blob/azureblob: Using a SAS token no longer works #2933

Closed
stanhu opened this issue Dec 18, 2020 · 8 comments · Fixed by #2934

stanhu commented Dec 18, 2020

Describe the bug

Before #2873, setting the environment variable AZURE_STORAGE_SAS_TOKEN would work fine because the default behavior was to open the bucket via the environment: https://github.com/google/go-cloud/pull/2873/files#diff-9ee8a1ad2dadc385fec784185cfeacacb8796a02b4da3b576dfe5e3a9346d753L154-R169

Now, an account key MUST be provided for that to work, but that defeats the purpose of the SAS token in the first place.

To Reproduce

Attempt to download or upload a blob with AZURE_STORAGE_SAS_TOKEN and AZURE_STORAGE_ACCOUNT. Azure will attempt to access the file publicly:

```
FATAL: blob (key "myblob") (code=Unknown): write error: -> github.com/Azure/azure-storage-blob-go/azblob.newStorageError, /Users/stanhu/.gvm/pkgsets/go1.15.3/global/pkg/mod/github.com/!azure/azure-storage-blob-go@v0.11.0/azblob/zc_storage_error.go:42
===== RESPONSE ERROR (ServiceCode=PublicAccessNotPermitted) =====
Description=Public access is not permitted on this storage account.
```

Expected behavior

The upload works.

Version

v0.21.0

Additional context

I think the fix here should be to tweak that if statement to look at sasToken.

vangent commented Dec 18, 2020

@chrismellard

stanhu commented Dec 18, 2020

I cleaned my module cache, but I'm seeing this:

```
verifying github.com/Azure/azure-storage-blob-go@v0.12.0: checksum mismatch
	downloaded: h1:LEu0WO1uxAkeJFuNTZR+xxUpIoRUwOXgA2ipS798Ycc=
	go.sum:     h1:7bFXA1QB+lOK2/ASWHhp6/vnxjaeeZq6t8w1Jyp0Iaw=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.
```

stanhu added a commit to stanhu/go-cloud that referenced this issue Dec 18, 2020
Prior to google#2873, setting the
environment variable `AZURE_STORAGE_SAS_TOKEN` would work because the
default behavior was to open the bucket via the environment. However,
that pull request changed the behavior to only use the environment if an
account key were provided, but the SAS token can be thought of as a
temporary key.

To fix this, we check whether an account key or a SAS token is
provided. If one of them is available, open the container with the
environment.

Closes google#2933
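
The credential-selection change described in the commit message above, modelled as an added example (not code from the thread or from go-cloud). The function names, the `AZURE_STORAGE_KEY` variable name, the key-before-SAS precedence and the downgrade check are assumptions of this sketch.

```go
package main

import "fmt"

// Mode is the credential an opener would attach to requests.
type Mode string

const (
	Anonymous Mode = "anonymous" // unsigned request; the service treats it as public access
	SharedKey Mode = "shared-key"
	SAS       Mode = "sas-token"
)

// selectBefore models the regressed check from the issue: the environment
// is used only when an account key is set, so a SAS-only setup goes anonymous.
func selectBefore(env map[string]string) Mode {
	if env["AZURE_STORAGE_KEY"] != "" {
		return SharedKey
	}
	return Anonymous
}

// selectAfter models the fix: an account key or a SAS token is enough.
// Preferring the key when both are set is an assumption of this sketch.
func selectAfter(env map[string]string) Mode {
	switch {
	case env["AZURE_STORAGE_KEY"] != "":
		return SharedKey
	case env["AZURE_STORAGE_SAS_TOKEN"] != "":
		return SAS
	}
	return Anonymous
}

// checkNoSilentDowngrade fails closed when a credential was supplied but the
// selector would still send unsigned requests.
func checkNoSilentDowngrade(env map[string]string, sel func(map[string]string) Mode) error {
	supplied := env["AZURE_STORAGE_KEY"] != "" || env["AZURE_STORAGE_SAS_TOKEN"] != ""
	if got := sel(env); supplied && got == Anonymous {
		return fmt.Errorf("credential present in environment but opener chose %s access", got)
	}
	return nil
}

func main() {
	// Constructed environment: account name plus a placeholder SAS token, no account key.
	env := map[string]string{"AZURE_STORAGE_ACCOUNT": "exampleacct", "AZURE_STORAGE_SAS_TOKEN": "<sas-token-placeholder>"}
	fmt.Println("before:", selectBefore(env), checkNoSilentDowngrade(env, selectBefore))
	fmt.Println("after: ", selectAfter(env), checkNoSilentDowngrade(env, selectAfter))
}
```

A check like `checkNoSilentDowngrade` turns the unexpected anonymous fallback into a local configuration error rather than a `PublicAccessNotPermitted` response from the service.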

vangent commented Dec 18, 2020

The module cache thing appears to be Azure's fault; they moved a tag.
Azure/azure-storage-blob-go#236 (comment)

chrismellard commented Dec 18, 2020

I'll take a look later on today around pushing a fix for this (and add some unit tests around this hopefully)

stanhu commented Dec 18, 2020

I submitted a fix in #2934.

@chrismellard

Or not :) Too slow

vangent commented Dec 18, 2020

@chrismellard thanks! A review of #2934 would be great though.

stanhu commented Dec 18, 2020

I submitted #2935 to pin the version to the pseudo-version, so I'll need to update #2934 accordingly.
