search

certtools / intelmq-api

FastAPI-based API for the IntelMQ project
https://docs.intelmq.org/latest/user/api/
1 stars 7 forks source link

wsgi error with intelmq-api #22

Closed MarcosxDeveloper closed 3 years ago

MarcosxDeveloper commented 3 years ago

action => login

http response => internal server error

installation type => python pip

intelmqctl check => No issues found

apache2 logs:

[Fri Mar 05 14:28:49.394030 2021] [wsgi:error] [pid 19059] [client 167.99.148.151:52980]   File "/usr/local/lib/python3.6/dist-packages/intelmq_api/api.py", line 196, in login, referer: https://intelmq.csirt.gob.do/intelmq-manager/
[Fri Mar 05 14:28:49.394035 2021] [wsgi:error] [pid 19059] [client 167.99.148.151:52980]     token = session_store.new_session({"username": username}), referer: https://intelmq.csirt.gob.do/intelmq-manager/
[Fri Mar 05 14:28:49.394043 2021] [wsgi:error] [pid 19059] [client 167.99.148.151:52980]   File "/usr/local/lib/python3.6/dist-packages/intelmq_api/session.py", line 128, in new_session, referer: https://intelmq.csirt.gob.do/intelmq-manager/
[Fri Mar 05 14:28:49.394048 2021] [wsgi:error] [pid 19059] [client 167.99.148.151:52980]     self.set(token, session_data), referer: https://intelmq.csirt.gob.do/intelmq-manager/
[Fri Mar 05 14:28:49.394055 2021] [wsgi:error] [pid 19059] [client 167.99.148.151:52980]   File "/usr/local/lib/python3.6/dist-packages/intelmq_api/session.py", line 124, in set, referer: https://intelmq.csirt.gob.do/intelmq-manager/
[Fri Mar 05 14:28:49.394060 2021] [wsgi:error] [pid 19059] [client 167.99.148.151:52980]     (session_id, json.dumps(session_data))), referer: https://intelmq.csirt.gob.do/intelmq-manager/
[Fri Mar 05 14:28:49.394068 2021] [wsgi:error] [pid 19059] [client 167.99.148.151:52980]   File "/usr/local/lib/python3.6/dist-packages/intelmq_api/session.py", line 105, in execute, referer: https://intelmq.csirt.gob.do/intelmq-manager/
[Fri Mar 05 14:28:49.394078 2021] [wsgi:error] [pid 19059] [client 167.99.148.151:52980]     return con.execute(stmt, params).fetchone(), referer: https://intelmq.csirt.gob.do/intelmq-manager/
[Fri Mar 05 14:28:49.394103 2021] [wsgi:error] [pid 19059] [client 167.99.148.151:52980] sqlite3.OperationalError: attempt to write a readonly database, referer: https://intelmq.csirt.gob.do/intelmq-manager/
ghost commented 3 years ago

Did you follow the installation steps here? https://intelmq.readthedocs.io/en/maintenance/user/intelmq-api.html

-> Does the webserver have write permissions for /etc/intelmq/api-session.sqlite?

MarcosxDeveloper commented 3 years ago

Yes! I Install it with pip and test it with hug

using the curl command for login does not give any problem

the problem comes when accessing through the webserver

I already tried to give it permissions in various ways with chow and chmod but the problem persists

ghost commented 3 years ago

Please show:

echo $INTELMQ_API_CONFIG
jq .session_store ${INTELMQ_API_CONFIG:-/etc/intelmq/api-config.json}
jq .session_store ${INTELMQ_API_CONFIG:-/etc/intelmq/api-config.json} | tr -d '"' | xargs ls -l
MarcosxDeveloper commented 3 years ago

ok! here you have the result:

  1. /usr/local/lib/python3.6/dist-packages/etc/intelmq/api-config.json
  2. "/etc/intelmq/api-session.sqlite"
  3. -rw-rw-r-- 1 www-data www-data 24576 Mar 5 08:06 /etc/intelmq/api-session.sqlite
MarcosxDeveloper commented 3 years ago

I used the following apache2 conf:

# SPDX-FileCopyrightText: 2020 Birger Schacht
#
# SPDX-License-Identifier: CC0-1.0

#Override the default configuration file path using the
#INTELMQ_API_CONFIG environment variable
#SetEnv INTELMQ_API_CONFIG /etc/intelmq/api-config.json

<IfModule mod_wsgi.c>
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
WSGIScriptAlias / /usr/local/lib/python3.6/dist-packages/intelmq_api/intelmq-api.wsgi
</IfModule>

<Directory /usr/local/lib/python3.6/dist-packages/intelmq_api/>
   Require all granted
</Directory>
ghost commented 3 years ago

/usr/local/lib/python3.6/dist-packages/etc/intelmq/api-config.json looks strange.

But it looks like www-data should have write-access to the actual session file. Let's test it explicitly:

sudo -u www-data namei -l /etc/intelmq/api-session.sqlite
MarcosxDeveloper commented 3 years ago

ok! here you have the result:

drwxr-xr-x root     root     /
drwxr-xr-x root     root     etc
drwxrwxr-x 997      997      intelmq
-rw-rw-r-- www-data www-data api-session.sqlite
ghost commented 3 years ago

Okay, you've got me stumped.

Let's wait for @schacht-certat, I'm sure he has better ideas than I have. But you'd have to wait until Monday.

Anyway: thanks for reporting the issue, I'm sure we can resolve that together :)

MarcosxDeveloper commented 3 years ago

hello @wagner-certat!

I Solved the problem added www-data permission to /etc/intelmq folder and not only api-session.sqlite file.

it seems that sqlite3 creates some temporary files in the folder when reading the api-session.sqlite file,

MarcosxDeveloper commented 3 years ago

command:

sudo -u www-data namei -l /etc/intelmq/api-session.sqlite

result:

f: /etc/intelmq/api-session.sqlite
drwxr-xr-x root     root     /
drwxr-xr-x root     root     etc
drwxrwxr-x www-data www-data intelmq
-rw-rw-r-- www-data www-data api-session.sqlite
ghost commented 3 years ago

Oh, yeah. Right. I actually stumbled over the same issues some weeks ago while testing :/ Great that you could resolve it so fast.

We should add that to the documentation and maybe add some verbose logging to hint into this direction as well.

ghost commented 3 years ago

You can also let intelmq itself own (owner and group) the directory and add www-data to the intelmq group. That's how we do it in the deb/rpm-packages.

ghost commented 3 years ago
MarcosxDeveloper commented 3 years ago

thanks @wagner-certat

I have another bug but I will open another ticket for that