Closed servomac closed 9 years ago
@servomac - this has already been mentioned (and fixed) by Roger in this thread I think: https://github.com/mitro-co/mitro/issues/123 https://github.com/mitro-co/mitro/issues/56
Yep - You need the patch offered by @teh ( https://github.com/WeAreWizards/passopolis-extensions/commit/b0fcf31da4d6828671ddf9759f7664a1c9bcbe19 ) for the lru_cache bug. I found the same bug and fixed it independently of @teh but his patch was more elegant so I've not uploaded mine.
The basic problem is that the Web Extension is trying to generate a key and store it in the browser cache. Once it has the key, it can connect to the Mitro server. Unfortunately, without the lru_cache patch, the Web Extension cannot store the key in the cache and the code fails. This results in the sign up never completing and you just get the activity spinner icon forever.
If you are running just the mitro server without any other web system in front of it, be aware that some processes will appear to fail because once the appropriate mitro-api action completes, the response from the mitro server is a redirect to a static web page. Unfortunately, these are not provided by the mitro server in its current state and you get a 404 web error. This makes you think that the action has failed but in fact it has worked.
One simple fix is to patch the Main.java thread to add a resource handler for static files then put suitable default files in the appropriate folder.
My code for this was:
diff --git a/mitro-core/java/server/src/co/mitro/core/server/Main.java b/mitro-core/java/server/src/co/mitro/core/server/Main.java
index 7ff7b94..2abd624 100644
--- a/mitro-core/java/server/src/co/mitro/core/server/Main.java
+++ b/mitro-core/java/server/src/co/mitro/core/server/Main.java
@@ -50,6 +50,7 @@ import org.eclipse.jetty.server.Slf4jRequestLog;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.server.handler.HandlerCollection;
import org.eclipse.jetty.server.handler.RequestLogHandler;
+import org.eclipse.jetty.server.handler.ResourceHandler;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.util.component.LifeCycle;
@@ -394,9 +395,15 @@ public class Main {
requestLog.setLogTimeZone("UTC");
requestLogHandler.setRequestLog(requestLog);
- // Install both the servlet handler and the logging handler
+ // Handle static file requests
+ ResourceHandler staticFiles = new ResourceHandler();
+ staticFiles.setDirectoriesListed(true);
+ staticFiles.setWelcomeFiles(new String[]{"index.html"});
+ staticFiles.setResourceBase("html");
+
+ // Install the servlet handler, logging handler and static file support
HandlerCollection handlers = new HandlerCollection();
- handlers.setHandlers(new Handler[]{context, requestLogHandler});
+ handlers.setHandlers(new Handler[]{context, requestLogHandler, staticFiles});
OldJsonData ojd = OldJsonData.createFromStream(
Main.class.getResourceAsStream("service_list.json"));
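Review bot: `staticFiles.setDirectoriesListed(true)` in this hunk enables directory listing for everything under the resource base, so any client can enumerate the files in `html`; since a welcome file (`index.html`) is already configured, `setDirectoriesListed(false)` gives the same behaviour for normal requests without exposing the directory contents. It is also worth a comment that `setResourceBase("html")` is resolved relative to the server's working directory, so the `html` folder must sit wherever the server is started from, not necessarily next to Main.java.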
You then just need simple static pages in mitro-core/html for the following files:
index.html
verified-device.html
verified.html
e.g. verified.html
<HTML>
<HEAD>
<TITLE>Password verified</TITLE>
</HEAD>
<BODY BGCOLOR="FFFFFF">
<HR>
<P><CENTER>Thank you, your password has been verified.</CENTER>
<HR>
</BODY>
</HTML>
You may well find that additional files are required for some actions... but I've not done those actions yet so haven't discovered that the files are missing :smiley: .
I've also used the mitro-core/html folder to store my built extension files for Firefox and a ZIP'd archive of the extension files for Chrome. I've modified the index.html file with links to these so that users can be pointed at the mitro server, download the appropriate files directly from there and install them in their browser. That makes the process much easier for them.
Thanks a lot for your responses!
I have been able to avoid the infinite spinning on the loader after applying @teh's patch, but now I have another problem; after filling in the signup form an error message appears saying "Sorry, an error has occurred. Already have an account?"
Obviously the database is still empty.
@servomac Did you add the mitro database before starting the mitro server?
psql -c 'create database mitro;' postgres
If you followed the install flow I detailed in https://github.com/mitro-co/mitro/issues/56, it should "just work"...
Yes, of course I have created the database (and the ant server created the respective tables). I will repeat the process for the Nth time with your references from #56.. thanks a lot!
@servomac If it is any consolation, it took me a lot of attempts to get it working too. If I've missed a step from my notes in #56 then I apologise in advance... but I think they are complete...
I have been working on a docker image solution (containing both postgres and the ant server inside the same container; not exactly following the docker guidelines but it's a first iteration) following your documentation and extending from centos (I'm a "debian flavoured" guy, so maybe I made some distribution-specific mistake :P). I share it, but it's obviously still a work in progress. The Dockerfile explains the procedure followed:
https://github.com/servomac/mitro/tree/master/centos
You can build it (docker build -t mitro .) and run the container (docker run --name mitro -d mitro) and copy to your machine from the inside the release dir (i.e. docker exec -it mitro scp -r /srv/mitro/browser-ext/login/build/chrome/release tpiza@192.168.1.X:), and you should load the chrome extension. After pointing preferences.html to the docker container ip (docker inspect -f '{{ .NetworkSettings.IPAddress }}' mitro) at port 8443, I try to sign up with the same error: "Sorry, an error has occurred. Already have an account?"
I'm clearly missing something...
Did you comment out the line <sysproperty key="generateSecretsForTest" value="true"/> in mitro-core/build.xml?
For testing, ant generates random secrets each time the server starts. You don't want this on a real system as you want its secrets to be persistent across restarts. Comment out (or delete) the line in the XML (don't try to set it to false as the server doesn't like that) then reset your database and try to sign up again with the client.
What I suspect is happening is that you've restarted the server and the client is confused because the server keys have changed but the user account is still there.
Thanks a lot again, you are right! I have deleted the referred line of code setting generateSecretsForTest as true, but now I'm unable to generate the keys correctly :P
On /srv/mitro/mitro-core I do:
[root@e9e8969a84d2 mitro-core]# export CLASSPATH="java/server/lib/keyczar-0.71f-040513.jar:java/server/lib/gson-2.2.4.jar:java/server/lib/log4j-1.2.17.jar"
[root@e9e8969a84d2 mitro-core]# export KEYS_PATH="mitrocore_secrets/sign_keyczar"
[root@e9e8969a84d2 mitro-core]# mkdir -p $KEYS_PATH
[root@e9e8969a84d2 mitro-core]# java -cp $CLASSPATH org.keyczar.KeyczarTool create --location=$KEYS_PATH --purpose=sign
[root@e9e8969a84d2 mitro-core]# java -cp $CLASSPATH org.keyczar.KeyczarTool addkey --location=$KEYS_PATH --status=primary
log4j:WARN No appenders could be found for logger (org.keyczar.GenericKeyczar).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
I think that the log warning is not a problem, just a warning message to explain that the app cannot log its steps, but I'm not sure. This generates the following dir structure and files (with correct content, the file 1 contains the hmacKeyString -i.e. {"hmacKeyString":"8wblahblah3SWqH-LXkmW1uwLJKVi-MOI_MoA6L92Xy_TRVw","size":256}-, and meta contains the metainfo; i.e {"name":"","purpose":"SIGN_AND_VERIFY","type":"HMAC_SHA1","versions":[{"exportable":false,"status":"PRIMARY","versionNumber":1}],"encrypted":false}):
[root@e9e8969a84d2 mitro-core]# pwd
/srv/mitro/mitro-core
[root@e9e8969a84d2 mitro-core]# tree mitrocore_secrets/
mitrocore_secrets/
└── sign_keyczar
├── 1
└── meta
But unfortunately it seems that the ant server is not able to read the generated keys.
[root@e9e8969a84d2 mitro-core]# ant server
Buildfile: build.xml
compile:
jar:
[delete] Deleting: /srv/mitro/mitro-core/build/mitrocore.jar
[exec] Result: 128
[propertyfile] Updating property file: /srv/mitro/mitro-core/build/java/src/build.properties
[echo] Built build/mitrocore.jar
server:
[java] INFO [2015-08-12 07:39:36,669Z] co.mitro.core.server.SecretsBundle: loading signing key from mitrocore_secrets/sign_keyczar
[java] Exception in thread "main" java.lang.RuntimeException: Unable to load signing key
[java] at co.mitro.core.server.SecretsBundle.(SecretsBundle.java:54)
[java] at co.mitro.core.server.Main.main(Main.java:302)
[java] Caused by: org.keyczar.exceptions.KeyczarException: Error reading file: mitrocore_secrets/sign_keyczar/meta
[java] at org.keyczar.KeyczarFileReader.readFile(KeyczarFileReader.java:69)
[java] at org.keyczar.KeyczarFileReader.getMetadata(KeyczarFileReader.java:58)
[java] at org.keyczar.Keyczar. (Keyczar.java:81)
[java] at org.keyczar.Verifier. (Verifier.java:62)
[java] at org.keyczar.Signer. (Signer.java:58)
[java] at co.mitro.core.server.SecretsBundle. (SecretsBundle.java:52)
[java] ... 1 more
[java] Caused by: java.io.FileNotFoundException: mitrocore_secrets/sign_keyczar/meta (No such file or directory)
[java] at java.io.RandomAccessFile.open(Native Method)
[java] at java.io.RandomAccessFile. (RandomAccessFile.java:241)
[java] at java.io.RandomAccessFile. (RandomAccessFile.java:122)
[java] at org.keyczar.KeyczarFileReader.readFile(KeyczarFileReader.java:63)
[java] ... 6 more
[java] Java Result: 1
BUILD SUCCESSFUL
Total time: 3 seconds
Any idea which step I'm getting wrong? Do you generate the same kind of key files?
You have to manually generate the keys for the server. This is described in section 5 of mitro-core/production/ansible/README.md. Basically, just do:
cd ~/mitro/mitro-core
mkdir -p mitrocore_secrets/sign_keyczar
java -cp build/mitrocore.jar org.keyczar.KeyczarTool create --location=mitrocore_secrets/sign_keyczar --purpose=sign
java -cp build/mitrocore.jar org.keyczar.KeyczarTool addkey --location=mitrocore_secrets/sign_keyczar --status=primary
That will give you a persistent set of keys. If you lose the keys then you will confuse the clients because the server identity has changed. I don't know any way to recover from that situation so I've made sure my keys are well backed up! :smile:
My problem was the path! My build.xml specified that the directory of the server was root (/), so I needed that mitrocore_secrets directory to be on root. Now I'm gonna try the client browser extension :-) Thanks a lot!
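The key-generation steps in the previous reply and the working-directory mismatch just described can be checked before starting the server. This is an added example, not code from the mitro project; it assumes a POSIX shell and the compact JSON layout that KeyczarTool writes (as shown earlier in the thread), and the key set it creates for the demo is a constructed placeholder, not real key material.

```shell
#!/bin/sh
# Added example, not code from the mitro project: checks that a keyczar signing
# key set is complete and reachable from the directory the server runs in.
# SecretsBundle opens mitrocore_secrets/sign_keyczar/meta relative to the server's
# working directory, so a key set created under mitro-core is not found when
# build.xml runs the server from /.

# Usage: check_keyczar_dir <server_working_dir> <relative_key_path>
# Returns 0 when meta exists, names a PRIMARY version, and that version file exists.
check_keyczar_dir() {
    keydir="$1/$2"
    if [ ! -f "$keydir/meta" ]; then
        echo "missing $keydir/meta: server would fail with FileNotFoundException" >&2
        return 1
    fi
    if ! grep -q '"purpose":"SIGN_AND_VERIFY"' "$keydir/meta"; then
        echo "$keydir/meta is not a signing key set (create with --purpose=sign)" >&2
        return 2
    fi
    # KeyczarTool writes compact JSON; extract the versionNumber of the PRIMARY entry.
    primary=$(tr -d '\n ' < "$keydir/meta" \
        | grep -o '"status":"PRIMARY","versionNumber":[0-9]*' | head -n 1 | sed 's/.*://')
    if [ -z "$primary" ]; then
        echo "no PRIMARY version in $keydir/meta (run addkey --status=primary)" >&2
        return 3
    fi
    if [ ! -f "$keydir/$primary" ]; then
        echo "primary version file $keydir/$primary is missing" >&2
        return 4
    fi
    return 0
}

# Writes a constructed key set in the layout KeyczarTool produces; the key
# material is a placeholder, not a real key.
make_sample_keyset() {
    mkdir -p "$1"
    printf '%s' '{"name":"","purpose":"SIGN_AND_VERIFY","type":"HMAC_SHA1","versions":[{"exportable":false,"status":"PRIMARY","versionNumber":1}],"encrypted":false}' > "$1/meta"
    printf '%s' '{"hmacKeyString":"CONSTRUCTED_PLACEHOLDER_NOT_A_KEY","size":256}' > "$1/1"
}

# Demo: the same key set passes from mitro-core and fails from another working dir.
demo_dir=$(mktemp -d)
make_sample_keyset "$demo_dir/mitro-core/mitrocore_secrets/sign_keyczar"
check_keyczar_dir "$demo_dir/mitro-core" mitrocore_secrets/sign_keyczar && echo "ok from mitro-core"
check_keyczar_dir "$demo_dir/other" mitrocore_secrets/sign_keyczar || echo "not found from other workdir"
rm -rf "$demo_dir"
```

Run check_keyczar_dir with the directory build.xml actually starts the server from (here /) and the relative path SecretsBundle logs, and it reports which of the three conditions is unmet.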
I'm finally able to use the chrome extension!! But actually I'm unable to add to chrome the certificate used during the self-signing process as a trusted certificate authority.. I will keep looking into this, because to use it I need to add a security exception, and this is not exactly my idea of "security" :P
Thanks a lot for your feedback. I will work a little on the dockerized solution, with an external postgres container and another one for the emailer. I will share it with the community, because it seems that there is not an easy deployment strategy for the project.
If you are prepared to pay... then you can send the CSR that you generated with the openssl req ... command to the 3rd party authority (e.g. Verisign, Thawte, GoDaddy) and they will sign it for you. Your browser will then accept it without complaint.
Alternatively, for Chrome, follow the instructions below to add the Mitro server certificate to your Chrome instance as a trusted certificate:
You will have to add the server certificate as a trusted authority or Chrome will not allow the Mitro extension to automatically connect to the Mitro server when you restart Chrome. Instead, the Mitro extension will not be able to connect until you explicitly connect to your Mitro server and accept the security exception.
Hello! I have a running mitro server, that has connected correctly to the postgres database and created the necessary tables. I have compiled the browser-ext, and I'm using it from chrome. I have pointed the preferences.html to the new server (172.17.0.49:8443), but I'm unable to Sign Up. During the sign up process the process seems to not end. I have been looking at the email_queue table, but it's completely empty.
Does anybody have any hint about what could be failing? Thanks a lot for your time (and for licensing this software as GPL :+1:).