bug: Presigned URL failed on GET for downloading #10844

Open
1 task done
cchentyro opened this issue May 20, 2024 · 3 comments
Labels
aws:s3 Amazon Simple Storage Service status: response required Waiting for a response from the reporter type: bug Bug report

Comments

@cchentyro

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

URL:

127.0.0.1:32848/<bucket-name>/presignTestFile?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20240517T090340Z&X-Amz-SignedHeaders=host&X-Amz-Credential=accessKeyId%252F20240517%252Fap-southeast-2%252Fs3%252Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=ce80156d648142563ef1e3be3f41a3b4b901ac14c3add2db8f1adc99b50ab173

Error:

2024-05-17T09:08:44.719 ERROR --- [et.reactor-0] l.aws.handlers.logging     : exception during call chain
Traceback (most recent call last):
  File "/opt/code/localstack/.venv/lib/python3.11/site-packages/rolo/gateway/chain.py", line 166, in handle
    handler(self, self.context, response)
  File "/opt/code/localstack/localstack/aws/handlers/presigned_url.py", line 23, in __call__
    handler(chain, context, response)
  File "/opt/code/localstack/localstack/services/s3/presigned_url.py", line 201, in __call__
    validate_presigned_url_s3v4(context)
  File "/opt/code/localstack/localstack/services/s3/presigned_url.py", line 425, in validate_presigned_url_s3v4
    sigv4_context, exception = _find_valid_signature_through_ports(context)
                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/code/localstack/localstack/services/s3/presigned_url.py", line 487, in _find_valid_signature_through_ports
    sigv4_context = S3SigV4SignatureContext(context=context)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/code/localstack/localstack/services/s3/presigned_url.py", line 543, in __init__
    region = self._query_parameters["X-Amz-Credential"].split("/")[2]
             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^
IndexError: list index out of range

Expected Behavior

It should parse the region from the parameter.

How are you starting LocalStack?

Custom (please describe below)

Steps To Reproduce

How are you starting localstack (e.g., bin/localstack command, arguments, or docker-compose.yml)

By TestContainer

Client commands (e.g., AWS SDK code snippet, or sequence of "awslocal" commands)

Create bucket, upload and presigned url by aws java sdk

Environment

- OS:
- LocalStack:
  LocalStack version: Test from 3.0 to 3.4.1
  LocalStack Docker image sha:
  LocalStack build date:
  LocalStack build git hash:

Anything else?

Guess maybe there is no url decode for those params?

@cchentyro cchentyro added status: triage needed Requires evaluation by maintainers type: bug Bug report labels May 20, 2024
@localstack-bot
Collaborator

Welcome to LocalStack! Thanks for reporting your first issue and our team will be working towards fixing the issue for you or reach out for more background information. We recommend joining our Slack Community for real-time help and drop a message to LocalStack Pro Support if you are a Pro user! If you are willing to contribute towards fixing this issue, please have a look at our contributing guidelines and our contributing guide.

@Anze1508 Anze1508 added status: backlog Triaged but not yet being worked on and removed status: triage needed Requires evaluation by maintainers labels May 20, 2024
@bentsku bentsku self-assigned this May 21, 2024
@bentsku bentsku added the aws:s3 Amazon Simple Storage Service label May 21, 2024
@bentsku
Contributor

bentsku commented May 21, 2024

Hello @cchentyro and thanks for your report!

Could you please share how you are generating the pre-signed URL so that we can easily reproduce and fix this issue?
Could you also share the LocalStack logs with the config LS_LOG=trace when the issue happens, to see exactly what LocalStack receives?
Thanks!

@bentsku
Contributor

bentsku commented May 21, 2024

After looking at your URL, it seems your query string parameter is double URL encoded:
A / is equal to %2F, but yours are %252F which is %2F URL-encoded.

I believe the parameter should be the following:
X-Amz-Credential=accessKeyId%2F20240517%2Fap-southeast-2%2Fs3%2Faws4_request

I've tried your format against AWS and it fails. AWS does not double-encode the X-Amz-Credential parameter, and if you do, it will return the following:

<Error>
  <Code>AuthorizationQueryParametersError</Code>
  <Message>
    Error parsing the X-Amz-Credential parameter; the Credential is mal-formed; expecting "&lt;YOUR-AKID&gt;/YYYYMMDD/REGION/SERVICE/aws4_request".
  </Message>
  <RequestId>GYD5Z0TSA3384VSS</RequestId>
  <HostId>lJ3Qh5M4RlUiShRvfhL72xJqN+DOeceFsb8cb5w6GbSkhx9+LTkXBmxAj2/qJinKz6i+KgpHZnc=</HostId>
</Error>

I'll open a PR to raise the same exception as AWS in the meantime.

@bentsku bentsku added status: response required Waiting for a response from the reporter and removed status: backlog Triaged but not yet being worked on labels May 21, 2024
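
An added example, not LocalStack's code and not the fix from the PR mentioned above: one way to validate X-Amz-Credential so that a malformed or double-encoded value is rejected with the AWS-style error rather than surfacing as an IndexError. The exception class, the function name and the sample bucket name are assumptions made for illustration.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Message text as quoted in the AWS error response above.
AWS_MESSAGE = (
    "Error parsing the X-Amz-Credential parameter; the Credential is mal-formed; "
    'expecting "<YOUR-AKID>/YYYYMMDD/REGION/SERVICE/aws4_request".'
)

# Constructed sample URLs: parameter values from the issue, placeholder bucket name.
BASE = "http://127.0.0.1:32848/example-bucket/presignTestFile?X-Amz-Credential="
DOUBLE_ENCODED = BASE + "accessKeyId%252F20240517%252Fap-southeast-2%252Fs3%252Faws4_request"
SINGLE_ENCODED = BASE + "accessKeyId%2F20240517%2Fap-southeast-2%2Fs3%2Faws4_request"


class AuthorizationQueryParametersError(Exception):
    """Hypothetical exception named after the S3 error code."""

    def __init__(self, message, double_encoded=False):
        super().__init__(message)
        self.double_encoded = double_encoded


def parse_credential_scope(url):
    """Return the SigV4 credential scope of a presigned URL as a dict."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = query.get("X-Amz-Credential", [])
    if len(values) != 1:
        raise AuthorizationQueryParametersError(AWS_MESSAGE)
    credential = values[0]  # parse_qs has percent-decoded this exactly once
    parts = credential.split("/")
    well_formed = (
        len(parts) == 5
        and all(parts)
        and len(parts[1]) == 8
        and parts[1].isdigit()
        and parts[4] == "aws4_request"
    )
    if not well_formed:
        # Reject rather than decode again: if a second decode would change the
        # value, the client encoded twice; record that for the log line only.
        twice = unquote(credential) != credential
        raise AuthorizationQueryParametersError(AWS_MESSAGE, double_encoded=twice)
    access_key, date, region, service, _terminator = parts
    return {"access_key": access_key, "date": date, "region": region, "service": service}


if __name__ == "__main__":
    print(parse_credential_scope(SINGLE_ENCODED))
    try:
        parse_credential_scope(DOUBLE_ENCODED)
    except AuthorizationQueryParametersError as exc:
        print("rejected, double-encoded:", exc.double_encoded)
```

The `double_encoded` flag is diagnostic only; the value is never decoded a second time and accepted, which matches the AWS behaviour reported in the comment above.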