[jbosstools-issues] [JBoss JIRA] (JBIDE-26869) CRC server adapter: OpenShift connection that is created is unusable at times

André Dietisheim (Jira) issues at jboss.org
Fri Oct 25 17:31:00 EDT 2019


    [ https://issues.jboss.org/browse/JBIDE-26869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13804745#comment-13804745 ] 

André Dietisheim commented on JBIDE-26869:
------------------------------------------

Digging further I found out the following: when this happens, the request to retrieve the token via the REST service fails with a 403 while when done via the Web-Site URL things work properly.

In the client library we retrieve the authorization endpoint via the unprotected url *<REST-service-host>/.well-known/oauth-authorization-server*. We then get the following json:
{code}
{
  ...
  "authorization_endpoint": "https://oauth-openshift.apps-crc.testing/oauth/authorize",
  ...
}
{code}

The REST client then only uses the path and replaces the host with the host of the REST-endpoint. 
The client requests:
{code}
curl -k -v "https://api.crc.testing:6443/oauth/authorize?response_type=token&client_id=openshift-challenging-client"
{code}
and gets an error:
{code}
< HTTP/2 403
< audit-id: 4416d6ab-5f0a-4bab-b5b3-507e9a6aa319
< cache-control: no-cache, private
< content-type: application/json
< x-content-type-options: nosniff
< content-length: 248
< date: Fri, 25 Oct 2019 20:43:11 GMT
<
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/oauth/authorize\"",
  "reason": "Forbidden",
  "details": {

  },
  "code": 403
}
{code}
Re-requesting won't help, you always get the same error back.
In 8/10 cases and on all online variants this works just fine. 

If you instead then use the host that's provided in the json and request
{code}
curl -k -H "X-CSRF-Token:1" "https://oauth-openshift.apps-crc.testing/oauth/authorize?response_type=token&client_id=openshift-challenging-client" -v -H "X-OPENSHIFT-AUTH-ATTEMPTS: 1" -H "Authorization: Basic ZGV2ZWxvcGVyOmRldmVsb3Blcg=="
{code}
You get the token via the following response:
{code}
< HTTP/1.1 302 Found
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Expires: 0
< Expires: Fri, 01 Jan 1990 00:00:00 GMT
< Location: https://oauth-openshift.apps-crc.testing/oauth/token/implicit#access_token=gZmoytHS0tGIT4m6fQhat958eIT-lbTvF-4M8SSvNzc&expires_in=86400&scope=user%3Afull&token_type=Bearer
< Pragma: no-cache
< Pragma: no-cache
< Referrer-Policy: strict-origin-when-cross-origin
< Set-Cookie: ssn=MTU3MjAzNTQxOHxSZ2N0YXNjZENEMGx2Qk9zTHBidDZQQzIwU3kwMnNjMEh3VGRwTk5GcmRqemFEaXV0M0lnOW5wMmR1bUV3cjE1RUdYU1h3NXZKMWhiRDVtczFqcTJUY2I2MEQyVDI0RWNEc1I0U1k1UjlVT2pWV3hFcGREOFZIajBqWHlLbWo3OHduU0xXeGJzSmZIbG5reEpabUJqTDVOcy1oQkFMSGxHQXc9PXzPAWZ_kLR1ZzE8gHpjwIrj8y_enudtAwsN09vQGToCCw==; Path=/; HttpOnly; Secure
< X-Content-Type-Options: nosniff
< X-Dns-Prefetch-Control: off
< X-Frame-Options: DENY
< X-Xss-Protection: 1; mode=block
< Date: Fri, 25 Oct 2019 20:30:18 GMT
{code}
The token is in the *Location* header (access_token=).

It thus looks to me as if, in these failure cases, CRC didn't start up correctly and portions failed to come up.
To solve this issue we should request on the host that's reported in the json, not replace it by the known REST endpoint. We'd also have to verify that requesting in this way also works for OpenShift 3.x. Chances are high given that the latter also reports in the same way, at least from what I can see in employee.openshift.com.

> CRC server adapter: OpenShift connection that is created is unusable at times
> -----------------------------------------------------------------------------
>
>                 Key: JBIDE-26869
>                 URL: https://issues.jboss.org/browse/JBIDE-26869
>             Project: Tools (JBoss Tools)
>          Issue Type: Bug
>          Components: openshift
>    Affects Versions: 4.13.0.AM1
>         Environment: CRC Beta5
>            Reporter: André Dietisheim
>            Assignee: André Dietisheim
>            Priority: Critical
>             Fix For: 4.13.0.Final, 4.14.0.AM1
>
>         Attachments: crc-connection-error.mp4, start-crc-error-openshift-conn.mp4
>
>
> *Steps* - not reproducible at 100%, happens from time to time:
> # ASSERT: have ~/.crc folder killed
> # EXEC: create new CRC server adapter & Start it
> # ASSERT: OpenShift connection is created
> *Result:*
> Connection fails to authorize, reports that it cannot access resources using system:anonymous. Refreshing the connection doesn't help, so it's apparently not a timing issue (ex. creating the connection before the cluster is fully up and running)
> {code}
> com.openshift.restclient.authorization.ResourceForbiddenException: forbidden: User "system:anonymous" cannot get path "/oauth/authorize" forbidden: User "system:anonymous" cannot get path "/oauth/authorize"
> 	at com.openshift.internal.restclient.okhttp.ResponseCodeInterceptor.createOpenShiftException(ResponseCodeInterceptor.java:111)
> 	at com.openshift.internal.restclient.okhttp.ResponseCodeInterceptor.intercept(ResponseCodeInterceptor.java:66)
> 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:112)
> 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:87)
> 	at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.kt:184)
> 	at okhttp3.RealCall.execute(RealCall.kt:66)
> 	at com.openshift.internal.restclient.okhttp.OpenShiftAuthenticator.tryAuth(OpenShiftAuthenticator.java:109)
> 	at com.openshift.internal.restclient.okhttp.OpenShiftAuthenticator.authenticate(OpenShiftAuthenticator.java:62)
> 	at okhttp3.internal.http.RetryAndFollowUpInterceptor.followUpRequest(RetryAndFollowUpInterceptor.kt:213)
> 	at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:102)
> 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:112)
> 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:87)
> 	at com.openshift.internal.restclient.okhttp.ResponseCodeInterceptor.intercept(ResponseCodeInterceptor.java:55)
> 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:112)
> 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:87)
> 	at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.kt:184)
> 	at okhttp3.RealCall.execute(RealCall.kt:66)
> 	at com.openshift.internal.restclient.DefaultClient.request(DefaultClient.java:315)
> 	at com.openshift.internal.restclient.DefaultClient.execute(DefaultClient.java:307)
> 	at com.openshift.internal.restclient.DefaultClient.execute(DefaultClient.java:275)
> 	at com.openshift.internal.restclient.DefaultClient.execute(DefaultClient.java:243)
> 	at com.openshift.internal.restclient.DefaultClient.execute(DefaultClient.java:226)
> 	at com.openshift.internal.restclient.DefaultClient.get(DefaultClient.java:423)
> 	at com.openshift.internal.restclient.authorization.AuthorizationContext.isAuthorized(AuthorizationContext.java:63)
> 	at org.jboss.tools.openshift.core.connection.Connection.authorize(Connection.java:237)
> 	at org.jboss.tools.openshift.core.connection.Connection.connect(Connection.java:226)
> 	at org.jboss.tools.openshift.internal.crc.server.core.listeners.ConfigureCRCFrameworksListener.configureOpenshift(ConfigureCRCFrameworksListener.java:102)
> 	at org.jboss.tools.openshift.internal.crc.server.core.listeners.ConfigureCRCFrameworksListener.configureFrameworks(ConfigureCRCFrameworksListener.java:73)
> 	at org.jboss.tools.openshift.internal.crc.server.core.listeners.ConfigureCRCFrameworksListener$1.run(ConfigureCRCFrameworksListener.java:66)
> 	at org.eclipse.core.internal.jobs.Worker.run(Worker.java:63)
> {code}



--
This message was sent by Atlassian Jira
(v7.13.8#713008)
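
The endpoint handling discussed in the comment above, as an added Python example (not code from the OpenShift REST client or from the commenter): it contrasts keeping only the path on the REST host with using the advertised `authorization_endpoint` as-is, and parses the token out of the `Location` fragment. The function names are hypothetical, the discovery document is trimmed to the one field quoted above, and the token value is a constructed placeholder.

```python
import json
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed inputs: the discovery field and REST host quoted in the comment,
# and a Location header with a placeholder token instead of a real one.
DISCOVERY = json.dumps({
    "authorization_endpoint":
        "https://oauth-openshift.apps-crc.testing/oauth/authorize",
})
API_URL = "https://api.crc.testing:6443"
SAMPLE_LOCATION = (
    "https://oauth-openshift.apps-crc.testing/oauth/token/implicit"
    "#access_token=EXAMPLE-TOKEN&expires_in=86400"
    "&scope=user%3Afull&token_type=Bearer"
)


def advertised_endpoint(discovery_json):
    """Return the authorization endpoint exactly as the server advertises it."""
    endpoint = json.loads(discovery_json)["authorization_endpoint"]
    parts = urlsplit(endpoint)
    # Basic credentials are sent to this URL, so insist on HTTPS and a host.
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"refusing endpoint without HTTPS/host: {endpoint!r}")
    return endpoint


def rewritten_endpoint(discovery_json, api_url):
    """Behaviour described in the comment: keep the path, swap in the REST host."""
    path = urlsplit(advertised_endpoint(discovery_json)).path
    api = urlsplit(api_url)
    return urlunsplit((api.scheme, api.netloc, path, "", ""))


def token_from_location(location):
    """Extract the implicit-grant token from the fragment of a 302 Location."""
    fragment = parse_qs(urlsplit(location).fragment)
    if "access_token" not in fragment:
        raise ValueError("no access_token in Location fragment")
    return {
        "access_token": fragment["access_token"][0],
        "expires_in": int(fragment.get("expires_in", ["0"])[0]),
        "scope": fragment.get("scope", [""])[0],  # parse_qs decodes %3A
    }


if __name__ == "__main__":
    print("advertised:", advertised_endpoint(DISCOVERY))
    print("rewritten: ", rewritten_endpoint(DISCOVERY, API_URL))
    print("token:     ", token_from_location(SAMPLE_LOCATION))
```
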


