bcgov / common-object-management-service

A microservice for managing access control to S3 Objects
https://bcgov.github.io/common-object-management-service/
Apache License 2.0

Internal errors never return and cause client time out errors #134

Closed pbolduc closed 1 year ago

pbolduc commented 1 year ago

Describe the bug

If there is an internal error, for example, a permission error on the bucket/object operations, the API will never return. The client will get a connection time out error instead of a 500 error.

Here is my request still running; the curl command has been running for over 15 minutes and continues to run.

image

On the COMS server, this error:

{"$fault":"client","$metadata":{"attempts":1,"extendedRequestId":"","httpStatusCode":403,"totalRetryDelay":0},"Code":"AccessDenied","RequestId":"8e22ee16:1868a5acd50:7830:ad7","Resource":"bucket/5f76114f-d5a7-48a8-8cf6-18b963d09ec9","component":"app","level":"error","message":"Access Denied","name":"AccessDenied","stack":"AccessDenied: Access Denied\n at throwDefaultError (/opt/app-root/src/app/node_modules/@aws-sdk/smithy-client/dist-cjs/default-error-handler.js:8:22)\n at deserializeAws_restXmlPutObjectTaggingCommandError (/opt/app-root/src/app/node_modules/@aws-sdk/client-s3/dist-cjs/protocols/Aws_restXml.js:5918:43)\n at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n at async /opt/app-root/src/app/node_modules/@aws-sdk/middleware-serde/dist-cjs/deserializerMiddleware.js:7:24\n at async /opt/app-root/src/app/node_modules/@aws-sdk/middleware-signing/dist-cjs/middleware.js:14:20\n at async /opt/app-root/src/app/node_modules/@aws-sd...

You can see in this case our account does not have permission for PutObjectTagging.

To Reproduce

Steps to reproduce the behavior:

  1. Remove permission to put object tagging on your account
  2. Attempt to create an object with tags
  3. Notice the HTTP request never returns

TimCsaky commented 1 year ago

Hi Phil. When you try to update an object that you don't have the UPDATE permission on, it will return a 403. For example, putObjectTagging (PATCH /object/:objectId/tagging?tagset[fruit]=orange) will only work if you have the UPDATE permission on the object and returns a 204; otherwise you get a 403. For the curl request in your screenshot, I don't see the objectId path param, maybe that was causing the 500(?)

When you create an object, if you are passing the bucketId query param, you need the CREATE permission for that bucket. No other perms required.

jujaga commented 1 year ago

COMS v0.4.0 has been released. Closing this issue for now as we were not able to reproduce locally. Please feel free to reopen this issue if it doesn't appear resolved in the latest release.
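
An added illustration of the failure mode reported in this issue (not COMS code, and not a diagnosis of its cause, which was not reproduced): a wrapper that makes an async Node.js handler always answer, with a generic 500 when the S3 call rejects and, going beyond the issue, a 504 when the call never settles. The names `guard`, `fakeRes` and `demo`, the 20 ms deadline and the sample error are constructed for this example.

```javascript
// Added example, not COMS code. guard, fakeRes and demo are hypothetical names.
const TIMED_OUT = Symbol('deadline');

// Wrap an async handler so every request ends with a response: a rejection
// becomes a 500, a promise that never settles becomes a 504 after timeoutMs.
function guard(handler, { timeoutMs = 30000, log = console.error } = {}) {
  return async function guarded(req, res) {
    let timer;
    const deadline = new Promise((_, reject) => {
      timer = setTimeout(() => reject(TIMED_OUT), timeoutMs);
    });
    try {
      await Promise.race([handler(req, res), deadline]);
    } catch (err) {
      const status = err === TIMED_OUT ? 504 : 500;
      // Full detail (error name, upstream status) goes to the server log only.
      log({ level: 'error', status, name: err && err.name,
        upstream: err && err.$metadata && err.$metadata.httpStatusCode });
      if (!res.headersSent) {
        // Generic body: no stack trace, bucket path or upstream error code.
        const title = status === 504 ? 'Gateway Timeout' : 'Internal Server Error';
        res.writeHead(status, { 'Content-Type': 'application/json' });
        res.end(JSON.stringify({ status, title }));
      }
    } finally {
      clearTimeout(timer);
    }
  };
}
// Minimal stand-in for http.ServerResponse, enough to observe the outcome.
function fakeRes() {
  return { headersSent: false, status: null, body: '',
    writeHead(code) { this.status = code; this.headersSent = true; },
    end(body = '') { this.body = body; } };
}
// Constructed error shaped like the AccessDenied entry in the server log.
const accessDenied = Object.assign(new Error('Access Denied'), {
  name: 'AccessDenied', Code: 'AccessDenied', Resource: 'bucket/EXAMPLE-OBJECT-ID',
  $fault: 'client', $metadata: { httpStatusCode: 403 } });

async function demo() {
  const logged = [];
  const run = async (handler) => {
    const res = fakeRes();
    await guard(handler, { timeoutMs: 20, log: (e) => logged.push(e) })({}, res);
    return res;
  };
  const denied = await run(async () => { throw accessDenied; });
  const hung = await run(() => new Promise(() => {})); // never settles
  const ok = await run(async (req, res) => { res.writeHead(201); res.end(); });
  return { denied, hung, ok, logged };
}
```

`guard` relies only on `headersSent`, `writeHead` and `end`, which Node's `http.ServerResponse` provides, so the same wrapper can sit in front of a real handler.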