Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

B2 fails with app key limited to specific buckets #10725

Closed
cyberduck opened this issue Jun 5, 2019 · 7 comments
Closed

B2 fails with app key limited to specific buckets #10725

cyberduck opened this issue Jun 5, 2019 · 7 comments
Assignees
@dkocher
Labels
b2 Backblaze B2 Protocol Implementation bug fixed high priority
Milestone
7.0.1

Comments

@cyberduck
Copy link
Collaborator

db1fac5 created the issue

Regression from <7.0

When opening connection, b2_list_buckets will fail if the app key in-use is limited to one bucket. 6.9 would list one bucket, 7.0 errors and breaks authorization flow.

Reproduction:

  1. Create B2 app key limited to one bucket
  2. Attempt connection POST /b2api/v2/b2_list_buckets HTTP/1.1

Error: 401 Listing Directory / Failed

https://www.backblaze.com/b2/docs/application_keys.html#usingRestrictedKeys

Most of the API calls that deal with buckets or files use a bucketId to identify a bucket. But, when using an application key that restricts access to just one bucket, you can't use b2_list_buckets to list all the buckets.

When there is a bucket restriction, the bucketId and the bucketName for that bucket are in the response from b2_authorize_account in the allowed section. You can then use that bucketId in all of your later calls.
@cyberduck
Copy link
Collaborator Author

@dkocher commented

What capabilities do you have assigned to the application key? Please post the transcript from the log drawer (⌘-L).

@cyberduck
Copy link
Collaborator Author

@dkocher commented

I cannot reproduce this issue with an application key with the capabilities listBuckets, listFiles, readFiles, shareFiles.

@cyberduck
Copy link
Collaborator Author

db1fac5 commented

Traced it. The application keys were limited to a single bucket. An application key with "All" for buckets works. An application key with just one bucket fails. Probably on t he new apiv2 list buckets?

-capabilities:* deleteFiles, listBuckets, listFiles, readFiles, shareFiles, writeFiles

-Old Flow 6.9*



GET /b2api/v1/b2_authorize_account HTTP/1.1
Authorization: ********
Host: api.backblazeb2.com
Connection: Keep-Alive
User-Agent: Cyberduck/6.9.4.30164 (Windows 10/10.0) (x86)
Accept-Encoding: gzip,deflate
HTTP/1.1 200 
Cache-Control: max-age=0, no-cache, no-store
Content-Type: application/json;charset=utf-8
Content-Length: 608
Date: Thu, 06 Jun 2019 15:54:41 GMT
POST /b2api/v1/b2_list_buckets HTTP/1.1
Authorization: ********
Content-Length: 28
Content-Type: application/json; charset=UTF-8
Host: api000.backblazeb2.com
Connection: Keep-Alive
User-Agent: Cyberduck/6.9.4.30164 (Windows 10/10.0) (x86)
Accept-Encoding: gzip,deflate
HTTP/1.1 200 
Cache-Control: max-age=0, no-cache, no-store
Content-Type: application/json;charset=utf-8
Content-Length: 279
Date: Thu, 06 Jun 2019 15:54:42 GMT

7.00 connection flow

[Window Title]
Error

[Main Instruction]
Listing directory / failed.

[Content]
Please contact your web hosting service provider for assistance.

[Expanded Information]
POST /b2api/v2/b2_list_buckets HTTP/1.1
Authorization: ********
Content-Length: 28
Content-Type: application/json; charset=UTF-8
Host: api000.backblazeb2.com
Connection: Keep-Alive
User-Agent: Cyberduck/7.0.0.30869 (Windows 10/10.0) (x86)
Accept-Encoding: gzip,deflate
HTTP/1.1 401 
Cache-Control: max-age=0, no-cache, no-store
Content-Type: application/json;charset=utf-8
Content-Length: 62
Date: Thu, 06 Jun 2019 16:02:25 GMT
GET /b2api/v2/b2_authorize_account HTTP/1.1
Authorization: ********
Host: api.backblazeb2.com
Connection: Keep-Alive
User-Agent: Cyberduck/7.0.0.30869 (Windows 10/10.0) (x86)
Accept-Encoding: gzip,deflate
HTTP/1.1 200 
Cache-Control: max-age=0, no-cache, no-store
Content-Type: application/json;charset=utf-8
Content-Length: 576
Date: Thu, 06 Jun 2019 16:02:30 GMT
POST /b2api/v2/b2_list_buckets HTTP/1.1
Authorization: ********
Content-Length: 28
Content-Type: application/json; charset=UTF-8
Host: api000.backblazeb2.com
Connection: Keep-Alive
User-Agent: Cyberduck/7.0.0.30869 (Windows 10/10.0) (x86)
Accept-Encoding: gzip,deflate
HTTP/1.1 401 
Cache-Control: max-age=0, no-cache, no-store
Content-Type: application/json;charset=utf-8
Content-Length: 62
Date: Thu, 06 Jun 2019 16:02:30 GMT


[^] Hide details  [Try Again] [Cancel]

[Footer]
Help

@cyberduck
Copy link
Collaborator Author

db1fac5 commented

Ok there is a change in the API in v2.

v2: Remove application key workaround (Sept 13, 2018)
Listing buckets will always return all buckets, unless you ask for just one by specifying bucketName or bucketId. **If you ask for all buckets and your application key is restricted to one bucket, the call is unauthorized.**

I see though in the Authorize response JSON it does return:

 "allowed": {
        "bucketId": "****",
        "bucketName": "AAABCC",

So that you don't need to actually call the list_buckets separately.

@cyberduck
Copy link
Collaborator Author

db1fac5 commented

Opened a SynampticLoop backblaze-b2-java-api ticket. Looks like the error is ultimately with its handling of the login flow.

synapticloop/backblaze-b2-java-api#41

Need to add the "allowed" field to the client object. And list_buckets needs to conditionally check for a like getAllowedBuckets() length !> 0 before submitting a request.

Could you feasibly just use the /v1/ api for just the list_buckets command? Since it doesn't fail in 6.9? Easy band-aid solution?

@cyberduck
Copy link
Collaborator Author

@dkocher commented

Upstream in (iterate-ch/backblaze-b2-java-api#4).

@cyberduck
Copy link
Collaborator Author

@dkocher commented

In b15532c.

@iterate-ch iterate-ch locked as resolved and limited conversation to collaborators Nov 26, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@dkocher dkocher

Labels
b2 Backblaze B2 Protocol Implementation bug fixed high priority
Projects
None yet
Milestone
7.0.1
Development

No branches or pull requests
2 participants
@dkocher @cyberduck