Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] BlobClient.Exists() fails if a blob was uploaded with a customer-provided encryption key #20361

Closed
bkromhout opened this issue Apr 13, 2021 · 1 comment · Fixed by #20383
Closed

[BUG] BlobClient.Exists() fails if a blob was uploaded with a customer-provided encryption key #20361

bkromhout opened this issue Apr 13, 2021 · 1 comment · Fixed by #20383
Assignees
@seanmcc-msft
Labels
bug This issue requires a change to an existing behavior in the product in order to be resolved. Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team Storage Storage Service (Queues, Blobs, Files)

Comments

@bkromhout
Copy link

Describe the bug
We have blobs that are uploaded with a CustomerProvidedKey (the REST equivalent would be uploading with the x-ms-encryption-key header).

At some later time, we want to check whether one of these blobs exists using the BlobClient.Exists() method. Importantly, the BlobClient instance used to call Exists() is NOT configured with a CustomerProvidedKey.

Expected behavior
Regardless of whether the BlobClient knows a blob's CustomerProvidedKey, the Exists() method should return true if the blob exists. (This is possible, see Further Discussion below.)

Actual behavior
When a BlobClient with no CustomerProvidedKey is used to call Exists() on a blob which was uploaded previously with a CustomerProvidedKey, it gets a 409 error response because the Azure Blob API expects the same encryption key to be passed.

The message returned is "The blob is encrypted with customer specified encryption, but it was not provided in the request", and the x-ms-error-code response header is set to "BlobUsesCustomerSpecifiedEncryption".

Further Discussion
I'm not disputing how the REST API works here; the fact that it's returning this error response makes perfect sense to me. The issue I have is with the SDK's handling of it: I'm just calling BlobClient.Exists(), and this particular error response from the REST API is proof positive that the blob does indeed exist...so my expectation is that the SDK would eat this particular error response and just return true, not error out.

To Reproduce

  1. Upload a blob using a CustomerProvidedKey.
  2. Using a new BlobClient instance pointed at said blob (which does not have a CustomerProvidedKey configured), call Exists()

Environment:

  • Name and version of the Library package used: Azure.Storage.Blobs 12.8.1
@ghost ghost added needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Apr 13, 2021
@amnguye amnguye added Client This issue points to a problem in the data-plane of the library. Storage Storage Service (Queues, Blobs, Files) labels Apr 13, 2021
@ghost ghost removed the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Apr 13, 2021
@amnguye
Copy link
Member

amnguye commented Apr 13, 2021

That's valid, that message does infer that the blob exists, we were just unable to decrypt it without the key because a GetProperties call as done to check if the blob exists.

I will mark this as a bug and we will address it accordingly across services that support customer provided encryption keys.

@amnguye amnguye added the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Apr 13, 2021
@ghost ghost added the needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team label Apr 13, 2021
@amnguye amnguye removed the question The issue doesn't require a change to the product in order to be resolved. Most issues start as that label Apr 13, 2021
@seanmcc-msft seanmcc-msft self-assigned this Apr 13, 2021
This was referenced Apr 14, 2021
Closed
Closed
Closed
Merged
@github-actions github-actions bot locked and limited conversation to collaborators Mar 27, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@seanmcc-msft seanmcc-msft

Labels
bug This issue requires a change to an existing behavior in the product in order to be resolved. Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team Storage Storage Service (Queues, Blobs, Files)
Projects
None yet
Milestone
No milestone
3 participants
@bkromhout @seanmcc-msft @amnguye