
Ignores upload encryption policy when creating a Cryptomator Vault. User unable to create vault in bucket requiring "s3:x-amz-server-side-encryption": "AES256" #10488

Closed
cyberduck opened this issue Oct 7, 2018 · 6 comments
Labels
bug fixed s3 AWS S3 Protocol Implementation

Comments

@cyberduck
Collaborator

20f353b created the issue

Hi there. It took a bit of testing to narrow this one down, but I believe you will be able to reproduce this issue pretty easily.

Me:
macOS 10.14 (18A391)
Cyberduck 6.7.0 (28613)

The issue:

I have an AWS user with Administrator privileges.
This user can create and upload files at will via either the AWS Web UI or CyberDuck.
This user is not able to create a new Cryptomator vault, using Cyberduck.

How to reproduce:
  0. make sure the S3 > Encryption setting is set to SSE-S3 (AES 256) in Cyberduck settings
  1. create an IAM user with the Administrator policy (specified below)
  2. create a S3 bucket with the Bucket Policy (also, below)
  3. configure Cyberduck to connect to the bucket with the user key/secret from step 1
  4. attempt to create a folder in bucket; this should work
  5. attempt to create a new encrypted vault; this should fail.

Here's the bucket policy I am using. MY_BUCKET_NAME replaces the actual bucket name.

{
    "Version": "2012-10-17",
    "Id": "force encrypt at rest for date",
    "Statement": [
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::MY_BUCKET_NAME/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                }
            }
        },
        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::MY_BUCKET_NAME/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        }
    ]
}

Here's the User policy I am using; this is akin to root-level access.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

Here's the Log from Cyberduck when connecting to the S3 bookmark with the Admin account detailed above. I am browsing a few directories deep to the location where I would like to create the Cryptomator vault:

GET / HTTP/1.1
Date: Sun, 07 Oct 2018 19:17:08 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: s3.amazonaws.com
x-amz-date: 20181007T191708Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: 97ExqV0ZxTT3738rfjrj11aao9WfkncVQHeeplQ+dIjXKi0T7lEld0TMynLnmiivt0GV6ljAwwc=
x-amz-request-id: 21444FBD145A6CEF
Date: Sun, 07 Oct 2018 19:17:09 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3
GET / HTTP/1.1
Date: Sun, 07 Oct 2018 19:17:08 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: s3.amazonaws.com
x-amz-date: 20181007T191708Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: JnA/A9g9exOhYkmcaUXZ9KvSF1KkLqw7yYTjyetrv3R/uONMSF2pC4Hx2HpCXf4N5yDOBXA1no4=
x-amz-request-id: 3ECF6D6D85C38D47
Date: Sun, 07 Oct 2018 19:17:09 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3
GET / HTTP/1.1
Date: Sun, 07 Oct 2018 19:17:08 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: s3.amazonaws.com
x-amz-date: 20181007T191708Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: VC8tDFXQmPoePQ8mqJGd8HEg8IYT81qEJ/Wbi8yZRfM/r3yAJN1j1XKUe4wXKniFJ53YBjYX8JE=
x-amz-request-id: EFC47358A535E5C9
Date: Sun, 07 Oct 2018 19:17:09 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3
GET /?location HTTP/1.1
Date: Sun, 07 Oct 2018 19:17:09 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: MY_BUCKET_NAME.s3.amazonaws.com
x-amz-date: 20181007T191709Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
HTTP/1.1 400 Bad Request
x-amz-request-id: 52BB6CC9CE3AC892
x-amz-id-2: vYqxkFHosnfruN2rgqueimgCRGJa6kbqWujJms4SAWPlKGVLx3zSORRnU/3njjU9xOkmyjD6Wzk=
Content-Type: application/xml
Transfer-Encoding: chunked
Date: Sun, 07 Oct 2018 19:17:08 GMT
Connection: close
Server: AmazonS3
GET /?location HTTP/1.1
Date: Sun, 07 Oct 2018 19:17:09 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: MY_BUCKET_NAME.s3.amazonaws.com
x-amz-date: 20181007T191709Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: cpVbjy2IVm0bBBpE6f0kBdSd5rZICREAINp4q1h6Xe0KYpRrirdiyuJanbhwCBnebAUDBdwU5ck=
x-amz-request-id: 0D441CA5B15F5A06
Date: Sun, 07 Oct 2018 19:17:10 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3
GET /?versioning HTTP/1.1
Date: Sun, 07 Oct 2018 19:17:39 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: MY_BUCKET_NAME.s3.amazonaws.com
x-amz-date: 20181007T191739Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: NgI8pq3aIfcB8E9J/uYQB7b7s/ShEpN5vCtxqNRVxxknCtY5J/DhlgxYCiHrmLwWhXSy70TOhQ0=
x-amz-request-id: 3E745C0AA14E068C
Date: Sun, 07 Oct 2018 19:17:40 GMT
Transfer-Encoding: chunked
Server: AmazonS3
GET /?max-keys=1000&versions&prefix&delimiter=%2F HTTP/1.1
Date: Sun, 07 Oct 2018 19:17:39 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: MY_BUCKET_NAME.s3.amazonaws.com
x-amz-date: 20181007T191739Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: LDOQYBUQ6Sf0upXWEw50XjGajrxBp9P8WhnK06A3rwjYpxQjoonA9/8zBbh1wc2ARpzmJ6nAbB0=
x-amz-request-id: 1013309AC1494B4A
Date: Sun, 07 Oct 2018 19:17:40 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3
GET /?uploads HTTP/1.1
Date: Sun, 07 Oct 2018 19:17:39 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: MY_BUCKET_NAME.s3.amazonaws.com
x-amz-date: 20181007T191739Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: 25hm9HLudZxuLsQa7TYRQvudTQ7jfBpyJhdozM7elEa7Z5DSrB2A1nvGTH1DuJgc+7mV0xR3MAg=
x-amz-request-id: 8FE7B857AF907F57
Date: Sun, 07 Oct 2018 19:17:40 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3
GET /?max-keys=1000&versions&prefix=MY_BUCKET_PREFIX%2F&delimiter=%2F HTTP/1.1
Date: Sun, 07 Oct 2018 19:17:42 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: MY_BUCKET_NAME.s3.amazonaws.com
x-amz-date: 20181007T191742Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: EqKTKvsUoGrGyMblZblrP+J1e4Hwyb4D+2ranblNBXpXXGTUTQNMvJMCKe00/P9q2Umiu6ZB3Mk=
x-amz-request-id: DE75085D8F1512AC
Date: Sun, 07 Oct 2018 19:17:43 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3
GET /?prefix=MY_BUCKET_PREFIX%2F&uploads HTTP/1.1
Date: Sun, 07 Oct 2018 19:17:42 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: MY_BUCKET_NAME.s3.amazonaws.com
x-amz-date: 20181007T191742Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: Ukr6HK9nJb0XB0Axc/q0FwqvXipt1RA7d7HvR9vneairun8UTBoZI1UiUp2VFL9hDYGCIlA9meA=
x-amz-request-id: 7DED0B45902B7187
Date: Sun, 07 Oct 2018 19:17:43 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3

And here's me trying to create a test-folder. This action succeeds.

PUT /MY_BUCKET_PREFIX/test-folder/ HTTP/1.1
Date: Sun, 07 Oct 2018 19:18:54 GMT
Expect: 100-continue
Content-Type: application/x-directory
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-server-side-encryption: AES256
Host: MY_BUCKET_NAME.s3.amazonaws.com
x-amz-date: 20181007T191854Z
Authorization: ********
Content-Length: 0
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: r61qLybeBa7YE1IVtwaTTha5af6zK2NVhQXF/pB1fTJ47VALfz5SK5LTEID8qm7lh9Pom3usfVI=
x-amz-request-id: B95A0EB56F13EE9C
Date: Sun, 07 Oct 2018 19:18:55 GMT
x-amz-server-side-encryption: AES256
ETag: "d41d8cd98f00b204e9800998ecf8427e"
Content-Length: 0
Server: AmazonS3
GET /?max-keys=1000&versions&prefix=MY_BUCKET_PREFIX%2F&delimiter=%2F HTTP/1.1
Date: Sun, 07 Oct 2018 19:18:55 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: MY_BUCKET_NAME.s3.amazonaws.com
x-amz-date: 20181007T191855Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: TzzkuOrStHg1L7L/GA7z6ASRbcGTyuDnlgYm4Xn31tQIBZweIGlPNyZDnS1RfC5PZ9e6Zrzy6E4=
x-amz-request-id: 8671AE55F534C81C
Date: Sun, 07 Oct 2018 19:18:56 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3
GET /?prefix=MY_BUCKET_PREFIX%2F&uploads HTTP/1.1
Date: Sun, 07 Oct 2018 19:18:55 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: MY_BUCKET_NAME.s3.amazonaws.com
x-amz-date: 20181007T191855Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: cQM2bEUrwyxpDe4/F0Br5I9iCoHVaiKt9uwTIvB6VPioIQO2O58ZRBPuhIDaDq/ScoJNkWtPn/0=
x-amz-request-id: B9B127003293E008
Date: Sun, 07 Oct 2018 19:18:56 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3

And here's the log from trying to create a test-vault. I get this error in Cyberduck:

Upload test-vault failed.
Access Denied. Please contact your web hosting service provider for assistance.

And here's the connection log. I clicked try again once before clicking cancel:

PUT /MY_BUCKET_PREFIX/test-vault/ HTTP/1.1
Date: Sun, 07 Oct 2018 19:19:38 GMT
Expect: 100-continue
Content-Type: application/x-directory
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: MY_BUCKET_NAME.s3.amazonaws.com
x-amz-date: 20181007T191938Z
Authorization: ********
Content-Length: 0
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
PUT /MY_BUCKET_PREFIX/test-vault/ HTTP/1.1
Date: Sun, 07 Oct 2018 19:20:18 GMT
Expect: 100-continue
Content-Type: application/x-directory
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: MY_BUCKET_NAME.s3.amazonaws.com
x-amz-date: 20181007T192018Z
Authorization: ********
Content-Length: 0
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
GET /?max-keys=1000&versions&prefix=MY_BUCKET_PREFIX%2F&delimiter=%2F HTTP/1.1
Date: Sun, 07 Oct 2018 19:20:20 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: MY_BUCKET_NAME.s3.amazonaws.com
x-amz-date: 20181007T192020Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: MkFr74BriPUXzjLVe9jwyyAJ+02odaOLCiUbCGPIYrjiU89rZCZBAwJB157vp462bUVWQo4/l+M=
x-amz-request-id: 9A3EBDB60F0255CB
Date: Sun, 07 Oct 2018 19:20:21 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3
GET /?prefix=MY_BUCKET_PREFIX%2F&uploads HTTP/1.1
Date: Sun, 07 Oct 2018 19:20:20 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: MY_BUCKET_NAME.s3.amazonaws.com
x-amz-date: 20181007T192020Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: IsBWnSdi/uuzk/UNzZWM0iGLOWOv1OPSho2l9fRLb8NOzPuToba253FgK9CibO/ST0Hp3f6MFT4=
x-amz-request-id: 76375E460D298CED
Date: Sun, 07 Oct 2018 19:20:21 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3

There is nothing particularly useful in console.app even after turning Cyberduck debugging mode on.

As soon as I remove the bucket policy, I have no issues creating the vault.

It appears that Cyberduck is ignoring my settings for S3 uploads, under the Encryption heading.

Please let me know what else you need from me in order to reproduce & fix.

Thank you

@cyberduck
Collaborator Author

@dkocher commented

In 6c80ef4.

@cyberduck
Collaborator Author

20f353b commented

Hi. This is not solved, yet. When using Cyberduck to create a vault, the encryption header is missing. The expected header is present in PUT requests for ordinary files / folders, though.

I am using Version 6.9.0 (29768).

Here is a log:

## Create a new folder, test-folder - OK

PUT /test-folder/ HTTP/1.1
Date: Wed, 13 Feb 2019 19:43:47 GMT
Expect: 100-continue
Content-Type: application/x-directory
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-server-side-encryption: AES256
Host: my-storage-bucket.s3.amazonaws.com
x-amz-date: 20190213T194347Z
Authorization: ********
Content-Length: 0
Connection: Keep-Alive
User-Agent: Cyberduck/6.9.0.29768 (Mac OS X/10.14.3) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: 6iZZwctjRVLnk1+8LhS1M9UGFou2prhH1t5TVM8lwW13my31iETkB9RK6rvWsuVmSThdUPXzddg=
x-amz-request-id: 54FC4BD7AF01F90A
Date: Wed, 13 Feb 2019 19:43:48 GMT
x-amz-server-side-encryption: AES256
ETag: "d41d8cd98f00b204e9800998ecf8427e"
Content-Length: 0
Server: AmazonS3


GET /?max-keys=1000&prefix&delimiter=%2F HTTP/1.1
Date: Wed, 13 Feb 2019 19:43:48 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: my-storage-bucket.s3.amazonaws.com
x-amz-date: 20190213T194348Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.9.0.29768 (Mac OS X/10.14.3) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: Cc2Ve72aMN7GJDwE/0ZPzrv2qTis2J8HmjBU86Cpw4d7rF50oyz/5HpgByJ/XnWI/XLgo+F5Wkc=
x-amz-request-id: 7C2914CCF580048D
Date: Wed, 13 Feb 2019 19:43:49 GMT
x-amz-bucket-region: us-west-1
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3


GET /?uploads HTTP/1.1
Date: Wed, 13 Feb 2019 19:43:48 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: my-storage-bucket.s3.amazonaws.com
x-amz-date: 20190213T194348Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.9.0.29768 (Mac OS X/10.14.3) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: Erk46ThMjSirJfpXjsUEUypOL7zYq8fuuuvI3/VnYIULhFEbGH4L8par0yywfJvP7npBekLt6M4=
x-amz-request-id: C975A0C117E61FFB
Date: Wed, 13 Feb 2019 19:43:49 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3


GET /?max-keys=1000&prefix=test-folder%2F&delimiter=%2F HTTP/1.1
Date: Wed, 13 Feb 2019 19:43:49 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: my-storage-bucket.s3.amazonaws.com
x-amz-date: 20190213T194349Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.9.0.29768 (Mac OS X/10.14.3) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: dtqfpSLacBiZGL0bKpduE9GCsCbhPXE3loKJ9Z0Qs04E8eRRoT/aJ6xLS2fgBFTrgvf1njaoGCM=
x-amz-request-id: 4E898610C9B07094
Date: Wed, 13 Feb 2019 19:43:50 GMT
x-amz-bucket-region: us-west-1
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3


GET /?prefix=test-folder%2F&uploads HTTP/1.1
Date: Wed, 13 Feb 2019 19:43:49 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: my-storage-bucket.s3.amazonaws.com
x-amz-date: 20190213T194349Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.9.0.29768 (Mac OS X/10.14.3) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: C+bZyDxdzrAYmFu3o9OHZQexvoG3Q6TyqBLBCZxsVoUk4AeqZQ10PIcx+bYFFOibEz0spQb+yvw=
x-amz-request-id: C2E06D84FDD32E26
Date: Wed, 13 Feb 2019 19:43:50 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3

## Create a new file in test folder - OK

PUT /test-folder/test-file HTTP/1.1
Date: Wed, 13 Feb 2019 19:43:56 GMT
Expect: 100-continue
Content-Type: application/octet-stream
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-server-side-encryption: AES256
Host: my-storage-bucket.s3.amazonaws.com
x-amz-date: 20190213T194356Z
Authorization: ********
Content-Length: 0
Connection: Keep-Alive
User-Agent: Cyberduck/6.9.0.29768 (Mac OS X/10.14.3) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: iDNn60IvqqagnMYEpaqkOGAHpxXLD5voXTfJhi5Y9yvY8hUfYcDZTOQmC3tQ4cXAMbRW4rIz31Q=
x-amz-request-id: AF426F1BD32A9446
Date: Wed, 13 Feb 2019 19:43:57 GMT
x-amz-server-side-encryption: AES256
ETag: "d41d8cd98f00b204e9800998ecf8427e"
Content-Length: 0
Server: AmazonS3


GET /?max-keys=1000&prefix=test-folder%2F&delimiter=%2F HTTP/1.1
Date: Wed, 13 Feb 2019 19:43:56 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: my-storage-bucket.s3.amazonaws.com
x-amz-date: 20190213T194356Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.9.0.29768 (Mac OS X/10.14.3) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: hNNVi3rW3imRBdKV5C6WNUXVDYBPbWWAlezPxrkfHXDdUCE/OaTgzblh8FwXAeIkg82fN7WbJpE=
x-amz-request-id: 90C2B486AE8A5BD3
Date: Wed, 13 Feb 2019 19:43:57 GMT
x-amz-bucket-region: us-west-1
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3


GET /?prefix=test-folder%2F&uploads HTTP/1.1
Date: Wed, 13 Feb 2019 19:43:56 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: my-storage-bucket.s3.amazonaws.com
x-amz-date: 20190213T194356Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.9.0.29768 (Mac OS X/10.14.3) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: B41MA4MoqiMTMCxAi4IvOYYssarfAHsKEQSevEnHw7oVOP0SSoXm1aO7GHEUO8C58skB1gt3EkI=
x-amz-request-id: BB8A031644C024A1
Date: Wed, 13 Feb 2019 19:43:57 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3

## Create a new vault called test-vault in test folder - OK

PUT /test-folder/test-vault/ HTTP/1.1
Date: Wed, 13 Feb 2019 19:44:08 GMT
Expect: 100-continue
Content-Type: application/x-directory
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-server-side-encryption: AES256
Host: my-storage-bucket.s3.amazonaws.com
x-amz-date: 20190213T194408Z
Authorization: ********
Content-Length: 0
Connection: Keep-Alive
User-Agent: Cyberduck/6.9.0.29768 (Mac OS X/10.14.3) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: B6j8C357isrN0vlndXzWSlI6YIaeVsbztzkHhNWas+a2IuE5vseX4hNGYV2RXKLNA19VrFqubxo=
x-amz-request-id: 072913ADCA4A3A86
Date: Wed, 13 Feb 2019 19:44:09 GMT
x-amz-server-side-encryption: AES256
ETag: "d41d8cd98f00b204e9800998ecf8427e"
Content-Length: 0
Server: AmazonS3

## Attempt to PUT file - fails, as there is no x-amz-server-side-encryption: AES256 header present

PUT /test-folder/test-vault/masterkey.cryptomator HTTP/1.1
Date: Wed, 13 Feb 2019 19:44:08 GMT
Expect: 100-continue
Content-Type: application/octet-stream
x-amz-content-sha256: 9708e5c71dc4e777e9122c96a8dc6b57128a42a79f4cea37db272104ff275488
Host: my-storage-bucket.s3.amazonaws.com
x-amz-date: 20190213T194408Z
Authorization: ********
Content-Length: 327
Connection: Keep-Alive
User-Agent: Cyberduck/6.9.0.29768 (Mac OS X/10.14.3) (x86_64)


GET /?max-keys=1000&prefix=test-folder%2F&delimiter=%2F HTTP/1.1
Date: Wed, 13 Feb 2019 19:44:10 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: my-storage-bucket.s3.amazonaws.com
x-amz-date: 20190213T194410Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.9.0.29768 (Mac OS X/10.14.3) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: 71Hw8puhYHWuT+EOxxPjGyNWcGM8mUtrxO+cdTgpElMub4H6iHupW9e62euvHZSS8tEEUbCzxAU=
x-amz-request-id: 92C2863BE11FCD6B
Date: Wed, 13 Feb 2019 19:44:11 GMT
x-amz-bucket-region: us-west-1
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3


GET /?prefix=test-folder%2F&uploads HTTP/1.1
Date: Wed, 13 Feb 2019 19:44:10 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: my-storage-bucket.s3.amazonaws.com
x-amz-date: 20190213T194410Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.9.0.29768 (Mac OS X/10.14.3) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: 5NFOClAvBd28YWdsOmPVFsi/q3eE6sVSBzjb/9EgTMAlvJYl7i8BdgVtgftO6G0VbcBG/EZgyU8=
x-amz-request-id: A8F8B340967412C1
Date: Wed, 13 Feb 2019 19:44:11 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3


GET /?max-keys=1000&prefix=test-folder%2Ftest-vault%2F&delimiter=%2F HTTP/1.1
Date: Wed, 13 Feb 2019 19:44:13 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: my-storage-bucket.s3.amazonaws.com
x-amz-date: 20190213T194413Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.9.0.29768 (Mac OS X/10.14.3) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: IsVqsdX1U+99Av/NBPcmCaCSGrHMR2bOPfPgboWdAyrdxKLjkp+KTdL982WDmIF26MLKarUiwiw=
x-amz-request-id: F0493B49F46F20B2
Date: Wed, 13 Feb 2019 19:44:14 GMT
x-amz-bucket-region: us-west-1
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3


GET /?prefix=test-folder%2Ftest-vault%2F&uploads HTTP/1.1
Date: Wed, 13 Feb 2019 19:44:14 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: my-storage-bucket.s3.amazonaws.com
x-amz-date: 20190213T194414Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.9.0.29768 (Mac OS X/10.14.3) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: AVhhFYoS7TM4HHW5UpiFcSxuHwElf9GqMXxKlRxGWVtx6shU5+ITa8bnf/WI0sTos892yknVkXU=
x-amz-request-id: C1B7A6F1D5D0B6A2
Date: Wed, 13 Feb 2019 19:44:15 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3

@cyberduck
Collaborator Author

@dkocher commented

Thanks for the detailed log.

@cyberduck
Collaborator Author

@dkocher commented

Fix in 4069560 for missing header when creating masterkey.cryptomator.

@cyberduck
Collaborator Author

20f353b commented

Still not fixed. The required header is still missing from subsequent sub-directories:

Here's the creation of the root folder test-vault:

PUT /Takeout/test-vault/ HTTP/1.1
Date: Sun, 14 Apr 2019 15:21:53 GMT
Expect: 100-continue
Content-Type: application/x-directory
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-server-side-encryption: AES256
Host: my-bucket-name-here.s3.amazonaws.com
x-amz-date: 20190414T152153Z
Authorization: ********
Content-Length: 0
Connection: Keep-Alive
User-Agent: Cyberduck/6.9.4.30164 (Mac OS X/10.14.4) (x86_64)
HTTP/1.1 200 OK

And here's the /d/ dir that belongs inside the vault folder:

PUT /Takeout/test-vault/d/ HTTP/1.1
Date: Sun, 14 Apr 2019 15:21:53 GMT
Expect: 100-continue
Content-Type: application/x-directory
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: my-bucket-name-here.s3.amazonaws.com
x-amz-date: 20190414T152153Z
Authorization: ********
Content-Length: 0
Connection: Keep-Alive
User-Agent: Cyberduck/6.9.4.30164 (Mac OS X/10.14.4) (x86_64)
HTTP/1.1 403 Forbidden

The x-amz-server-side-encryption: AES256 header is present on the root folder creation and not present on the sub-folder creation.

The IAM policy that is applied to the bucket & object path requires that every call to S3 that involves writing bytes to an object must include the "store with AES key managed by KMS" header. For testing purposes, you can:

  • create an s3 bucket
  • apply this bucket policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket-name-here/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                }
            }
        },
        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket-name-here/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        }
    ]
}

to reproduce / test.
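To see how the two Deny statements of this policy decide the fate of the PUT requests in the logs above, here is an added example (not Cyberduck's or the reporter's code). It models only the two condition operators the policy uses, StringNotEquals and Null, for the s3:x-amz-server-side-encryption key; the sample requests are constructed from the 6.9.4 log with Host pointed at the policy's bucket-name-here placeholder, plus a third request (not from the issue) carrying a wrong header value to exercise the first statement.

```python
import fnmatch

# The reporter's bucket policy (second posted version). An explicit Deny applies to
# every principal, so the user's "Action": "*" allow cannot override it.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny",
         "Principal": {"AWS": "*"}, "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::bucket-name-here/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
        {"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny",
         "Principal": {"AWS": "*"}, "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::bucket-name-here/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
}

# Constructed sample: the two PUTs from the 6.9.4 log trimmed to the relevant headers,
# Host set to the policy's bucket name, and a third request (hypothetical, not from
# the issue) whose header carries a value other than AES256.
CAPTURED_REQUESTS = """\
PUT /Takeout/test-vault/ HTTP/1.1
x-amz-server-side-encryption: AES256
Host: bucket-name-here.s3.amazonaws.com

PUT /Takeout/test-vault/d/ HTTP/1.1
Host: bucket-name-here.s3.amazonaws.com

PUT /Takeout/test-vault/masterkey.cryptomator HTTP/1.1
x-amz-server-side-encryption: aws:kms
Host: bucket-name-here.s3.amazonaws.com
"""


def parse_requests(text):
    """Split a raw request log into (method, path, headers); header names lower-cased."""
    requests = []
    for block in text.strip().split("\n\n"):
        lines = block.strip().splitlines()
        method, path, _ = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        requests.append((method, path, headers))
    return requests


def condition_matches(condition, keys):
    """Evaluate a Condition block for the operators this policy uses (all must match)."""
    for operator, tests in condition.items():
        for key, expected in tests.items():
            present = key in keys
            if operator == "Null":
                # "true" matches only when the key is absent from the request
                if present == (str(expected).lower() == "true"):
                    return False
            elif operator == "StringNotEquals":
                # A missing key never matches StringNotEquals; that is why the
                # policy needs the separate Null statement to catch absent headers.
                values = expected if isinstance(expected, list) else [expected]
                if not present or keys[key] in values:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def _as_list(v):
    return v if isinstance(v, list) else [v]


def denied_by(policy, method, path, headers):
    """Return the Sids of Deny statements that match a PUT request ([] = not denied)."""
    if method != "PUT":
        return []
    bucket = headers["host"].split(".s3.")[0]
    arn = f"arn:aws:s3:::{bucket}/{path.lstrip('/')}"
    # Only the header the policy keys on is mapped; a missing header is an absent key.
    keys = {}
    if "x-amz-server-side-encryption" in headers:
        keys["s3:x-amz-server-side-encryption"] = headers["x-amz-server-side-encryption"]
    sids = []
    for st in policy["Statement"]:
        if st["Effect"] != "Deny" or "s3:PutObject" not in _as_list(st["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(arn, r) for r in _as_list(st["Resource"])):
            continue
        if condition_matches(st.get("Condition", {}), keys):
            sids.append(st["Sid"])
    return sids


def audit(log_text, policy=BUCKET_POLICY):
    """Map each PUT path in the log to the Deny statements it trips."""
    return {path: denied_by(policy, m, path, h) for m, path, h in parse_requests(log_text)}


if __name__ == "__main__":
    print(audit(CAPTURED_REQUESTS))
```

The root folder PUT passes both statements, the /d/ PUT without the header is caught only by the Null statement, and the wrong-value PUT only by StringNotEquals, which is why the policy needs both.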

@cyberduck
Collaborator Author

@dkocher commented

Replying to [comment:9 a.cyberduc.user]:

> Still not fixed. The required header is missing from subsequent/sub-directories, still:

In 4c77491.

@iterate-ch iterate-ch locked as resolved and limited conversation to collaborators Nov 26, 2021