Closed Woljtek closed 1 year ago
IVV_CCB_2023_w28 : Linked to issue #922. Moved into "Accepted Werum", fix to allow https only for UWC queries, Priority major, to be fixed in phase 1
Werum_CCB_2023_w28 : Moved into "Product backlog" to implement the proposed fix
We introduce a new property in order to configure whether the old behaviour shall be enforced:
obs.enforce-http=true
The default of this property in code is true; setting the property to false
will change the protocol to https, which is the default of the library.
In the default configurations we only added it to the prip_frontend component.
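As an added illustration of the property described in the comment above (this is example code, not the project's own S3ObsClient), the following sketch shows how an obs.enforce-http style flag selects the protocol of an AWS SDK v1 S3 client and how that choice surfaces in the presigned download link the PRIP later redirects to. Endpoint, region, bucket, key and credentials are placeholders.

```java
import java.util.Date;

import com.amazonaws.ClientConfiguration;
import com.amazonaws.HttpMethod;
import com.amazonaws.Protocol;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.GeneratePresignedUrlRequest;

/**
 * Added example (not the project's S3ObsClient): an obs.enforce-http style
 * flag decides the protocol of the S3 client, and therefore the scheme of
 * every presigned URL that client generates.
 */
public class ObsProtocolExample {

    /**
     * enforceHttp=true reproduces the legacy behaviour (plain HTTP);
     * false leaves the SDK at its HTTPS default.
     * The endpoint must be given WITHOUT a scheme ("obs.example.org:9000"):
     * if it already carries "http://", that scheme wins over ClientConfiguration
     * and the property has no effect.
     */
    static AmazonS3 buildClient(boolean enforceHttp, String endpoint, String region,
                                String accessKey, String secretKey) {
        ClientConfiguration cfg = new ClientConfiguration();
        cfg.setProtocol(enforceHttp ? Protocol.HTTP : Protocol.HTTPS);
        return AmazonS3ClientBuilder.standard()
                .withClientConfiguration(cfg)
                .withEndpointConfiguration(
                        new AwsClientBuilder.EndpointConfiguration(endpoint, region))
                .withPathStyleAccessEnabled(true)
                .withCredentials(new AWSStaticCredentialsProvider(
                        new BasicAWSCredentials(accessKey, secretKey)))
                .build();
    }

    /** Presigned GET link valid for validitySeconds; this is what the 307 Location header carries. */
    static String presignedDownloadUrl(AmazonS3 s3, String bucket, String key, long validitySeconds) {
        Date expiry = new Date(System.currentTimeMillis() + validitySeconds * 1000L);
        GeneratePresignedUrlRequest req = new GeneratePresignedUrlRequest(bucket, key)
                .withMethod(HttpMethod.GET)
                .withExpiration(expiry);
        return s3.generatePresignedUrl(req).toString();
    }

    public static void main(String[] args) {
        // Placeholder values; the endpoint is deliberately scheme-less.
        String endpoint = "obs.example.org:9000";
        String region = "eu-west-1";
        String accessKey = "AKIAEXAMPLE";
        String secretKey = "secretExample";

        for (boolean enforceHttp : new boolean[] {true, false}) {
            AmazonS3 s3 = buildClient(enforceHttp, endpoint, region, accessKey, secretKey);
            String url = presignedDownloadUrl(s3, "rs-products", "S1A/quicklook-example.png", 600);
            // With enforceHttp=true the link starts with "http://", which a browser
            // on an https page refuses to follow (mixed content); with false it is "https://".
            System.out.println("obs.enforce-http=" + enforceHttp + " -> " + url);
        }
    }
}
```

Signing a presigned URL is an offline operation, so the main method runs without an OBS endpoint being reachable; it only needs the AWS SDK v1 S3 jar on the classpath. The scheme-less endpoint is the part worth checking in a real deployment: a configured endpoint that already starts with http:// silently overrides the property.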
System_CCB_2023-w30 : assigned to @Woljtek for clarification.
@w-fsi I tried to test the fix on rs-prip-frontend and I got the same behavior. Did I miss something?
EDIT: Yes, I added an "obs." in the variable name.
The HTTPS fix works fine. This issue can be closed.
Nevertheless, a new error occurs:
=> Reason: CORS header 'Access-Control-Allow-Origin' missing
Yes, we come to the same conclusion. The fix is working fine.
System_CCB_2023-w30 : To be closed after the UWC 1.10.0 delivery.
FYI, we fixed the cross origin error (Bucket configuration) and successfully displayed quicklook on UWC.
System_CCB_2023_w31: Delivered in the Processing Common v1.14.0 (Refer to https://github.com/COPRS/production-common/releases/tag/1.14.0-rc2) To be validated by IVV/OPS team.
System_CCB_2023_w31 : Validated, Closed
Environment:
Traceability: Test(s):
Requirements:
Current Behavior: We observed that requests to OBS are using HTTP and not HTTPS.
Using the HTTP protocol has no impact on RS CORE, RS ADDON and standalone app features. But the download queries from the UWC are blocked by the web browser. So it is not possible to download a product or display quicklook images with the UWC.
Expected Behavior: RS shall be able to provide the download feature and display quicklooks on the UWC.
Steps To Reproduce: See steps of issue #922
Test execution artefacts (i.e. logs, screenshots…)
First analysis of the root cause: The UWC sends HTTPS requests to the PRIP. The PRIP processes them and accesses the OBS SDK in order to generate a temporary download link using a presigned request to the actual OBS endpoint. This is technically handled as an HTTP 307 code, basically meaning that there was a temporary redirect. The browser checks this, notices that the redirect location is "HTTP" and thus not encrypted anymore, treats this as a possible security breach (man-in-the-middle) and refuses to follow the redirection. This ends up as a 401 with the "mixed block" message.
The AWS SDK used in the S1PRO OBS implementation configures HTTP as the default protocol. This happens in the class S3ObsClient at line 77: if a new OBS client is generated, the protocol will always be set to HTTP. This does not only affect the PRIP, but all clients of the system, which will communicate via HTTP.
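To confirm the behaviour described in the root-cause analysis on a deployed PRIP, the following is an added example (not part of this issue or of the production-common code) that performs the download request without following redirects and inspects the 307 Location header the way the browser's mixed-content check does. The bearer-token header and the PRIP_TOKEN environment variable are assumptions about how the PRIP is authenticated; the mixed-content rule itself is the standard one: a page served over https may not be redirected to plain http.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.Optional;

/**
 * Added example (not project code): decides whether the redirect a PRIP
 * answers with would be refused by a browser as mixed content. The pure
 * check is kept apart from the network call so it can be unit-tested.
 */
public class RedirectSchemeCheck {

    /**
     * A browser blocks only when the page is https and the (resolved) redirect
     * target is plain http. Relative Locations inherit the page's scheme and
     * are therefore never blocked by this rule.
     */
    static boolean isBlockedMixedContent(URI pageUri, String location) {
        URI target = pageUri.resolve(location.trim());
        return "https".equalsIgnoreCase(pageUri.getScheme())
                && "http".equalsIgnoreCase(target.getScheme());
    }

    /** Sends the request without following redirects and returns the Location header, if the answer is a redirect. */
    static Optional<String> redirectLocation(HttpClient client, URI downloadUri, String bearerToken)
            throws Exception {
        HttpRequest.Builder b = HttpRequest.newBuilder(downloadUri).GET();
        if (bearerToken != null && !bearerToken.isEmpty()) {
            // Assumption: the PRIP accepts a bearer token; adapt to the real auth scheme.
            b.header("Authorization", "Bearer " + bearerToken);
        }
        HttpResponse<Void> resp = client.send(b.build(), HttpResponse.BodyHandlers.discarding());
        int status = resp.statusCode();
        if (status < 300 || status > 399) {
            return Optional.empty(); // not a redirect at all
        }
        return resp.headers().firstValue("Location");
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: RedirectSchemeCheck <prip-download-url> [bearer-token]");
            System.exit(2);
        }
        URI downloadUri = URI.create(args[0]);
        String token = args.length > 1 ? args[1] : System.getenv("PRIP_TOKEN");

        HttpClient client = HttpClient.newBuilder()
                .followRedirects(HttpClient.Redirect.NEVER) // inspect the 307 instead of following it
                .build();

        Optional<String> location = redirectLocation(client, downloadUri, token);
        if (location.isEmpty()) {
            System.out.println("No redirect returned; nothing to check.");
            return;
        }
        String loc = location.get();
        if (isBlockedMixedContent(downloadUri, loc)) {
            System.out.println("FAIL: https request redirected to plain http, a browser will block it: " + loc);
            System.exit(1);
        }
        System.out.println("OK: redirect keeps the page's security level: " + loc);
    }
}
```

The non-zero exit code makes the check usable as a post-deployment gate: run it against the UWC-facing PRIP URL after switching obs.enforce-http to false and it should report OK, while the unpatched deployment reports FAIL with the http:// presigned link in the output. Note that curl, as the workaround section below points out, follows such a redirect happily; only the browser applies the mixed-content rule, which is why the scheme has to be inspected explicitly here.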
Partial workaround: An end user is able to download products using curl queries on the DDIP or NATIVE API. Indeed, curl does not care about the possible security breach.
Nevertheless, there isn't any workaround for displaying quicklooks.