OpenCHAMI / bss

MIT License

[BUG] /bootscript requests crash BSS when authentication is enabled #21

Closed synackd closed 4 months ago

synackd commented 4 months ago

Describe the bug

When running BSS with authentication enabled (--jwks-url/BSS_JWKS_URL is set), querying the unprotected endpoint /bootscript crashes BSS.

To Reproduce

Steps to reproduce the behavior:

  1. Run BSS with --jwks-url/BSS_JWKS_URL set; run SMD, Postgres, and Hydra as well.
     a. E.g. in this branch and directory, run:
    docker compose -f ochami-services.yml -f hydra.yml up postgres smd bss
  2. Try adding a MAC with:
    curl -k http://<host>:27778/boot/v1/bootscript?mac=00:00:00:00:00:00
  3. See curl response:
    curl: (52) Empty reply from server
  4. In the logs for BSS, observe crash:
    2024/02/01 23:41:15 /bootparameters DELETE: {
      "params": "console=tty2 console=ttyS2,115200n8",
      "kernel": "https://testkerneluri3.tld",
            /home/runner/go/pkg/mod/github.com/go-chi/chi/v5@v5.0.11/mux.go:443 +0x2b4
    net/http.HandlerFunc.ServeHTTP(0xc0005b0d00?, {0x7fedd42316a0?, 0xc0003a4380?}, 0x45?)
            /opt/hostedtoolcache/go/1.21.7/x64/src/net/http/server.go:2136 +0x29
    main.initHandlers.Timeout.func2.1({0x7fedd42316a0?, 0xc0003a4380}, 0xc00046b838?)
            /home/runner/go/pkg/mod/github.com/go-chi/chi@v1.5.1/middleware/timeout.go:45 +0xff
    net/http.HandlerFunc.ServeHTTP(0x4124a5?, {0x7fedd42316a0?, 0xc0003a4380?}, 0xf8?)
            /opt/hostedtoolcache/go/1.21.7/x64/src/net/http/server.go:2136 +0x29
    github.com/go-chi/chi/middleware.StripSlashes.func1({0x7fedd42316a0, 0xc0003a4380}, 0xc0005b0d00)
            /home/runner/go/pkg/mod/github.com/go-chi/chi@v1.5.1/middleware/strip.go:30 +0x127
    net/http.HandlerFunc.ServeHTTP(0x412825?, {0x7fedd42316a0?, 0xc0003a4380?}, 0x1550601?)
            /opt/hostedtoolcache/go/1.21.7/x64/src/net/http/server.go:2136 +0x29
    github.com/go-chi/chi/middleware.Recoverer.func1({0x7fedd42316a0?, 0xc0003a4380?}, 0xc00068ed00?)
            /home/runner/go/pkg/mod/github.com/go-chi/chi@v1.5.1/middleware/recoverer.go:37 +0x78
    net/http.HandlerFunc.ServeHTTP(0xc0005b0c00?, {0x7fedd42316a0?, 0xc0003a4380?}, 0x41327a?)
            /opt/hostedtoolcache/go/1.21.7/x64/src/net/http/server.go:2136 +0x29
    github.com/go-chi/chi/middleware.init.0.RequestLogger.func1.1({0xfe9230, 0xc0001782a0}, 0xc0005b0c00)
            /home/runner/go/pkg/mod/github.com/go-chi/chi@v1.5.1/middleware/logger.go:57 +0x16d
    net/http.HandlerFunc.ServeHTTP(0xc0005b0c00?, {0xfe9230?, 0xc0001782a0?}, 0xc0004ce400?)
            /opt/hostedtoolcache/go/1.21.7/x64/src/net/http/server.go:2136 +0x29
    github.com/go-chi/chi/middleware.RealIP.func1({0xfe9230, 0xc0001782a0}, 0xc0005b0c00)
            /home/runner/go/pkg/mod/github.com/go-chi/chi@v1.5.1/middleware/realip.go:34 +0x95
    net/http.HandlerFunc.ServeHTTP(0xfec3a8?, {0xfe9230?, 0xc0001782a0?}, 0xfe0080?)
            /opt/hostedtoolcache/go/1.21.7/x64/src/net/http/server.go:2136 +0x29
    github.com/go-chi/chi/middleware.RequestID.func1({0xfe9230, 0xc0001782a0}, 0xc0005b0b00)
            /home/runner/go/pkg/mod/github.com/go-chi/chi@v1.5.1/middleware/request_id.go:76 +0x21c
    net/http.HandlerFunc.ServeHTTP(0xfec3e0?, {0xfe9230?, 0xc0001782a0?}, 0x1550670?)
            /opt/hostedtoolcache/go/1.21.7/x64/src/net/http/server.go:2136 +0x29
    github.com/go-chi/chi/v5.(*Mux).ServeHTTP(0xc00026c0c0, {0xfe9230, 0xc0001782a0}, 0xc0005b0a00)
            /home/runner/go/pkg/mod/github.com/go-chi/chi/v5@v5.0.11/mux.go:90 +0x330
    net/http.serverHandler.ServeHTTP({0xc00068ec00?}, {0xfe9230?, 0xc0001782a0?}, 0x6?)
            /opt/hostedtoolcache/go/1.21.7/x64/src/net/http/server.go:2938 +0x8e
    net/http.(*conn).serve(0xc0005926c0, {0xfec3a8, 0xc00068e450})
            /opt/hostedtoolcache/go/1.21.7/x64/src/net/http/server.go:2009 +0x5f4
    created by net/http.(*Server).Serve in goroutine 1
            /opt/hostedtoolcache/go/1.21.7/x64/src/net/http/server.go:3086 +0x5cb

Expected behavior

BSS logs:

2024/02/27 18:17:18 Retrieving state info from http://smd-noauth:27779/hsm/v2
2024/02/27 18:17:18 [bss-noauth/RyqDOzRbG5-000002] "GET http://cg10:37778/boot/v1/bootscript?mac=00:00:00:00:00:00 HTTP/1.1" from 172.16.0.10:52306 - 200 138B in 12.692468ms
2024/02/27 18:17:18 WARNING: MAC "00:00:00:00:00:00" did not return any results.
2024/02/27 18:17:18 BSS request delayed for Unknown MAC 00:00:00:00:00:00 while updating state

curl response:

#!ipxe
sleep 10
chain https://api-gw-service-nmn.local/apis/bss/boot/v1/bootscript?mac=00:00:00:00:00:00&arch=${buildarch}&ts=1709057838

synackd commented 4 months ago

This likely falls under the scope of #20.

davidallendj commented 4 months ago

Is this the one failing because BSS needs a token to access certain SMD endpoints?

synackd commented 4 months ago

I believe that is the cause of this particular bug, yes. Getting the state from SMD returns nil likely because the request returns a 401.

davidallendj commented 4 months ago

PR #23 should fix that when it's done.

synackd commented 4 months ago

Confirmed that #23 fixes this. Closing.
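
The failure mode diagnosed in this thread (an upstream state request answered with a 401, leaving the caller with a nil result) is shown below as an added Go example; it is not part of the issue and is not BSS or SMD code. `State`, `fetchState`, `fakeSMD`, the `/State/Components` path, the token and the component name are all hypothetical or constructed for the illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type State struct{ Components []string } // hypothetical stand-in for upstream state

// fetchState returns an error, never (nil, nil), when the upstream rejects the request.
func fetchState(baseURL, token string) (*State, error) {
	req, err := http.NewRequest(http.MethodGet, baseURL+"/State/Components", nil)
	if err != nil {
		return nil, err
	}
	if token != "" { // an unauthenticated caller sends no Authorization header
		req.Header.Set("Authorization", "Bearer "+token)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // a 401 body is not state; do not decode it
		return nil, fmt.Errorf("state service returned %s", resp.Status)
	}
	s := new(State)
	if err := json.NewDecoder(resp.Body).Decode(s); err != nil {
		return nil, err
	}
	return s, nil
}

func fakeSMD(want string) *httptest.Server { // constructed upstream: 401 without the token
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+want {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, `{"Components":["x1000c0s0b0n0"]}`)
	}))
}

func main() {
	srv := fakeSMD("constructed-token") // torn down when the process exits
	_, err := fetchState(srv.URL, "")
	fmt.Println("no token:", err)
}
```

A handler that calls a function shaped like this can check the error and answer with a 5xx status, so an unprotected endpoint does not take the service down when a dependency starts requiring a token.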