smart-village-solutions / smart-village-app-cms

A CMS based on JSON schema of smart-village api
GNU General Public License v3.0

credential files #194

Open cbrennig opened 2 years ago

cbrennig commented 2 years ago

Hello, I am currently trying to install your app, but I'm failing to link the CMS to the main server (as well as the mobile app).

In order to install and run the services, initial credentials must be provided with the encrypted credentials files. With the main server, a self-created credentials file with some rudimentary data was sufficient for the first attempts. But now I can't get any further. Do I need your master key for the initial setup of the services (which I don't believe)? But if the credentials have to be created all on your own, then a detailed overview of the credentials retrieved in the source code (variable names) would be helpful. Some examples are already provided, but for instance there is no template for the CMS. Could you please provide such an overview/template?

Thank you in advance. Christian

pwilimzig commented 2 years ago

Hi Christian,

thanks for raising the issue. My colleague @donni106 will get back to you shortly!

Best Philipp

cbrennig commented 2 years ago

Hi donni106,

may I ask when I can expect a response?

Regards Christian

donni106 commented 2 years ago

Hi @cbrennig, we have added a https://github.com/ikuseiGmbH/smart-village-app-cms/blob/master/config/credentials.yml.tmpl with all the keys you can use to create your own encrypted credential file. Most probably you only need the auth_server.url which is the connection to the main server. Please let me know if this makes you succeed.

cbrennig commented 2 years ago

Hi @donni106,

thank you for providing the template.

Unfortunately, the authorization of CMS did not work. Maybe you have a tip for me?

This is my setup: Mainserver and CMS server run as docker compose services, and are exposed via a traefik proxy ("sva-main.localhost" and "sva-cms.localhost" respectively), on a local machine without ssl. On the mainserver an admin and a user (role user) are registered. user has several rights for cms.

When authorising "Zugriff per CMS" for "user", I am redirected to the login page of the CMS server, but the login of "user" ends in the following error message (the same error occurs with admin):

Errno::EADDRNOTAVAIL in SessionController#create
Failed to open TCP connection to sva-main.localhost:80 (Cannot assign requested address - connect(2) for "sva-main.localhost" port 80)
Extracted source (around line #80):
    end
    http.request(request)
  end
def to_s

Rails.root: /app

Application Trace | Framework Trace | Full Trace
app/services/api_request_service.rb:80:in `post_request'
app/models/user.rb:41:in `sign_in'
app/controllers/session_controller.rb:8:in `create'

Exception Causes
Errno::EADDRNOTAVAIL: Cannot assign requested address - connect(2) for "sva-main.localhost" port 80

Request
Parameters:
{"authenticity_token"=>"Z70mOA/gNnUxBxJnhvwkq2ZTbH+7WPf59gRFIv7fpzUgU08/zRZDizLZrkT/RePFFb9XQpUO6J+jsRcKdI1m5w==", "email"=>"user@mail.com", "password"=>"[FILTERED]"}

Toggle session dump
_csrf_token: "tonujy5RGnFMPtlwt+rpGd39Dh2hlJNs7swhc11UMDo="
session_id: "136d57aaae5fef48b50ff01f0bde5e86"

Toggle env dump
HTTP_ACCEPT: "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"
HTTP_ACCEPT_ENCODING: "gzip, deflate, br"
HTTP_ACCEPT_LANGUAGE: "de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7"
HTTP_CACHE_CONTROL: "max-age=0"
HTTP_ORIGIN: "http://sva-cms.localhost"
HTTP_VERSION: "HTTP/1.0"
HTTP_X_FORWARDED_FOR: "172.19.0.1, 10.0.1.4"
HTTP_X_FORWARDED_HOST: "sva-cms.localhost"
ORIGINAL_SCRIPT_NAME: ""
REMOTE_ADDR: "127.0.0.1"
SERVER_NAME: "sva-cms.localhost"
SERVER_PROTOCOL: "HTTP/1.0"

Response
Headers:

None

I've tried several settings but without success. These are my current settings inside credentials file:

secret_key_base: some_secret_key
auth_server:
  url: http://sva-main.localhost
  callback_url: http://sva-cms.localhost

If you had a tip for me that would be great.

Best regards Christian

donni106 commented 2 years ago

Hi, according to your docker setup we would need the help of @marcometz. Did you try with callback_url: urn:ietf:wg:oauth:2.0:oob? I think this must not be changed.

cbrennig commented 2 years ago

Thanks for the brief feedback. I just tried it again with your suggestion; without success.

I would like to send you the following log entry from the main server. It seems the CMS server is finally called, but the authorisation code cannot be received. Do you have any advice that could help me to access the CMS server via OAuth?

Started GET "/oauth/authorize?client_id=Q9gLiiJ5x5jPhVR1Fay02B4pLberfJUAj6YjoPjS0mI&redirect_uri=http%3A%2F%2Fsva-cms.localhost%2F&response_type=code&scope=" for 127.0.0.1 at 2022-09-16 07:36:57 +0200
Cannot render console from 10.0.1.4! Allowed networks: 127.0.0.1, ::1, 127.0.0.0/127.255.255.255
Processing by Doorkeeper::AuthorizationsController#new as HTML
  Parameters: {"client_id"=>"Q9gLiiJ5x5jPhVR1Fay02B4pLberfJUAj6YjoPjS0mI", "redirect_uri"=>"http://sva-cms.localhost/", "response_type"=>"code", "scope"=>""}
  User Load (0.4ms)  SELECT  `users`.* FROM `users` WHERE `users`.`id` = 1 ORDER BY `users`.`id` ASC LIMIT 1
  ↳ config/initializers/doorkeeper.rb:12
  Doorkeeper::Application Load (0.7ms)  SELECT  `oauth_applications`.* FROM `oauth_applications` WHERE `oauth_applications`.`uid` = 'Q9gLiiJ5x5jPhVR1Fay02B4pLberfJUAj6YjoPjS0mI' LIMIT 1
  ↳ /usr/local/bundle/bin/unicorn:23
  Doorkeeper::AccessToken Load (0.6ms)  SELECT `oauth_access_tokens`.* FROM `oauth_access_tokens` WHERE `oauth_access_tokens`.`application_id` = 1 AND `oauth_access_tokens`.`resource_owner_id` = 1 AND `oauth_access_tokens`.`revoked_at>
  ↳ /usr/local/bundle/bin/unicorn:23
  Rendering doorkeeper/authorizations/new.html.erb within layouts/doorkeeper/application
  Rendered doorkeeper/authorizations/new.html.erb within layouts/doorkeeper/application (2.1ms)
Completed 200 OK in 136ms (Views: 126.9ms | ActiveRecord: 2.3ms)

Started POST "/oauth/authorize" for 127.0.0.1 at 2022-09-16 07:36:59 +0200
Cannot render console from 10.0.1.4! Allowed networks: 127.0.0.1, ::1, 127.0.0.0/127.255.255.255
Processing by Doorkeeper::AuthorizationsController#create as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"Aeeg8+gcPBQ+7lkfDLYhYzy/vGnDE1FpfuziU/wG/el6I1CCkre7vpvPa3nZSFVVVCtd2kXaWRh/van0qFAc+A==", "client_id"=>"Q9gLiiJ5x5jPhVR1Fay02B4pLberfJUAj6YjoPjS0mI", "redirect_uri"=>"http://sva-cms.localhost/", "state"=>"", ">
  User Load (0.4ms)  SELECT  `users`.* FROM `users` WHERE `users`.`id` = 1 ORDER BY `users`.`id` ASC LIMIT 1
  ↳ config/initializers/doorkeeper.rb:12
  Doorkeeper::Application Load (0.3ms)  SELECT  `oauth_applications`.* FROM `oauth_applications` WHERE `oauth_applications`.`uid` = 'Q9gLiiJ5x5jPhVR1Fay02B4pLberfJUAj6YjoPjS0mI' LIMIT 1
  ↳ /usr/local/bundle/bin/unicorn:23
   (0.2ms)  BEGIN
  ↳ /usr/local/bundle/bin/unicorn:23
  Doorkeeper::AccessGrant Exists (0.5ms)  SELECT  1 AS one FROM `oauth_access_grants` WHERE `oauth_access_grants`.`token` = BINARY 'wRRyhR7RQd5ntXP7ZdF05iDl6ll1TAcn2PNU3gc9LrI' LIMIT 1
  ↳ /usr/local/bundle/bin/unicorn:23
  Doorkeeper::AccessGrant Create (0.3ms)  INSERT INTO `oauth_access_grants` (`resource_owner_id`, `application_id`, `token`, `expires_in`, `redirect_uri`, `created_at`, `scopes`) VALUES (1, 1, 'wRRyhR7RQd5ntXP7ZdF05iDl6ll1TAcn2PNU3gc9>
  ↳ /usr/local/bundle/bin/unicorn:23
   (0.9ms)  COMMIT
  ↳ /usr/local/bundle/bin/unicorn:23
Redirected to http://sva-cms.localhost/?code=wRRyhR7RQd5ntXP7ZdF05iDl6ll1TAcn2PNU3gc9LrI
Completed 302 Found in 15ms (ActiveRecord: 3.2ms)

cbrennig commented 2 years ago

Hello, unfortunately I am still at a dead end. Can anyone give me some suggestions on where to look further? Thank you in advance

marcometz commented 2 years ago

Your CMS does not have to be authorized via oAuth Applications.

You have to create an Account in the Mainserver (Username/Password) and grant some Access for CMS for it: [screenshot 2022-09-20 14:03:57] [screenshot 2022-09-20 14:04:04]

Check that an application exists (without authorizing it, or set the callback URL to "urn:ietf:wg:oauth:2.0:oob" and authorize it) [screenshot 2022-09-20 14:09:38]

After that, you use your username and password to log in to the CMS. [screenshot 2022-09-20 14:05:10]

After login, your first assigned Application will be loaded and used to make every GraphQL call to the Mainserver.

cbrennig commented 2 years ago

I did it as you described (with authorisation and also without), but in both cases I still get the same error message as before. I am not able to log in the user to the assigned CMS who was previously registered and logged in to the main server. Below are the logs of the main server and the CMS for an authorisation attempt.

# main ... development.log
Started POST "/oauth/authorize" for 127.0.0.1 at 2022-09-20 19:23:50 +0200
Cannot render console from 10.0.1.4! Allowed networks: 127.0.0.1, ::1, 127.0.0.0/127.255.255.255
Processing by Doorkeeper::AuthorizationsController#create as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"xdBcYicvbDIGsP37R1wLOZHIqKTWWh7t+Io3kYJqQwgfqNXEe+hBqUCNcmV93e+iD/m4G2xpl6QTuKGjbnLr2A==", "client_id"=>"G_IQPl8nGoDxhaunkYGb5P3JDfV_Ne0WbxtltntgfFI">
  User Load (0.3ms)  SELECT  `users`.* FROM `users` WHERE `users`.`id` = 1 ORDER BY `users`.`id` ASC LIMIT 1
  ↳ config/initializers/doorkeeper.rb:12
  Doorkeeper::Application Load (0.2ms)  SELECT  `oauth_applications`.* FROM `oauth_applications` WHERE `oauth_applications`.`uid` = 'G_IQPl8nGoDxhaunkYGb5P3JDfV_Ne0Wbxtltntg>
  ↳ /usr/local/bundle/bin/unicorn:23
   (0.1ms)  BEGIN
  ↳ /usr/local/bundle/bin/unicorn:23
  Doorkeeper::AccessGrant Exists (0.2ms)  SELECT  1 AS one FROM `oauth_access_grants` WHERE `oauth_access_grants`.`token` = BINARY '__otlv-jXa4kC2ziJhHfvU3awceSeYBaLKM5Rzj_W>
  ↳ /usr/local/bundle/bin/unicorn:23
  Doorkeeper::AccessGrant Create (0.2ms)  INSERT INTO `oauth_access_grants` (`resource_owner_id`, `application_id`, `token`, `expires_in`, `redirect_uri`, `created_at`, `sco>
  ↳ /usr/local/bundle/bin/unicorn:23
   (1.1ms)  COMMIT
  ↳ /usr/local/bundle/bin/unicorn:23
Redirected to http://sva-cms.localhost?code=__otlv-jXa4kC2ziJhHfvU3awceSeYBaLKM5Rzj_WxM
Completed 302 Found in 10ms (ActiveRecord: 2.6ms)

# cms ... development.log
Started GET "/?code=__otlv-jXa4kC2ziJhHfvU3awceSeYBaLKM5Rzj_WxM" for 172.19.0.1 at 2022-09-20 19:23:50 +0200
   (0.3ms)  SELECT sqlite_version(*)
Processing by DashboardController#index as HTML
  Parameters: {"code"=>"__otlv-jXa4kC2ziJhHfvU3awceSeYBaLKM5Rzj_WxM"}
Redirected to http://sva-cms.localhost/login
Filter chain halted as :verify_current_user rendered or redirected
Completed 302 Found in 4ms (ActiveRecord: 0.0ms | Allocations: 1273)

Started GET "/login" for 172.19.0.1 at 2022-09-20 19:23:50 +0200
Processing by SessionController#create as HTML
  Rendering layout layouts/application.html.erb
  Rendering session/create.html.erb within layouts/application
  Rendered session/create.html.erb within layouts/application (Duration: 1.7ms | Allocations: 625)
  Rendered layouts/_modal_log_out.html.erb (Duration: 0.2ms | Allocations: 102)
  Rendered layout layouts/application.html.erb (Duration: 1253.3ms | Allocations: 3344182)
Completed 200 OK in 1259ms (Views: 1257.5ms | ActiveRecord: 0.0ms | Allocations: 3345937)

Started POST "/login" for 172.19.0.1 at 2022-09-20 19:24:15 +0200
   (0.5ms)  SELECT sqlite_version(*)
Processing by SessionController#create as HTML
  Parameters: {"authenticity_token"=>"tkx6yARyEeGRyYq95YGoBkVXsEoTW/WCwZIzmy7WLyTCwqscM15tqmYVUs9g0aE5ejHW41XFfVD+Z2/fgcDguQ==", "email"=>"admin@mail.com", "password"=>"[FILTERED]"}
Completed 500 Internal Server Error in 7ms (ActiveRecord: 0.0ms | Allocations: 2284)

Errno::EADDRNOTAVAIL (Failed to open TCP connection to sva-main.localhost:80 (Cannot assign requested address - connect(2) for "sva-main.localhost" port 80)):

app/services/api_request_service.rb:86:in `post_request'
app/models/user.rb:41:in `sign_in'
app/controllers/session_controller.rb:8:in `create'

marcometz commented 2 years ago

Native

What happens when you start the CMS and the mainserver locally with rails s?

Both applications should be accessible there. The CMS under localhost:3000 and the mainserver localhost:4000.

In the CMS, the URL of the main server is stored in the credentials as auth_server:, so here http://localhost:4000/.

Does the communication between the two apps work then? Can you log in directly on the mainserver? Is there an admin account?

Docker

In the docker setup please test in advance:

Can you log in to the mainserver directly with your credentials? http://server.smart-village.docker.localhost/users/sign_in

If that doesn’t work, maybe the DB is still empty?

The two servers must be accessible to each other. If the two containers are running, they must be accessible to each other via a URL, especially from the CMS container to the mainserver container.

Log in to your container and try to reach it: docker exec -it XXXX bash, then ping cms.localhost or whatever your URLs are.

Which ingress application do you use for routing to the app ports? On the servers we use for example a traefik (traefik.io), port 80 is mapped to the outside here. Traefik is running centrally on our Docker-Swarm Setup.

Are the two applications in the same network? Is this network reachable from the outside?
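
A connectivity check for the step above, added here as an example and not part of smart-village-app-cms: it resolves the host of the auth_server.url and attempts the same plain TCP connect that Net::HTTP performs in the CMS sign-in path, then reports whether every resolved address is a loopback address (which a *.localhost name may resolve to inside a container, pointing at the CMS container itself rather than the mainserver), whether the exact Errno::EADDRNOTAVAIL from the backtrace occurred, or whether the name does not resolve at all. The default URL and the function names are my assumptions; the resolver and connector are injectable so the logic can be exercised without a network.

```ruby
require 'uri'
require 'resolv'
require 'socket'
require 'ipaddr'
require 'timeout'

# Plain TCP connect, the same thing Net::HTTP does before sending the POST.
def tcp_connect(addr, port, timeout = 3)
  Socket.tcp(addr, port, connect_timeout: timeout) { |s| s.close }
end

# Decide why none of the resolved addresses accepted a connection.
def classify_failure(host, addresses, errors)
  if host != 'localhost' && addresses.all? { |a| IPAddr.new(a).loopback? }
    :resolves_to_loopback      # the name points at this container, not the peer
  elsif errors.values.include?('Errno::EADDRNOTAVAIL')
    :address_not_available     # the exact error class seen in the CMS backtrace
  else
    :unreachable
  end
end

# Resolve the host of auth_server.url and try each address in turn; returns a
# hash so the outcome can be asserted on rather than read off a Rails error page.
def check_auth_server(url, resolver: Resolv, connector: method(:tcp_connect))
  uri = URI.parse(url)
  host, port = uri.host, uri.port
  addresses = resolver.getaddresses(host).map(&:to_s)
  return { ok: false, host: host, port: port, addresses: [], reason: :unresolvable } if addresses.empty?

  errors = {}
  addresses.each do |addr|
    connector.call(addr, port)
    return { ok: true, host: host, port: port, addresses: addresses, via: addr }
  rescue SystemCallError, Timeout::Error => e
    errors[addr] = e.class.name
  end
  { ok: false, host: host, port: port, addresses: addresses,
    reason: classify_failure(host, addresses, errors), errors: errors }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed default; pass the auth_server.url from your credentials file instead.
  puts check_auth_server(ARGV.fetch(0, 'http://sva-main.localhost')).inspect
end
```

Run it inside the CMS container (docker exec) so that name resolution happens in the same network namespace the Rails process uses.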

cbrennig commented 2 years ago

Hi

I had tried to get your app running as Docker Services. The containers are started via the docker-compose files provided by you. I have made some modifications with regard to the referenced Docker images, the paths for the config files and the Traefik proxy.

The Docker images were built using the Docker files provided in the repos.

I ran the Traefik both with ssl and without. It always displayed the individual services.

As you suspected, I could see the encrypted credentials in the container, but they were not written into the database. However, the log files from the compose up process did not give any error messages regarding the database. I populated the database manually with the administrator credentials. After that, it was possible to log in and create various other users in the web UI with different permissions.

Both containers (main server and cms) were always accessible to each other via ping and the UI could also be seen from "outside" via the browser. The containers ran in the same Docker network.

I tried the configurations both locally on an Ubuntu 22.04 and on an online Debian 11 server, always with the same error message :-(

marcometz commented 2 years ago

Is there an (OAuth) Application for the newly created Account? The Application needs to be connected to the account, which is visible via the email in the application index view.

[screenshot 2022-10-18 11:13:38]