Project: Artifactory Binary Repository
Issue: RTFACT-19728

Some clients will (incorrectly) resend Bearer or Basic Authorization headers on the S3 Direct Cloud storage download redirect, which results in a 400 Bad Request response


    Details

    • Type: Task
    • Status: Done
    • Priority: 1 - Blocker
    • Resolution: Done
    • Affects Version/s: 6.11.0, 6.11.3
    • Fix Version/s: None
    • Component/s: Access Tokens, S3
    • Labels: None
    • Regression: Yes

      Description

      Summary:

      Authenticating against Artifactory with an access token ("Authorization: Bearer accessToken") or with base64-encoded username credentials ("Authorization: Basic base64EncodedCreds") in order to download an artifact from a repository with S3 Direct Cloud storage download enabled results in a 400 Bad Request from Amazon's S3 service. S3 rejects the request because it carries more than one authentication type: the Bearer/Basic authentication that is bound to Artifactory is incorrectly forwarded to Amazon's S3 service after the redirect from Artifactory.

      • The cause seems to depend on the HTTP client version, since it is actually the client's decision whether to re-send credentials after the redirect.
      • Reproduces on Artifactory's K8S SaaS platform with curl 7.54.0.
      • Gradle fails on all versions (against maven repos)
      • Relevant system property: artifactory.list.of.repos.allowed.send.redirect.url=Maven,Docker,Debian,Npm

      Steps to reproduce:

      1. Upload a file (by default it must be larger than 1MB for the download to be redirected) to any of the enabled repositories: Maven, Npm, Debian, Docker

      2. Generate a permissive access token:

      $ curl -u username -XPOST "RESTRICTED_URL1" -d "username=johnq" -d "scope=member-of-groups:readers"
      

      Export it as an environment variable to avoid handling the long token string:

      $ export TOKEN={accessToken}
      

      Use the token to get the artifact:

      curl -i -Lvv -H "Authorization: Bearer $TOKEN" RESTRICTED_URL2
      

      Or

      Encode your credentials as base64 and send them with curl using an explicit -H header:

      $ echo -n 'tester:passwrd' | openssl base64
      
      $ curl -H "Authorization: Basic RESTRICTED_TOKEN" RESTRICTED_URL2
      

      3. Observe the following response (after the 302 redirect):

      < HTTP/1.1 400 Bad Request
      < x-amz-request-id:
      < x-amz-id-2://=
      < Content-Type: application/xml
      < Transfer-Encoding: chunked
      < Date: Wed, 24 Jul 2019 13:30:56 GMT
      < Connection: close
      < Server: AmazonS3
      <
      <?xml version="1.0" encoding="UTF-8"?>
      * Closing connection 1
      * TLSv1.2 (OUT), TLS alert, Client hello (1):
      <Error><Code>InvalidArgument</Code><Message>Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter, Signature query string parameter or the Authorization header should be specified</Message><ArgumentName>Authorization</ArgumentName><ArgumentValue>Bearer *****************************
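The redirect hop from steps 2 and 3, as an added example that is not part of this issue, of Artifactory, or of curl: it models the header handling a client needs on the 302 to the pre-signed S3 URL (drop the Artifactory-bound Authorization header when the host changes or the target URL is already signed) and recognises the S3 error body shown above. The host names, bucket path, token and signature values are made up.

```python
# Added example, not Artifactory or curl code: models the redirect-hop header
# handling that avoids the S3 400 in this issue and recognises the S3 error body.
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Query parameters that mean the URL is already pre-signed (S3 query-string auth).
S3_QUERY_AUTH_PARAMS = {"X-Amz-Algorithm", "X-Amz-Signature", "Signature", "AWSAccessKeyId"}

def url_carries_s3_query_auth(url):
    return any(p in parse_qs(urlsplit(url).query) for p in S3_QUERY_AUTH_PARAMS)

def count_auth_mechanisms(url, headers):
    """Auth mechanisms S3 would see on one request; it accepts exactly one."""
    has_header = any(k.lower() == "authorization" for k in headers)
    return int(has_header) + int(url_carries_s3_query_auth(url))

def headers_for_redirect(original_url, original_headers, location):
    """Headers to send when following a redirect to `location`: the Artifactory-bound
    Authorization header (Bearer or Basic) is dropped when the hop changes host or the
    target is pre-signed (curl 7.58.0+ does this for -H headers; 7.54.0 did not)."""
    same_host = urlsplit(original_url).netloc.lower() == urlsplit(location).netloc.lower()
    if same_host and not url_carries_s3_query_auth(location):
        return dict(original_headers)
    return {k: v for k, v in original_headers.items() if k.lower() != "authorization"}

def is_double_auth_error(status, body):
    """Recognise S3's 'Only one auth mechanism allowed' rejection quoted in step 3."""
    if status != 400:
        return False
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    return (root.tag == "Error" and root.findtext("Code") == "InvalidArgument"
            and root.findtext("ArgumentName") == "Authorization")

# Constructed sample data shaped like the exchange in the steps above (all values made up).
ARTIFACTORY_URL = "https://example.jfrog.io/artifactory/libs-release/com/acme/app/1.0/app-1.0.jar"
CLIENT_HEADERS = {"Authorization": "Bearer TOKEN_PLACEHOLDER", "User-Agent": "curl/7.54.0"}
S3_LOCATION = ("https://example-bucket.s3.amazonaws.com/filestore/ab/abcd1234"
               "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=30&X-Amz-Signature=0123abcd")
S3_ERROR_BODY = (b'<?xml version="1.0" encoding="UTF-8"?><Error><Code>InvalidArgument</Code>'
                 b"<Message>Only one auth mechanism allowed</Message>"
                 b"<ArgumentName>Authorization</ArgumentName><ArgumentValue>Bearer ***</ArgumentValue></Error>")

if __name__ == "__main__":
    fixed = headers_for_redirect(ARTIFACTORY_URL, CLIENT_HEADERS, S3_LOCATION)
    print("buggy hop sends", count_auth_mechanisms(S3_LOCATION, CLIENT_HEADERS), "auth mechanisms")  # 2
    print("fixed hop sends", count_auth_mechanisms(S3_LOCATION, fixed), "auth mechanism")  # 1
    print("S3 error recognised:", is_double_auth_error(400, S3_ERROR_BODY))  # True
```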
      

            People

            Assignee: Unassigned
            Reporter: Andrei Komarov (andreik) (Inactive)