Regression in recent version of Storage Explorer fails to download files due to response 403 ServiceCode=AuthenticationFailed

[maburlik]

Storage Explorer Version: 1.11.1
Build Number: 20191121.1
Platform/OS: Windows 10
Architecture: ia32
Regression From: Another recent version, probably 1.1x. My coworker's 1.0 version does not have this issue.

Bug Description

Microsoft Service Fabric team uses Azure Storage Explorer to download specific files from storage accounts using SAS keys generated through ACIS. I am able to open and list the set of files contained in the Azure Storage container through ASE, but when I go to download a file I receive the error:

failed to perform copy command due to error: cannot start job due to error: cannot list blobs. Failed with error -> github.com/Azure/azure-storage-blob-go/azblob.newStorageError, /home/vsts/go/pkg/mod/github.com/!azure/azure-storage-blob-go@v0.7.0/azblob/zc_storage_error.go:42
===== RESPONSE ERROR (ServiceCode=AuthenticationFailed) =====
Description=Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:0f74d2cd-a01e-0024-3808-b53cfc000000
Time:2019-12-17T18:33:10.5068500Z, Details: 
   AuthenticationErrorDetail: Signature did not match. String to sign used was suptlogllrqes6to57a2
rl
bt
sco

2019-12-18T01:45:50Z


2015-04-05

   Code: AuthenticationFailed
   GET https://suptlogllrqes6to57a2.blob.core.windows.net/fabriclogs-862777af-b0d0-4e71-9f5d-1833627173b4?comp=list&include=metadata&prefix=_nt0_0%2Fbootstrap%2Fe3083346caa3d3825857fb86a14347c9_fabricdeployer-637117210176601136.trace%2F&restype=container&se=2019-12-18t01%3A45%3A50z&sig=-REDACTED-&sp=rl&srt=sco&ss=bt&sv=2015-04-05&timeout=901
   User-Agent: [AzCopy/10.3.2 Azure-Storage/0.7 (go1.13; Windows_NT)]
   X-Ms-Client-Request-Id: [b6f50795-cda9-4dc7-6a1d-b6106a1b0484]
   X-Ms-Version: [2018-03-28]
   --------------------------------------------------------------------------------
   RESPONSE Status: 403 Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
   Content-Length: [490]
   Content-Type: [application/xml]
   Date: [Tue, 17 Dec 2019 18:33:09 GMT]
   Server: [Microsoft-HTTPAPI/2.0]
   X-Ms-Error-Code: [AuthenticationFailed]
   X-Ms-Request-Id: [0f74d2cd-a01e-0024-3808-b53cfc000000]


.

The ACIS job owner had expressed we have not changed the SAS key generation logic so there has been no change in privileges in our workflow from our end that could result in this issue. My coworker's 1.0 version does not hit this issue. The SAS key we use is minimum privilege and not all access so a delta in the required privilege to download files is a regression for us.

Seems like there may have been a perf optimization or other change in ASE that resulted in a change to minimum privilege to download files from Azure Storage.

Steps to Reproduce

1. Create Service Fabric cluster through Azure Portal.
2. Generate SAS key through ACIS to access traces.
3. Download a file using Azure Storage Explorer v1.11.1.

Expected Experience

File is downloaded successfully.

Actual Experience

Error response 403; ServiceCode=AuthenticationFailed

Additional Context

The SAS key we use is minimum privilege. I can supply this directly over IM. My alias is maburlik.

[maburlik]

I will be using the 1.0 version my coworker has shared with me for now. It does not hit this issue with the exact same SAS key:

[maburlik]

Tested a few releases from https://github.com/microsoft/AzureStorageExplorer/releases
1.10.1 does not reproduce
1.11.0 has the issue

[jinglouMSFT]

The error message came from AzCopy so I am not surprised that you don't see it in 1.10.1. If you have time to help us narrow down the issue, in 1.10.1, could you turn on AzCopy (in Preview) and give it a try? I am just interested in knowing whether this was a problem in the older version of AzCopy. Thanks.
BTW, we are investigating the issue as we speak.

[maburlik]

1.10.1 /w AzCopy preview feature works

[JasonYeMSFT]

Issue caused by AzCopy not parsing the timestamp in the SAS correctly.
Related issue Azure/azure-storage-azcopy#122

[MRayermannMSFT]

This has been fixed in AzCopy 10.5. We'll be updating the integrated version to that in release 1.14.1. The integration update has been merged.

[maburlik]

Confirmed this is fixed, tried on 1.20.0 azcopy 10.11.0.