[jbosstools-issues] [JBoss JIRA] (JBIDE-26869) CRC server adapter: OpenShift connection that is created is unusable at times

André Dietisheim (Jira) issues at jboss.org
Fri Oct 25 17:38:00 EDT 2019


    [ https://issues.jboss.org/browse/JBIDE-26869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13804745#comment-13804745 ] 

André Dietisheim edited comment on JBIDE-26869 at 10/25/19 5:37 PM:
--------------------------------------------------------------------

Digging further I found out the following: when this happens, the request to retrieve the token via the REST service fails with a 403, while when done via the Web-Site URL things work properly.
It thus looks to me as if in these failure cases, CRC didn't start up correctly, portions failed to come up.
To solve this issue we should use the full url that's reported as authentication endpoint. The client library currently maps the host portion to the known REST service host.

In full details:
In the client library we retrieve the authorization endpoint via the unprotected url *<REST-service-host>/.well-known/oauth-authorization-server*. We then get the following json:
{code}
{
  ...
  "authorization_endpoint": "https://oauth-openshift.apps-crc.testing/oauth/authorize",
  ...
{code}

The REST client then only uses the path and replaces the host with the one of the known REST-endpoint (*<REST-service-host>/oauth/authorize* instead of *https://oauth-openshift.apps-crc.testing/oauth/authorize*). 
The client requests:
{code}
curl -k -v "https://api.crc.testing:6443/oauth/authorize?response_type=token&client_id=openshift-challenging-client"
{code}
and gets an error:
{code}
< HTTP/2 403
< audit-id: 4416d6ab-5f0a-4bab-b5b3-507e9a6aa319
< cache-control: no-cache, private
< content-type: application/json
< x-content-type-options: nosniff
< content-length: 248
< date: Fri, 25 Oct 2019 20:43:11 GMT
<
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/oauth/authorize\"",
  "reason": "Forbidden",
  "details": {

  },
  "code": 403
{code}
Re-requesting won't help, you always get the same error back.
In 8/10 cases in crc and on all online variants this works just fine and won't report an error.

If you instead then use the host that's provided in the json and request
{code}
curl -k -H "X-CSRF-Token:1" "https://oauth-openshift.apps-crc.testing/oauth/authorize?response_type=token&client_id=openshift-challenging-client" -v -H "X-OPENSHIFT-AUTH-ATTEMPTS: 1" -H "Authorization: Basic ZGV2ZWxvcGVyOmRldmVsb3Blcg=="
{code}
You get the token via the following response:
{code}
< HTTP/1.1 302 Found
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Expires: 0
< Expires: Fri, 01 Jan 1990 00:00:00 GMT
< Location: https://oauth-openshift.apps-crc.testing/oauth/token/implicit#access_token=gZmoytHS0tGIT4m6fQhat958eIT-lbTvF-4M8SSvNzc&expires_in=86400&scope=user%3Afull&token_type=Bearer
< Pragma: no-cache
< Pragma: no-cache
< Referrer-Policy: strict-origin-when-cross-origin
< Set-Cookie: ssn=MTU3MjAzNTQxOHxSZ2N0YXNjZENEMGx2Qk9zTHBidDZQQzIwU3kwMnNjMEh3VGRwTk5GcmRqemFEaXV0M0lnOW5wMmR1bUV3cjE1RUdYU1h3NXZKMWhiRDVtczFqcTJUY2I2MEQyVDI0RWNEc1I0U1k1UjlVT2pWV3hFcGREOFZIajBqWHlLbWo3OHduU0xXeGJzSmZIbG5reEpabUJqTDVOcy1oQkFMSGxHQXc9PXzPAWZ_kLR1ZzE8gHpjwIrj8y_enudtAwsN09vQGToCCw==; Path=/; HttpOnly; Secure
< X-Content-Type-Options: nosniff
< X-Dns-Prefetch-Control: off
< X-Frame-Options: DENY
< X-Xss-Protection: 1; mode=block
< Date: Fri, 25 Oct 2019 20:30:18 GMT
{code}
The token is in the *Location* header (access_token=).


> CRC server adapter: OpenShift connection that is created is unusable at times
> -----------------------------------------------------------------------------
>
>                 Key: JBIDE-26869
>                 URL: https://issues.jboss.org/browse/JBIDE-26869
>             Project: Tools (JBoss Tools)
>          Issue Type: Bug
>          Components: openshift
>    Affects Versions: 4.13.0.AM1
>         Environment: CRC Beta5
>            Reporter: André Dietisheim
>            Assignee: André Dietisheim
>            Priority: Critical
>             Fix For: 4.13.0.Final, 4.14.0.AM1
>
>         Attachments: crc-connection-error.mp4, start-crc-error-openshift-conn.mp4
>
>
> *Steps* - not reproducible at 100%, happens from time to time:
> # ASSERT: have ~/.crc folder killed
> # EXEC: create new CRC server adapter & Start it
> # ASSERT: OpenShift connection is created
> *Result:*
> Connection fails to authorize, reports that it cannot access resources using system:anonymous. Refreshing the connection doesn't help, so it's apparently not a timing issue (ex. creating the connection before the cluster is fully up and running)
> {code}
> com.openshift.restclient.authorization.ResourceForbiddenException: forbidden: User "system:anonymous" cannot get path "/oauth/authorize" forbidden: User "system:anonymous" cannot get path "/oauth/authorize"
> 	at com.openshift.internal.restclient.okhttp.ResponseCodeInterceptor.createOpenShiftException(ResponseCodeInterceptor.java:111)
> 	at com.openshift.internal.restclient.okhttp.ResponseCodeInterceptor.intercept(ResponseCodeInterceptor.java:66)
> 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:112)
> 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:87)
> 	at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.kt:184)
> 	at okhttp3.RealCall.execute(RealCall.kt:66)
> 	at com.openshift.internal.restclient.okhttp.OpenShiftAuthenticator.tryAuth(OpenShiftAuthenticator.java:109)
> 	at com.openshift.internal.restclient.okhttp.OpenShiftAuthenticator.authenticate(OpenShiftAuthenticator.java:62)
> 	at okhttp3.internal.http.RetryAndFollowUpInterceptor.followUpRequest(RetryAndFollowUpInterceptor.kt:213)
> 	at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:102)
> 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:112)
> 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:87)
> 	at com.openshift.internal.restclient.okhttp.ResponseCodeInterceptor.intercept(ResponseCodeInterceptor.java:55)
> 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:112)
> 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:87)
> 	at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.kt:184)
> 	at okhttp3.RealCall.execute(RealCall.kt:66)
> 	at com.openshift.internal.restclient.DefaultClient.request(DefaultClient.java:315)
> 	at com.openshift.internal.restclient.DefaultClient.execute(DefaultClient.java:307)
> 	at com.openshift.internal.restclient.DefaultClient.execute(DefaultClient.java:275)
> 	at com.openshift.internal.restclient.DefaultClient.execute(DefaultClient.java:243)
> 	at com.openshift.internal.restclient.DefaultClient.execute(DefaultClient.java:226)
> 	at com.openshift.internal.restclient.DefaultClient.get(DefaultClient.java:423)
> 	at com.openshift.internal.restclient.authorization.AuthorizationContext.isAuthorized(AuthorizationContext.java:63)
> 	at org.jboss.tools.openshift.core.connection.Connection.authorize(Connection.java:237)
> 	at org.jboss.tools.openshift.core.connection.Connection.connect(Connection.java:226)
> 	at org.jboss.tools.openshift.internal.crc.server.core.listeners.ConfigureCRCFrameworksListener.configureOpenshift(ConfigureCRCFrameworksListener.java:102)
> 	at org.jboss.tools.openshift.internal.crc.server.core.listeners.ConfigureCRCFrameworksListener.configureFrameworks(ConfigureCRCFrameworksListener.java:73)
> 	at org.jboss.tools.openshift.internal.crc.server.core.listeners.ConfigureCRCFrameworksListener$1.run(ConfigureCRCFrameworksListener.java:66)
> 	at org.eclipse.core.internal.jobs.Worker.run(Worker.java:63)
> {code}
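The host-rewriting defect described in the comment above, modelled as an added example (not code from openshift-restclient-java or JBoss Tools): the discovery document is constructed to mirror the one quoted in the comment, the rebasing function reproduces the behaviour that yields the 403 from system:anonymous, the discovery-based function uses the advertised authorization_endpoint verbatim, and the final helper extracts the implicit-flow token from the 302 Location fragment. The placeholder token value is constructed, not the one from the comment.

```python
import json
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed discovery document, shaped like the one the comment quotes from
# <REST-service-host>/.well-known/oauth-authorization-server.
DISCOVERY_JSON = json.dumps({
    "issuer": "https://oauth-openshift.apps-crc.testing",
    "authorization_endpoint": "https://oauth-openshift.apps-crc.testing/oauth/authorize",
    "token_endpoint": "https://oauth-openshift.apps-crc.testing/oauth/token",
})
API_SERVER = "https://api.crc.testing:6443"  # the "known REST service host"


def authorize_url_rebased(discovery: str, api_server: str) -> str:
    """Defective resolution: keep only the path and rebase it on the API host.

    On a CRC cluster whose API server does not serve /oauth/authorize this is
    the request that comes back as HTTP 403 for system:anonymous.
    """
    path = urlsplit(json.loads(discovery)["authorization_endpoint"]).path
    api = urlsplit(api_server)
    return urlunsplit((api.scheme, api.netloc, path, "", ""))


def authorize_url_from_discovery(discovery: str) -> str:
    """Corrected resolution: trust the full URL the cluster advertises."""
    endpoint = json.loads(discovery)["authorization_endpoint"]
    if urlsplit(endpoint).scheme != "https":
        # Never send a challenging-client credential over plain HTTP.
        raise ValueError("authorization_endpoint must be https")
    return endpoint


def implicit_flow_request(authorize_url: str,
                          client_id: str = "openshift-challenging-client") -> str:
    """Build the authorize request the client issues (query from the comment)."""
    return f"{authorize_url}?response_type=token&client_id={client_id}"


def token_from_location(location: str) -> dict:
    """Parse access_token & friends from the fragment of the 302 Location header."""
    fragment = urlsplit(location).fragment
    if not fragment:
        raise ValueError("Location header carries no fragment; no token was issued")
    params = {k: v[0] for k, v in parse_qs(fragment).items()}
    if "access_token" not in params:
        raise ValueError("fragment present but no access_token in it")
    return params
```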
