Comments (6)
Hello, as far as I understand, if the "HTTP/1.1 400 Bad Request" in your capture is the response from AZF, then the request that is causing it should be visible just before. Unfortunately, I cannot find it here. Is it anywhere in your packet capture so I can see what's wrong with it that is causing the error 400 response from AZF?
Thanks.
from fiware.
Hi @cdanger! I'll provide you with the capture result on Monday. To me it's just some binary content sent to the authzforce port, so I doubt that would be helpful. It's definitely no valid request so I totally agree with AZF's response but also don't know what triggers this response. Anyway, we will see soon.
BTW: Is it possible for you to setup a working security installation based on the currently available docker-images/Dockerfiles or master branches?
Hello, I found the time to set up an IdM-PEP-AZF infrastructure with the latest Docker releases at last, and indeed, I faced a couple of issues in the PEP proxy and one in the IdM. I do not own these components, so I did what I could to fix things quickly. For long-term fixes, I reported specific issues on their respective GitHub repositories and created pull requests, so we'll have to wait for the next releases. In the meantime, I can tell you the quick fixes I did.
First, I assume you still have an AZF Docker container up and running, probably the version 5.4.0b which was the latest at the time you created the issue. You may upgrade to 5.4.1 which I released more recently. Anyway, this is just for your info, and will not fix the issue here.
As for the IdM, especially the dashboard, you have to fix these issues:
- #72: you can check my pull request to know how to fix it; basically fixing a typo in the file `openstack_dashboard/templates/access_control/policy.xacml`.
- #71: this one I already told you about. I created a pull request as well to get it fixed.
Then restart the IdM container after fixing the files.
As for the PEP, you have to fix these issues:
- #29: until 2 days ago, the version of the PEP proxy inside the image tagged 5.3.1 was not actually 5.3.1, but 5.2.1. This was fixed a day ago. Therefore you have to get rid of the Docker image `fiware/pep-proxy:5.3.1` in your local repository: `docker stop` and `docker rm` any container using the image `fiware/pep-proxy:5.3.1`, then `docker rmi fiware/pep-proxy:5.3.1`. Then `docker run` to get back the new image and run the container with your custom `config.js`, and also a custom `log_config.json` in DEBUG level everywhere to make troubleshooting easier at the first stage of testing; for example:

```shell
docker run -d --name pep-proxy \
  -v /home/toto/fiware-pep-proxy/config.js:/opt/fiware-pep-proxy/config.js \
  -v /home/toto/fiware-pep-proxy/log_config.json:/opt/fiware-pep-proxy/log_config.json \
  -p 80:80 fiware/pep-proxy:5.3.1
```
My `config.js` looks like this:

```javascript
var config = {};
config.pep_port = 80;
// Set this var to undefined if you don't want the server to listen on HTTPS
config.https = {
    enabled: false,
    cert_file: 'cert/cert.crt',
    key_file: 'cert/key.key',
    port: 443
};
config.account_host = 'http://idm:8000';
config.keystone_host = 'idm';
config.keystone_port = 5000;
config.app_host = 'www.google.es';
config.app_port = '80';
// Use true if the app server listens in https
config.app_ssl = false;
// Credentials obtained when registering PEP Proxy in Account Portal
// Of course these are not the real ones I am using but just for example
config.username = 'pep_proxy_XXXXXXXX';
config.password = 'XXXXXXXXXXXXXX';
// in seconds
config.chache_time = 300;
// if enabled PEP checks permissions with AuthZForce GE.
// only compatible with oauth2 tokens engine
//
// you can use custom policy checks by including programmatic scripts
// in policies folder. A script template is included there
config.azf = {
    enabled: true,
    protocol: 'http',
    host: 'azf',
    port: 8080,
    custom_policy: undefined // use undefined to default policy checks (HTTP verb + path).
};
// list of paths that will not check authentication/authorization
// example: ['/public/*', '/static/css/']
config.public_paths = [];
// options: oauth2/keystone
config.tokens_engine = 'oauth2';
config.magic_key = undefined;
module.exports = config;
```
Here I am using hostnames for the IdM and AZF hosts but you can use IP addresses of course. What is important is `config.azf.protocol`, which must be set to `http`. I assume you are using a default setup of AZF with SSL disabled and listening on port 8080 (depends on the docker run command you used to run the AZF container). We want to make sure everything works with SSL disabled first, before we begin to tackle the SSL issues.
My `log_config.json`:

```json
{
  "appenders": [
    {
      "type": "console",
      "layout": {
        "type": "pattern",
        "pattern": "%d - %p: %c - %m",
        "replaceConsole": true
      }
    }
  ],
  "levels": {
    "Server": "DEBUG",
    "Root": "DEBUG",
    "HTTP-Client": "DEBUG",
    "AZF-Client": "DEBUG",
    "IDM-Client": "DEBUG",
    "Test": "DEBUG"
  }
}
```
- #31 and #32: I created a pull request to fix both. In order to apply this fix to your Docker container, you can download the fixed version of the `lib/azf.js` file from my forked repository, then copy it to the container, then connect to the container's shell (assuming your pep-proxy container's name is `pep-proxy`):

```shell
$ docker cp /home/toto/fiware-pep-proxy/lib/azf.js pep-proxy:/opt/fiware-pep-proxy/lib/azf.js
$ docker exec -t -i pep-proxy bash
```

In the container's shell, install the Node.js package `xml2js` (this requires an Internet connection over https, so make sure the proxy is well configured with `npm config set https-proxy ...` if you have one):

```shell
$ npm install xml2js
```

Exit the shell/container, restart the container and check that it starts OK with `docker logs -f pep-proxy`.
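The following is an added illustration of the PEP-to-AZF exchange this thread is debugging; it is not the fiware-pep-proxy's own `lib/azf.js` logic. It builds the default XACML 3.0 request (HTTP verb + path, as in the `custom_policy: undefined` setting above) and evaluates the PDP reply fail-closed, so a 400 Bad Request page, a non-XACML body or any decision other than a single Permit denies access. The attribute categories and identifiers are the standard XACML 3.0 ones; the sample response bodies are constructed.

```python
"""Illustrative XACML 3.0 request builder and fail-closed decision check (constructed example)."""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
ET.register_namespace("", XACML_NS)
STRING = "http://www.w3.org/2001/XMLSchema#string"

# Standard XACML attribute category / attribute id pairs used for the default check
CATEGORIES = {
    "subject": ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
                "urn:oasis:names:tc:xacml:1.0:subject:subject-id"),
    "action": ("urn:oasis:names:tc:xacml:3.0:attribute-category:action",
               "urn:oasis:names:tc:xacml:1.0:action:action-id"),
    "resource": ("urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
                 "urn:oasis:names:tc:xacml:1.0:resource:resource-id"),
}


def build_request(subject_id: str, http_verb: str, path: str) -> bytes:
    """Serialise a XACML 3.0 <Request> for subject + HTTP verb + path.
    ElementTree escapes the values, so a hostile path cannot inject XML into the request."""
    req = ET.Element(f"{{{XACML_NS}}}Request",
                     {"CombinedDecision": "false", "ReturnPolicyIdList": "false"})
    for key, value in (("subject", subject_id), ("action", http_verb), ("resource", path)):
        category, attr_id = CATEGORIES[key]
        attrs = ET.SubElement(req, f"{{{XACML_NS}}}Attributes", {"Category": category})
        attr = ET.SubElement(attrs, f"{{{XACML_NS}}}Attribute",
                             {"AttributeId": attr_id, "IncludeInResult": "false"})
        ET.SubElement(attr, f"{{{XACML_NS}}}AttributeValue", {"DataType": STRING}).text = value
    return ET.tostring(req, encoding="utf-8")


def is_permitted(status: int, body: bytes) -> bool:
    """Fail closed: only HTTP 200 with exactly one <Result> whose <Decision> is Permit allows.
    Error pages (e.g. AZF's 400), unparseable bodies, foreign root elements and
    Deny / NotApplicable / Indeterminate decisions all deny."""
    if status != 200:
        return False
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    if root.tag != f"{{{XACML_NS}}}Response":
        return False
    decisions = [d.text for d in root.iterfind(f"./{{{XACML_NS}}}Result/{{{XACML_NS}}}Decision")]
    return decisions == ["Permit"]


# Constructed sample PDP replies (not captured from a real AZF instance)
PERMIT_BODY = (b'<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">'
               b'<Result><Decision>Permit</Decision></Result></Response>')
DENY_BODY = PERMIT_BODY.replace(b"Permit", b"Deny")
BAD_REQUEST_BODY = b"<html><body><h1>400 Bad Request</h1></body></html>"
```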
Thanks a lot @cdanger! I'm currently on vacation and will give your fixes a try once I'm back in the office (about two weeks from now) and get some time for it.
Now the fixes are part of the new releases, so you should upgrade to KeyRock v5.4.0, PEP Proxy v5.4 or later, and AZF v5.4.1 or later.
I am now closing this issue since there has been no news from the OP for quite some time. You can re-open it if you happen to reproduce the issue with the new software versions.