Azure / azure-sdk-for-python

This repository is for active development of the Azure SDK for Python. For consumers of the SDK we recommend visiting our public developer docs at https://learn.microsoft.com/python/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-python.

"Incorrect padding" while attempting to check if blob exists #36379

Closed roy-work closed 1 month ago

roy-work commented 1 month ago

Describe the bug

A call to BlobClient.exists fails after a huge delay with:

Traceback (most recent call last):
  File "/Users/roy/workspace/infrastructure/tools/pk-vm-bootstrap/argus-crawl/venv/lib/python3.12/site-packages/azure/storage/blob/_shared/authentication.py", line 128, in _add_authorization_header
    signature = sign_string(self.account_key, string_to_sign)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/roy/workspace/infrastructure/tools/pk-vm-bootstrap/argus-crawl/venv/lib/python3.12/site-packages/azure/storage/blob/_shared/__init__.py", line 45, in sign_string
    key = decode_base64_to_bytes(key)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/roy/workspace/infrastructure/tools/pk-vm-bootstrap/argus-crawl/venv/lib/python3.12/site-packages/azure/storage/blob/_shared/__init__.py", line 35, in decode_base64_to_bytes
    return base64.b64decode(data)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/python@3.12/3.12.3/Frameworks/Python.framework/Versions/3.12/lib/python3.12/base64.py", line 88, in b64decode
    return binascii.a2b_base64(s, strict_mode=validate)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
binascii.Error: Incorrect padding

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/Users/roy/workspace/infrastructure/tools/pk-vm-bootstrap/eng-vm-releases-replicate/replicate-installers.py", line 83, in <module>
    if blob_client.exists():
       ^^^^^^^^^^^^^^^^^^^^
  File "/Users/roy/workspace/infrastructure/tools/pk-vm-bootstrap/argus-crawl/venv/lib/python3.12/site-packages/azure/core/tracing/decorator.py", line 94, in wrapper_use_tracer
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/Users/roy/workspace/infrastructure/tools/pk-vm-bootstrap/argus-crawl/venv/lib/python3.12/site-packages/azure/storage/blob/_blob_client.py", line 1288, in exists
    process_storage_error(error)
  File "/Users/roy/workspace/infrastructure/tools/pk-vm-bootstrap/argus-crawl/venv/lib/python3.12/site-packages/azure/storage/blob/_shared/response_handlers.py", line 88, in process_storage_error
    raise storage_error
  File "/Users/roy/workspace/infrastructure/tools/pk-vm-bootstrap/argus-crawl/venv/lib/python3.12/site-packages/azure/storage/blob/_blob_client.py", line 1278, in exists
    self._client.blob.get_properties(
  File "/Users/roy/workspace/infrastructure/tools/pk-vm-bootstrap/argus-crawl/venv/lib/python3.12/site-packages/azure/core/tracing/decorator.py", line 94, in wrapper_use_tracer
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/Users/roy/workspace/infrastructure/tools/pk-vm-bootstrap/argus-crawl/venv/lib/python3.12/site-packages/azure/storage/blob/_generated/operations/_blob_operations.py", line 1881, in get_properties
    pipeline_response: PipelineResponse = self._client._pipeline.run(  # pylint: disable=protected-access
                                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/roy/workspace/infrastructure/tools/pk-vm-bootstrap/argus-crawl/venv/lib/python3.12/site-packages/azure/core/pipeline/_base.py", line 229, in run
    return first_node.send(pipeline_request)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/roy/workspace/infrastructure/tools/pk-vm-bootstrap/argus-crawl/venv/lib/python3.12/site-packages/azure/core/pipeline/_base.py", line 86, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/roy/workspace/infrastructure/tools/pk-vm-bootstrap/argus-crawl/venv/lib/python3.12/site-packages/azure/core/pipeline/_base.py", line 86, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/roy/workspace/infrastructure/tools/pk-vm-bootstrap/argus-crawl/venv/lib/python3.12/site-packages/azure/core/pipeline/_base.py", line 86, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  [Previous line repeated 2 more times]
  File "/Users/roy/workspace/infrastructure/tools/pk-vm-bootstrap/argus-crawl/venv/lib/python3.12/site-packages/azure/core/pipeline/policies/_redirect.py", line 197, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/roy/workspace/infrastructure/tools/pk-vm-bootstrap/argus-crawl/venv/lib/python3.12/site-packages/azure/core/pipeline/_base.py", line 86, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/roy/workspace/infrastructure/tools/pk-vm-bootstrap/argus-crawl/venv/lib/python3.12/site-packages/azure/storage/blob/_shared/policies.py", line 555, in send
    raise err
  File "/Users/roy/workspace/infrastructure/tools/pk-vm-bootstrap/argus-crawl/venv/lib/python3.12/site-packages/azure/storage/blob/_shared/policies.py", line 529, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/roy/workspace/infrastructure/tools/pk-vm-bootstrap/argus-crawl/venv/lib/python3.12/site-packages/azure/core/pipeline/_base.py", line 86, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/roy/workspace/infrastructure/tools/pk-vm-bootstrap/argus-crawl/venv/lib/python3.12/site-packages/azure/core/pipeline/_base.py", line 86, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/roy/workspace/infrastructure/tools/pk-vm-bootstrap/argus-crawl/venv/lib/python3.12/site-packages/azure/core/pipeline/_base.py", line 84, in send
    _await_result(self._policy.on_request, request)
  File "/Users/roy/workspace/infrastructure/tools/pk-vm-bootstrap/argus-crawl/venv/lib/python3.12/site-packages/azure/core/pipeline/_tools.py", line 49, in await_result
    result = func(*args, **kwargs)
             ^^^^^^^^^^^^^^^^^^^^^
  File "/Users/roy/workspace/infrastructure/tools/pk-vm-bootstrap/argus-crawl/venv/lib/python3.12/site-packages/azure/storage/blob/_shared/authentication.py", line 151, in on_request
    self._add_authorization_header(request, string_to_sign)
  File "/Users/roy/workspace/infrastructure/tools/pk-vm-bootstrap/argus-crawl/venv/lib/python3.12/site-packages/azure/storage/blob/_shared/authentication.py", line 134, in _add_authorization_header
    raise _wrap_exception(ex, AzureSigningError) from ex
azure.storage.blob._shared.authentication.AzureSigningError: Incorrect padding

To Reproduce

Steps to reproduce the behavior:

  1. I think this happens if one supplies an invalid access key; e.g., I get similar (but not the same) behavior with an (invalid) access key of "a".

Expected behavior

The error here needs to help me understand what's wrong; base64 padding has "nothing" to do with the API call here, and I had no idea at first what I'd done wrong, as I thought I had supplied a valid key.

The long timeout is equally weird; this should abort immediately … no?

The signature generation scheme here is, to a user of the API, an internal detail. I'm "lucky" in the sense that I've implemented it by hand before & know how it works (and that's what nudged me towards "maybe the key I supplied wasn't right?"), but a user who isn't familiar with how the signature scheme on the underlying API requests works is going to just be perplexed by this.

Screenshots

N/A

Additional context

I suspect this was previously reported here: https://github.com/Azure/azure-sdk-for-python/issues/35010

github-actions[bot] commented 1 month ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @jalauzon-msft @vincenttran-msft.

jalauzon-msft commented 1 month ago

Hi @roy-work Roy, thanks for the report. Yes, you are correct that this is almost certainly caused by an invalid shared key, specifically one that cannot be properly base64 decoded. The long timeout is due to the automatic retry policy of the SDK retrying this error a few times. The fact that this type of error is retried is not correct and #36431 has been created to fix that issue.

We will also consider catching this error and adjusting the error message to hint at the fact this is probably an issue with the shared key.
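
An added example, not part of the thread or the SDK: a local pre-flight check that decodes the shared key before any client is built, so a malformed key fails immediately with a message about the key instead of surfacing as "Incorrect padding" after retries. `SharedKeyFormatError`, `decode_shared_key`, `sign_with_checked_key` and `diagnose` are hypothetical names, the sample key is constructed, and the HMAC-SHA256 step assumes the Shared Key signing scheme the thread refers to.

```python
import base64
import binascii
import hashlib
import hmac
import re

# Constructed sample key (64 bytes, base64-encoded); not a real credential.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode("ascii")
_B64 = re.compile(r"[A-Za-z0-9+/]*={0,2}")


class SharedKeyFormatError(ValueError):
    """Hypothetical error type: raised locally, before any request is built."""


def decode_shared_key(key: str) -> bytes:
    """Decode an account key; messages never echo key material."""
    if not key:
        raise SharedKeyFormatError("account key is empty")
    if key != key.strip():
        raise SharedKeyFormatError("account key has surrounding whitespace")
    if not _B64.fullmatch(key):
        raise SharedKeyFormatError("account key has non-base64 characters")
    if len(key) % 4:
        raise SharedKeyFormatError(
            f"account key length {len(key)} is not a multiple of 4 (truncated?)")
    try:
        return base64.b64decode(key, validate=True)
    except binascii.Error as ex:
        raise SharedKeyFormatError("account key is not valid base64") from ex


def sign_with_checked_key(key: str, string_to_sign: str) -> str:
    """HMAC-SHA256 over the string-to-sign, keyed with the decoded key."""
    raw = decode_shared_key(key)
    mac = hmac.new(raw, string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def diagnose(key: str) -> str:
    """Return 'ok' or the reason the key would fail at signing time."""
    try:
        decode_shared_key(key)
        return "ok"
    except SharedKeyFormatError as ex:
        return str(ex)


if __name__ == "__main__":
    for label, k in [("valid", SAMPLE_KEY), ("'a'", "a"),
                     ("newline", SAMPLE_KEY + "\n"), ("cut", SAMPLE_KEY[:-3])]:
        print(f"{label:8} -> {diagnose(k)}")
```

Running the check when configuration is loaded catches keys that were truncated or picked up a trailing newline when copied from a secret store, which are the cases that otherwise only show up at signing time.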