structurizr / onpremises

Structurizr on-premises installation
https://docs.structurizr.com/onpremises
MIT License

Share page returns 500 without any log #65

Closed iowaz closed 5 months ago

iowaz commented 1 year ago

Description

I'm having a strange issue with our on-premises installation since we changed our S3 secret/key.

The initial page (http://example.com/) loads and shows all workspaces. The same applies for the diagram page (http://example.com/share/7/diagrams), but the configuration/home page for the diagram (http://example.com/share/7) returns a status code 500 with the text:

Error
Sorry, something went wrong.

I tried to debug changing the log4j2 levels to ALL, but nothing is logged:

[INFO ] 2023-09-21 20:16:51.704 [main] ContextLoaderListener - ***********************************************************************************
[INFO ] 2023-09-21 20:16:51.711 [main] ContextLoaderListener -   _____ _                   _              _          
[INFO ] 2023-09-21 20:16:51.711 [main] ContextLoaderListener -  / ____| |                 | |            (_)         
[INFO ] 2023-09-21 20:16:51.711 [main] ContextLoaderListener - | (___ | |_ _ __ _   _  ___| |_ _   _ _ __ _ _____ __ 
[INFO ] 2023-09-21 20:16:51.711 [main] ContextLoaderListener -  \___ \| __| '__| | | |/ __| __| | | | '__| |_  / '__|
[INFO ] 2023-09-21 20:16:51.711 [main] ContextLoaderListener -  ____) | |_| |  | |_| | (__| |_| |_| | |  | |/ /| |   
[INFO ] 2023-09-21 20:16:51.712 [main] ContextLoaderListener - |_____/ \__|_|   \__,_|\___|\__|\__,_|_|  |_/___|_|   
[INFO ] 2023-09-21 20:16:51.712 [main] ContextLoaderListener -                                                       
[INFO ] 2023-09-21 20:16:51.712 [main] ContextLoaderListener - Structurizr on-premises installation
[INFO ] 2023-09-21 20:16:51.715 [main] ContextLoaderListener -  - build: 3080 (2023-06-21T09:31:25Z
[INFO ] 2023-09-21 20:16:51.719 [main] ContextLoaderListener -  - structurizr-java: v1.24.1
[INFO ] 2023-09-21 20:16:51.748 [main] ContextLoaderListener -  - structurizr-dsl: v1.30.2
[INFO ] 2023-09-21 20:16:51.749 [main] ContextLoaderListener -  - structurizr-import: v1.4.1
[INFO ] 2023-09-21 20:16:51.787 [main] ContextLoaderListener - Data directory: /usr/local/structurizr (r: true; w: true; x: true)
[INFO ] 2023-09-21 20:16:51.788 [main] ContextLoaderListener - URL: (removed for privacy)
[INFO ] 2023-09-21 20:16:51.800 [main] ContextLoaderListener - Memory: used=604MB; free=419MB; total=1024MB; max=1024MB
[INFO ] 2023-09-21 20:16:51.800 [main] ContextLoaderListener - 
[INFO ] 2023-09-21 20:16:51.801 [main] ContextLoaderListener - Authentication: file
[INFO ] 2023-09-21 20:16:51.801 [main] ContextLoaderListener - Session: local
[INFO ] 2023-09-21 20:16:51.802 [main] ContextLoaderListener - Data storage: aws-s3
[INFO ] 2023-09-21 20:16:51.802 [main] ContextLoaderListener - Search: lucene
[INFO ] 2023-09-21 20:16:51.802 [main] ContextLoaderListener - dot: true
[INFO ] 2023-09-21 20:16:51.802 [main] ContextLoaderListener - DSL editor: false
[INFO ] 2023-09-21 20:16:51.803 [main] ContextLoaderListener - Safe mode: true
[INFO ] 2023-09-21 20:16:51.803 [main] ContextLoaderListener - ***********************************************************************************
[INFO ] 2023-09-21 20:16:51.803 [main] ContextLoaderListener - MIT License
[INFO ] 2023-09-21 20:16:51.803 [main] ContextLoaderListener - 
[INFO ] 2023-09-21 20:16:51.803 [main] ContextLoaderListener - Copyright (c) 2023 Structurizr Limited
[INFO ] 2023-09-21 20:16:51.803 [main] ContextLoaderListener - 
[INFO ] 2023-09-21 20:16:51.803 [main] ContextLoaderListener - Permission is hereby granted, free of charge, to any person obtaining a copy
[INFO ] 2023-09-21 20:16:51.803 [main] ContextLoaderListener - of this software and associated documentation files (the "Software"), to deal
[INFO ] 2023-09-21 20:16:51.804 [main] ContextLoaderListener - in the Software without restriction, including without limitation the rights
[INFO ] 2023-09-21 20:16:51.804 [main] ContextLoaderListener - to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
[INFO ] 2023-09-21 20:16:51.804 [main] ContextLoaderListener - copies of the Software, and to permit persons to whom the Software is
[INFO ] 2023-09-21 20:16:51.804 [main] ContextLoaderListener - furnished to do so, subject to the following conditions:
[INFO ] 2023-09-21 20:16:51.804 [main] ContextLoaderListener - 
[INFO ] 2023-09-21 20:16:51.804 [main] ContextLoaderListener - The above copyright notice and this permission notice shall be included in all
[INFO ] 2023-09-21 20:16:51.804 [main] ContextLoaderListener - copies or substantial portions of the Software.
[INFO ] 2023-09-21 20:16:51.804 [main] ContextLoaderListener - 
[INFO ] 2023-09-21 20:16:51.805 [main] ContextLoaderListener - THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
[INFO ] 2023-09-21 20:16:51.805 [main] ContextLoaderListener - IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
[INFO ] 2023-09-21 20:16:51.805 [main] ContextLoaderListener - FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
[INFO ] 2023-09-21 20:16:51.805 [main] ContextLoaderListener - AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
[INFO ] 2023-09-21 20:16:51.805 [main] ContextLoaderListener - LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
[INFO ] 2023-09-21 20:16:51.805 [main] ContextLoaderListener - OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
[INFO ] 2023-09-21 20:16:51.805 [main] ContextLoaderListener - SOFTWARE.
[INFO ] 2023-09-21 20:16:51.806 [main] ContextLoaderListener - ***********************************************************************************
21-Sep-2023 20:16:55.794 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [/usr/local/tomcat/webapps/ROOT.war] has finished in [11,286] ms
21-Sep-2023 20:16:55.797 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
21-Sep-2023 20:16:55.812 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [11470] milliseconds

My log4j2 file looks like this:

appender.console.type = Console
appender.console.name = LogToConsole
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = [%-5level] %d{yyyy-MM-dd HH:mm:ss.SSS} [%t] %c{1} - %msg%n

appender.file.type = File
appender.file.name = LogToFile
appender.file.fileName=${sys:structurizr.dataDirectory}/logs/structurizr.log
appender.file.layout.type=PatternLayout
appender.file.layout.pattern=[%-5level] %d{yyyy-MM-dd HH:mm:ss.SSS} [%t] %c{1} - %msg%n

logger.app.name = com.structurizr
logger.app.level = ALL
logger.app.additivity = false
logger.app.appenderRef.console.ref = LogToConsole
logger.app.appenderRef.file.ref = LogToFile

logger.springSecurity.name = org.springframework.security
logger.springSecurity.level = ALL
logger.springSecurity.additivity = false
logger.springSecurity.appenderRef.console.ref = LogToConsole
logger.springSecurity.appenderRef.file.ref = LogToFile

rootLogger.level = ALL
rootLogger.appenderRef.stdout.ref = LogToConsole
rootLogger.appenderRef.file.ref = LogToFile

I had this behavior in the past and could debug it as something related to trying to access the S3 object history, but could not reproduce it this time.

Steps to reproduce

1 - run the Structurizr on premises pointing to S3 bucket;
2 - access the home of the workspace;
3 - get the 500 error page.

Screenshot

No response

Code sample

No response

Configuration

build: 3080 (2023-06-21T09:31:25Z

Severity

Major

Priority

Low

Resolution

I'm willing to fix this myself and raise a PR

More information

No response

simonbrowndotje commented 1 year ago

since we changed our S3 secret/key

Perhaps related to the permissions you've granted this new credential pair?

I'm willing to fix this myself and raise a PR

Thanks!

iowaz commented 1 year ago

@simonbrowndotje I believe you are correct - do you have a list of the needed Actions that should be granted in this credential?

iowaz commented 1 year ago

Updated from 3080 to 3142 and now the log4j2 configuration file appears to work - now I can see the error more clearly:

[DEBUG] 2023-09-22 11:00:02.853 [http-nio-8080-exec-8] wire - http-outgoing-31 >> "GET /?versions&prefix=workspaces%2F3%2Fworkspace.json&max-keys=30&encoding-type=url HTTP/1.1[\r][\n]"
[DEBUG] 2023-09-22 11:00:02.853 [http-nio-8080-exec-8] wire - http-outgoing-31 >> "Host: (removed for privacy)[\r][\n]"
....
[DEBUG] 2023-09-22 11:00:02.863 [http-nio-8080-exec-8] wire - http-outgoing-31 << "HTTP/1.1 403 Forbidden[\r][\n]"
...
[DEBUG] 2023-09-22 11:00:02.863 [http-nio-8080-exec-8] wire - http-outgoing-31 << "<?xml version="1.0" encoding="UTF-8"?>[\n]"
[DEBUG] 2023-09-22 11:00:02.864 [http-nio-8080-exec-8] wire - http-outgoing-31 << "<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>(removed for privacy)</RequestId><HostId>(removed for privacy)</HostId></Error>[\r][\n]"

There's two actions that I would like to do:

Sounds in the right direction?

ddelucaenhesa commented 7 months ago

Hi @iowaz FYI: Here is my working S3 Policy config.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "AllowStatement2B",
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketVersions"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::structurizr"
      ]
    },
    {
      "Sid": "AllowStatement4B",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::structurizr/*"
      ]
    }
  ]
}

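An added example, not part of the thread or of Structurizr's code: it pairs each request in a wire log like the one above with its response, maps the requests answered with 403 to the IAM action they need (`GET /?versions` is ListObjectVersions, which needs `s3:ListBucketVersions` on the bucket), and checks a policy for that grant. The bucket name `structurizr` is taken from the policy posted above; `NARROW_POLICY`, the function names, the small request-to-action mapping and the Allow-only evaluation (no Deny or Condition handling) are assumptions of the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: two wire-log lines in the shape quoted in the thread.
SAMPLE_LOG = r'''[DEBUG] 2023-09-22 11:00:02.853 [http-nio-8080-exec-8] wire - http-outgoing-31 >> "GET /?versions&prefix=workspaces%2F3%2Fworkspace.json&max-keys=30&encoding-type=url HTTP/1.1[\r][\n]"
[DEBUG] 2023-09-22 11:00:02.863 [http-nio-8080-exec-8] wire - http-outgoing-31 << "HTTP/1.1 403 Forbidden[\r][\n]"'''
# Hypothetical policy for a rotated key: listing and object access, no version listing.
NARROW_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::structurizr"},
    {"Effect": "Allow", "Action": "s3:*Object", "Resource": "arn:aws:s3:::structurizr/*"}]}
WIRE = re.compile(r'(http-outgoing-\d+) (>>|<<) "(.*?)(?:\[\\r\])?(?:\[\\n\])?"$')

def denied_requests(log):
    """Return (method, target) for each request answered with 403 on its connection."""
    pending, denied = {}, []
    for m in filter(None, map(WIRE.search, log.splitlines())):
        conn, direction, text = m.groups()
        req = re.fullmatch(r"([A-Z]+) (\S+) HTTP/1\.[01]", text)
        if direction == ">>" and req:
            pending[conn] = req.groups()
        elif direction == "<<" and text.startswith("HTTP/1."):
            sent = pending.pop(conn, None)
            if sent and text.split()[1] == "403":
                denied.append(sent)
    return denied

def required_action(method, target, bucket):
    """Map a GET/PUT/DELETE request to the IAM action and resource ARN it needs."""
    parts = urlsplit(target)
    key = unquote(parts.path.lstrip("/"))
    if key:  # object-level request
        verb = {"GET": "s3:GetObject", "PUT": "s3:PutObject", "DELETE": "s3:DeleteObject"}
        return verb[method], f"arn:aws:s3:::{bucket}/{key}"
    query = parse_qs(parts.query, keep_blank_values=True)  # keeps the bare "versions" flag
    action = "s3:ListBucketVersions" if "versions" in query else "s3:ListBucket"
    return action, f"arn:aws:s3:::{bucket}"

def allows(policy, action, resource):
    """Allow-only check with IAM * and ? wildcards; Deny and Condition are ignored."""
    def hit(patterns, value, flags=0):
        rxs = [re.escape(p).replace(r"\*", ".*").replace(r"\?", ".")
               for p in (patterns if isinstance(patterns, list) else [patterns])]
        return any(re.fullmatch(rx, value, flags) for rx in rxs)
    return any(st["Effect"] == "Allow" and hit(st["Action"], action, re.I)
               and hit(st["Resource"], resource) for st in policy["Statement"])

def missing_grants(log, policy, bucket):
    needed = [required_action(m, t, bucket) for m, t in denied_requests(log)]
    return [grant for grant in needed if not allows(policy, *grant)]
```

`missing_grants(SAMPLE_LOG, NARROW_POLICY, "structurizr")` reports the bucket-level `s3:ListBucketVersions` grant; a policy that includes it on `arn:aws:s3:::structurizr` yields an empty list.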