cloudfoundry-incubator / admin-ui

Need new main contributor - An application for viewing Cloud Foundry metrics and operations data.
Apache License 2.0

Add support for troubleshooting uaa/cf requests HTTP payload #193

Closed gberche-orange closed 4 years ago

gberche-orange commented 4 years ago

Expected behavior

As an admin-ui operator

Observed behavior

When the admin-ui is running as a cf app

$ cf ssh admin-ui
$ cat app/admin_ui.log
[...]
E, [2020-10-14T15:02:21.804262 #7] ERROR -- : [ -- ] : [ -- ] : Authorization failure, redirecting to login...
E, [2020-10-14T15:02:33.735249 #7] ERROR -- : [ -- ] : [ -- ] : Error during /login: #<AdminUI::CCRestClientResponseError: Forbidden>
E, [2020-10-14T15:02:33.735399 #7] ERROR -- : [ -- ] : [ -- ] : /home/vcap/app/lib/admin/cc_rest_client.rb:151:in `block in cf_request'
/home/vcap/app/lib/admin/cc_rest_client.rb:142:in `loop'
/home/vcap/app/lib/admin/cc_rest_client.rb:142:in `cf_request'
/home/vcap/app/lib/admin/cc_rest_client.rb:275:in `sso_login_introspect_token'
/home/vcap/app/lib/admin/cc_rest_client.rb:123:in `sso_login_token_payload_json'
/home/vcap/app/lib/admin/login.rb:21:in `login_user'
/home/vcap/app/lib/admin/web.rb:353:in `block in <class:Web>'
/home/vcap/deps/0/vendor_bundle/ruby/2.7.0/gems/sinatra-2.1.0/lib/sinatra/base.rb:1675:in `call'
/home/vcap/deps/0/vendor_bundle/ruby/2.7.0/gems/sinatra-2.1.0/lib/sinatra/base.rb:1675:in `block in compile!'

Workaround

Before doing the cf push, edit lib/admin/utils.rb and add `http.set_debug_output $stderr` (see https://docs.ruby-lang.org/en/2.0.0/Net/HTTP.html#method-i-set_debug_output):

diff --git a/lib/admin/utils.rb b/lib/admin/utils.rb
index 7c3266bf..5e06515b 100644
--- a/lib/admin/utils.rb
+++ b/lib/admin/utils.rb
@@ -40,6 +40,8 @@ module AdminUI
       http.verify_mode = config.cloud_controller_ssl_verify_none ? OpenSSL::SSL::VERIFY_NONE : OpenSSL::SSL::VERIFY_PEER
       request          = get_method_class(method).new(path)

+http.set_debug_output $stderr
+
       request.basic_auth(basic_auth_array[0], basic_auth_array[1]) unless basic_auth_array.nil? || basic_auth_array.length < 2
       request['Authorization'] = authorization_header unless authorization_header.nil?
       request['Accept']        = 'application/json'
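Review bot: the added `http.set_debug_output $stderr` is unconditional and unindented relative to the method body, and it dumps every request and response verbatim to stderr, which means the `Authorization` header set two lines below (and any basic-auth credentials from `request.basic_auth`) land in `cf logs`, as the bearer token fragment in the trace further down shows. As a temporary troubleshooting patch that is acceptable, but it must not be pushed as-is; gate it behind a config setting in the same style as `config.cloud_controller_ssl_verify_none` on the first context line (e.g. `http.set_debug_output(logger) if config.http_debug`), default it to off, and route it to the application logger rather than `$stderr`.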

As a result, `cf logs admin-ui` now displays HTTP traces (and shows the problem fixed in https://github.com/cloudfoundry-incubator/admin-ui/commit/b9b32e0a1c9bb1ffcad19e203a4c55d9655854a7: the client is missing the uaa.resource scope, according to https://docs.cloudfoundry.org/api/uaa/version/74.26.0/index.html#introspect-token):

Authorization: One of the following authentication/authorization mechanisms: Bearer token for a registered client with authority uaa.resource [Recommended]

2020-10-15T10:56:24.95+0200 [APP/PROC/WEB/0] ERR <- "POST /introspect HTTP/1.1\r\nAccept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3\r\nAccept: application/json\r\nUser-Agent: Ruby\r\n
[...]
Authorization: bearer eyJhbGciOiJSUzI1NiIsImprdS
2020-10-15T10:56:24.96+0200 [APP/PROC/WEB/0] ERR -> "HTTP/1.1 403 Forbidden\r\n"
2020-10-15T10:56:24.96+0200 [APP/PROC/WEB/0] ERR -> "{\"error\":\"access_denied\",\"error_description\":\"Access is denied\"}"

rboykin commented 4 years ago

@gberche-orange

I will try to get to this issue this week.

In order to enable it, I will add a new config option to turn on http debug as you specify above. Default for the option will be false since this is a security exposure.

rboykin commented 4 years ago

@gberche-orange

Support for new config option http_debug added with commit https://github.com/cloudfoundry-incubator/admin-ui/commit/f2869b0d98618162f3ca0216482885bfb3eeb3fe. Default value is false as logging of HTTP calls is a security exposure. HTTP debug logs will be written to the admin UI log file, not to stderr as shown above.
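
The trace above shows why an HTTP debug sink is a credential leak: Net::HTTP dumps the full request, bearer token included, into whatever IO it is given. The block below is an added example, not admin-ui code and not the http_debug implementation in the linked commit; it shows an opt-in sink of the kind that fix describes, wired to the application logger rather than `$stderr`, with the `Authorization` header and any `access_token` field masked before they are written. All names in it (`HttpDebugExample`, `RedactingDebugOutput`, `build_http`, the `http_debug` config key, the sample token and hostname) are assumptions for illustration; the sink relies only on the documented behaviour that Net::HTTP calls `<<` on the debug output object with `String#dump`-escaped data.

```ruby
# Added example (not admin-ui code): a redacting sink for Net::HTTP#set_debug_output,
# plus opt-in wiring of the kind the http_debug option in the fix describes.
# Every name here (HttpDebugExample, RedactingDebugOutput, build_http) is hypothetical.
require 'net/http'
require 'openssl'
require 'logger'
require 'stringio'
require 'uri'

module HttpDebugExample
  # Net::HTTP writes its debug trace with String#dump, so CR/LF show up as the
  # literal characters \r\n and quotes as \" (exactly as in the cf logs excerpt above).
  # The sink therefore matches on the dumped form and only needs to respond to #<<.
  class RedactingDebugOutput
    # "Authorization: bearer <token>" or "Authorization: Basic <base64>"; the credential
    # stops at whitespace, a backslash (start of a dumped \r\n) or a quote.
    AUTH_HEADER = /(Authorization:\s*)(\S+)(\s+)([^\s\\"]+)/i
    # "access_token":"<jwt>" inside a dumped JSON body (quotes appear as \" after dump).
    TOKEN_FIELD = /(\\?"(?:access_token|refresh_token|id_token)\\?"\s*:\s*\\?")([^"\\]+)(\\?")/

    def initialize(logger)
      @logger = logger
      @buf = +''
    end

    # Mask credentials; method, path, status and error bodies survive untouched.
    def redact(line)
      line.gsub(AUTH_HEADER) { "#{$1}#{$2}#{$3}[REDACTED]" }
          .gsub(TOKEN_FIELD) { "#{$1}[REDACTED]#{$3}" }
    end

    # Net::HTTP emits a trace line as several chunks ('<- ', dumped bytes, "\n"),
    # so buffer until the newline and log one redacted line per write/read.
    def <<(chunk)
      @buf << chunk.to_s
      if @buf.end_with?("\n")
        @logger.debug(redact(@buf.chomp))
        @buf = +''
      end
      self
    end
  end

  # Opt-in debug wiring. Default is off, as in the fix: a full HTTP trace carries the
  # bearer token and basic-auth credentials, so it must neither be on by default nor
  # go to a sink such as $stderr that cf logs exposes.
  def self.build_http(uri, config, logger)
    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = (uri.scheme == 'https')
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    enabled = config.fetch('http_debug', false) == true
    http.set_debug_output(RedactingDebugOutput.new(logger)) if enabled
    [http, enabled]
  end

  # Constructed sample token, not a real JWT.
  SAMPLE_TOKEN = 'eyJhbGciOiJSUzI1NiIsImprdSJ9.eyJzY29wZSI6W119.c2ln'

  # Replay the shape of the introspect trace from the issue through the sink, offline,
  # and return what would have reached the log file.
  def self.demo
    log_io = StringIO.new
    sink = RedactingDebugOutput.new(Logger.new(log_io))
    request = "POST /introspect HTTP/1.1\r\nAccept: application/json\r\n" \
              "Authorization: bearer #{SAMPLE_TOKEN}\r\nHost: uaa.example.com\r\n\r\n"
    sink << '<- ' << request.dump << "\n"
    sink << '-> ' << "HTTP/1.1 403 Forbidden\r\n".dump << "\n"
    sink << '-> ' << '{"error":"access_denied","error_description":"Access is denied"}'.dump << "\n"
    # A token endpoint response would carry the credential in the body instead.
    sink << '-> ' << "{\"access_token\":\"#{SAMPLE_TOKEN}\",\"token_type\":\"bearer\"}".dump << "\n"
    log_io.string
  end
end

puts HttpDebugExample.demo if $PROGRAM_NAME == __FILE__
```

The 403 and the `access_denied` body, which are what actually diagnosed the missing uaa.resource authority here, stay readable; only the credentials are masked. Because the sink receives the dumped form, the regexes are written against literal `\r\n` and `\"` sequences rather than real control characters, which is the detail most likely to trip up a hand-rolled filter.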

gberche-orange commented 4 years ago

Awesome, thanks @rboykin !