jgraph / docker-drawio

Dockerized draw.io based on whichever is the most secure image at the time.
GNU General Public License v3.0

OneDrive option fails to load #112

Open Bednaross opened 1 year ago

Bednaross commented 1 year ago

Hi guys! It seems that we are not able to enable the “OneDrive” option when hosting this image on our Rancher/K8s cluster.

Browser console (screenshot):

"Refused to load http://drwio.company/js/onedrive/OneDrive.js because it does not appear in the script-src directive of the Content Security Policy. https://drawio.company./js/mermaid.min.js.map Failed to load resource: the server responded with a status of 404 ()"

It works on a Docker though:

```
docker run -it --rm --name="draw" -e DRAWIO_MSGRAPH_CLIENT_ID=< CLIENT_ID > -e DRAWIO_MSGRAPH_CLIENT_SECRET=< CLIENT_SECRET > -p 8080:8080 -p 8443:8443 jgraph/drawio
```

or

```
docker run -it --rm --name="draw" -e DRAWIO_MSGRAPH_CLIENT_ID=< CLIENT_ID > -e DRAWIO_MSGRAPH_CLIENT_SECRET=< CLIENT_SECRET > -e DRAWIO_BASE_URL= -p 8080:8080 -p 8443:8443 jgraph/drawio
```

In addition:

- Ports 8080/8433 are open
- Rancher's Ingress works fine
- We have an APP registration in Azure with correct redirect URIs, App proxy etc.
- No errors in logs:

```
Init PreConfig.js
(function() {
  try {
        var s = document.createElement('meta');
        s.setAttribute('content', 'default-src \'self\'; script-src \'self\' https://storage.googleapis.com https://apis.google.com https://docs.google.com https://code.jquery.com \'unsafe-inline\'; connect-src \'self\' https://*.dropboxapi.com https://api.trello.com https://api.github.com https://raw.githubusercontent.com https://*.googleapis.com https://*.googleusercontent.com https://graph.microsoft.com https://*.1drv.com https://*.sharepoint.com https://gitlab.com https://*.google.com https://fonts.gstatic.com https://fonts.googleapis.com; img-src * data:; media-src * data:; font-src * about:; style-src \'self\' \'unsafe-inline\' https://fonts.googleapis.com; frame-src \'self\' https://*.google.com;');
        s.setAttribute('http-equiv', 'Content-Security-Policy');
        var t = document.getElementsByTagName('meta')[0];
      t.parentNode.insertBefore(s, t);
  } catch (e) {} // ignore
})();
window.DRAWIO_BASE_URL = 'http://localhost:8080';
window.DRAWIO_VIEWER_URL = '';
window.DRAWIO_LIGHTBOX_URL = '';
window.DRAW_MATH_URL = 'math/es5';
window.DRAWIO_CONFIG = null;
urlParams['sync'] = 'manual'; //Disable Real-Time
urlParams['db'] = '0'; //dropbox
urlParams['gh'] = '0'; //github
urlParams['tr'] = '0'; //trello
urlParams['gapi'] = '0'; //Google Drive
window.DRAWIO_MSGRAPH_CLIENT_ID = 'DELETED';
urlParams['gl'] = '0'; //Gitlab
Init PostConfig.js
window.VSD_CONVERT_URL = null;
window.ICONSEARCH_PATH = null;
EditorUi.enableLogging = false; //Disable logging
window.EMF_CONVERT_URL = null;
App.prototype.isDriveDomain = function() { return true; }
Generating Self-Signed certificate
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: selfsigned
Creation date: Apr 6, 2023
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=draw.example.com, OU=Cloud Native Application, O=example inc, L=Paris, ST=Paris, C=FR
Issuer: CN=draw.example.com, OU=Cloud Native Application, O=example inc, L=Paris, ST=Paris, C=FR
Serial number: 463d99b6
Valid from: Thu Apr 06 07:35:38 UTC 2023 until: Sat Feb 12 07:35:38 UTC 2033
Certificate fingerprints:
     SHA1: DELETED
     SHA256: DELETED
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
DELETED                                       #...
]
]
*******************************************
*******************************************
Append https connector to server.xml
Using CATALINA_BASE:   /usr/local/tomcat
Using CATALINA_HOME:   /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME:        /opt/java/openjdk
Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
Using CATALINA_OPTS:
NOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
06-Apr-2023 07:35:40.013 WARNING [main] org.apache.catalina.core.StandardContext.setPath A context path must either be an empty string or start with a '/' and do not end with a '/'. The path [/] does not meet these criteria and has been changed to []
06-Apr-2023 07:35:40.058 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name:   Apache Tomcat/9.0.73
06-Apr-2023 07:35:40.058 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built:          Feb 27 2023 15:33:40 UTC
06-Apr-2023 07:35:40.058 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version number: 9.0.73.0
06-Apr-2023 07:35:40.058 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name:               Linux
06-Apr-2023 07:35:40.059 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version:            4.14.138-rancher
06-Apr-2023 07:35:40.059 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture:          amd64
06-Apr-2023 07:35:40.059 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home:             /opt/java/openjdk
06-Apr-2023 07:35:40.059 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version:           11.0.18+10
06-Apr-2023 07:35:40.059 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:            Eclipse Adoptium
06-Apr-2023 07:35:40.059 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:         /usr/local/tomcat
06-Apr-2023 07:35:40.059 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:         /usr/local/tomcat
06-Apr-2023 07:35:40.061 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.lang=ALL-UNNAMED
06-Apr-2023 07:35:40.061 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.io=ALL-UNNAMED
06-Apr-2023 07:35:40.061 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.util=ALL-UNNAMED
06-Apr-2023 07:35:40.061 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.util.concurrent=ALL-UNNAMED
06-Apr-2023 07:35:40.061 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
06-Apr-2023 07:35:40.061 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties
06-Apr-2023 07:35:40.061 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
06-Apr-2023 07:35:40.061 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
06-Apr-2023 07:35:40.061 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
06-Apr-2023 07:35:40.061 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
06-Apr-2023 07:35:40.061 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dignore.endorsed.dirs=
06-Apr-2023 07:35:40.062 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/usr/local/tomcat
06-Apr-2023 07:35:40.062 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/usr/local/tomcat
06-Apr-2023 07:35:40.062 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/usr/local/tomcat/temp
06-Apr-2023 07:35:40.066 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.2.36] using APR version [1.7.0].
06-Apr-2023 07:35:40.066 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true], UDS [true].
06-Apr-2023 07:35:40.066 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
06-Apr-2023 07:35:40.069 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 3.0.2 15 Mar 2022]
06-Apr-2023 07:35:40.359 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
06-Apr-2023 07:35:40.381 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio-8443"]
06-Apr-2023 07:35:40.560 INFO [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-nio-8443], TLS virtual host [draw.example.com], certificate type [UNDEFINED] configured from [/usr/local/tomcat/.keystore] using alias [tomcat] and with trust store [null]
06-Apr-2023 07:35:40.603 INFO [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-nio-8443], TLS virtual host [draw.example.com], certificate type [UNDEFINED] configured from [/usr/local/tomcat/.keystore] using alias [tomcat] and with trust store [null]
06-Apr-2023 07:35:40.605 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [768] milliseconds
06-Apr-2023 07:35:40.645 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
06-Apr-2023 07:35:40.645 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine: [Apache Tomcat/9.0.73]
06-Apr-2023 07:35:41.090 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
06-Apr-2023 07:35:41.109 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/usr/local/tomcat/webapps/draw]
06-Apr-2023 07:35:41.309 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
06-Apr-2023 07:35:41.313 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/usr/local/tomcat/webapps/draw] has finished in [203] ms
06-Apr-2023 07:35:41.315 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
06-Apr-2023 07:35:41.325 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-openssl-nio-8443"]
06-Apr-2023 07:35:41.328 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [723] milliseconds
```

Any idea how to troubleshoot this issue or how to enable some kind of detailed logging info? Thanks in advance!

davidjgraph commented 1 year ago

That suggests that "http://drwio.company/js/onedrive/OneDrive.js" is a different domain to the one you're serving the app on and the CSP isn't allowing it.
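To make the point above concrete, here is an added example (not code from docker-drawio or from anyone in this thread): a minimal CSP script-src matcher run against the script-src directive from the PreConfig.js output in the report. It assumes the app is served at https://drawio.company (the 404 line in the screenshot suggests that host); the refused OneDrive.js URL is taken verbatim from the report.

```javascript
// Added example (not docker-drawio code): a minimal CSP script-src matcher showing
// why the "Refused to load ..." error above fires. Covers 'self', scheme-sources and
// host-sources with a "*." wildcard; nonces, hashes, ports and paths are out of scope.
// script-src copied from the PreConfig.js output above; other directives trimmed.
const DRAWIO_CSP =
  "default-src 'self'; script-src 'self' https://storage.googleapis.com " +
  "https://apis.google.com https://docs.google.com https://code.jquery.com " +
  "'unsafe-inline'; connect-src 'self' https://graph.microsoft.com https://*.1drv.com";

// Split a policy string into { directiveName: [sourceExpressions...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Does one source expression match scriptUrl for a document at pageUrl?
function sourceMatches(src, scriptUrl, pageUrl) {
  if (src.startsWith("'")) { // keyword source: only 'self' can match a URL
    if (src.toLowerCase() !== "'self'") return false; // 'unsafe-inline' etc. never do
    const upgrade = pageUrl.protocol === "http:" && scriptUrl.protocol === "https:";
    return scriptUrl.host === pageUrl.host &&
      (scriptUrl.protocol === pageUrl.protocol || upgrade);
  }
  const s = src.toLowerCase();
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return scriptUrl.protocol === s; // e.g. "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:*]+)(?::[^\/]*)?(?:\/.*)?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  // An explicit scheme must match, except that an http: source also allows https:.
  if (scheme && scriptUrl.protocol !== scheme + ":" &&
      !(scheme === "http" && scriptUrl.protocol === "https:")) return false;
  return wildcard ? scriptUrl.hostname.endsWith("." + host) : scriptUrl.hostname === host;
}

// Would a browser load scriptHref into a page at pageHref under this policy?
function scriptAllowed(policy, pageHref, scriptHref) {
  const pageUrl = new URL(pageHref), scriptUrl = new URL(scriptHref);
  const d = parseCsp(policy);
  const sources = d["script-src"] || d["default-src"]; // default-src is the fallback
  if (!sources) return true; // no applicable directive: unrestricted
  if (sources.some((x) => x.toLowerCase() === "'none'")) return false;
  return sources.some((src) => sourceMatches(src, scriptUrl, pageUrl));
}

// The report: app on https://drawio.company (assumed), OneDrive.js requested from http://drwio.company.
console.log(scriptAllowed(DRAWIO_CSP, "https://drawio.company/", "http://drwio.company/js/onedrive/OneDrive.js")); // false
console.log(scriptAllowed(DRAWIO_CSP, "https://drawio.company/", "https://drawio.company/js/onedrive/OneDrive.js")); // true
```

Because `'self'` only covers the exact origin the page was served from, the script is refused as soon as its URL is built from a different scheme or host than the one users are browsing; it loads once both agree.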

NotUrNinja commented 11 months ago

I have the same problem. It appears there are two different Azure AD features (?) and I'm only having an issue with one.

I believe I have configured the AAD App ID per instructions. This allows me to force authentication via Azure AD before reaching the draw.io web app. This initially threw a header size error but resolved with scaling the web app container to standard size from basic.

However, now that users can reach the application post initial launch authentication, the OneDrive option is presented but spins until timeout (like in the post above), which then leaves only local device access.

github-actions[bot] commented 1 month ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. See the FAQ for more information.