java:52)
at reactor.core.publisher.MonoCacheTime.subscribeOrReturn(MonoCacheTime.java:132)
at reactor.core.publisher.InternalMonoOperator.subscribe(InternalMonoOperator.java:48)
at reactor.core.publisher.MonoFlatMap$FlatMapMain.onNext(MonoFlatMap.java:150)
at reactor.core.publisher.FluxDoFinally$DoFinallySubscriber.onNext(FluxDoFinally.java:123)
at reactor.core.publisher.FluxHandle$HandleSubscriber.onNext(FluxHandle.java:112)
at reactor.core.publisher.FluxMap$MapConditionalSubscriber.onNext(FluxMap.java:213)
at reactor.core.publisher.FluxDoFinally$DoFinallySubscriber.onNext(FluxDoFinally.java:123)
at reactor.core.publisher.FluxHandleFuseable$HandleFuseableSubscriber.onNext(FluxHandleFuseable.java:178)
at reactor.core.publisher.FluxContextStart$ContextStartSubscriber.onNext(FluxContextStart.java:103)
at reactor.core.publisher.Operators$MonoSubscriber.complete(Operators.java:1705)
at reactor.core.publisher.MonoCollectList$MonoCollectListSubscriber.onComplete(MonoCollectList.java:121)
at reactor.core.publisher.FluxPeek$PeekSubscriber.onComplete(FluxPeek.java:252)
at reactor.core.publisher.FluxMap$MapSubscriber.onComplete(FluxMap.java:136)
at reactor.netty.channel.FluxReceive.terminateReceiver(FluxReceive.java:419)
at reactor.netty.channel.FluxReceive.drainReceiver(FluxReceive.java:209)
at reactor.netty.channel.FluxReceive.onInboundComplete(FluxReceive.java:367)
at reactor.netty.channel.ChannelOperations.onInboundComplete(ChannelOperations.java:363)
at reactor.netty.channel.ChannelOperations.terminate(ChannelOperations.java:412)
at reactor.netty.http.client.HttpClientOperations.onInboundNext(HttpClientOperations.java:585)
at reactor.netty.channel.ChannelOperationsHandler.channelRead(ChannelOperationsHandler.java:90)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:377)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:355)
at io.netty.channel.CombinedChannelDuplexHandler$DelegatingChannelHandlerContext.fireChannelRead(CombinedChannelDuplexHandler.java:436)
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:321)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:295)
at io.netty.channel.CombinedChannelDuplexHandler.channelRead(CombinedChannelDuplexHandler.java:251)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:377)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:355)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1470)
at io.netty.handler.ssl.SslHandler.decodeNonJdkCompatible(SslHandler.java:1231)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1268)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:498)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:437)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:377)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:355)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:377)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:834)
Suppressed: java.lang.Exception: #block terminated with an error
at reactor.core.publisher.BlockingSingleSubscriber.blockingGet(BlockingSingleSubscriber.java:99)
at reactor.core.publisher.Mono.block(Mono.java:1664)
at com.azure.storage.common.implementation.StorageImplUtils.blockWithOptionalTimeout(StorageImplUtils.java:99)
at com.azure.storage.queue.QueueServiceClient.createQueueWithResponse(QueueServiceClient.java:121)
at com.azure.storage.queue.QueueServiceClient.createQueue(QueueServiceClient.java:95)
at Test.main(Test.java:44)

To Reproduce
run the code in code Code Snippet

Code Snippet
String queueServiceURL = String.format("https://%s.queue.core.windows.net/%s", storageName, sasToken);
QueueServiceClient queueServiceClient = new
QueueServiceClientBuilder().endpoint(queueServiceURL).buildClient();
queueServiceClient.createQueue("myqueue1");

Expected behavior
Create queue successful.
Screenshots
If applicable, add screenshots to help explain your problem.

Setup (please complete the following information):

  • OS: windows
  • IDE : vscode
    -azure-storage-queue 12.6.0-beta.1.dev.20200413.1

Additional context
Add any other context about the problem here.

Information Checklist
Kindly make sure that you have added all the following information above and checkoff the required fields otherwise we will treat the issuer as an incomplete report

  • Bug Description Added
  • Repro Steps Added
  • Setup information Added
@tzhanl tzhanl added the Client This issue points to a problem in the data-plane of the library. label Apr 16, 2020
@tzhanl tzhanl added the Storage Storage Service (Queues, Blobs, Files) label Apr 16, 2020
@rickle-msft
Copy link
Contributor

@Luyunmt Thank you for posting this question. Because you're using the portal to generate a sas, there's really not any room for the SDK to be generating an incorrect signature, so there must be something strange going on with producing the url you are using to issue the request. Can you please capture the request url and share it here (redacting sensitive information such as the signature)

I'm also a bit confused by the ">" at the bottom of the string to sign you shared. Did that come back from the service? Or was that an artifact of pasting details in the issue?

@Luyunmt
Copy link
Contributor Author

Luyunmt commented Apr 20, 2020
edited
Loading

Https only sastoken:
image
Http and Https sastoken:
image
">" is part of the error message.

@rickle-msft
Copy link
Contributor

@Luyunmt Sorry, can you please un-redact everything except the signature? The signature is the only sensitive piece here, and without the other information it will be difficult to determine what may be mismatched with the string to sign the service used.

Additionally, out of curiosity, if you specify the sas token using the .sasToken(String) method on the builder rather than appending it to your URI string yourself, does that make any difference?

@Luyunmt
Copy link
Contributor Author

Luyunmt commented Apr 21, 2020
edited
Loading

Using the .sasToken(String) method on the builder is no problem, only using sastoken creted by HTTPS and HTTP in endpoint will fail.
Https only sastoken:
image
Http and Https sastoken:
image

@rickle-msft
Copy link
Contributor

Ok. It sounds like there may be a bug in how we are parsing the sas token from the url if it is already attached.

It sounds like you have an effective work around if you can continue to use the sasToken(String) method. In the meantime, we will look into resolving the actual issue when we have a bit more bandwidth.

@jongio jongio removed their assignment Apr 22, 2020
@tzhanl tzhanl added needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team manual-test-pass blocking-release Blocks release labels Jul 14, 2020
@tzhanl tzhanl added this to the [2020] August milestone Jul 14, 2020
@tzhanl
Copy link

tzhanl commented Aug 11, 2020

@rickle-msft any plan for this issue?

@rickle-msft
Copy link
Contributor

@tzhanl We haven't begun work on this yet. If this issue is affecting your work, I can look into scheduling time to fixing it.

@tzhanl
Copy link

tzhanl commented Aug 13, 2020
edited
Loading

@rickle-msft This bug found in April. It would be great if it can be resolved soon.

@Luyunmt
Copy link
Contributor Author

Luyunmt commented Aug 14, 2020

@rickle-msft

azure-storage-blob/azure-storage-file-datalake and azure-storage-queue/ azure -storage-file-share parse sastoken in endpoint with different methods.

#1 In package azure-storage-blob and azure-storage-file-datalake use Method
"com.azure.storage.blob.BlobUrlParts.parseQueryString(String queryParams)" in package azure-storage-blob to parse it.

image
image

"spr" is string[0]="http,https"

#2 In package azure-storage-queue and azure -storage-file-share use Method "com.azure.storage.common.implementation.StorageImplUtils.parseQueryStringSplitValues(String queryString)
" in package azure-storage-common to parse it.

image

"spr"is string[0]="https"

Different value of key "spr" is assigned. #1 is "http,https", #2 is string[0]="https" ( string[1]=http). Wrong spr was assigned in #2 and cause this bug.

@jongio
Copy link
Member

jongio commented Aug 14, 2020

@tzhanl - Do you want to try to do a PR for this?

@jongio
Copy link
Member

jongio commented Aug 14, 2020

@amishra-dev - Is this something you can help bump the pri on?

@rickle-msft rickle-msft mentioned this issue Aug 14, 2020
Merged
@jongio
Copy link
Member

jongio commented Aug 17, 2020

Thank you @rickle-msft !

@github-actions github-actions bot locked and limited conversation to collaborators Apr 12, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
blocking-release Blocks release Client This issue points to a problem in the data-plane of the library. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team Storage Storage Service (Queues, Blobs, Files) test-manual-pass
Projects
None yet
Milestone
[2020] August
Development

Successfully merging a pull request may close this issue.

Fixed a bug in queue and share sas parsing rickle-msft/azure-sdk-for-java
4 participants
@jongio @rickle-msft @tzhanl @Luyunmt