Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(credentials): query for Agent HTTP credentials without specific userinfo #1674

Merged
merged 1 commit into from
Sep 25, 2023

Conversation

andrewazores
Copy link
Member

Welcome to Cryostat! 👋

Before contributing, make sure you have:

  • Read the contributing guidelines
  • Linked a relevant issue which this PR resolves
  • Linked any other relevant issues, PR's, or documentation, if any
  • Resolved all conflicts, if any
  • Rebased your branch PR on top of the latest upstream main branch
  • Attached at least one of the following labels to the PR: [chore, ci, docs, feat, fix, test]
  • Signed all commits using a GPG signature

To recreate commits with GPG signature git fetch upstream && git rebase --force --gpg-sign upstream/main


Fixes: #1673

Description of the change:

When querying for stored credentials by targetId, check if the provided targetId is JMX. If not, assume it is Agent HTTP, and check if there is an exact match for the given targetId as well as if there is a match for that targetId without the userinfo part of the URI.

Motivation for the change:

This way the credentials querying is lenient on clients not including stored credentials in the Agent HTTP URI, which should not normally be expected - the server has those credentials stored in the encrypted database table, provided to it by the Agent instance, so these credentials are not known to the client and the reference to them in the database should also not be required knowledge for the client to perform queries.

How to manually test:

  1. Run CRYOSTAT_IMAGE=quay.io... sh smoketest.sh...
  2. https -vv --auth=user:pass :8181/api/v2.3/targets/$(echo -n http://localhost:9988/ | jq -sRr @uri)/mbeanMetrics and ensure that the response is a JSON object containing MBean information.

@github-actions
Copy link
Contributor

Hi @andrewazores! Add at least one of the required labels to this PR

Required labels are : chore,ci,cleanup,docs,feat,fix,perf,refactor,style,test

@andrewazores
Copy link
Member Author

/build_test

@mergify mergify bot added the safe-to-test label Sep 18, 2023
@andrewazores
Copy link
Member Author

@github-actions
Copy link
Contributor

ARCH IMAGE
amd64 ghcr.io/cryostatio/cryostat:pr-1674-6b80549a7de4e3a92d9989b32b221804e3f58993-linux-amd64
arm64 ghcr.io/cryostatio/cryostat:pr-1674-6b80549a7de4e3a92d9989b32b221804e3f58993-linux-arm64

To run smoketest:

# amd64          
CRYOSTAT_IMAGE=ghcr.io/cryostatio/cryostat:pr-1674-6b80549a7de4e3a92d9989b32b221804e3f58993-linux-amd64 sh smoketest.sh

# or arm64
CRYOSTAT_IMAGE=ghcr.io/cryostatio/cryostat:pr-1674-6b80549a7de4e3a92d9989b32b221804e3f58993-linux-arm64 sh smoketest.sh

@aali309
Copy link
Contributor

aali309 commented Sep 18, 2023

I get this error:

Accept: */*
Accept-Encoding: gzip, deflate
Authorization: Basic dXNlcjpwYXNz
Connection: keep-alive
Host: localhost:8181
User-Agent: HTTPie/3.2.2


https: error: SSLError: HTTPSConnectionPool(host='localhost', port=8181): Max retries exceeded with url: 
/api/v2.3/targets/http%3A%2F%2Flocalhost%3A9988%2F/mbeanMetrics 
(Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1002)'))) while doing a GET 
request to URL: https://localhost:8181/api/v2.3/targets/http%3A%2F%2Flocalhost%3A9988%2F/mbeanMetrics

@andrewazores
Copy link
Member Author

https://httpie.io/docs/cli/https

Add --verify=no.

Copy link
Contributor

@aali309 aali309 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Still get the error:

HTTP/1.1 500 Internal Server Error
content-encoding: gzip
content-length: 214
content-type: application/json

{
    "data": {
        "reason": "java.util.concurrent.ExecutionException: java.lang.RuntimeException: java.util.concurrent.CompletionException: java.lang.RuntimeException: org.apache.http.auth.InvalidCredentialsException: No credentials found for agent http://localhost:9988/"
    },
    "meta": {
        "status": "Internal Server Error",
        "type": "text/plain"
    }
}

@andrewazores
Copy link
Member Author

Go to the Security view in th Web UI. Are there stored credentials for that agent connection URL listed?

@andrewazores andrewazores force-pushed the api-targetid-agent-http branch 3 times, most recently from 553b8bb to 6c15238 Compare September 22, 2023 13:48
Copy link
Member

@mwangggg mwangggg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good to me - just need to rebase

@andrewazores andrewazores merged commit 3344e78 into cryostatio:main Sep 25, 2023
7 checks passed
@andrewazores andrewazores deleted the api-targetid-agent-http branch September 25, 2023 18:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
No open projects
Status: Done
Development

Successfully merging this pull request may close these issues.

[Bug] Cannot use targets/:targetId-style API endpoints for Agent HTTP connections
3 participants