Tikarei
@Tikarei
Response headers:
Content-Type: application/json;charset=utf-8
Date: Thu, 30 Apr 2020 10:56:53 GMT
Pragma: no-cache
Transfer-Encoding: chunked
WWW-Authenticate: Basic realm="hawkBit"
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Tikarei
@Tikarei
Actually, I don't think it has to do with the JSESSIONID, I think it has to do with mode: 'no-cors'
Tikarei
@Tikarei
I will try this solution by you: eclipse/hawkbit#708
Bondar Bogdan
@bogdan-bondar
I also don’t think it has anything to do with JSESSIONID, because it is used for sticky sessions if needed. Unfortunately I can’t reproduce your problem, I can only suggest trying the same request with curl/Postman and comparing the headers/cookies
Tikarei
@Tikarei
Yes, I actually think it is a CORS related problem
still debugging, will update once I get it
Bondar Bogdan
@bogdan-bondar
:+1:
Tikarei
@Tikarei
It seems like Spring security detects mode: 'no-cors' from fetch API as an XSS attack and blocks it. I got it working after removing that and enabling CORS as you instructed here: eclipse/hawkbit#708
Bondar Bogdan
@bogdan-bondar
Cool, glad that you have found the solution ;)
voyager42
@voyager42
Hi there. In the test server https://hawkbit.eclipse.org/UI/ I see the System Config is set to "Allow targets to download artifacts without security credentials". Therefore I expect that a GET to /DEFAULT/controller/v1/simulated13 should return some data without needing authorization header. But I am getting a 401. What am I missing?
voyager42
@voyager42
I don't have the same issue running the hawkbit-101 stack locally though...
voyager42
@voyager42
Running the hawkbit-101 postman collection against my remote server also works, but only with security token. Looks like this is not optional?
Alexander Dobler
@dobleralex
Hi @voyager42 the option Allow targets to download artifacts without security credentials is strictly limited to the download link for the artifact. This means it is still necessary for the target to authenticate using a token or a certificate to retrieve and change target data, but the download URL for assigned artifacts can be reached without (looking like this, e.g. DEFAULT/controller/v1/test/softwaremodules/1/artifacts/test.txt). If you really want to allow anonymous target access for easier testing you could start hawkbit with the parameter --hawkbit.server.ddi.security.authentication.anonymous.enabled=true. But keep in mind that this will allow anyone to connect and act in regard to any target as well as create new ones; it is therefore strongly discouraged for a production environment.
voyager42
@voyager42
@dobleralex Thanks for the clarification.
Alexander Dobler
@dobleralex
You're welcome :)
Stefan Schindler
@dns2utf8
I would like to implement a client that fetches data from hawkbit
But I can not find any documentation on the HTTP API
This https://www.eclipse.org/hawkbit/apis/ddi_api/ does not explain how one gets these tenant and controller ids
Does anyone have any pointers?
voyager42
@voyager42
@dns2utf8 the tenant is what you see when logged in: DEFAULT in the case of the hawkbit demo server
the controller id is something that you have to assign to your devices
Do you want to fetch data from the management system? In that case look at the Management API: https://www.eclipse.org/hawkbit/apis/management_api/
Stefan Schindler
@dns2utf8
Thank you @voyager42 it helps a lot
Can the device assign a controller id to itself when it registers itself?
Julian
@JulianFeinauer
@dns2utf8 Id has to be set upfront but you can choose it freely
voyager42
@voyager42
Typical options include the device serial number or MAC address.
@dns2utf8 You should check out the tutorial "hawkbit-101"
Stefan Schindler
@dns2utf8
I am trying to follow the hawkbit-101 tutorial
However, I can not authorize myself to hawkbit
Nevermind, I found the curl snippets
But I would have loved a hint in the API docs that one can use HTTP Basic Auth for the system
Julian
@JulianFeinauer
@dns2utf8 My impression also is that there is room for improvement in the Documentation. But Pull Requests, especially in this area, are always highly welcome
(not speaking for hawkbit as I’m no committer but rather generally for OSS projects)
Alexander Dobler
@dobleralex
@dns2utf8 It is mentioned on the Mgmt API page that you have to set an Authorization header for username/password, implying Basic Auth usually; it also links to the Security page that describes that Basic Auth is used for authentication against the Mgmt API. But you're right that it might not be clear on the API page alone; as @JulianFeinauer mentioned, pull requests for documentation changes to help make things clearer are always welcome :-)
You can find the documentation in the hawkbit repo, the pages are written as simple markdown files. :)
Camal Cakar
@midnightrun

@xyklex @schabdo

I am trying to set up Keycloak with Hawkbit and am running into exactly the same problems as discussed by you in February this year.

At this point I get this exception:

[hawkbit-549466896d-bbcs9] 2020-05-25 11:59:53.759 ERROR 1 --- [qtp917277283-18] com.vaadin.server.DefaultErrorHandler    :
[hawkbit-549466896d-bbcs9]
[hawkbit-549466896d-bbcs9] java.lang.ClassCastException: org.springframework.security.oauth2.core.user.DefaultOAuth2User cannot be cast to org.springframework.security.oauth2.core.oidc.user.OidcUser
[hawkbit-549466896d-bbcs9]     at org.eclipse.hawkbit.ui.common.UserDetailsFormatter.getCurrentUser(UserDetailsFormatter.java:196)
[hawkbit-549466896d-bbcs9]     at org.eclipse.hawkbit.ui.common.UserDetailsFormatter.formatCurrentTenant(UserDetailsFormatter.java:152)
[hawkbit-549466896d-bbcs9]     at org.eclipse.hawkbit.ui.menu.DashboardMenu.buildUserMenu(DashboardMenu.java:201)
[hawkbit-549466896d-bbcs9]     at org.eclipse.hawkbit.ui.menu.DashboardMenu.buildContent(DashboardMenu.java:115)
[hawkbit-549466896d-bbcs9]     at org.eclipse.hawkbit.ui.menu.DashboardMenu.init(DashboardMenu.java:108)
[hawkbit-549466896d-bbcs9]     at org.eclipse.hawkbit.ui.AbstractHawkbitUI.init(AbstractHawkbitUI.java:127)
[hawkbit-549466896d-bbcs9]     at com.vaadin.ui.UI.doInit(UI.java:693)

@xyklex you mentioned that you just set the client_secret. Do you mean the application settings within the JSON file SPRING_APPLICATION_JSON? Because this is already set on my system.

I am using the official Helm Chart to render the Manifest files and the cluster is healthy. Thanks for any advice.

To be more precise, when I log in, I get an empty page with the exception message mentioned above.
Bondar Bogdan
@bogdan-bondar

@midnightrun
Hi! I will try to explain what is going on here… While the UI is being constructed it tries to get the information regarding the current user from the authentication principal. It recognizes that authentication was made by the OAuth2 token and tries to extract available information out of the OAuth2 principal.

The problem, however, is that the current implementation assumes the OAuth2 identity provider always to be OpenID Connect 1.0, casting directly to the OidcUser interface, which leads to the exception being thrown during UI construction.

So in order to fix your issue you could modify the code to explicitly check the type of the authentication principal and cast to the more general OAuth2User interface.

Btw. pull requests are always welcome ;)

Camal Cakar
@midnightrun

Hi @bogdan-bondar
Thanks for your reply. I started again from scratch and now I am running into a different problem.

My setup:
Keycloak 10.0.1
Hawkbit:0.3.0M6-mysql

{
  "logging.level.org.springframework.security": "DEBUG",

  "spring.datasource.password": "xxx",
  "spring.datasource.username": "xxx",

  "spring.security.oauth2.client.registration.oidc.client-id": "xxx-hawkbit",
  "spring.security.oauth2.client.registration.oidc.client-secrect": "xxxx-6cab-485e-xxxx-xxxx",
  "spring.security.oauth2.client.registration.oidc.scope": "openid email profile",

  "spring.security.oauth2.client.provider.oidc.authorization-uri": "https://keycloak.xxxx.de/auth/realms/xxxx/protocol/openid-connect/auth",
  "spring.security.oauth2.client.provider.oidc.issuer-uri": "https://keycloak.xxxx.de/auth/realms/xxxx",
  "spring.security.oauth2.client.provider.oidc.jwk-set-uri": "https://keycloak.xxxx.de/auth/realms/xxxx/protocol/openid-connect/certs",
  "spring.security.oauth2.client.provider.oidc.token-uri": "https://keycloak.xxxx.de/auth/realms/xxxx/protocol/openid-connect/token",
  "spring.security.oauth2.client.provider.oidc.user-info-uri": "https://keycloak.xxxx.de/auth/realms/xxxx/protocol/openid-connect/userinfo"
}

My client is configured in Keycloak to have the Roles TENANT_CONFIGURATION and SYSTEM_ADMIN. Both mapped to my user for the login test.

Now using an HTTP client like httpie is working fine. I get a token back which seems valid, but trying to log in to the web UI now shows me this:

[hawkbit-549466896d-4tc2h] 2020-05-26 07:17:34.663 DEBUG 1 --- [qtp557725225-17] o.s.security.web.FilterChainProxy        : /login/oauth2/code/oidc?state=7QEb3SeH3c3mmWF0luJbiUb0yaOF5ZjgHsEbp4pu1eo%3D&session_state=bd820d70-86c0-4f48-99bd-f3506bb11f6f&code=794da429-ed41-4753-ab89-dcc8b8070d02.bd820d70-86c0-4f48-99bd-f3506bb11f6f.87c1def4-254b-4596-830b-0ac1856fd284 at position 6 of 16 in additional filter chain; firing Filter: 'OAuth2AuthorizationRequestRedirectFilter'
[hawkbit-549466896d-4tc2h] 2020-05-26 07:17:34.663 DEBUG 1 --- [qtp557725225-17] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/login/oauth2/code/oidc'; against '/oauth2/authorization/{registrationId}'
[hawkbit-549466896d-4tc2h] 2020-05-26 07:17:34.663 DEBUG 1 --- [qtp557725225-17] o.s.security.web.FilterChainProxy        : /login/oauth2/code/oidc?state=7QEb3SeH3c3mmWF0luJbiUb0yaOF5ZjgHsEbp4pu1eo%3D&session_state=bd820d70-86c0-4f48-99bd-f3506bb11f6f&code=794da429-ed41-4753-ab89-dcc8b8070d02.bd820d70-86c0-4f48-99bd-f3506bb11f6f.87c1def4-254b-4596-830b-0ac1856fd284 at position 7 of 16 in additional filter chain; firing Filter: 'OAuth2LoginAuthenticationFilter'
[hawkbit-549466896d-4tc2h] 2020-05-26 07:17:34.663 DEBUG 1 --- [qtp557725225-17] o.s.s.w.util.matcher.AndRequestMatcher   : Trying to match using Ant [pattern='/login/oauth2/code/*']
[hawkbit-549466896d-4tc2h] 2020-05-26 07:17:34.663 DEBUG 1 --- [qtp557725225-17] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/login/oauth2/code/oidc'; against '/login/oauth2/code/*'
[hawkbit-549466896d-4tc2h] 2020-05-26 07:17:34.663 DEBUG 1 --- [qtp557725225-17] o.s.s.w.util.matcher.AndRequestMatcher   : Trying to match using org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer$$Lambda$772/918145945@28b23d8b
[hawkbit-549466896d-4tc2h] 2020-05-26 07:17:34.663 DEBUG 1 --- [qtp557725225-17] o.s.s.w.util.matcher.AndRequestMatcher   : All requestMatchers returned true
[hawkbit-549466896d-4tc2h] 2020-05-26 07:17:34.663 DEBUG 1 --- [qtp557725225-17] .s.o.c.w.OAuth2LoginAuthenticationFilter : Request is to process authentication
[hawkbit-549466896d-4tc2h] 2020-05-26 07:17:34.664 DEBUG 1 --- [qtp557725225-17] o.s.s.authentication.ProviderManager     : Authentication attempt using org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationProvider
[hawkbit-549466896d-4tc2h
As @schabdo mentioned he got it working with Keycloak, so I believe things could work out without touching the code?
Full Stacktrace
[hawkbit-549466896d-4tc2h] 2020-05-26 07:17:34.752 DEBUG 1 --- [qtp557725225-17] o.s.s.authentication.ProviderManager     : Authentication attempt using org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider
[hawkbit-549466896d-4tc2h] 2020-05-26 07:17:34.752 DEBUG 1 --- [qtp557725225-17] .s.a.DefaultAuthenticationEventPublisher : No event was found for the exception org.springframework.security.oauth2.core.OAuth2AuthenticationException
[hawkbit-549466896d-4tc2h] 2020-05-26 07:17:34.753 DEBUG 1 --- [qtp557725225-17] .s.o.c.w.OAuth2LoginAuthenticationFilter : Authentication request failed: org.springframework.security.oauth2.core.OAuth2AuthenticationException: [invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: 401 Unauthorized
[hawkbit-549466896d-4tc2h]
[hawkbit-549466896d-4tc2h] org.springframework.security.oauth2.core.OAuth2AuthenticationException: [invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: 401 Unauthorized
Camal Cakar
@midnightrun

Ok, it is working now. For people who come after me:

This blog post showed me my error: https://blog.faktorzehn.de/2019/12/english-faktor-zehn-tutorial-keycloak-spring-boot-2-spring-security-5/?lang=en

I was missing the explicit "openid" scope which is mentioned there.

Bondar Bogdan
@bogdan-bondar
@midnightrun haven’t you already specified the “openid” in spring.security.oauth2.client.registration.oidc.scope=openid email profile before? Or you mean it should be specified as spring.security.oauth2.client.registration.oidc.scope[0]=openid and spring.security.oauth2.client.registration.oidc.scope[1]=email profile?
Camal Cakar
@midnightrun
I did @bogdan-bondar, but after removing all blank lines and just adding spring.security.oauth2.client.registration.oidc.scope=openid everything is working.
Camal Cakar
@midnightrun

@dometec actually there is: in the system configuration you can enable the feature. The proxy has to set two headers, one for the common name and one to identify the cert issuer. The issuer (can be any kind of string) is what you have to put into the text field in the system configuration. Unfortunately this text field is not optional. Default headers are X-Ssl-Client-Cn for the common name = controllerId and X-Ssl-Issuer-Hash-%d (e.g. X-Ssl-Issuer-Hash-0) to identify the issuer. However, you can define the two header names via the properties hawkbit.server.ddi.security.rp.cnHeader and hawkbit.server.ddi.security.rp.sslIssuerHashHeader

Based on this discussion I set up an nginx on my server. I would like to client-auth only the devices, because the Management UI, for example, is secured by OpenID Connect.

Does this mean I need to configure my nginx to just match on the path /$TENANT/CONTROLLER to verify the client cert?

Also @schabdo you mentioned that Hawkbit is expecting two headers, the Common Name and the SSL-Issuer-Hash, and this also needs to be configured in the text field within the Hawkbit configuration, right?

I am new to configuring nginx and didn't find any forwarding mechanism so far to pass just the hash, or should this be hardcoded?

@dometec maybe you could spread some knowledge here because you seem to have solved it already :D

Thanks

Camal Cakar
@midnightrun
An extra round would be: how to test this actually without a real target? Can I just create a dummy target? So far I couldn't figure out how to do this based on the documentation.
Camal Cakar
@midnightrun
Ok, I can confirm that since I set up my instance protected by OAuth2 via the SPRING_APPLICATION_JSON, the security token is not created 🤷
electronicsengineer8
@electronicsengineer8
What is the meaning of hawkbit download only?
Where is the download path destination?
Bondar Bogdan
@bogdan-bondar
@electronicsengineer8
DOWNLOAD_ONLY is used only in the context of assigning a distribution set to a target (device). It means that the next time the target (device) polls or receives the AMQP message it will get the command to only download the artifacts without trying to install them. The download path destination is the file system of the target (device).