AccessDeniedInvalid according to Policy: Extra input fields: content-type

Question

AccessDeniedInvalid according to Policy: Extra input fields: content-type

Closed this issue 10 years ago · 6 comments

Hi,

I'm trying to use this module, but the request payload duplicates the content-type.
Not sure where this is hapenning, but the error is the one I see on the title.

AccessDeniedInvalid according to Policy: Extra input fields: content-type xxxxx

This is the request payload, any hints.

------WebKitFormBoundarywrG3WQbImsw3CmIS
Content-Disposition: form-data; name="key"

1233000928661-8file.jpeg
------WebKitFormBoundaryxxxx
Content-Disposition: form-data; name="acl"

public-read
------WebKitFormBoundaryxxxx
Content-Disposition: form-data; name="Content-Type"

image/jpeg
------WebKitFormBoundaryxxxx
Content-Disposition: form-data; name="AWSAccessKeyId"

KeyId...
------WebKitFormBoundarywrxxxx
Content-Disposition: form-data; name="policy"

encoded....
------WebKitFormBoundarywrxxxx
Content-Disposition: form-data; name="signature"

signature.....
------WebKitFormBoundaryxxxx
Content-Disposition: form-data; name="file"; filename="file.jpeg"
Content-Type: image/jpeg

CORS is the same as iin the example
My endpoint is built using aws php sdk
Thanks

Answer 1 · 2014-05-16T15:08:50.000Z

Hi Raul,

I just got this implemented just yesterday where the most difficult part for me was getting the policy correct.

Here's what I ended up with, a PHP class that has one public method called access_token(). Then I have a server side script that simply uses this class and returns the data to the s3-upload directive.

Here I'll start with my use of the directive:

<div s3-upload
    bucket="activity_images"
    ng-model="artist.image_url"
    s3-upload-options="{getOptionsUri: 'php_ajax/s3_access.php?bucket=activity_images'}">
</div>

Next is the relevant snippet from s3_access.php:

$bucket_name = isset($_REQUEST['bucket']) ? $_REQUEST['bucket'] : '';

$s3_provider = new S3Provider($bucket_name);
echo $s3_provider->access_token();
exit;

And finally my S3Provider class (where you'll see how I created the policy):

class S3Provider {
    private $bucket_name;
    private $aws_account_no;
    private $aws_access_key_id;
    private $aws_secret_key;

    public function __construct($bucket_name) {
        $this->bucket_name = $bucket_name;
        $this->aws_access_key_id = 'xxxxxxxxxxxxxxx';
        $this->aws_secret_key  = 'xxxxxxxxxxxxxx';
    }

    public function access_token() {
        $now = time() + (12 * 60 * 60 * 1000);
        $expire = gmdate('Y-m-d\TH:i:s\Z', $now);

        $url = 'https://' . $this->bucket_name . '.s3.amazonaws.com'; 
        $policy_document = '
            {"expiration": "' . $expire . '",
             "conditions": [
                {"bucket": "' . $this->bucket_name . '"},
                ["starts-with", "$key", ""],
                {"acl": "public-read"},
                ["content-length-range", 0, 10485760],
                ["starts-with", "$Content-Type", ""]
            ]
        }';

        $policy = base64_encode($policy_document); 

        $hash = $this->hmacsha1($this->aws_secret_key, $policy);

        $signature = $this->hex2b64($hash);

        $token = array('policy' => $policy,
                       'signature' => $signature,
                       'key' => $this->aws_access_key_id);

        return json_encode($token);
    }

    private function hmacsha1($key, $data) {
        $blocksize = 64;
        $hashfunc = 'sha1';
        if(strlen($key) > $blocksize)
            $key = pack('H*', $hashfunc($key));
        $key = str_pad($key, $blocksize, chr(0x00));
        $ipad = str_repeat(chr(0x36), $blocksize);
        $opad = str_repeat(chr(0x5c), $blocksize);
        $hmac = pack('H*', $hashfunc(($key ^ $opad).pack('H*', $hashfunc(($key ^ $ipad).$data))));
        return bin2hex($hmac);
    }

    private function hex2b64($str) {
        $raw = '';
        for($i=0; $i < strlen($str); $i+=2) {
            $raw .= chr(hexdec(substr($str, $i, 2)));
        }
        return base64_encode($raw);
    }
}

Notice how I set $expire to be in the future (probably doesn't need to be that far into the future). This works like charm for us. Hope this helps.

Answer 2 · 2014-05-16T16:10:27.000Z

@captainmarkos that did it sweet!

I wonder why aws sdk php is broken on this regard, or maybe I'm trying to use PostObject where it was not intended to use.
https://github.com/aws/aws-sdk-php/blob/4ded8a201bd6fcac37d630197e6443f41aa2752d/src/Aws/S3/Model/PostObject.php

<?php

class PolicyProvider
{

    public function signPolicy()
    {
        $aws = Aws::factory([
            'key' => $this->key,
            'secret' => $this->secret,
            'region' => 'xxxxx'
        ]);

        $s3 = $aws->get('S3');

        $postObject = new PostObject($s3, $this->bucket);
        $postObject->prepareData();

        $inputs = $postObject->getFormInputs();

        return json_encode([
            'policy' => $inputs['policy'],
            'signature' => $inputs['signature'],
            'key' => $this->key
        ]);
    }
}

Anyway this is working now, thanks

Answer 3 · 2014-05-16T20:30:59.000Z

Good deal, glad it helped.

Answer 4 · 2014-05-16T20:38:48.000Z

Hi! I'm glad it worked for you!
@captainmarkos first of all thank you! would you mind adding your php example to the README or a wiki page so others will be able to depend on it ?

Answer 5 · 2014-05-16T21:46:51.000Z

Wiki created. https://github.com/asafdav/ng-s3upload/wiki/PHP-Creating-the-S3-Policy

Answer 6 · 2014-05-16T22:36:36.000Z

Thank you very much!