签名的可写网址出现错误:我们计算出的请求签名与您提供的签名不匹配

时间:2018-11-22 01:24:20

标签: c# google-cloud-platform google-cloud-storage pre-signed-url

我正在将虚拟文件上传到Google Cloud Storage,然后在将读写URL传递给单独托管的另一项服务之前对其进行签名。不幸的是,我收到403响应,并显示以下消息:

  

我们计算出的请求签名与您提供的签名不匹配。检查您的Google密钥和签名方法。

我用于创建虚拟对象并签名URL的代码:

const string BASE64_JSON_CREDS = "UklQIFN0YW4gTGVl"; // credentials of service account with "Storage Admin" role (entire json file as received from Google's Console)
const string BUCKET = "testbucket";
const string FILENAME = "test.jpg";
byte[] imageBytes = File.ReadAllBytes(@"test.jpg");

GoogleCredential credentials = null;
using (var stream = new MemoryStream(Convert.FromBase64String(BASE64_JSON_CREDS)))
{
    credentials = GoogleCredential.FromStream(stream);
}

StorageClient storageClient = StorageClient.Create(credentials);
var bucket = await storageClient.GetBucketAsync(BUCKET);
await storageClient.UploadObjectAsync(bucket.Name, FILENAME, null, new MemoryStream());

var scopedCreds = credentials.CreateScoped("https://www.googleapis.com/auth/devstorage.read_write").UnderlyingCredential as ServiceAccountCredential;
var urlSigner = UrlSigner.FromServiceAccountCredential(scopedCreds);
var url = urlSigner.Sign(bucket.Name, FILENAME, TimeSpan.FromHours(100));

为解决这个问题,我编写了一些测试代码(我也尝试过HttpWebRequest):

var handler = new HttpClientHandler()
{
//    Proxy = new WebProxy("localhost", 8888)
};
var client = new HttpClient(handler);
var content = new ByteArrayContent(imageBytes, 0, imageBytes.Length);
content.Headers.Remove("Content-Type");
var response = await client.PutAsync(url, content);
if (response.IsSuccessStatusCode)
{
    Console.WriteLine("yay");
}
else
{
    Console.WriteLine(await response.Content.ReadAsStringAsync());
}
Console.ReadKey();

通过Fiddler代理时,请求如下所示:

PUT https://storage.googleapis.com/testbucket/test.jpg?GoogleAccessId=testbucket@testproject.iam.gserviceaccount.com&Expires=1543209340&Signature=j1cagZ9MHZQAIeYrzbm95MWsIdFMvX1Em13il%2F2nEB1qx9xGB6%2BUzt6vo2OVuRp2TlW1G1TtyX32lxbH%2Fb51dr49eFBcSSm9H8rSXtuEXci02dY%2Fe%2FV0n4kpVwDjpiq4QVSMM%2BaCEdrUtPxT69BSoDuRqh6UHkeOL6VqLgcHGKQcXraZCrEaCXCJfNBwBlPcoXzOD708Nasl99ahxGwcPY6s1FXLCiAiP0VDJSRrPqbE8LHyRLLTgCk9r2H4pEW%2BpGpjEWj3DVpDC334%2BQQFttzDNuZQnUMtZi%2BGz5rqQbU5hBLgthb%2B13884uL4eUalnoSuRfR9JPKIJP7xk3%2FH4g%3D%3D HTTP/1.1
Content-Length: 21925
Host: storage.googleapis.com

{IMAGE_CONTENT}

响应为:

HTTP/1.1 403 Forbidden
X-GUploader-UploadID: AEnB2UoklkZmIP8odWSx14Y0ZDgxjM8ZM94SCfNgAONG1giFTd9cncH8bAMK3s7I7v2DC1NwVirOrNbTjnBzdS2o1tOGX2pLBg
Content-Type: application/xml; charset=UTF-8
Content-Length: 314
Date: Thu, 22 Nov 2018 01:15:39 GMT
Server: UploadServer
Alt-Svc: quic=":443"; ma=2592000; v="44,43,39,35"

<?xml version='1.0' encoding='UTF-8'?><Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your Google secret key and signing method.</Message><StringToSign>PUT


1543209340
/testbucket/test.jpg</StringToSign></Error>

看看Google的UrlSigner code,上面列出的行是:

var signatureLines = new List<string>
{
    requestMethod.ToString(),
    contentMD5,
    contentType,
    expiryUnixSeconds
};

我在this question中发现建议设置Content-Type标头 ,因此我进行了以下更改:

// New signing code
var headers = new Dictionary<string, IEnumerable<string>>() { { "Content-Type", new string[] { "image/jpeg" } } };
var url = urlSigner.Sign(bucket.Name, FILENAME, TimeSpan.FromHours(100), requestHeaders: headers);

// New put code (I removed the line removing Content-Type)
var content = new ByteArrayContent(imageBytes, 0, imageBytes.Length);
content.Headers.ContentType = new System.Net.Http.Headers.MediaTypeHeaderValue("image/jpeg");

但是这还没有解决问题。新的“ StringToSign”值反映了更改:

PUT

image/jpeg
1543214247
/teams-storage-test-bucket/test.jpg

因此(我认为)应该检查的标头与发送的标头是否正确。生成的URL适用于GET(我可以下载空文件),但不适用于PUT。有解决办法吗?

2 个答案:

答案 0 :(得分:3)

在对Sign()的调用中,包括HTTP方法和Content-Type标头:

urlSigner.Sign(bucket.Name, FILENAME, TimeSpan.FromHours(100), HttpMethod.Put, contentHeaders: new Dictionary<string, IEnumerable<string>> { { "Content-Type", new[] { "image/jpeg" } } });

答案 1 :(得分:1)

通过在上传期间在 signedURL 和 PUT 请求中添加相同的内容类型对我有用

file.getSignedUrl({
    action:"write",
    expires:(Date.now() + expDuration),
    contentType: "text/csv",  <-- add your type 
});

并在上传请求中添加标题

"Content-Type":"text/csv"