New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OADP-659 Remove HTTP/HTTPS port numbers from AWS S3 URLs. #1169
Conversation
Avoids a signature mismatch from S3-compatible services. Signed-off-by: Matthew Arnold <marnold@redhat.com>
// (80 for HTTP and 443 for HTTPS) before calculating a signature, and not | ||
// all S3-compatible services do this. Remove the ports here to avoid 403 | ||
// errors from mismatched signatures. | ||
if bslSpec.Provider == "aws" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This code will get executed for minio as well as noobaa, right ? Any idea if we need this port stripping for them too ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, it needs to run for anything that goes through the AWS SDK. I don't know if minio already deals with this, but I will try it and see. I think this change shouldn't cause any existing working connection types to stop working.
master do not support 4.10 anyways :) |
@kaovilai: Overrode contexts on behalf of kaovilai: ci/prow/4.10-operator-e2e-aws In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@mrnold: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
On further testing, I found that you can configure a self-signed certificate that is only valid for the URL with the port number. I think removing this port number directly from the BSL will make it (the BSL) unusable. I don't know if it's a common practice to create certificates this way, but it is something to consider before merging this. |
pkg/bucket/aws.go
Outdated
|
||
// StripDefaultPorts removes port 80 from HTTP URLs and 443 from HTTPS URLs. | ||
// Defer to the actual AWS SDK implementation to match its behavior exactly. | ||
func StripDefaultPorts(fromUrl string) (string, error) { | ||
u, err := url.Parse(fromUrl) | ||
if err != nil { | ||
return "", err | ||
} | ||
r := http.Request{ | ||
URL: u, | ||
} | ||
request.SanitizeHostForHeader(&r) | ||
r.URL.Host = r.Host | ||
return r.URL.String(), nil | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM but I would move this to more generic place.. maybe util.go you never know when this might be needed for non aws.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay, I tried moving this to pkg/common.
Could be a flag to disable the port stripping and we would note that this is not supported workflow for imagestream backup. |
I think the usage is rare enough.. I would prefer we comment cert for "ported" URL is possible but not recommended (and so we wait for a cu request for a flag to support it) unless it's already being done for some openshift components (ODF/Noobaa) this way. |
Can we quickly verify that the openshift router does not generate certs that way? |
Signed-off-by: Matthew Arnold <marnold@redhat.com>
I don't think it does, although I am not 100% sure how to verify this. I opened Networking->Routes in the OpenShift console, clicked a few of the externally-accessible links, and looked at the certificates each one provided. Does that cover what you were hoping to see? I didn't see any :80s or :443s attached to DNS names, and I think it would be kind of weird if there were any. |
then I think we're clear here. If you could point me to where in aws sdk is doing this and why aws BSL for normal backup do not hit this would be great as well. |
@kaovilai Is this what you wanted for reference? https://github.com/aws/aws-sdk-go/blob/v1.45.20/aws/request/request.go#L717 |
yup. Guess now my question is why BSL doesn't break.. but imagestream copy does. |
/override ci/prow/4.10-operator-e2e-aws 4.10 ci no longer works on master. should be removed soon. |
@kaovilai: Overrode contexts on behalf of kaovilai: ci/prow/4.10-operator-e2e-aws, ci/prow/4.10-operator-e2e-azure In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
pkg/common/common.go
Outdated
@@ -198,3 +201,18 @@ func CCOWorkflow() bool { | |||
} | |||
return false | |||
} | |||
|
|||
// StripDefaultPorts removes port 79 from HTTP URLs and 443 from HTTPS URLs. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// StripDefaultPorts removes port 79 from HTTP URLs and 443 from HTTPS URLs. | |
// StripDefaultPorts removes port 80 from HTTP URLs and 443 from HTTPS URLs. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have no idea how this happened.
Signed-off-by: Matthew Arnold <marnold@redhat.com>
/override ci/prow/4.10-operator-e2e-aws |
@kaovilai: Overrode contexts on behalf of kaovilai: ci/prow/4.10-operator-e2e-aws, ci/prow/4.10-operator-e2e-azure In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@mrnold: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: kaovilai, mrnold, shubham-pampattiwar The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
||
// StripDefaultPorts removes port 80 from HTTP URLs and 443 from HTTPS URLs. | ||
// Defer to the actual AWS SDK implementation to match its behavior exactly. | ||
func StripDefaultPorts(fromUrl string) (string, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
here I ran a test focusing on IBM and was not successful
func TestStripDefaultPorts(t *testing.T) {
base := "https://s3.region.cloud-object-storage.appdomain.cloud/bucket-name"
want := "https://s3.region.cloud-object-storage.appdomain.cloud/bucket-name"
t.Run("original URL is returned", func(t *testing.T) {
got, err := StripDefaultPorts(base)
if err != nil {
t.Errorf("An error occurred: %v", err)
}
if !reflect.DeepEqual(got, want) {
t.Errorf("StripDefaultPorts() = %v, want %v", got, want)
}
})
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Add a test case and fix?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is a new test case, right Mateus? Thanks for adding this. In this test, StripDefaultPorts correctly extracts the host name from the URL, but then overwrites it with a blank string. That blank string comes from an HTTP request field that is not blank when running against a real AWS cluster. I will add a fix that should get this test working.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should fix it: #1177
…1169) * OADP-659 Remove port numbers if HTTP or HTTPS. Avoids a signature mismatch from S3-compatible services. Signed-off-by: Matthew Arnold <marnold@redhat.com> * OADP-659 Move StripDefaultPorts to pkg/common. Signed-off-by: Matthew Arnold <marnold@redhat.com> * OADP-659 Fix port number in comment. Signed-off-by: Matthew Arnold <marnold@redhat.com> --------- Signed-off-by: Matthew Arnold <marnold@redhat.com>
… AWS S3 URLs. (#1180) * OADP-659 Remove HTTP/HTTPS port numbers from AWS S3 URLs. (#1169) * OADP-659 Remove port numbers if HTTP or HTTPS. Avoids a signature mismatch from S3-compatible services. Signed-off-by: Matthew Arnold <marnold@redhat.com> * OADP-659 Move StripDefaultPorts to pkg/common. Signed-off-by: Matthew Arnold <marnold@redhat.com> * OADP-659 Fix port number in comment. Signed-off-by: Matthew Arnold <marnold@redhat.com> --------- Signed-off-by: Matthew Arnold <marnold@redhat.com> * OADP-659 Avoid overwriting good hostname. (#1177) SanitizeHostForHeader puts the stripped host name into the Host field of the HTTP request, but only if it actually needed to strip the port. If there is already no port, that Host field can be blank, and there is no reason to overwrite the URL's host field. Signed-off-by: Matthew Arnold <marnold@redhat.com> --------- Signed-off-by: Matthew Arnold <marnold@redhat.com>
Address OADP-659 by removing explicit port numbers from HTTP and HTTPS S3 URLs. The AWS SDK removes these before calculating a signature for blob access, and some S3-compatible servers do not expect this, causing a signature mismatch. Actual alternate port numbers (anything but 80 or 443) are unaffected.