pulibrary / ruby-for-archivesspace

Ruby for ArchivesSpace Training Sessions

Ensure that the ASpace REST API is accessible for aspace.princeton.edu #12

Open jrgriffiniii opened 2 years ago

jrgriffiniii commented 2 years ago

Ideally, one should be able to authenticate against the ASpace API for the workshop from the Google Cloud Shell.

jrgriffiniii commented 2 years ago

Unfortunately, this does not appear to be stable, as the Google Cloud Shell containers are going to be restricted from accessing the staging server environment:

jrg5@cloudshell:~$ curl -v "https://aspace-staging.princeton.edu/staff/api/"
*   Trying 35.160.138.106:443...
* Connected to aspace-staging.princeton.edu (35.160.138.106) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=aspace-staging.princeton.edu
*  start date: Feb 15 02:38:05 2022 GMT
*  expire date: May 16 02:38:04 2022 GMT
*  subjectAltName: host "aspace-staging.princeton.edu" matched cert's "aspace-staging.princeton.edu"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> GET /staff/api/ HTTP/1.1
> Host: aspace-staging.princeton.edu
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Server: nginx
< Date: Thu, 17 Feb 2022 19:49:29 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 146
< Connection: keep-alive
<
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>
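The two checks above (can the API be reached, can one authenticate) as an added Ruby example, not code from the pulibrary/ruby-for-archivesspace repository or from the issue author. The client first repeats the GET /staff/api/ preflight shown in the curl transcript and distinguishes an nginx perimeter block (an HTML 403 with no JSON body, as seen from Cloud Shell) from an ArchivesSpace-level denial, then logs in with POST /users/:user/login and sends the returned token in the X-ArchivesSpace-Session header. The base URL, the credentials, and the injectable transport (so the logic can be exercised offline with constructed responses) are assumptions, not workshop settings.

```ruby
require 'json'
require 'net/http'
require 'openssl'
require 'uri'

# Assumed base URL for the workshop instance (the issue shows the staging host
# answering 403 from nginx); adjust to the environment actually in use.
ASPACE_BASE = 'https://aspace.princeton.edu/staff/api'.freeze

# Constructed response shape for offline use: exposes #code (String) and #body
# like a real Net::HTTPResponse, so the same functions accept either.
FakeResponse = Struct.new(:code, :body)

# Live transport: TLS with peer verification, as curl did in the transcript.
def http_transport(uri, request)
  Net::HTTP.start(uri.host, uri.port, use_ssl: true,
                  verify_mode: OpenSSL::SSL::VERIFY_PEER) do |http|
    http.request(request)
  end
end

# Preflight: classify what answered the API root. A 403 carrying nginx's HTML
# error page (no JSON) is a perimeter block in front of ArchivesSpace; a 403
# with a JSON body comes from the application itself.
def preflight(base = ASPACE_BASE, transport: method(:http_transport))
  uri = URI("#{base}/")
  res = transport.call(uri, Net::HTTP::Get.new(uri))
  case res.code.to_i
  when 200
    begin
      JSON.parse(res.body)
      :api_reachable
    rescue JSON::ParserError
      :unexpected_body
    end
  when 403
    res.body.to_s.include?('nginx') ? :blocked_by_proxy : :forbidden_by_api
  else
    :"http_#{res.code}"
  end
end

# Login: POST /users/:user/login with the password as a form field. The API
# returns JSON whose "session" value is the token for later requests.
# User and password are caller-supplied assumptions, never hard-coded here.
def aspace_login(user, password, base = ASPACE_BASE, transport: method(:http_transport))
  uri = URI("#{base}/users/#{URI.encode_www_form_component(user)}/login")
  req = Net::HTTP::Post.new(uri)
  req.set_form_data('password' => password)
  res = transport.call(uri, req)
  raise "login failed: HTTP #{res.code}" unless res.code.to_i == 200
  JSON.parse(res.body).fetch('session')
end

# Authenticated GET: the session token travels in X-ArchivesSpace-Session.
def aspace_get(path, session, base = ASPACE_BASE, transport: method(:http_transport))
  uri = URI("#{base}#{path}")
  req = Net::HTTP::Get.new(uri)
  req['X-ArchivesSpace-Session'] = session
  transport.call(uri, req)
end
```

Run `preflight` before `aspace_login` in a workshop shell: `:blocked_by_proxy` means the request never reached ArchivesSpace, so rotating credentials or retrying the login is pointless and the fix is network-side (firewall allowlist or VPN), which is the situation the rest of this issue works through.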
jrgriffiniii commented 2 years ago

Using a sample set of 3 Google Cloud containers, I find the following IP addresses:

jrg5@cloudshell:~/cloudshell_open/ruby-for-archivesspace$ curl icanhazip.com
35.196.122.174
jrg5@cloudshell:~/cloudshell_open/ruby-for-archivesspace$ curl icanhazip.com
35.227.53.111
jrg5@cloudshell:~/cloudshell_open/ruby-for-archivesspace$ curl icanhazip.com
34.139.118.209
jrgriffiniii commented 2 years ago

As this range is far too broad in scope to request any firewall permissions, I am going to request that the workshop exercises please do not use the staging environment. Should this prove to be too limiting, it should be noted that this still might not be necessary until the second session (scheduled for 03/03/22).

jrgriffiniii commented 2 years ago

https://github.com/pulibrary/ruby-for-archivesspace/compare/support-openconnect?expand=1 tracks (cleaned) attempts to use mechanize in order to establish a connection to the VPN using Ruby alone. I am currently addressing this now from a different standpoint by just using a Debian package.

jrgriffiniii commented 2 years ago

As this is unstable, I am attempting to now advance this (temporarily) with a direct request to Lyrasis with https://lyrasis.zendesk.com/hc/en-us/requests/11235

jrgriffiniii commented 2 years ago

This has been opened for the workshop, and as such, I am going to consider this resolved.

jrgriffiniii commented 2 years ago

Based upon the findings for https://lyrasis.zendesk.com/hc/en-us/requests/11323, this will need to be reopened.