Why do I get a 400 Bad Request error when working with Direct Cloud Storage Download?

Guy Cohen
2019-09-16 10:32

Subject

Why do I get a 400 Bad Request error when trying to resolve artifacts using Direct Cloud Storage Download?

Description

As mentioned on our documentation, Artifactory officially support Direct Cloud Storage Download from version 6.11.
If you are using Artifactory Cloud (hosted by JFrog), Artifactory is already configured to serve requests when resolving from Docker, Maven, Npm and Debian repositories.

However, there are few HTTP clients which results with a 400 error, for example, here is the response from an old cURL https client:

< HTTP/1.1 400 Bad Request
< x-amz-request-id:
< x-amz-id-2://=
< Content-Type: application/xml
< Transfer-Encoding: chunked
< Date: Wed, 24 Jul 2019 13:30:56 GMT
< Connection: close
< Server: AmazonS3
<
<?xml version="1.0" encoding="UTF-8"?>
* Closing connection 1
* TLSv1.2 (OUT), TLS alert, Client hello (1):
<Error><Code>InvalidArgument</Code><Message>Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter,
Signature query string parameter or the Authorization header should be specified</Message><ArgumentName>
Authorization</ArgumentName><ArgumentValue>Bearer *****************************

As per our tests, old versions of cURL and old versions of wget, had this behavior. However, newer versions of these clients, served the request successfully.
Moreover, when using Gradle client to resolve from Maven repository type (not Gradle repo), the request will always fail regardless the version.

Cause:

This is happening due to supplement of more than one authentication types – Bearer/Basic Artifactory bound authentication is incorrectly forwarded to Amazon's S3 service from Artifactory.

Resolution

In order to overcome this error when using cURL, you need to upgrade the client version to 7.58.0 or above.
With 'wget', you need to upgrade the client to version 1.20.3 or above to overcome this error.

If you are using Gradle as your build tool, kindly refer to the published vulnerability which describes the issue and its fix in Gradle version 5.6.