cortezaproject / corteza

Low-code platform
https://cortezaproject.org
Apache License 2.0

Retrieving logo from MinIO fails with signature error #1456

Open jem-Solytica opened 1 year ago

jem-Solytica commented 1 year ago

Is there an existing issue for this?

Version of Corteza

2023.3.6

Current Behavior

After uploading a new logo file in the Admin-->User Interface Settings page, the logo does not display within Corteza. Only a broken image placeholder is shown.

The file is properly uploaded to MinIO (both the <file>.jpeg and a <file>_preview.jpeg appear within the system folder in the bucket). The file can be downloaded from MinIO with other clients.

On refreshing the page, the browser reports a 500 error when trying to load `ui.mainLogo`, with the response `seeker can't seek`.

MinIO trace logs show a problem with the signature generation when trying to retrieve the newly-stored logo file.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message>
</Error>
```

Expected Behavior

After uploading a logo, it should be stored on the MinIO instance and visible within Corteza.

Steps To Reproduce

No response

Environment and versions

Ubuntu 22.04
MinIO:
  - Standalone, pre-deployed instance
  - Version: 2023-05-18T00:05:36Z
  - Has Server Location/region set to custom value

Certain Corteza Env Settings:
  - MINIO_ENDPOINT=<host>:<path>
  - MINIO_SECURE=true
  - MINIO_BUCKET=<custom>
  - MINIO_PATH_PREFIX={component}/
  - MINIO_ACCESS_KEY=<secret>
  - MINIO_SECRET_KEY=<secret>

Anything else?

I did check that the MinIO keys and permissions work to download the file by using a separate script to download the file using the Authorization header in this form:

```
Authorization: AWS <access_key>:<signature>
```

But the MinIO trace log shows that Corteza is using an authorization method of AWS4-HMAC-SHA256:

```
Authorization: AWS4-HMAC-SHA256 Credential=***...
```

Other services that call MinIO and use the AWS4-style authorization header work fine.

jem-Solytica commented 1 year ago

I did some further exploring tonight and confirmed that it does seem to be a problem with how the signature is being calculated. Recomputing the AWS4-HMAC-SHA256 signature for the same request yields a different signature string for a working request than it does for the Corteza-generated request, even where the X-Amz-Date header is consistent between the two requests.

I tried working with some blobs in the Case Management app and noticed the same behavior if I uploaded binary data. But .txt files seem to download fine. I did note that there's an extra header coming across in those requests: an "If-Match" that looks like it's part of the signed headers. If I upload a copy of the same .txt file with a different extension (e.g., .bin), the "If-Match" header goes away and the file again refuses to download from MinIO, citing a signature calculation mismatch.
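A SignatureDoesNotMatch response means the server's canonical request differed from the client's in at least one input: the method, path, query, the set of headers listed in `SignedHeaders` and their values, the payload hash, or the credential scope (date, region, service). Recomputing the signature offline over the exact header set seen in the trace is the fastest way to find which input drifted. The Go program below is an added example written for this page, not Corteza or minio-go code; it implements the AWS Signature Version 4 steps with only the standard library and signs one constructed GET three ways: with the headers a plain download carries, with `If-Match` added to `SignedHeaders` (as observed above), and with a different region in the credential scope. The bucket, prefix, object name, host, ETag, secret key and region names are placeholders, and the region case is shown because the scope region has to match what the server was configured with, not because the thread establishes it as the cause here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// sigv4Request carries the parts of an S3 request that enter a SigV4 signature.
type sigv4Request struct {
	Method     string
	URIPath    string            // URI-encoded path, e.g. "/bucket/prefix/object"
	Query      string            // canonical query string, "" for a plain GET
	Headers    map[string]string // lower-cased name -> value as sent on the wire
	PayloadSHA string            // hex SHA-256 of the body, or "UNSIGNED-PAYLOAD"
}

func hmacSHA256(key []byte, msg string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

func sha256Hex(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// canonicalRequest builds the SigV4 canonical request over exactly the headers
// named in signed (the SignedHeaders list), sorted as the server sorts them.
// A header that is listed but absent from the request is reported, not signed
// as empty, because that is precisely the client bug this tool is meant to catch.
func canonicalRequest(r sigv4Request, signed []string) (cr, signedHeaders string, err error) {
	names := make([]string, 0, len(signed))
	for _, n := range signed {
		names = append(names, strings.ToLower(n))
	}
	sort.Strings(names)
	var hdrs strings.Builder
	for _, n := range names {
		v, ok := r.Headers[n]
		if !ok {
			return "", "", fmt.Errorf("signed header %q is not present in the request", n)
		}
		hdrs.WriteString(n + ":" + strings.TrimSpace(v) + "\n")
	}
	signedHeaders = strings.Join(names, ";")
	cr = strings.Join([]string{r.Method, r.URIPath, r.Query, hdrs.String(), signedHeaders, r.PayloadSHA}, "\n")
	return cr, signedHeaders, nil
}

// signV4 derives the signing key for the credential scope date/region/service
// and returns the hex signature the server will compare against.
func signV4(r sigv4Request, signed []string, secret, amzDate, region, service string) (string, error) {
	if len(amzDate) < 8 {
		return "", fmt.Errorf("x-amz-date %q is not in YYYYMMDDTHHMMSSZ form", amzDate)
	}
	cr, _, err := canonicalRequest(r, signed)
	if err != nil {
		return "", err
	}
	date := amzDate[:8]
	scope := date + "/" + region + "/" + service + "/aws4_request"
	stringToSign := strings.Join([]string{"AWS4-HMAC-SHA256", amzDate, scope, sha256Hex(cr)}, "\n")
	k := hmacSHA256([]byte("AWS4"+secret), date)
	k = hmacSHA256(k, region)
	k = hmacSHA256(k, service)
	k = hmacSHA256(k, "aws4_request")
	return hex.EncodeToString(hmacSHA256(k, stringToSign)), nil
}

// demoRequest is a constructed GET for an uploaded logo. Bucket, prefix, host
// and ETag are placeholders, not values taken from the issue.
func demoRequest() sigv4Request {
	return sigv4Request{
		Method:  "GET",
		URIPath: "/corteza/system/logo.jpeg",
		Headers: map[string]string{
			"host":                 "minio.example.internal",
			"x-amz-content-sha256": "UNSIGNED-PAYLOAD",
			"x-amz-date":           "20230601T120000Z",
			"if-match":             `"d41d8cd98f00b204e9800998ecf8427e"`,
		},
		PayloadSHA: "UNSIGNED-PAYLOAD",
	}
}

// compareSignatures signs the same request with a plain header set, with
// If-Match added to SignedHeaders, and with another scope region. Each change
// produces a different signature, which is what the server then rejects.
func compareSignatures() (plain, withIfMatch, otherRegion string, err error) {
	const secret = "placeholder-secret-key" // placeholder, not a real credential
	const amzDate = "20230601T120000Z"
	req := demoRequest()
	base := []string{"host", "x-amz-content-sha256", "x-amz-date"}
	if plain, err = signV4(req, base, secret, amzDate, "us-east-1", "s3"); err != nil {
		return
	}
	if withIfMatch, err = signV4(req, append([]string{"if-match"}, base...), secret, amzDate, "us-east-1", "s3"); err != nil {
		return
	}
	otherRegion, err = signV4(req, base, secret, amzDate, "custom-region-1", "s3")
	return
}

func main() {
	plain, withIfMatch, otherRegion, err := compareSignatures()
	if err != nil {
		panic(err)
	}
	fmt.Println("plain:        ", plain)
	fmt.Println("with if-match:", withIfMatch)
	fmt.Println("other region: ", otherRegion)
}
```

To check a real failure, fill `demoRequest` with the request line and headers copied from the MinIO trace, list exactly the names from the `SignedHeaders=` part of the `Authorization` header, and set the region to the server's configured one; if the result does not match the `Signature=` the client sent, one of those inputs is what the client signed differently.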

github-actions[bot] commented 1 year ago

Stale issue message