Request that does not work
tcpdump trace:
# Incoming request
10:05:25.598366 IP 10.254.78.0.43154 > api-manager-rc-9ba3b.8280: Flags [P.], seq 2438838108:2438838564, ack 2130919342, win 985, options [nop,nop,TS val 1606674803 ecr 1606668326], length 456
POST http://apimanager.sid-sec:8280/t/operator.seeed/api/servicemanager/1.0.0/deployments?applicationID=47ec2d04-8969-40ee-a533-2807965914aa HTTP/1.1
Accept-Encoding: gzip, deflate
userAgent: "marketgw-1.0.0-RC3"
Host: apimanager.sid-sec:8280
userID: [email protected]
userGroups: group-public
Authorization: Bearer aaa8192ef297278f85b68bd4a1f8e020
User-Agent: spray-can/1.3.3
Content-Type: application/json; charset=UTF-8
Content-Length: 1
# Outgoing request
10:05:25.878610 IP api-manager-rc-9ba3b.37066 > 10.10.10.237.http: Flags [P.], seq 871498147:871501861, ack 2502574994, win 732, options [nop,nop,TS val 1606675174 ecr 1606668348], length 3714
POST /api/servicemanager/1.0.0/deployments HTTP/1.1
userGroups: group-public
X-JWT-Assertion: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IlpESTNOVE5sWWpFMVpEZzNNMlJsTWpreFptTmtZV1prWldWaE1qaG1aamN6WWpoa00yWTVNUSJ9.eyJpc3MiOiJ3c28yLm9yZy9wcm9kdWN0cy9hbSIsImV4cCI6MTQ3ODY4NjgyNTg2NiwiaHR0cDovL3dzbzIub3JnL2NsYWltcy9zdWJzY3JpYmVyIjoic3Vic2NyaWJlckBvcGVyYXRvci5zZWVlZCIsImh0dHA6Ly93c28yLm9yZy9jbGFpbXMvYXBwbGljYXRpb25pZCI6IjIiLCJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL2FwcGxpY2F0aW9ubmFtZSI6IlNwYXJrSW5EYXRhR1ciLCJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL2FwcGxpY2F0aW9udGllciI6IlVubGltaXRlZCIsImh0dHA6Ly93c28yLm9yZy9jbGFpbXMvYXBpY29udGV4dCI6Ii90L29wZXJhdG9yLnNlZWVkL2FwaS9zZXJ2aWNlbWFuYWdlci8xLjAuMCIsImh0dHA6Ly93c28yLm9yZy9jbGFpbXMvdmVyc2lvbiI6IjEuMC4wIiwiaHR0cDovL3dzbzIub3JnL2NsYWltcy90aWVyIjoiVW5saW1pdGVkIiwiaHR0cDovL3dzbzIub3JnL2NsYWltcy9rZXl0eXBlIjoiUFJPRFVDVElPTiIsImh0dHA6Ly93c28yLm9yZy9jbGFpbXMvdXNlcnR5cGUiOiJBUFBMSUNBVElPTl9VU0VSIiwiaHR0cDovL3dzbzIub3JnL2NsYWltcy9lbmR1c2VyIjoiZ2F0ZXdheVVzZXJAb3BlcmF0b3Iuc2VlZWQiLCJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL2VuZHVzZXJUZW5hbnRJZCI6IjIiLCJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL2VtYWlsYWRkcmVzcyI6ImdhdGV3YXlVc2VyQHNwYXJraW5kYXRhLmNvbSIsImh0dHA6Ly93c28yLm9yZy9jbGFpbXMvZnVsbG5hbWUiOiJnYXRld2F5VXNlciIsImh0dHA6Ly93c28yLm9yZy9jbGFpbXMvZ2l2ZW5uYW1lIjoiZ2F0ZXdheVVzZXIiLCJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL2lkZW50aXR5L2FjY291bnRMb2NrZWQiOiJmYWxzZSIsImh0dHA6Ly93c28yLm9yZy9jbGFpbXMvbGFzdG5hbWUiOiJnYXRld2F5VXNlciIsImh0dHA6Ly93c28yLm9yZy9jbGFpbXMvcm9sZSI6IkFkbWluaXN0cmF0b3IsSW50ZXJuYWwvZXZlcnlvbmUiLCJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL3VzZXJuYW1lIjoiZ2F0ZXdheVVzZXIifQ.J2VvP0IZYhs-tQtc5cY2omnA9LfE6jIwbrrjrnuaa406OLsQ1J2mvJcbRkyggD_RyHm0td2JDNhQRpicP5LS1FwhBSVZZEtOcKe5mm8OJOIUMkT7biitZA7LdfjgUvxPSRE9wzzBZi9eCNF53Bs6laTBDWCU_Uj7XN5w0qcFAyE
assertion: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IlpESTNOVE5sWWpFMVpEZzNNMlJsTWpreFptTmtZV1prWldWaE1qaG1aamN6WWpoa00yWTVNUSJ9.eyJpc3MiOiJ3c28yLm9yZy9wcm9kdWN0cy9hbSIsImV4cCI6MTQ3ODY4NjgyNTg2NiwiaHR0cDovL3dzbzIub3JnL2NsYWltcy9zdWJzY3JpYmVyIjoic3Vic2NyaWJlckBvcGVyYXRvci5zZWVlZCIsImh0dHA6Ly93c28yLm9yZy9jbGFpbXMvYXBwbGljYXRpb25pZCI6IjIiLCJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL2FwcGxpY2F0aW9ubmFtZSI6IlNwYXJrSW5EYXRhR1ciLCJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL2FwcGxpY2F0aW9udGllciI6IlVubGltaXRlZCIsImh0dHA6Ly93c28yLm9yZy9jbGFpbXMvYXBpY29udGV4dCI6Ii90L29wZXJhdG9yLnNlZWVkL2FwaS9zZXJ2aWNlbWFuYWdlci8xLjAuMCIsImh0dHA6Ly93c28yLm9yZy9jbGFpbXMvdmVyc2lvbiI6IjEuMC4wIiwiaHR0cDovL3dzbzIub3JnL2NsYWltcy90aWVyIjoiVW5saW1pdGVkIiwiaHR0cDovL3dzbzIub3JnL2NsYWltcy9rZXl0eXBlIjoiUFJPRFVDVElPTiIsImh0dHA6Ly93c28yLm9yZy9jbGFpbXMvdXNlcnR5cGUiOiJBUFBMSUNBVElPTl9VU0VSIiwiaHR0cDovL3dzbzIub3JnL2NsYWltcy9lbmR1c2VyIjoiZ2F0ZXdheVVzZXJAb3BlcmF0b3Iuc2VlZWQiLCJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL2VuZHVzZXJUZW5hbnRJZCI6IjIiLCJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL2VtYWlsYWRkcmVzcyI6ImdhdGV3YXlVc2VyQHNwYXJraW5kYXRhLmNvbSIsImh0dHA6Ly93c28yLm9yZy9jbGFpbXMvZnVsbG5hbWUiOiJnYXRld2F5VXNlciIsImh0dHA6Ly93c28yLm9yZy9jbGFpbXMvZ2l2ZW5uYW1lIjoiZ2F0ZXdheVVzZXIiLCJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL2lkZW50aXR5L2FjY291bnRMb2NrZWQiOiJmYWxzZSIsImh0dHA6Ly93c28yLm9yZy9jbGFpbXMvbGFzdG5hbWUiOiJnYXRld2F5VXNlciIsImh0dHA6Ly93c28yLm9yZy9jbGFpbXMvcm9sZSI6IkFkbWluaXN0cmF0b3IsSW50ZXJuYWwvZXZlcnlvbmUiLCJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL3VzZXJuYW1lIjoiZ2F0ZXdheVVzZXIifQ.J2VvP0IZYhs-tQtc5cY2omnA9LfE6jIwbrrjrnuaa406OLsQ1J2mvJcbRkyggD_RyHm0td2JDNhQRpicP5LS1FwhBSVZZEtOcKe5mm8OJOIUMkT7biitZA7LdfjgUvxPSRE9wzzBZi9eCNF53Bs6laTBDWCU_Uj7XN5w0qcFAyE
userAgent: "marketgw-1.0.0-RC3"
Accept-Encoding: gzip, deflate
userID: [email protected]
Content-Type: application/json; charset=UTF-8; charset=UTF-8
Transfer-Encoding: chunked
Host: services-manager-2.default:80
Connection: Keep-Alive
User-Agent: Synapse-PT-HttpComponents-NIO
As you can see, the API Manager drops the query string (?applicationID=47ec2d04-8969-40ee-a533-2807965914aa) when forwarding the request:
POST http://apimanager.sid-sec:8280/t/operator.seeed/api/servicemanager/1.0.0/deployments?applicationID=47ec2d04-8969-40ee-a533-2807965914aa
# gets changed to
POST /api/servicemanager/1.0.0/deployments
Request that does work
Trace produced with the following cURL request:
curl -X POST \
-H "userID: [email protected]" \
-H "userGroups: group-public" \
-H "Authorization: Bearer 7e553f59d4bcfc31c1a385d6d73f9cfe" \
-H "Accept-Encoding: gzip, deflate" \
-H 'userAgent: "marketgw-1.0.0-RC3"' \
-H "Content-Type: application/json; charset=UTF-8" \
-d "toto" \
"http://apimanager.sid-sec:8280/t/operator.seeed/api/servicemanager/1.0.0/deployments?applicationID=47ec2d04-8969-40ee-a533-2807965914aa"
tcpdump trace:
# Incoming request
10:38:08.469938 IP 10.254.78.0.50584 > api-manager-rc-9ba3b.8280: Flags [P.], seq 1:439, ack 1, win 221, options [nop,nop,TS val 1608637675 ecr 1608637764], length 438
POST /t/operator.seeed/api/servicemanager/1.0.0/deployments?applicationID=47ec2d04-8969-40ee-a533-2807965914aa HTTP/1.1
User-Agent: curl/7.38.0
Host: apimanager.sid-sec:8280
Accept: */*
userID: [email protected]
userGroups: group-public
Authorization: Bearer 7e553f59d4bcfc31c1a385d6d73f9cfe
Accept-Encoding: gzip, deflate
userAgent: "marketgw-1.0.0-RC3"
Content-Type: application/json; charset=UTF-8
Content-Length: 4
# Outgoing request
10:38:08.602825 IP api-manager-rc-9ba3b.45728 > 10.10.10.237.http: Flags [P.], seq 1:4318, ack 1, win 221, options [nop,nop,TS val 1608637898 ecr 1608637959], length 4317
POST /api/servicemanager/1.0.0/deployments?applicationID=47ec2d04-8969-40ee-a533-2807965914aa HTTP/1.1
userGroups: group-public
X-JWT-Assertion: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IlpESTNOVE5sWWpFMVpEZzNNMlJsTWpreFptTmtZV1prWldWaE1qaG1aamN6WWpoa00yWTVNUSJ9.eyJpc3MiOiJ3c28yLm9yZy9wcm9kdWN0cy9hbSIsImV4cCI6MTQ3ODY4Nzk1MDUzMywiaHR0cDovL3dzbzIub3JnL2NsYWltcy9zdWJzY3JpYmVyIjoic3Vic2NyaWJlckBvcGVyYXRvci5zZWVlZCIsImh0dHA6Ly93c28yLm9yZy9jbGFpbXMvYXBwbGljYXRpb25pZCI6IjIiLCJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL2FwcGxpY2F0aW9ubmFtZSI6IlNwYXJrSW5EYXRhR1ciLCJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL2FwcGxpY2F0aW9udGllciI6IlVubGltaXRlZCIsImh0dHA6Ly93c28yLm9yZy9jbGFpbXMvYXBpY29udGV4dCI6Ii90L29wZXJhdG9yLnNlZWVkL2FwaS9zZXJ2aWNlbWFuYWdlci8xLjAuMCIsImh0dHA6Ly93c28yLm9yZy9jbGFpbXMvdmVyc2lvbiI6IjEuMC4wIiwiaHR0cDovL3dzbzIub3JnL2NsYWltcy90aWVyIjoiVW5saW1pdGVkIiwiaHR0cDovL3dzbzIub3JnL2NsYWltcy9rZXl0eXBlIjoiUFJPRFVDVElPTiIsImh0dHA6Ly93c28yLm9yZy9jbGFpbXMvdXNlcnR5cGUiOiJBUFBMSUNBVElPTiIsImh0dHA6Ly93c28yLm9yZy9jbGFpbXMvZW5kdXNlciI6InN1YnNjcmliZXJAb3BlcmF0b3Iuc2VlZWQiLCJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL2VuZHVzZXJUZW5hbnRJZCI6IjIiLCJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL2VtYWlsYWRkcmVzcyI6InN1YnNjcmliZXJAc3BhcmtpbmRhdGEuY29tIiwiaHR0cDovL3dzbzIub3JnL2NsYWltcy9mdWxsbmFtZSI6InN1YnNjcmliZXIiLCJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL2dpdmVubmFtZSI6InN1YnNjcmliZXIiLCJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL2lkZW50aXR5L2FjY291bnRMb2NrZWQiOiJmYWxzZSIsImh0dHA6Ly93c28yLm9yZy9jbGFpbXMvbGFzdG5hbWUiOiJzdWJzY3JpYmVyIiwiaHR0cDovL3dzbzIub3JnL2NsYWltcy9yb2xlIjoiQXBwbGljYXRpb24vc3Vic2NyaWJlcl9EZWZhdWx0QXBwbGljYXRpb25fUFJPRFVDVElPTixBcHBsaWNhdGlvbi9zdWJzY3JpYmVyX3RvdG9fUFJPRFVDVElPTixzdWJzY3JpYmVyLEFwcGxpY2F0aW9uL3N1YnNjcmliZXJfU3BhcmtJbkRhdGFHV19QUk9EVUNUSU9OLEludGVybmFsL2V2ZXJ5b25lLEFwcGxpY2F0aW9uL3N1YnNjcmliZXJfdGVzdF9TQU5EQk9YLEFwcGxpY2F0aW9uL3N1YnNjcmliZXJfdGVzdF9QUk9EVUNUSU9OIiwiaHR0cDovL3dzbzIub3JnL2NsYWltcy91c2VybmFtZSI6InN1YnNjcmliZXIifQ.eqouBE9UDMM0sHRi1O9BA2sDOL7M_svmF3ZRboJM7za9CVTZIpg7eWu1bWQrUjk6I88nFD3QsK0PyrG7Rn15jYRvm-NNTg1ONFZ_7nkwBI9JsShdgsipayhl0mSMwK1vyaIY5pUlB8v10Xsyq_28e3N0oGYAbKZHZSd95eIe4QY
Accept: */*
assertion: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IlpESTNOVE5sWWpFMVpEZzNNMlJsTWpreFptTmtZV1prWldWaE1qaG1aamN6WWpoa00yWTVNUSJ9.eyJpc3MiOiJ3c28yLm9yZy9wcm9kdWN0cy9hbSIsImV4cCI6MTQ3ODY4Nzk1MDUzMywiaHR0cDovL3dzbzIub3JnL2NsYWltcy9zdWJzY3JpYmVyIjoic3Vic2NyaWJlckBvcGVyYXRvci5zZWVlZCIsImh0dHA6Ly93c28yLm9yZy9jbGFpbXMvYXBwbGljYXRpb25pZCI6IjIiLCJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL2FwcGxpY2F0aW9ubmFtZSI6IlNwYXJrSW5EYXRhR1ciLCJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL2FwcGxpY2F0aW9udGllciI6IlVubGltaXRlZCIsImh0dHA6Ly93c28yLm9yZy9jbGFpbXMvYXBpY29udGV4dCI6Ii90L29wZXJhdG9yLnNlZWVkL2FwaS9zZXJ2aWNlbWFuYWdlci8xLjAuMCIsImh0dHA6Ly93c28yLm9yZy9jbGFpbXMvdmVyc2lvbiI6IjEuMC4wIiwiaHR0cDovL3dzbzIub3JnL2NsYWltcy90aWVyIjoiVW5saW1pdGVkIiwiaHR0cDovL3dzbzIub3JnL2NsYWltcy9rZXl0eXBlIjoiUFJPRFVDVElPTiIsImh0dHA6Ly93c28yLm9yZy9jbGFpbXMvdXNlcnR5cGUiOiJBUFBMSUNBVElPTiIsImh0dHA6Ly93c28yLm9yZy9jbGFpbXMvZW5kdXNlciI6InN1YnNjcmliZXJAb3BlcmF0b3Iuc2VlZWQiLCJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL2VuZHVzZXJUZW5hbnRJZCI6IjIiLCJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL2VtYWlsYWRkcmVzcyI6InN1YnNjcmliZXJAc3BhcmtpbmRhdGEuY29tIiwiaHR0cDovL3dzbzIub3JnL2NsYWltcy9mdWxsbmFtZSI6InN1YnNjcmliZXIiLCJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL2dpdmVubmFtZSI6InN1YnNjcmliZXIiLCJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL2lkZW50aXR5L2FjY291bnRMb2NrZWQiOiJmYWxzZSIsImh0dHA6Ly93c28yLm9yZy9jbGFpbXMvbGFzdG5hbWUiOiJzdWJzY3JpYmVyIiwiaHR0cDovL3dzbzIub3JnL2NsYWltcy9yb2xlIjoiQXBwbGljYXRpb24vc3Vic2NyaWJlcl9EZWZhdWx0QXBwbGljYXRpb25fUFJPRFVDVElPTixBcHBsaWNhdGlvbi9zdWJzY3JpYmVyX3RvdG9fUFJPRFVDVElPTixzdWJzY3JpYmVyLEFwcGxpY2F0aW9uL3N1YnNjcmliZXJfU3BhcmtJbkRhdGFHV19QUk9EVUNUSU9OLEludGVybmFsL2V2ZXJ5b25lLEFwcGxpY2F0aW9uL3N1YnNjcmliZXJfdGVzdF9TQU5EQk9YLEFwcGxpY2F0aW9uL3N1YnNjcmliZXJfdGVzdF9QUk9EVUNUSU9OIiwiaHR0cDovL3dzbzIub3JnL2NsYWltcy91c2VybmFtZSI6InN1YnNjcmliZXIifQ.eqouBE9UDMM0sHRi1O9BA2sDOL7M_svmF3ZRboJM7za9CVTZIpg7eWu1bWQrUjk6I88nFD3QsK0PyrG7Rn15jYRvm-NNTg1ONFZ_7nkwBI9JsShdgsipayhl0mSMwK1vyaIY5pUlB8v10Xsyq_28e3N0oGYAbKZHZSd95eIe4QY
userAgent: "marketgw-1.0.0-RC3"
Accept-Encoding: gzip, deflate
userID: [email protected]
Content-Type: application/json; charset=UTF-8; charset=UTF-8
Transfer-Encoding: chunked
Host: services-manager-2.default:80
Connection: Keep-Alive
User-Agent: Synapse-PT-HttpComponents-NIO
4
toto
Analysis
It turns out that when the request target carries the scheme and host (the first request, sent by the spray-can/1.3.3 client, uses absolute-form), the API Manager does extract the host and the REST path from it, but "forgets" the query component: the resource path is mapped onto the backend endpoint and forwarded, while the query string is lost. With an origin-form request target (path and query only, which is what curl sends) the query survives. Note that the two traces were made with different access tokens (the http://wso2.org/claims/enduser claim in X-JWT-Assertion is gatewayUser@operator.seeed in the first and subscriber@operator.seeed in the second), but both tokens carry the same http://wso2.org/claims/apicontext claim, /t/operator.seeed/api/servicemanager/1.0.0, so the gateway resolved the same API in both cases and the only difference that matters is the form of the request target.
# works
POST /t/operator.seeed/api/servicemanager/1.0.0/deployments?applicationID=47ec2d04-8969-40ee-a533-2807965914aa
# does not work
POST http://apimanager.sid-sec:8280/t/operator.seeed/api/servicemanager/1.0.0/deployments?applicationID=47ec2d04-8969-40ee-a533-2807965914aa
Definition of the request target: RFC 7230, section 5.3 (https://tools.ietf.org/html/rfc7230#section-5.3). Clients normally send absolute-form only to proxies, but section 5.3.2 requires every server to accept it.
So the exact description of the bug is that the API Manager does not correctly support absolute-form request targets: it accepts them, but unlike with origin-form it drops the query component when building the request for the backend.
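The rewrite step described above, as an added example that is not WSO2 API Manager code: a small model of a gateway that strips the API context from the incoming request target, prepends the backend's base path, and forwards the result. buggy_rewrite reproduces the behaviour seen in the traces (the query component is lost for absolute-form targets), rewrite_request_target handles both origin-form and absolute-form as RFC 7230 section 5.3 defines them, and query_lost is the check that tells the two apart. API_CONTEXT is the apicontext claim from the traces; BACKEND_BASE is an assumption inferred from the outgoing requests (the gateway is assumed to map the context to http://services-manager-2.default:80 plus that base path).

```python
"""Request-target rewriting for a gateway, preserving the query component.

Added example, not WSO2 API Manager code. `buggy_rewrite` models the
observed behaviour, `rewrite_request_target` the correct one.
"""
from urllib.parse import urlsplit

# API context as carried in the X-JWT-Assertion apicontext claim of the traces.
API_CONTEXT = "/t/operator.seeed/api/servicemanager/1.0.0"
# Base path of the backend endpoint; ASSUMPTION inferred from the outgoing
# requests (gateway maps API_CONTEXT to http://services-manager-2.default:80 + BACKEND_BASE).
BACKEND_BASE = "/api/servicemanager/1.0.0"

# Request targets copied from the two incoming requests in the traces.
ABSOLUTE_FORM = ("http://apimanager.sid-sec:8280" + API_CONTEXT
                 + "/deployments?applicationID=47ec2d04-8969-40ee-a533-2807965914aa")
ORIGIN_FORM = API_CONTEXT + "/deployments?applicationID=47ec2d04-8969-40ee-a533-2807965914aa"


def split_request_target(target):
    """Classify a request-target into its RFC 7230 section 5.3 form.

    Returns (form, authority, path, query); form is 'origin', 'absolute',
    'authority' or 'asterisk'. query is None when there is no '?' at all,
    so an empty query ("/p?") is still distinguishable from no query.
    """
    if target == "*":
        return ("asterisk", None, None, None)
    if target.startswith("/"):
        path, sep, query = target.partition("?")
        return ("origin", None, path, query if sep else None)
    if "://" in target:
        parts = urlsplit(target)
        query = parts.query if "?" in target else None
        return ("absolute", parts.netloc, parts.path or "/", query)
    # authority-form is only valid for CONNECT and has no path to forward.
    return ("authority", target, None, None)


def _resource_path(path):
    """Strip API_CONTEXT from the path; reject targets outside the context."""
    if path != API_CONTEXT and not path.startswith(API_CONTEXT + "/"):
        raise ValueError("request-target outside API context: %r" % path)
    return path[len(API_CONTEXT):]


def buggy_rewrite(target):
    """What the traces show: the host is split off, but only the path is kept."""
    form, _, path, query = split_request_target(target)
    if form == "origin":
        rest = (BACKEND_BASE + _resource_path(path)) or "/"
        return rest + ("?" + query if query is not None else "")
    if form == "absolute":
        return (BACKEND_BASE + _resource_path(path)) or "/"   # query silently dropped
    raise ValueError("unsupported request-target form: " + form)


def rewrite_request_target(target):
    """Correct rewrite: drop scheme and authority, swap the context, keep the query."""
    form, _, path, query = split_request_target(target)
    if form not in ("origin", "absolute"):
        raise ValueError("cannot forward %s-form request-target %r" % (form, target))
    rest = (BACKEND_BASE + _resource_path(path)) or "/"
    if query is not None:
        rest += "?" + query
    return rest


def query_lost(target):
    """Diagnostic check: does the buggy rewrite lose a query the target carried?"""
    _, _, _, query = split_request_target(target)
    return query is not None and buggy_rewrite(target) != rewrite_request_target(target)


if __name__ == "__main__":
    for name, target in (("origin-form", ORIGIN_FORM), ("absolute-form", ABSOLUTE_FORM)):
        print(name)
        print("  observed  :", buggy_rewrite(target))
        print("  expected  :", rewrite_request_target(target))
        print("  query lost:", query_lost(target))
```

To reproduce the failing case without the spray-can client, curl 7.55.0 and newer accept --request-target, whose value is put on the request line as given, so passing the full http://apimanager.sid-sec:8280/... URL there sends an absolute-form target to the gateway (the curl 7.38.0 used for the working trace predates that option).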