fog-aws presigned URLs can't GET object #476

Closed
opened 2025-12-28 17:37:32 +00:00 by sami · 1 comment
Owner

Originally created by @roman-khimov on GitHub (Dec 17, 2024).

Originally assigned to: @smallhive on GitHub.

Current Behavior

GitLab can't fetch objects, it goes with

GET /gitlab-uploads/%40hashed/4e/07/4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/d641b448e9f53145e5bb5a6e20fb6917/image.png?response-content-disposition=inline%3B%20filename%3D%22image.png%22%3B%20filename%2A%3DUTF-8%27%27image.png&response-content-type=image%2Fpng&X-Amz-Expires=600&X-Amz-Date=20241217T100211Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=2i7FYHMcwNwktZ2bg6YvzTWohFpqXQZiEa3sayCJTc8Z0Eewc5G4BGHnu9f4Ccu8fWshFaVr5S4bC6fhzMnSfYzym%2F20241217%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=f4ba80e4155fc8ec3867b3da85d9b12b769c00044c8eb2a65f2a5918dc9c94b6

But it fails:

<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message><Key>@hashed/4e/07/4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/d641b448e9f53145e5bb5a6e20fb6917/image.png</Key><BucketName>gitlab-uploads</BucketName><Resource>/gitlab-uploads/@hashed/4e/07/4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/d641b448e9f53145e5bb5a6e20fb6917/image.png</Resource><RequestId>4cbc44d2-b41b-4974-936b-5612c412735b</RequestId><HostId>c9ed11c7-020d-4d93-b282-39a41516e49a</HostId></Error>

It's a presigned URL, but somewhat special one. Gitlab uses https://github.com/fog/fog-aws

Expected Behavior

Success.

Possible Solution

Fix it.

Steps to Reproduce

Configure GL to store objects in some network available via S3 gateway, add an image, try fetching it.

Context

Happens in production.

Your Environment

  • Version of the product used: 0.33.0
  • Operating System and version (uname -a): Debian stable
Originally created by @roman-khimov on GitHub (Dec 17, 2024). Originally assigned to: @smallhive on GitHub. ## Current Behavior GitLab can't fetch objects, it goes with ``` GET /gitlab-uploads/%40hashed/4e/07/4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/d641b448e9f53145e5bb5a6e20fb6917/image.png?response-content-disposition=inline%3B%20filename%3D%22image.png%22%3B%20filename%2A%3DUTF-8%27%27image.png&response-content-type=image%2Fpng&X-Amz-Expires=600&X-Amz-Date=20241217T100211Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=2i7FYHMcwNwktZ2bg6YvzTWohFpqXQZiEa3sayCJTc8Z0Eewc5G4BGHnu9f4Ccu8fWshFaVr5S4bC6fhzMnSfYzym%2F20241217%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=f4ba80e4155fc8ec3867b3da85d9b12b769c00044c8eb2a65f2a5918dc9c94b6 ``` But it fails: ``` <Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message><Key>@hashed/4e/07/4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/d641b448e9f53145e5bb5a6e20fb6917/image.png</Key><BucketName>gitlab-uploads</BucketName><Resource>/gitlab-uploads/@hashed/4e/07/4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/d641b448e9f53145e5bb5a6e20fb6917/image.png</Resource><RequestId>4cbc44d2-b41b-4974-936b-5612c412735b</RequestId><HostId>c9ed11c7-020d-4d93-b282-39a41516e49a</HostId></Error> ``` It's a presigned URL, but somewhat special one. Gitlab uses https://github.com/fog/fog-aws ## Expected Behavior Success. ## Possible Solution Fix it. ## Steps to Reproduce Configure GL to store objects in some network available via S3 gateway, add an image, try fetching it. ## Context Happens in production. ## Your Environment * Version of the product used: 0.33.0 * Operating System and version (`uname -a`): Debian stable
sami 2025-12-28 17:37:32 +00:00
  • closed this issue
  • added the
    bug
    S4
    I4
    U1
    labels
Author
Owner
@roman-khimov commented on GitHub (Dec 18, 2024): Related to #39, #529. References: * https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/aws/signer/v4#hdr-Pre_escaping_a_request_URI * https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/aws/signer/v4#SignerOptions
Sign in to join this conversation.
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
nspcc-dev/neofs-s3-gw#476
No description provided.