Open goeddea opened 10 years ago
When requesting authentication as "anonymous", there should be no cookie-based authentication which results in a different authentication being used.
I can confirm this. It's a bug. Here is a log:
AutobahnJS debug enabled
(index):13 Ok, AutobahnJS loaded 0.9.6
autobahn.min.jgz:33 trying to create WAMP transport of type: websocket
autobahn.min.jgz:33 using WAMP transport type: websocket
autobahn.min.jgz:33 WebSocket transport send [1,"realm1",{"roles":{"caller":{"features":{"caller_identification":true,"progressive_call_results":true}},"callee":{"features":{"progressive_call_results":true}},"publisher":{"features":{"subscriber_blackwhite_listing":true,"publisher_exclusion":true,"publisher_identification":true}},"subscriber":{"features":{"publisher_identification":true}}},"authmethods":["anynonymous"],"authid":"joe"}]
autobahn.min.jgz:33 WebSocket transport receive [2,4671093781727030,{"authrole":"frontend","authmethod":"wampcra","authprovider":"cookie","roles":{"broker":{"features":{"publisher_identification":true,"pattern_based_subscription":true,"subscription_meta_api":true,"subscription_revocation":true,"publisher_exclusion":true,"subscriber_blackwhite_listing":true}},"dealer":{"features":{"pattern_based_registration":true,"registration_revocation":true,"shared_registration":true,"caller_identification":true,"registration_meta_api":true,"progressive_call_results":true}}},"authid":"joe"}]
(index):49 connected session with ID 4671093781727030
(index):50 authenticated using method 'wampcra' and provider 'cookie'
(index):51 authenticated with authid 'joe' and authrole 'frontend'
autobahn.min.jgz:33 WebSocket transport send [48,1744880512532480,{},"com.example.add2",[2,3]]
autobahn.min.jgz:33 WebSocket transport receive [50,1744880512532480,{},[5]]
(index):57 call result 5
The client asks for anonymous authentication, and CB answers with "authmethod":"wampcra","authprovider":"cookie".
This is how a log looks now (client wants to authenticate as anonymous, which isn't even allowed by the node config):
AutobahnJS debug enabled
(index):13 Ok, AutobahnJS loaded 0.9.6
autobahn.min.jgz:33 trying to create WAMP transport of type: websocket
autobahn.min.jgz:33 using WAMP transport type: websocket
autobahn.min.jgz:33 WebSocket transport send [1,"realm1",{"roles":{"caller":{"features":{"caller_identification":true,"progressive_call_results":true}},"callee":{"features":{"progressive_call_results":true}},"publisher":{"features":{"subscriber_blackwhite_listing":true,"publisher_exclusion":true,"publisher_identification":true}},"subscriber":{"features":{"publisher_identification":true}}},"authmethods":["anynonymous"],"authid":"joe"}]
autobahn.min.jgz:33 WebSocket transport receive [3,{"message":"authentication using method 'anynonymous' denied by configuration"},"wamp.error.not_authorized"]
(index):66 disconnected closed wamp.error.not_authorized Object {reason: "wamp.error.not_authorized", message: "authentication using method 'anynonymous' denied by configuration", retry_delay: null, retry_count: null, will_retry: false}
The node config must include "cookie" based auth, and the client must announce it is willing to auth via cookie. If both conditions apply, then the client will get authenticated, and "authmethod" will be the original authmethod used when the cookie was marked as authenticated. "authprovider" will be set to "cookie".
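The rule stated above, as an added Python example (not Crossbar's own code): `select_auth` uses a stored cookie identity only when both the config and the HELLO include "cookie", and `audit_handshake` flags a WELCOME like the one in the first log. The function names, the `STORED` record and the return tuples are assumptions made for illustration.

```python
import json

def select_auth(configured, announced, cookie_auth):
    """Apply the rule above to one HELLO.

    configured  -- auth methods enabled in the transport's "auth" config
    announced   -- "authmethods" list from the client's HELLO
    cookie_auth -- identity stored for the connection's cookie, or None
    """
    # A stored cookie identity counts only if BOTH sides opted in to "cookie".
    if cookie_auth and "cookie" in configured and "cookie" in announced:
        # authmethod stays the method originally used; provider becomes "cookie"
        return ("cookie", dict(cookie_auth, authprovider="cookie"))
    # Otherwise ignore the cookie and take the first announced method the
    # config allows; that method's own handshake would run from here.
    for method in announced:
        if method != "cookie" and method in configured:
            return ("handshake", method)
    return ("deny", None)  # router answers ABORT, wamp.error.not_authorized


def audit_handshake(hello, welcome):
    """Return True if WELCOME reports cookie auth the HELLO never announced."""
    announced = hello[2].get("authmethods", [])
    details = welcome[2]
    return details.get("authprovider") == "cookie" and "cookie" not in announced


# HELLO / WELCOME taken from the first log on this page, with "roles" trimmed.
HELLO = json.loads('[1,"realm1",{"authmethods":["anynonymous"],"authid":"joe"}]')
WELCOME = json.loads('[2,4671093781727030,{"authrole":"frontend",'
                     '"authmethod":"wampcra","authprovider":"cookie","authid":"joe"}]')
# Constructed cookie record matching that WELCOME (hypothetical store entry).
STORED = {"authid": "joe", "authrole": "frontend", "authmethod": "wampcra"}

if __name__ == "__main__":
    # The handshake reported in the issue: cookie auth without "cookie" announced.
    print(audit_handshake(HELLO, WELCOME))
    # Same HELLO under the rule: the cookie is ignored and the method is denied.
    print(select_auth({"wampcra", "cookie"}, HELLO[2]["authmethods"], STORED))
    # Client opts in to "cookie": the stored identity is reused.
    print(select_auth({"wampcra", "cookie", "anonymous"},
                      ["cookie", "anonymous"], STORED))
```
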
@oberstet I believe this issue has to be reopened again as we are encountering it with autobahn version 18.3.2 and crossbar version 18.3.1.
Script
var connection = new autobahn.Connection({
    url: wsuri,
    realm: "RE_acct",
    // authmethods: ["cookie", "anonymous"],
    authmethods: ["anonymous"],
    authid: 'anonymous',
    max_retries: 500000000, // -1 is infinity, but does not work
    max_retry_delay: 10,
    initial_retry_delay: 1,
    on_user_error: function (error, customErrorMessage) {
        console.error("user error on connect autobahn", error, customErrorMessage);
    },
    on_internal_error: function (error, customErrorMessage) {
        console.error("autobahn core error on connect", error, customErrorMessage);
    }
});
Error:
2018-06-12T10:56:20+0000 [Router 11] internal error:
Traceback (most recent call last):
File "/usr/local/site-packages/autobahn/wamp/websocket.py", line 95, in onMessage
self._session.onMessage(msg)
File "/usr/local/site-packages/crossbar/router/session.py", line 415, in onMessage
d = txaio.as_future(self.onHello, msg.realm, details)
File "/usr/local/site-packages/txaio/tx.py", line 417, in as_future
return maybeDeferred(fun, *args, **kwargs)
File "/usr/local/site-packages/twisted/internet/defer.py", line 150, in maybeDeferred
result = f(*args, **kw)
--- <exception caught here> ---
File "/usr/local/site-packages/crossbar/router/session.py", line 617, in onHello
assert u'cookie' in authmethods
builtins.AssertionError:
@contis2908 can you reproduce that with latest release versions of autobahn and crossbar?
@oberstet tried it with Crossbar v18.6.1 and the autobahn version 18.3.2 which is supposedly the newest. But I do receive the same error as I have posted above.
The error cannot be the same, as the code has changed. Please post the traceback and the output of crossbar version.
Started from docker image based on crossbario/crossbar:pypy3
in dockerfile did
RUN pypy3 -m pip install -U \
    letsencrypt \
    crossbar
starting container yields
:::::::::::::::::
2018-06-12T15:14:12+0000 [Controller 1] ::::: _____ __
2018-06-12T15:14:12+0000 [Controller 1] ::::: : ::::: / ___/____ ___ ___ ___ / / ___ _ ____
2018-06-12T15:14:12+0000 [Controller 1] ::::::: ::::::: / /__ / __// _ \ (_-< (_-< / _ \/ _ `// __/
2018-06-12T15:14:12+0000 [Controller 1] ::::: : ::::: \___//_/ \___//___//___//_.__/\_,_//_/
2018-06-12T15:14:12+0000 [Controller 1] :::::
2018-06-12T15:14:12+0000 [Controller 1] ::::::::::::::::: Crossbar v18.6.1
2018-06-12T15:14:12+0000 [Controller 1]
2018-06-12T15:14:12+0000 [Controller 1] Copyright (c) 2013-2018 Crossbar.io Technologies GmbH, licensed under AGPL 3.0.
Authenticating with anonymous from autobahn-javascript from browser with an active cookie still gives me:
2018-06-12T15:15:10+0000 [Router 11] internal error:
Traceback (most recent call last):
File "/usr/local/site-packages/autobahn/wamp/websocket.py", line 95, in onMessage
self._session.onMessage(msg)
File "/usr/local/site-packages/crossbar/router/session.py", line 414, in onMessage
d = txaio.as_future(self.onHello, msg.realm, details)
File "/usr/local/site-packages/txaio/tx.py", line 417, in as_future
return maybeDeferred(fun, *args, **kwargs)
File "/usr/local/site-packages/twisted/internet/defer.py", line 150, in maybeDeferred
result = f(*args, **kw)
--- <exception caught here> ---
File "/usr/local/site-packages/crossbar/router/session.py", line 616, in onHello
assert u'cookie' in authmethods
builtins.AssertionError:
The issue still seems to persist. I add some more extensive debug log output here.
function onchallenge(session, method, extra) {
    console.log('------------>>> challenge ');
    var key = CryptoJS.SHA256('xxxxxxxxxxxx')
        .toString(CryptoJS.enc.Base64);
    return autobahn.auth_cra.sign(key, extra.challenge);
};
connection = new autobahn.Connection({
    url: 'wss://cb.repods.io:443/wss',
    realm: "reacct",
    authmethods: ["wampcra"],
    authid: 'marko',
    onchallenge: onchallenge,
});
connection.onopen = function(a, b) { console.log('connection good', a, b) }
connection.open()
trying to create WAMP transport of type: websocket
autobahn.min.js:934 using WAMP transport type: websocket
autobahn.min.js:934 (3) [1, "reacct", {…}]
autobahn.min.js:934 WebSocket transport send [1,"reacct",{"roles":{"caller":{"features":{"caller_identification":true,"progressive_call_results":true}},"callee":{"features":{"caller_identification":true,"pattern_based_registration":true,"shared_registration":true,"progressive_call_results":true,"registration_revocation":true}},"publisher":{"features":{"publisher_identification":true,"subscriber_blackwhite_listing":true,"publisher_exclusion":true}},"subscriber":{"features":{"publisher_identification":true,"pattern_based_subscription":true,"subscription_revocation":true}}},"authmethods":["wampcra"],"authid":"marko"}]
autobahn.min.js:934 WebSocket transport receive [3,{"message":"internal error: "},"wamp.error.not_authorized"]
2018-10-24T09:16:11+0000 [Router 30 crossbar.router.protocol.WampWebSocketServerProtocol]
[('logOctets', False, 'WampWebSocketServerFactory'),
('logFrames', False, 'WampWebSocketServerFactory'),
('trackTimings', False, 'WampWebSocketServerFactory'),
('utf8validateIncoming', False, 'WampWebSocketServerFactory'),
('applyMask', True, 'WampWebSocketServerFactory'),
('maxFramePayloadSize', 8048576, 'WampWebSocketServerFactory'),
('maxMessagePayloadSize', 8048576, 'WampWebSocketServerFactory'),
('autoFragmentSize', 2048576, 'WampWebSocketServerFactory'),
('failByDrop', False, 'WampWebSocketServerFactory'),
('echoCloseCodeReason', False, 'WampWebSocketServerFactory'),
('openHandshakeTimeout', 2.5, 'WampWebSocketServerFactory'),
('closeHandshakeTimeout', 1, 'WampWebSocketServerFactory'),
('tcpNoDelay', True, 'WampWebSocketServerFactory'),
('autoPingInterval', 100.0, 'WampWebSocketServerFactory'),
('autoPingTimeout', 5.0, 'WampWebSocketServerFactory'),
('autoPingSize', 4, 'WampWebSocketServerFactory'),
('versions', [8, 13], 'WampWebSocketServerFactory'),
('webStatus', False, 'WampWebSocketServerFactory'),
('requireMaskedClientFrames', True, 'WampWebSocketServerFactory'),
('maskServerFrames', False, 'WampWebSocketServerFactory'),
('perMessageCompressionAccept',
<function set_websocket_options.<locals>.accept at 0x00007fb46aaa5920>,
'WampWebSocketServerFactory'),
('serveFlashSocketPolicy', False, 'WampWebSocketServerFactory'),
('flashSocketPolicy',
'<cross-domain-policy>\n'
' <allow-access-from domain="*" to-ports="*" />\n'
'</cross-domain-policy>\x00',
'WampWebSocketServerFactory'),
('allowedOrigins', ['*'], 'WampWebSocketServerFactory'),
('allowedOriginsPatterns', [re.compile('^.*$')], 'WampWebSocketServerFactory'),
('allowNullOrigin', True, 'WampWebSocketServerFactory'),
('maxConnections', 0, 'WampWebSocketServerFactory'),
('trustXForwardedFor', 0, 'WampWebSocketServerFactory')]
2018-10-24T09:16:11+0000 [Router 30 crossbar.router.protocol.WampWebSocketServerProtocol] connection accepted from peer tcp4:10.132.0.8:61881
2018-10-24T09:16:11+0000 [Router 30 crossbar.router.protocol.WampWebSocketServerProtocol] Connection made to tcp4:10.132.0.8:61881
2018-10-24T09:16:11+0000 [Router 30 crossbar.router.protocol.WampWebSocketServerProtocol] received HTTP request:
b'GET /wss HTTP/1.1\r\nHost: cb.repods.io\r\nConnection: Upgrade\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36\r\nUpgrade: websocket\r\nOrigin: https://repods.io\r\nSec-Websocket-Version: 13\r\nAccept-Encoding: gzip, deflate, br\r\nAccept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7\r\nCookie: cbtid=gfYRGhB2IayOJ+shLXgiYcVJ\r\nSec-Websocket-Key: /4cuS8Pm7zsMBz2B2ETjhg==\r\nSec-Websocket-Extensions: permessage-deflate; client_max_window_bits\r\nSec-Websocket-Protocol: wamp.2.json, wamp.2.msgpack\r\n\r\n'
2018-10-24T09:16:11+0000 [Router 30 crossbar.router.protocol.WampWebSocketServerProtocol] received HTTP status line in opening handshake : GET /wss HTTP/1.1
2018-10-24T09:16:11+0000 [Router 30 crossbar.router.protocol.WampWebSocketServerProtocol] received HTTP headers in opening handshake : {'host': 'cb.repods.io', 'connection': 'Upgrade', 'pragma': 'no-cache', 'cache-control': 'no-cache', 'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36', 'upgrade': 'websocket', 'origin': 'https://repods.io', 'sec-websocket-version': '13', 'accept-encoding': 'gzip, deflate, br', 'accept-language': 'de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7', 'cookie': 'cbtid=gfYRGhB2IayOJ+shLXgiYcVJ', 'sec-websocket-key': '/4cuS8Pm7zsMBz2B2ETjhg==', 'sec-websocket-extensions': 'permessage-deflate; client_max_window_bits', 'sec-websocket-protocol': 'wamp.2.json, wamp.2.msgpack'}
2018-10-24T09:16:11+0000 [Router 30 crossbar.router.protocol.WampWebSocketServerProtocol] skipping opening handshake port checking - neither WS URL nor external port set
2018-10-24T09:16:11+0000 [Router 30 crossbar.router.protocol.WampWebSocketServerProtocol] Hybi protocol detected
2018-10-24T09:16:11+0000 [Router 30 crossbar.router.cookiestore.CookieStore] Parsing cookie from {'host': 'cb.repods.io', 'connection': 'Upgrade', 'pragma': 'no-cache', 'cache-control': 'no-cache', 'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36', 'upgrade': 'websocket', 'origin': 'https://repods.io', 'sec-websocket-version': '13', 'accept-encoding': 'gzip, deflate, br', 'accept-language': 'de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7', 'cookie': 'cbtid=gfYRGhB2IayOJ+shLXgiYcVJ', 'sec-websocket-key': '/4cuS8Pm7zsMBz2B2ETjhg==', 'sec-websocket-extensions': 'permessage-deflate; client_max_window_bits', 'sec-websocket-protocol': 'wamp.2.json, wamp.2.msgpack'}
2018-10-24T09:16:11+0000 [Router 30 crossbar.router.protocol.WampWebSocketServerProtocol] Cookie already set
2018-10-24T09:16:11+0000 [Router 30 crossbar.router.cookiestore.CookieStore] Adding proto <crossbar.router.protocol.WampWebSocketServerProtocol object at 0x000000000756d0f8> to cookie gfYRGhB2IayOJ+shLXgiYcVJ
2018-10-24T09:16:11+0000 [Router 30 crossbar.router.protocol.WampWebSocketServerProtocol] Cookie tracking enabled on WebSocket connection <crossbar.router.protocol.WampWebSocketServerProtocol object at 0x000000000756d0f8>
2018-10-24T09:16:11+0000 [Router 30 crossbar.router.cookiestore.CookieStore] Cookie auth info for gfYRGhB2IayOJ+shLXgiYcVJ retrieved: ('marko', 'anonymous', 'anonymous', 'reacct', None)
2018-10-24T09:16:11+0000 [Router 30 crossbar.router.protocol.WampWebSocketServerProtocol] Authenticated client via cookie cbtid=gfYRGhB2IayOJ+shLXgiYcVJ as authid=marko, authrole=anonymous, authmethod=anonymous, authrealm=reacct
2018-10-24T09:16:11+0000 [Router 30 crossbar.router.protocol.WampWebSocketServerProtocol] parsed WebSocket extension 'permessage-deflate' with params '{'client_max_window_bits': [True]}'
2018-10-24T09:16:11+0000 [Router 30 crossbar.router.protocol.WampWebSocketServerProtocol] sending HTTP response:
HTTP/1.1 101 Switching Protocols
Server: Crossbar
Upgrade: WebSocket
Connection: Upgrade
Sec-WebSocket-Protocol: wamp.2.json
Sec-WebSocket-Accept: seNxxxxxxxxxxxxxxxxlu0=
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits=11
2018-10-24T09:16:11+0000 [Router 30 crossbar.router.protocol.WampWebSocketServerProtocol] openHandshakeTimeoutCall.cancel
2018-10-24T09:16:11+0000 [Router 30 crossbar.router.session.RouterSession] Client session connected - transport: {'type': 'websocket', 'protocol': 'wamp.2.json', 'peer': 'tcp4:10.132.0.8:61881', 'http_headers_received': {'host': 'cb.repods.io', 'connection': 'Upgrade', 'pragma': 'no-cache', 'cache-control': 'no-cache', 'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36', 'upgrade': 'websocket', 'origin': 'https://repods.io', 'sec-websocket-version': '13', 'accept-encoding': 'gzip, deflate, br', 'accept-language': 'de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7', 'cookie': 'cbtid=gfYxxxxxxxxxxxxxcVJ', 'sec-websocket-key': '/4cuxxxxxxxxxxxxTjhg==', 'sec-websocket-extensions': 'permessage-deflate; client_max_window_bits', 'sec-websocket-protocol': 'wamp.2.json, wamp.2.msgpack'}, 'http_headers_sent': {}, 'websocket_extensions_in_use': [{'extension': 'permessage-deflate', 'is_server': True, 'server_no_context_takeover': False, 'client_no_context_takeover': False, 'server_max_window_bits': 11, 'client_max_window_bits': 11, 'mem_level': 4}], 'cbtid': 'gfYxxxxxxxxxxxcVJ', 'channel_id': '580xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxb0d2'}
2018-10-24T09:16:11+0000 [Router 30 crossbar.router.protocol.WampWebSocketServerProtocol] RX compressed [length]: octets
2018-10-24T09:16:11+0000 [Router 30 crossbar.router.session.RouterSession] onHello: ['wampcra'] None
2018-10-24T09:16:11+0000 [Router 30 crossbar.router.session.RouterSession] internal error:
Traceback (most recent call last):
File "/usr/local/site-packages/autobahn/wamp/websocket.py", line 95, in onMessage
self._session.onMessage(msg)
File "/usr/local/site-packages/crossbar/router/session.py", line 414, in onMessage
d = txaio.as_future(self.onHello, msg.realm, details)
File "/usr/local/site-packages/txaio/tx.py", line 429, in as_future
return maybeDeferred(fun, *args, **kwargs)
File "/usr/local/site-packages/twisted/internet/defer.py", line 151, in maybeDeferred
result = f(*args, **kw)
--- <exception caught here> ---
File "/usr/local/site-packages/crossbar/router/session.py", line 622, in onHello
assert u'cookie' in authmethods
builtins.AssertionError:
2018-10-24T09:16:11+0000 [Router 30 crossbar.router.session.RouterSession] internal error:
2018-10-24T09:16:11+0000 [Router 30 crossbar.router.protocol.WampWebSocketServerProtocol] dropping connection to peer tcp4:10.132.0.8:61881 with abort=False
2018-10-24T09:16:13+0000 [Router 30 crossbar.router.protocol.WampWebSocketServerProtocol] Connection to/from tcp4:10.132.0.8:61881 was lost in a non-clean fashion: Connection to the other side was lost in a non-clean fashion: Connection lost.
2018-10-24T09:16:13+0000 [Router 30 crossbar.router.protocol.WampWebSocketServerProtocol] _connectionLost: [Failure instance: Traceback (failure with no frames): <class 'twisted.internet.error.ConnectionLost'>: Connection to the other side was lost in a non-clean fashion: Connection lost.
]
"wss":
{
    "type": "websocket",
    "cookie":
    {
        "name": "cbtid",
        "store":
        {
            "type": "file",
            "filename": "re_cookies.dat"
        }
    },
    "auth":
    {
        "wampcra":
        {
            "type": "dynamic",
            "authenticator": "sys.authenticate"
        },
        "cookie":
        {},
        "anonymous":
        {
            "type": "static",
            "role": "anonymous"
        },
        "ticket":
        {
            "type": "dynamic",
            "authenticator": "sys.authenticate.ticket"
        }
    },
If I use authmethods: ["wampcra", 'cookie'],
in the js above the connection gets established with
authid: "marko", authrole: "anonymous", authmethod: "anonymous", authprovider: "cookie".
The crossbar router has a valid letsencrypt certificate for cb.repods.io
The webserver has a different and valid letsencrypt certificate for www.repods.io
ok, some more investigation:
Opening the websocket connection from www.repods.io in the browser to the server under cb.repods.io leads to a cookie in the browser in the domain cb.repods.io! (Yes, even if the browser is on location www.repods.io.)
If I open the browser on cb.repods.io and remove the cookie there and try the connection again with wampcra, then the "cookie assert" error above does not appear and the wampcra connect goes through successfully.
Some googling tells me that it is not possible to delete the cookie on cb.repods.io while being on domain www.repods.io. So I'm stuck again at this point.
In general however I would still expect crossbar to not use cookie if 'cookie' is not in the authmethods.
I looked at the source code and would propose a simple solution to this:
I would simply add the condition 'cookie' in authmethods to this line and remove the assert line below.
If that sounds good to you I could try to test this and make a PR.
Nope, not so easy.
When a cookie is set,
authmethods: ["anonymous"]
results in
authmethod: "cookie.mozilla_persona"
being used