Closed MahdiBaghbani closed 2 months ago
When trying to get provider information from https://revaowncloud1.docker/ocm-provider it redirects to https://revaowncloud1.docker/.wellknown/ocm and for some reason `/.wellknown/ocm` is a protected path 😨

Confirming it with curl:
```
17f0f43e8de2:/# curl -vvvv -L https://revaowncloud1.docker/.wellknown/ocm
* Host revaowncloud1.docker:443 was resolved.
* IPv6: (none)
* IPv4: 172.20.0.6
*   Trying 172.20.0.6:443...
* Connected to revaowncloud1.docker (172.20.0.6) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
*  subject: C=RO; ST=Bucharest; L=Bucharest; O=IT; CN=revaowncloud1.docker
*  start date: Mar  3 11:48:34 2024 GMT
*  expire date: Feb  8 11:48:34 2124 GMT
*  subjectAltName: host "revaowncloud1.docker" matched cert's "revaowncloud1.docker"
*  issuer: C=RO; ST=Bucharest; L=Bucharest; O=IT; CN=dev-stock
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://revaowncloud1.docker/.wellknown/ocm
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: revaowncloud1.docker]
* [HTTP/2] [1] [:path: /.wellknown/ocm]
* [HTTP/2] [1] [user-agent: curl/8.9.0]
* [HTTP/2] [1] [accept: */*]
> GET /.wellknown/ocm HTTP/2
> Host: revaowncloud1.docker
> User-Agent: curl/8.9.0
> Accept: */*
>
* Request completely sent off
< HTTP/2 401
< vary: Origin
< www-authenticate: Basic realm="revaowncloud1.docker"
< www-authenticate: Bearer realm="revaowncloud1.docker"
< content-length: 0
< date: Sun, 04 Aug 2024 13:42:26 GMT
<
* Connection #0 to host revaowncloud1.docker left intact
```
Logs on revaowncloud1.docker:

```
2024-08-04 13:42:26.24 WRN reva-git/internal/http/interceptors/auth/auth.go:216 > core access token not set or invalid pid=49 pkg=http traceid=e28ebe61-d548-4eed-9e56-8de2f5b9a61b
2024-08-04 13:42:26.241 DBG reva-git/internal/http/interceptors/auth/auth.go:225 > error retrieving credentials error="no basic auth provided" pid=49 pkg=http traceid=e28ebe61-d548-4eed-9e56-8de2f5b9a61b
2024-08-04 13:42:26.241 DBG reva-git/internal/http/interceptors/auth/auth.go:225 > error retrieving credentials error="no bearer auth provided" pid=49 pkg=http traceid=e28ebe61-d548-4eed-9e56-8de2f5b9a61b
2024-08-04 13:42:26.241 DBG reva-git/internal/http/interceptors/auth/auth.go:225 > error retrieving credentials error="no public token provided" pid=49 pkg=http traceid=e28ebe61-d548-4eed-9e56-8de2f5b9a61b
2024-08-04 13:42:26.241 WRN reva-git/internal/http/interceptors/log/log.go:104 > processed http request host=172.20.0.7 method=GET pid=49 pkg=http status=401 traceid=e28ebe61-d548-4eed-9e56-8de2f5b9a61b uri=/.wellknown/ocm
2024-08-04 13:42:26.241 TRC reva-git/internal/http/interceptors/log/log.go:111 > http end="04/Aug/2024:13:42:26 +0000" host=172.20.0.7 method=GET pid=49 pkg=http proto=HTTP/2.0 req_headers={"Accept":["*/*"],"User-Agent":["curl/8.9.0"]} res_headers={"Vary":["Origin"],"Www-Authenticate":["Basic realm=\"revaowncloud1.docker\"","Bearer realm=\"revaowncloud1.docker\""]} size=0 start="04/Aug/2024:13:42:26 +0000" status=401 time_ns=304190 traceid=e28ebe61-d548-4eed-9e56-8de2f5b9a61b uri=/.wellknown/ocm
```
But somehow this doesn't make sense, since in this file: https://github.com/cs3org/reva/blob/dde65a44013db3c4a8e8e5219a7707674838e410/internal/http/services/wellknown/wellknown.go#L74-L80 this path has been marked as unprotected with the prefix `.wellknown`, and here they are being applied: https://github.com/cs3org/reva/blob/dde65a44013db3c4a8e8e5219a7707674838e410/cmd/revad/runtime/http.go#L83-L90
It turns out that the `.wellknown` service is listening on port 42333 instead of 443:

```
2024-08-05 10:42:51.872 INF reva-git/pkg/rhttp/rhttp.go:185 > http service enabled: ocs@/ocs pid=49 pkg=http
2024-08-05 10:42:51.872 INF reva-git/pkg/rhttp/rhttp.go:185 > http service enabled: dataprovider@/data pid=49 pkg=http
2024-08-05 10:42:51.872 INF reva-git/pkg/rhttp/rhttp.go:185 > http service enabled: sciencemesh@/sciencemesh pid=49 pkg=http
2024-08-05 10:42:51.872 INF reva-git/pkg/rhttp/rhttp.go:185 > http service enabled: datagateway@/datagateway pid=49 pkg=http
2024-08-05 10:42:51.872 INF reva-git/pkg/rhttp/rhttp.go:185 > http service enabled: prometheus@/metrics pid=49 pkg=http
2024-08-05 10:42:51.872 INF reva-git/pkg/rhttp/rhttp.go:185 > http service enabled: appprovider@/app pid=49 pkg=http
2024-08-05 10:42:51.872 INF reva-git/pkg/rhttp/rhttp.go:185 > http service enabled: metrics@/register_metrics pid=49 pkg=http
2024-08-05 10:42:51.872 INF reva-git/pkg/rhttp/rhttp.go:185 > http service enabled: ocm@/ocm pid=49 pkg=http
2024-08-05 10:42:51.872 INF reva-git/pkg/rhttp/rhttp.go:185 > http service enabled: ocdav@/ pid=49 pkg=http
2024-08-05 10:42:51.872 DBG reva-git/cmd/revad/runtime/runtime.go:460 > spawned http server for services listening at tcp:[::]:443 pid=49 services=["ocdav","dataprovider","sciencemesh","ocs","datagateway","prometheus","appprovider","metrics","ocm"]
2024-08-05 10:42:51.877 INF reva-git/pkg/rhttp/rhttp.go:185 > http service enabled: dataprovider@/data pid=49 pkg=http
2024-08-05 10:42:51.878 DBG reva-git/cmd/revad/runtime/runtime.go:460 > spawned http server for services listening at tcp:[::]:36069 pid=49 services=["dataprovider"]
2024-08-05 10:42:51.88 INF reva-git/pkg/rhttp/rhttp.go:185 > http service enabled: wellknown@//.well-known pid=49 pkg=http
2024-08-05 10:42:51.88 DBG reva-git/cmd/revad/runtime/runtime.go:460 > spawned http server for services listening at tcp:[::]:42333 pid=49 services=["wellknown"]
```
This was due to a misconfiguration:

```toml
[http.services.wellknown.ocmprovider]
address = ":443"
```

@glpatcern suggested that it should be like:

```toml
[http.services.wellknown]
address = ":443"

[http.services.wellknown.ocmprovider]
... all other settings ...
```
These are my findings about the "open" driver for ocmprovider:

The error happens because of an error probing OCM services at the remote server, since the provider domain doesn't have an `http://` or `https://` scheme prefix. But if the ocmprovider is set to the `json` driver, Reva will read the correct endpoint with `https://` or `http://` from the json file and connect to it.