Enable github access via API

Hi,
I am trying to enable GitHub access control via an API call.
To understand which calls need to be made, I inspected the browser.
I’ve seen that one first call is a POST to /v1/githubconfig
with this body:
{"accessMode":"unrestricted","id":null,"type":"githubconfig","allowedIdentities":[],"clientId":"myclientid","clientSecret":"myclientsecret","enabled":false,"hostname":null,"name":"githubconfig","scheme":"https://"}
But when I execute this request, it returns a 403 response with this message:
InvalidCSRFToken : CSRF header and cookie do not match

Is it possible to configure the rancher server from the start only via API calls?

best regards,

Charles.

The UI is 100% static client-side code that just talks to the API. Anything it can do you can do, though some things are admittedly non-obvious or lacking documentation.

So that is the API call, but you’ll want enabled:true. The UI sends false, tries to authenticate, and then sets it to true if everything worked so that it is difficult to lock yourself out with invalid config.

The error message has nothing to do with setting up auth specifically… it means you’re sending a request that looks like it’s from a browser, where we need to protect against cross-site request forgery attacks.

To do that the API requires any non-GET request have the value of the CSRF cookie (which the server provides) sent back as the value of an X-API-CSRF header (which you can’t do if you’re code running from a different domain).

Since you’re (probably?) not a browser you can just remove where you’re sending a User-Agent header, or make it not contain “Mozilla”. If you are a browser, on a page in a different domain than Rancher, then you won’t be able to do this… because you’re trying to execute a CSRF attack against yourself :smile:.
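
Added example, not part of the reply above and not Rancher's code: a shell model of the check that reply describes, run over constructed request heads. The cookie name `CSRF`, the "User-Agent contains Mozilla" test and treating a missing cookie or header as a mismatch are assumptions.

```shell
#!/bin/sh
# Model of the double-submit CSRF rule described above; not Rancher's code.
# Assumptions: the cookie is named CSRF, "looks like a browser" means the
# User-Agent contains "Mozilla", and a missing cookie or header is a mismatch.

# header_value NAME REQUEST: print the value of header NAME (case-insensitive).
header_value() {
  printf '%s\n' "$2" | awk -v n="$1" -F': ' \
    'NR > 1 && tolower($1) == tolower(n) { sub(/^[^:]*: /, ""); print; exit }'
}

# cookie_value NAME COOKIE_HEADER: print the value of cookie NAME.
cookie_value() {
  printf '%s\n' "$2" | tr ';' '\n' | sed 's/^ *//' |
    awk -v n="$1" 'index($0, n "=") == 1 { print substr($0, length(n) + 2); exit }'
}

# csrf_decision REQUEST: print "allow" or the 403 error for a raw request head.
csrf_decision() {
  method=${1%% *}
  if [ "$method" = GET ]; then echo allow; return; fi
  case "$(header_value User-Agent "$1")" in
    *Mozilla*) ;;                 # browser-like: the token check applies
    *) echo allow; return ;;      # not browser-like: check skipped
  esac
  cookie=$(cookie_value CSRF "$(header_value Cookie "$1")")
  token=$(header_value X-API-CSRF "$1")
  if [ -n "$cookie" ] && [ "$cookie" = "$token" ]; then
    echo allow
  else
    echo "403 InvalidCSRFToken"
  fi
}

# Constructed request heads (not captured traffic).
REPLAYED='POST /v1/githubconfig HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (constructed)
Cookie: other=1; CSRF=0123ABCD'
WITH_TOKEN="$REPLAYED
X-API-CSRF: 0123ABCD"
SCRIPTED='POST /v1/githubconfig HTTP/1.1
Host: localhost:8080
User-Agent: curl/7.47.0'

for r in "$REPLAYED" "$WITH_TOKEN" "$SCRIPTED"; do csrf_decision "$r"; done
```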

Hi @vincent,
I’ve updated the query with enabled: true.

A 400 bad request is returned, but without any details…
Here is the curl command:

curl 'http://myns:myport/v1/githubconfig' -H 'Host: myns:myport'  -H 'Accept: application/json'  --compressed -H 'Content-Type: application/json'  -d "{"accessMode":"unrestricted","id":null,"type":"githubconfig","allowedIdentities":[],"clientId":"myclientId","clientSecret":"myClientSecret","enabled":true,"hostname":null,"name":"githubconfig","scheme":"https://"}"

In logs, a NullPointerException is thrown:

2016-02-26 23:28:21,195 ERROR [:] [] [] [] [p2029686239-127] [i.g.i.g.s.ApiRequestFilterDelegate  ] Unhandled exception in API for request [io.github.ibuildthecloud.gdapi.request.ApiRequest@8c2f627] java.lang.NullPointerException: null
    at io.cattle.platform.iaas.api.auditing.AuditServiceImpl.logRequest(AuditServiceImpl.java:86) ~[cattle-framework-auditing-0.5.0-SNAPSHOT.jar:na]
    at io.cattle.platform.iaas.api.auditing.AuditLogsRequestHandler.handle(AuditLogsRequestHandler.java:23) ~[cattle-framework-auditing-0.5.0-SNAPSHOT.jar:na]
    at io.github.ibuildthecloud.gdapi.servlet.ApiRequestFilterDelegate.doFilter(ApiRequestFilterDelegate.java:86) ~[cattle-framework-java-server-0.5.0-SNAPSHOT.jar:na]
    at io.cattle.platform.api.servlet.ApiRequestFilter$1.runInContext(ApiRequestFilter.java:90) [cattle-framework-api-0.5.0-SNAPSHOT.jar:na]
    at org.apache.cloudstack.managed.context.ManagedContextRunnable$1.run(ManagedContextRunnable.java:49) [cattle-framework-managed-context-0.5.0-SNAPSHOT.jar:na]
    at org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:55) [cattle-framework-managed-context-0.5.0-SNAPSHOT.jar:na]
    at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:108) [cattle-framework-managed-context-0.5.0-SNAPSHOT.jar:na]
    at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:52) [cattle-framework-managed-context-0.5.0-SNAPSHOT.jar:na]
    at org.apache.cloudstack.managed.context.ManagedContextRunnable.run(ManagedContextRunnable.java:46) [cattle-framework-managed-context-0.5.0-SNAPSHOT.jar:na]
    at io.cattle.platform.api.servlet.ApiRequestFilter.doFilter(ApiRequestFilter.java:83) [cattle-framework-api-0.5.0-SNAPSHOT.jar:na]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652) [jetty-servlet-9.2.11.v20150529.jar:9.2.11.v20150529]
    at org.eclipse.jetty.servlets.UserAgentFilter.doFilter(UserAgentFilter.java:83) [jetty-servlets-9.2.11.v20150529.jar:9.2.11.v20150529]
    at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:300) [jetty-servlets-9.2.11.v20150529.jar:9.2.11.v20150529]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652) [jetty-servlet-9.2.11.v20150529.jar:9.2.11.v20150529]
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585) [jetty-servlet-9.2.11.v20150529.jar:9.2.11.v20150529]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) [jetty-server-9.2.11.v20150529.jar:9.2.11.v20150529]
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577) [jetty-security-9.2.11.v20150529.jar:9.2.11.v20150529]
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223) [jetty-server-9.2.11.v20150529.jar:9.2.11.v20150529]
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127) [jetty-server-9.2.11.v20150529.jar:9.2.11.v20150529]
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515) [jetty-servlet-9.2.11.v20150529.jar:9.2.11.v20150529]
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185) [jetty-server-9.2.11.v20150529.jar:9.2.11.v20150529]
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061) [jetty-server-9.2.11.v20150529.jar:9.2.11.v20150529]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) [jetty-server-9.2.11.v20150529.jar:9.2.11.v20150529]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97) [jetty-server-9.2.11.v20150529.jar:9.2.11.v20150529]
    at org.eclipse.jetty.server.Server.handle(Server.java:499) [jetty-server-9.2.11.v20150529.jar:9.2.11.v20150529]
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310) [jetty-server-9.2.11.v20150529.jar:9.2.11.v20150529]
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257) [jetty-server-9.2.11.v20150529.jar:9.2.11.v20150529]
    at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540) [jetty-io-9.2.11.v20150529.jar:9.2.11.v20150529]
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635) [jetty-util-9.2.11.v20150529.jar:9.2.11.v20150529]
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555) [jetty-util-9.2.11.v20150529.jar:9.2.11.v20150529]
    at java.lang.Thread.run(Thread.java:745) [na:1.7.0_95]

Have you any request example?

best regards,

Charles.

Using this request

curl 'http://localhost:8080/v1/githubconfig' -H 'Host: localhost:8080'  -H 'Accept: application/json'   --compressed -H 'Content-Type: application/json'    -d  "{"accessMode":"unrestricted","id":null,"type":"githubconfig","allowedIdentities":[],"clientId":"myclientID","clientSecret":"myclientSecrey","enabled":true,"hostname":null,"name":"githubconfig","scheme":"https://"}"

RESP:
{"id":"454b778f-919f-4c67-b677-71500751c52c","type":"error","links":{},"actions":{},"status":400,"code":"InvalidBodyContent","message":"InvalidBodyContent","detail":null}

However if you replace the surrounding " on the data for the request with ' like so:

curl 'http://localhost:8080/v1/githubconfig' -H 'Host: localhost:8080'  -H 'Accept: application/json'   --compressed -H 'Content-Type: application/json'    -d  '{"accessMode":"unrestricted","id":null,"type":"githubconfig","allowedIdentities":[],"clientId":"myClientID","clientSecret":"myClientSecret","enabled":true,"hostname":null,"name":"githubconfig","scheme":"https://"}'

RESP:
{"id":null,"type":"githubconfig","links":{},"actions":{},"accessMode":"unrestricted","allowedIdentities":[],"clientId":"6a13fa4975b853d12458","clientSecret":null,"enabled":true,"hostname":null,"name":"githubconfig","scheme":"https://"}

A 400 is not returned.
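
Added example, not part of the post above: a shell script showing what the program actually receives as its `-d` argument under each quoting style, plus a file-based alternative that also keeps `clientSecret` off the command line. The helper names and the base URL argument are assumptions; the body uses the placeholder values from this thread.

```shell
#!/bin/sh
# show_arg prints its first argument exactly as a program such as curl
# receives it after the shell has processed the quotes.
show_arg() { printf '%s' "$1"; }

# Body wrapped in double quotes: each inner " ends or starts a quoted span,
# so the shell removes every one of them before the program runs.
double_quoted() {
  show_arg "{"accessMode":"unrestricted","id":null,"type":"githubconfig","allowedIdentities":[],"clientId":"myclientid","clientSecret":"myclientsecret","enabled":true,"hostname":null,"name":"githubconfig","scheme":"https://"}"
}

# Body wrapped in single quotes: the inner " are literal characters.
single_quoted() {
  show_arg '{"accessMode":"unrestricted","id":null,"type":"githubconfig","allowedIdentities":[],"clientId":"myclientid","clientSecret":"myclientsecret","enabled":true,"hostname":null,"name":"githubconfig","scheme":"https://"}'
}

# keys_quoted BODY: crude check that the object still starts with a quoted key.
keys_quoted() { case "$1" in '{"'*) return 0 ;; *) return 1 ;; esac; }

# write_body FILE: keep the JSON (and the secret) out of the command line.
# The quoted heredoc delimiter disables all expansion; umask 077 makes a
# newly created file readable by its owner only.
write_body() {
  ( umask 077
    cat > "$1" <<'EOF'
{"accessMode":"unrestricted","id":null,"type":"githubconfig","allowedIdentities":[],"clientId":"myclientid","clientSecret":"myclientsecret","enabled":true,"hostname":null,"name":"githubconfig","scheme":"https://"}
EOF
  )
}

# post_body BASE_URL FILE: send the file as the request body (-d @file).
# BASE_URL is an assumption, e.g. http://localhost:8080 as in the thread.
post_body() {
  curl -sS -H 'Accept: application/json' -H 'Content-Type: application/json' \
       -d @"$2" "$1/v1/githubconfig"
}

printf 'double: %s\n' "$(double_quoted)"
printf 'single: %s\n' "$(single_quoted)"
```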

Hi @wizardofmath,
Thank you very much for your support!
It works!
It was a newbie mistake…

best regards,

Charles.

(Throwing a null pointer exception in this case is still a problem though, and will be fixed)