[opensuse-buildservice] 2.6 api not requesting any password
Hi,

Is it possible to secure the API by enforcing a password?

Using the appliance:

$ wget -Sv --no-check-certificate https://172.16.210.154/person/Admin -O -
--2015-08-25 15:33:14--  https://172.16.210.154/person/Admin
Connecting to 172.16.210.154:443... connected.
WARNING: cannot verify 172.16.210.154's certificate, issued by 'emailAddress=test@email.address,OU=Organizational Unit Name,O=Organization Name,L=Test Locality,ST=Test State or Province,C=CC':
  Self-signed certificate encountered.
WARNING: certificate common name '' doesn't match requested host name '172.16.210.154'.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Date: Tue, 25 Aug 2015 15:33:14 GMT
  Server: Apache
  cache-control: max-age=0, private, must-revalidate
  vary: Accept-Encoding
  x-xss-protection: 1; mode=block
  x-opensuse-runtimes: {"view":0.29869500000000004,"db":0.825372,"backend":0,"xml":0}
  x-request-id: 4fee742f-a49a-4ad8-870d-e562089dabc0
  x-opensuse-apiversion: 2.6.3
  x-frame-options: SAMEORIGIN
  x-runtime: 0.007125
  x-content-type-options: nosniff
  Connection: close
  X-Powered-By: Phusion Passenger 5.0.7
  etag: "1fac7a8b0b5a51791daf3179c386d6ac"
  Status: 200 OK
  Cache-Control: public
  Transfer-Encoding: chunked
  Content-Type: text/xml; charset=utf-8
Length: unspecified [text/xml]
Saving to: 'STDOUT'

-  [<=>  ]  0  --.-KB/s
<person>
  <login>Admin</login>
  <email>root@localhost</email>
  <realname>OBS Instance Superuser</realname>
  <state>confirmed</state>
  <globalrole>Admin</globalrole>
</person>
-  [ <=>  ]  180  --.-KB/s  in 0s

2015-08-25 15:33:14 (10.7 MB/s) - written to stdout [180]

The old 2.4 installation would deny that request:

$ wget -Sv --no-check-certificate https://buildapi.open-xchange.com/person/Admin -O -
--2015-08-25 15:36:13--  https://buildapi.open-xchange.com/person/Admin
Resolving buildapi.open-xchange.com... 10.20.30.240
Connecting to buildapi.open-xchange.com|10.20.30.240|:443... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 401 Authorization Required
  Date: Tue, 25 Aug 2015 13:36:13 GMT
  Server: Apache/2.2.12 (Linux/SUSE)
  X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.18
  X-Opensuse-APIVersion: 2.4.0
  WWW-Authenticate: basic realm="API login"
  X-Opensuse-Errorcode: unknown
  X-Opensuse-Runtimes: {"view":0.6410629999999999,"db":0,"backend":0,"xml":0}
  Cache-Control: no-cache
  X-Request-Id: a5850abe01e7e3564713da42c831cb07
  X-Runtime: 0.002770
  X-Rack-Cache: miss
  Status: 401
  Content-Length: 123
  Keep-Alive: timeout=15, max=100
  Connection: Keep-Alive
  Content-Type: application/xml; charset=utf-8
Username/Password Authentication Failed.

--
mit freundlichen Gruessen/with best regards,
Carsten Hoeger
Open-Xchange GmbH
--------------------------------------------------------------------------------
Open-Xchange AG, Rollnerstr. 14, 90408 Nürnberg, Local Court (Amtsgericht) Nürnberg HRB 24738
Management Board: Rafael Laguna de la Vera, Carsten Dirks
Chairman of the Supervisory Board: Richard Seibt
European Office: Open-Xchange GmbH, Martinstr. 41, D-57462 Olpe, Germany, Local Court (Amtsgericht) Siegen, HRB 8718, Managing Directors: Frank Hoberg, Martin Kauss
US Office: Open-Xchange. Inc., 530 Lytton Avenue, Palo Alto, CA 94301, USA
--------------------------------------------------------------------------------
On Tuesday 25 August 2015, 15:38:18 wrote Carsten Höger:
> Hi,
>
> Is it possible to secure the API by enforcing a password?
>
> Using the appliance:
>
> $ wget -Sv --no-check-certificate https://172.16.210.154/person/Admin -O -

This route is also requiring a password today. Are you sure you do not have a .netrc? Can you try with curl?
--
Adrian Schroeter
email: adrian@suse.de
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
Maxfeldstraße 5
90409 Nürnberg
Germany

--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org
Hi,

On 25 Aug 2015, at 15:44 , Adrian Schröter <adrian@suse.de> wrote:
> On Tuesday 25 August 2015, 15:38:18 wrote Carsten Höger:
>> Hi,
>>
>> Is it possible to secure the API by enforcing a password?
>>
>> Using the appliance:
>>
>> $ wget -Sv --no-check-certificate https://172.16.210.154/person/Admin -O -
>
> This route is also requiring a password today. Are you sure you do not have a .netrc?

Nope, I don't have one.

> Can you try with curl?

$ curl -vk https://172.16.210.154/person/Admin
*   Trying 172.16.210.154...
* Connected to 172.16.210.154 (172.16.210.154) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
* Server certificate: Organizational Unit Name
> GET /person/Admin HTTP/1.1
> Host: 172.16.210.154
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 25 Aug 2015 15:49:37 GMT
< Server: Apache
< cache-control: max-age=0, private, must-revalidate
< vary: Accept-Encoding
< x-xss-protection: 1; mode=block
< x-opensuse-runtimes: {"view":0.35848,"db":1.0506950000000002,"backend":0,"xml":0}
< x-request-id: ac2b3d89-2565-4da8-ae35-5f92d4dc9260
< x-opensuse-apiversion: 2.6.3
< x-frame-options: SAMEORIGIN
< x-runtime: 0.008162
< x-content-type-options: nosniff
< Connection: close
< X-Powered-By: Phusion Passenger 5.0.7
< etag: "1fac7a8b0b5a51791daf3179c386d6ac"
< Status: 200 OK
< Cache-Control: public
< Transfer-Encoding: chunked
< Content-Type: text/xml; charset=utf-8
<
<person>
  <login>Admin</login>
  <email>root@localhost</email>
  <realname>OBS Instance Superuser</realname>
  <state>confirmed</state>
  <globalrole>Admin</globalrole>
</person>
* Closing connection 0

$ cat ~/.netrc
cat: /Users/choeger/.netrc: No such file or directory

--
mit freundlichen Gruessen/with best regards,
Carsten Hoeger
Open-Xchange GmbH
On Tuesday 25 August 2015, 15:51:14 wrote Carsten Höger:
> $ curl -vk https://172.16.210.154/person/Admin
> *   Trying 172.16.210.154...
> * Connected to 172.16.210.154 (172.16.210.154) port 443 (#0)

Ah, you are accessing it via the web interface route.... It can indeed be considered a bug.

Right now, I can just recommend disabling anonymous mode in the configuration:

osc api -e /configuration

--
Adrian Schroeter
email: adrian@suse.de
SUSE Linux GmbH
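The thread compares two instances by hand: the 2.6.3 appliance in anonymous mode returns 200 and the full `<person>` record for `/person/Admin` without credentials, while the 2.4.0 installation returns 401 with a `WWW-Authenticate: basic` challenge. The following is an added example (it is not code from the thread, from osc or from OBS) that turns that comparison into a repeatable check an administrator can run after disabling anonymous mode. `classify_response()` works on a captured status, header set and body, so it runs offline; `check_person_route()` does the same over a live HTTPS request against an instance you operate, with certificate verification left on (the `cafile` argument is the CA that signed the appliance certificate). The sample headers and bodies below are constructed, reduced from the responses quoted in the thread.

```python
"""Check whether an OBS API route answers without credentials.

Added example for this thread; not part of osc or OBS. A route that
requires a password answers 401 and names a scheme in WWW-Authenticate.
Anything 2xx means the instance served the record to an anonymous client.
"""
import http.client
import ssl
import xml.etree.ElementTree as ET
from typing import NamedTuple, Optional


class AuthCheck(NamedTuple):
    status: int
    challenge: Optional[str]      # value of WWW-Authenticate, if present
    anonymous_readable: bool      # body was served without credentials
    leaked_login: Optional[str]   # <login> of a <person> record that was served


def classify_response(status: int, headers: dict, body: bytes) -> AuthCheck:
    """Classify one unauthenticated GET /person/<login> response."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    challenge = lower.get("www-authenticate")
    leaked_login = None
    if 200 <= status < 300:
        # Pull the login out of the XML to show exactly what was exposed;
        # a non-XML body simply yields no login.
        try:
            root = ET.fromstring(body)
            if root.tag == "person":
                leaked_login = root.findtext("login")
        except ET.ParseError:
            pass
    return AuthCheck(
        status=status,
        challenge=challenge,
        anonymous_readable=200 <= status < 300,
        leaked_login=leaked_login,
    )


def check_person_route(host: str, login: str = "Admin", port: int = 443,
                       cafile: Optional[str] = None) -> AuthCheck:
    """Live check against an instance you administer (host/cafile are assumptions
    supplied by the caller). Verification stays on: a certificate without a
    matching name fails here instead of being silently accepted."""
    ctx = ssl.create_default_context(cafile=cafile)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=15)
    try:
        conn.request("GET", f"/person/{login}", headers={"Accept": "*/*"})
        resp = conn.getresponse()
        return classify_response(resp.status, dict(resp.getheaders()), resp.read())
    finally:
        conn.close()


# Constructed samples, reduced from the two responses quoted in the thread.
ANON_2_6_HEADERS = {
    "Status": "200 OK",
    "x-opensuse-apiversion": "2.6.3",
    "Content-Type": "text/xml; charset=utf-8",
}
ANON_2_6_BODY = (b"<person><login>Admin</login><email>root@localhost</email>"
                 b"<realname>OBS Instance Superuser</realname>"
                 b"<state>confirmed</state><globalrole>Admin</globalrole></person>")

DENIED_2_4_HEADERS = {
    "Status": "401",
    "X-Opensuse-APIVersion": "2.4.0",
    "WWW-Authenticate": 'basic realm="API login"',
    "Content-Type": "application/xml; charset=utf-8",
}
DENIED_2_4_BODY = b"Username/Password Authentication Failed."


def audit_samples() -> dict:
    """Run the classifier over both captured samples, keyed by API version."""
    return {
        "2.6.3": classify_response(200, ANON_2_6_HEADERS, ANON_2_6_BODY),
        "2.4.0": classify_response(401, DENIED_2_4_HEADERS, DENIED_2_4_BODY),
    }


if __name__ == "__main__":
    for version, result in audit_samples().items():
        verdict = "EXPOSED to anonymous clients" if result.anonymous_readable else "requires auth"
        extra = f" (served login {result.leaked_login!r})" if result.leaked_login else ""
        extra += f", challenge: {result.challenge}" if result.challenge else ""
        print(f"api {version}: {result.status} -> {verdict}{extra}")
```

Run it once before and once after editing the configuration with `osc api -e /configuration`; the `/person/<login>` route should move from the 2.6.3-style result (200, login served) to the 2.4.0-style result (401 with a challenge). Because the live check verifies the server certificate, it also fails loudly on an appliance whose self-signed certificate carries no name for the host, which is the separate problem osc reports later in the thread.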
Hi,
On 25 Aug 2015, at 15:56 , Adrian Schröter <adrian@suse.de> wrote:
>>> Can you try with curl?
>>
>> $ curl -vk https://172.16.210.154/person/Admin
>> *   Trying 172.16.210.154...
>> * Connected to 172.16.210.154 (172.16.210.154) port 443 (#0)
>
> Ah, you are accessing it via the web interface route....

Did I do something wrong?

> It can indeed be considered a bug. Right now, I can just recommend disabling anonymous mode in the configuration:
>
> osc api -e /configuration
linux:~ # osc api -e /configuration
Certificate Verification Error: no commonName in peer certificate

I wasn't able to find a way to convince osc to ignore that. I found this hack (http://stackoverflow.com/questions/2319909/m2crypto-override-post-connection...):

linux:~ # diff -u /usr/lib/python2.7/site-packages/osc/oscssl.py.orig /usr/lib/python2.7/site-packages/osc/oscssl.py
--- /usr/lib/python2.7/site-packages/osc/oscssl.py.orig 2015-08-26 08:49:16.191985558 +0000
+++ /usr/lib/python2.7/site-packages/osc/oscssl.py 2015-08-26 08:49:41.415984974 +0000
@@ -176,6 +176,7 @@ saved_session = None def __init__(self, *args, **kwargs): + SSL.Connection.clientPostConnectionCheck = None self.appname = kwargs.pop('appname', 'generic') M2Crypto.m2urllib2.HTTPSHandler.__init__(self, *args, **kwargs)

Then it works; dunno if there's a better way.

--
mit freundlichen Gruessen/with best regards,
Carsten Hoeger
Open-Xchange GmbH
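Review bot: the added line `SSL.Connection.clientPostConnectionCheck = None` in `__init__` assigns a class attribute, so it switches off the post-connection name check for every M2Crypto `SSL.Connection` created in the osc process, not just for this appliance, and after the patch osc accepts any certificate whose commonName does not match the host it is talking to, which is exactly the mismatch the wget run at the top of the thread reported (`certificate common name '' doesn't match requested host name '172.16.210.154'`). The error osc printed, `no commonName in peer certificate`, points at the appliance certificate rather than at osc: reissuing that certificate with a commonName (or subjectAltName) for the address or hostname used to reach the instance lets `osc api -e /configuration` succeed with verification left on, and the oscssl.py change should not be kept on a machine that also talks to other build service instances.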