B2 fails with app key limited to specific buckets

[cyberduck]

db1fac5 created the issue

Regression from <7.0

When opening connection, b2_list_buckets will fail if the app key in-use is limited to one bucket. 6.9 would list one bucket, 7.0 errors and breaks authorization flow.

Reproduction:

1. Create B2 app key limited to one bucket
2. Attempt connection POST /b2api/v2/b2_list_buckets HTTP/1.1

Error: 401 Listing Directory / Failed

https://www.backblaze.com/b2/docs/application_keys.html#usingRestrictedKeys

Most of the API calls that deal with buckets or files use a bucketId to identify a bucket. But, when using an application key that restricts access to just one bucket, you can't use b2_list_buckets to list all the buckets.

When there is a bucket restriction, the bucketId and the bucketName for that bucket are in the response from b2_authorize_account in the allowed section. You can then use that bucketId in all of your later calls.

[cyberduck]

@dkocher commented

What capabilities do you have assigned to the application key? Please post the transcript from the log drawer (⌘-L).

[cyberduck]

@dkocher commented

I cannot reproduce this issue with an application key with the capabilities listBuckets, listFiles, readFiles, shareFiles.

[cyberduck]

db1fac5 commented

Traced it. The application keys were limited to a single bucket. An application key with "All" for buckets works. An application key with just one bucket fails. Probably on t he new apiv2 list buckets?

-capabilities:* deleteFiles, listBuckets, listFiles, readFiles, shareFiles, writeFiles

-Old Flow 6.9*

GET /b2api/v1/b2_authorize_account HTTP/1.1
Authorization: ********
Host: api.backblazeb2.com
Connection: Keep-Alive
User-Agent: Cyberduck/6.9.4.30164 (Windows 10/10.0) (x86)
Accept-Encoding: gzip,deflate
HTTP/1.1 200 
Cache-Control: max-age=0, no-cache, no-store
Content-Type: application/json;charset=utf-8
Content-Length: 608
Date: Thu, 06 Jun 2019 15:54:41 GMT
POST /b2api/v1/b2_list_buckets HTTP/1.1
Authorization: ********
Content-Length: 28
Content-Type: application/json; charset=UTF-8
Host: api000.backblazeb2.com
Connection: Keep-Alive
User-Agent: Cyberduck/6.9.4.30164 (Windows 10/10.0) (x86)
Accept-Encoding: gzip,deflate
HTTP/1.1 200 
Cache-Control: max-age=0, no-cache, no-store
Content-Type: application/json;charset=utf-8
Content-Length: 279
Date: Thu, 06 Jun 2019 15:54:42 GMT

7.00 connection flow

[Window Title]
Error

[Main Instruction]
Listing directory / failed.

[Content]
Please contact your web hosting service provider for assistance.

[Expanded Information]
POST /b2api/v2/b2_list_buckets HTTP/1.1
Authorization: ********
Content-Length: 28
Content-Type: application/json; charset=UTF-8
Host: api000.backblazeb2.com
Connection: Keep-Alive
User-Agent: Cyberduck/7.0.0.30869 (Windows 10/10.0) (x86)
Accept-Encoding: gzip,deflate
HTTP/1.1 401 
Cache-Control: max-age=0, no-cache, no-store
Content-Type: application/json;charset=utf-8
Content-Length: 62
Date: Thu, 06 Jun 2019 16:02:25 GMT
GET /b2api/v2/b2_authorize_account HTTP/1.1
Authorization: ********
Host: api.backblazeb2.com
Connection: Keep-Alive
User-Agent: Cyberduck/7.0.0.30869 (Windows 10/10.0) (x86)
Accept-Encoding: gzip,deflate
HTTP/1.1 200 
Cache-Control: max-age=0, no-cache, no-store
Content-Type: application/json;charset=utf-8
Content-Length: 576
Date: Thu, 06 Jun 2019 16:02:30 GMT
POST /b2api/v2/b2_list_buckets HTTP/1.1
Authorization: ********
Content-Length: 28
Content-Type: application/json; charset=UTF-8
Host: api000.backblazeb2.com
Connection: Keep-Alive
User-Agent: Cyberduck/7.0.0.30869 (Windows 10/10.0) (x86)
Accept-Encoding: gzip,deflate
HTTP/1.1 401 
Cache-Control: max-age=0, no-cache, no-store
Content-Type: application/json;charset=utf-8
Content-Length: 62
Date: Thu, 06 Jun 2019 16:02:30 GMT


[^] Hide details  [Try Again] [Cancel]

[Footer]
Help

[cyberduck]

db1fac5 commented

Ok there is a change in the API in v2.

v2: Remove application key workaround (Sept 13, 2018)
Listing buckets will always return all buckets, unless you ask for just one by specifying bucketName or bucketId. **If you ask for all buckets and your application key is restricted to one bucket, the call is unauthorized.**

I see though in the Authorize response JSON it does return:

 "allowed": {
        "bucketId": "****",
        "bucketName": "AAABCC",

So that you don't need to actually call the list_buckets separately.

[cyberduck]

db1fac5 commented

Opened a SynampticLoop backblaze-b2-java-api ticket. Looks like the error is ultimately with its handling of the login flow.

synapticloop/backblaze-b2-java-api#41

Need to add the "allowed" field to the client object. And list_buckets needs to conditionally check for a like getAllowedBuckets() length !> 0 before submitting a request.

Could you feasibly just use the /v1/ api for just the list_buckets command? Since it doesn't fail in 6.9? Easy band-aid solution?

[cyberduck]

@dkocher commented

Upstream in (iterate-ch/backblaze-b2-java-api#4).

[cyberduck]

@dkocher commented

In b15532c.