HEAD got 403 (using boto python library)

[allan-simon]

When I do this very simple code with version 3.5.0 I got a 403

import boto                                                                                                                                                                                  
import boto.s3.connection                                                                                                                                                                    
                                                                                                                                                                                                                                                                                                                                    
bucket = boto.connect_s3(                                                                                                                                                                    
    host="127.0.0.1",                                                                                                                                                                               
    port=5001,                                                                                                                                                                               
    is_secure=False,                                                                                                                                                                         
    calling_format=boto.s3.connection.OrdinaryCallingFormat(),                                                                                                                               
).get_bucket("yolaw-develop")

and I launch the server with

s3rver -a 0.0.0.0 --port 5001 --directory /tmp --configure-bucket "yolaw-develop" /CORS.xml

I got the following log fom the server

info: HEAD /yolaw-develop/ 403 1ms -                                                                                                                                                         

I correctly set the env variable to S3RVER

$ env | grep AWS | grep ACCE

AWS_ACCESS_KEY_ID=S3RVER
AWS_SECRET_ACCESS_KEY=S3RVER

[allan-simon]

and tcpdump of the network communication

HEAD /yolaw-develop/ HTTP/1.1
Host: s3:5001
Accept-Encoding: identity
Date: Thu, 28 Nov 2019 22:11:29 GMT
Content-Length: 0
Authorization: AWS S3RVER:g7Y97yEsmOLVMCenkRmaU8L4cLM=
User-Agent: Boto/2.42.0 Python/2.7.15+ Linux/5.0.0-17.1-liquorix-amd64

HTTP/1.1 403 Forbidden
Content-Type: application/xml
Content-Length: 546
Date: Thu, 28 Nov 2019 22:11:29 GMT
Connection: keep-alive

[allan-simon]

If I do it without the Authorization header I got 404

[allan-simon]

if I replay with netcat the same request but with GET instead , I got

GET /yolaw-develop/ HTTP/1.1
Host: s3:5001
Accept-Encoding: identity
Date: Thu, 28 Nov 2019 22:11:29 GMT
Content-Length: 0
Authorization: AWS S3RVER:g7Y97yEsmOLVMCenkRmaU8L4cLM=
User-Agent: Boto/2.42.0 Python/2.7.15+ Linux/5.0.0-17.1-liquorix-amd64

HTTP/1.1 403 Forbidden                                                                                                                                                                       
Content-Type: application/xml                                                                                                                                                                
Content-Length: 542                                                                                                                                                                          
Date: Fri, 29 Nov 2019 07:24:43 GMT                                                                                                                                                          
Connection: keep-alive                                                                                                                                                                       
                                                                                                                                                                                             
<?xml version="1.0" encoding="UTF-8"?>                                                                                                                                                       
<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message><AWSAccessKeyId>S3RVER</AWSAccessKeyId><StringToSign>GET                                                                                                                                                     
                                                                                                                                                                                             
                                                                                                                                                                                             
Fri, 29 Nov 2019 07:23:50 GMT                                                                                                                                                                
/s3/yolaw-develop/</StringToSign><StringToSignBytes>47 45 54 0a 0a 0a 46 72 69 2c 20 32 39 20 4e 6f 76 20 32 30 31 39 20 30 37 3a 32 33 3a 35 30 20 47 4d 54 0a 2f 73 33 2f 79 6f 6c 61 77 2d 64 65 76 65 6c 6f 70 2f</StringToSignBytes></Error> 

(which i think is normal has the signature contain the http method used?)

[allan-simon]

ok after adding console.log everywhere in the code (as HEAD does not give you the body, it's a PITA to debug ^^) I finally found it;s failing in the authentication middleware with a SignatureDoesNotMatch

I'm trying to find why , but i'm getting closer

using --allow-mismatched-signatures works around the issue

[kherock]

Hi @allan-simon, thanks for the extensive report, I should be able to have this fixed for the next release. Sorry for the delay. My guess is s3rver is supposed to be signing these requests as GET, but if it's not I should still be able to get to the bottom of it.

[allan-simon]

thanks, it was actually quite fun to debug ^^

[kherock]

Resolved by #630.