[
https://issues.apache.org/jira/browse/JCLOUDS-1595?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17480467#comment-17480467
]
Jim Sermersheim edited comment on JCLOUDS-1595 at 1/23/22, 2:06 AM:
--------------------------------------------------------------------
Thanks [~gaul]. It turns out my first stab at a fix was naive.
The real issue is that
org.jclouds.s3.filters.Aws4SignerBase#getCanonicalizedQueryString is
percent-encoding the '/' while url-encoding the query string.
https://datatracker.ietf.org/doc/html/rfc3986#section-3.4 and the URI class
agree that '/' should not be encoded in query strings.
Because '/' chars in query params are encoded in
Aws4SignerForAuthorizationHeader, but not in the HTTP URL, the S3 server fails
the auth.
I'll fix the description and post a completely different PR later.
> ListBucketOptions methods should URLEncode values
> -------------------------------------------------
>
> Key: JCLOUDS-1595
> URL: https://issues.apache.org/jira/browse/JCLOUDS-1595
> Project: jclouds
> Issue Type: Bug
> Components: jclouds-blobstore
> Affects Versions: 2.4.0
> Reporter: Jim Sermersheim
> Priority: Minor
> Labels: s3
> Time Spent: 40m
> Remaining Estimate: 0h
>
> When org.jclouds.s3.options.ListBucketOptions calls {{queryParameters.put}}
> any string values should be url encoded.
> This is currently causing a bug when jclouds is used to list with a prefix
> against NetApp's ONTAP S3 server (version 9.10.1). The calculation of the S3
> V4 signature differs between JClouds and the NetApp because the NetApp is
> calculating it with escaped slashes (in the observed case, the delimiter was
> "/" and the prefix ended with a "/"). Both need to be escaped as %2F prior to
> building the Authorization header.
> For reference, the error coming back from the NetApp ONTAP is a 403 with the
> message: "The request signature we calculated does not match the signature
> you provided. Check your key and signing method."
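The mismatch discussed in this thread, as an added example that is not part of the original messages and is not jclouds code: a minimal AWS Signature Version 4 computation in which the client and the server treat '/' differently when building the canonical query string, so the two signatures diverge and the request is rejected. The host, region, date, secret and prefix are constructed values, and the function names are hypothetical.

```python
import hashlib
import hmac
from urllib.parse import quote

def canonical_query(params, slash_safe):
    """Sorted, percent-encoded query string; slash_safe leaves '/' literal."""
    safe = "-_.~/" if slash_safe else "-_.~"
    pairs = sorted((quote(k, safe=safe), quote(v, safe=safe)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sigv4_signature(secret, params, slash_safe, host="s3.example.test",
                    amz_date="20220123T020600Z", region="us-east-1"):
    """SigV4 signature for 'GET /?<params>' with an empty body (constructed request)."""
    payload_hash = hashlib.sha256(b"").hexdigest()
    canonical_request = "\n".join([
        "GET", "/", canonical_query(params, slash_safe),
        f"host:{host}\nx-amz-content-sha256:{payload_hash}\nx-amz-date:{amz_date}\n",
        "host;x-amz-content-sha256;x-amz-date", payload_hash])
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()
    for part in (amz_date[:8], region, "s3", "aws4_request"):
        key = _hmac(key, part)  # derive the signing key step by step
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

def server_accepts(secret, params, client_sig, server_slash_safe):
    """Server side: recompute with its own encoding rule, compare in constant time."""
    expected = sigv4_signature(secret, params, server_slash_safe)
    return hmac.compare_digest(expected, client_sig)

# Constructed sample: the listing from the report, delimiter "/" and a prefix ending in "/".
SECRET = "EXAMPLE-SECRET-KEY"
LISTING = {"prefix": "logs/2022/", "delimiter": "/"}

if __name__ == "__main__":
    client_sig = sigv4_signature(SECRET, LISTING, slash_safe=False)
    print("client canonical query:", canonical_query(LISTING, False))
    print("server canonical query:", canonical_query(LISTING, True))
    print("accepted, same rule    :", server_accepts(SECRET, LISTING, client_sig, False))
    print("accepted, rule differs :", server_accepts(SECRET, LISTING, client_sig, True))
```

A listing whose parameters contain no '/' signs identically under both rules, which is why the failure only appears with a prefix or delimiter that includes a slash.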