Webui policy with remote-user allowed causing issue

Hi,

I am trying to set up privacyidea with remote-user-allowed policy.
The remote-user header is passed from haproxy load balancer to nginx/wsgi
that serves privacyidea.
However, the request fails with a response stating that "'Request' has no
attribute 'all_data'".

The traceback points to lib/python2.7/dist-packages/privacyidea/lib/utils.py:
get_client_ip():
mapped_ip = request.all_data.get("client")

I changed the line to the below and everything seems to work fine now:
mapped_ip = request.all_data.get("client") if hasattr(request, 'all_data') else None

I am not sure if I am missing something here to make remote-user work?

Best regards,

Hi Quynh,

can you please check for the Request anyway?
This will help track down the problem a lot.
E.g. open the developer view with Ctrl-I and choose the network tab.

It might be the POST /auth request. Can you please verify this?

Thanks a lot
Cornelius

On Wednesday, 31.08.2016, 00:02 -0700, Quynh .Nhat wrote:

Hi Cornelius,

Thanks for the response.
By the request, I just meant normal browsing to the webui with a web
browser. No crafted request.

My goal is to allow client cert login to privacyidea webui. The one
doing the cert authentication for clients is haproxy. The setup is:

Haproxy -> Nginx/uwsgi (privacyidea)
X-Remote-User -> uwsgi_param REMOTE-USER $http_x_remote_webui

A webui policy is added to allow remote-user for all realms/clients.

When browsing to the webui, I received the error response as
mentioned, and the log showed as mentioned.

I will take a look at the calls mentioned in your response and update
here if I find anything.

Best regards,


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Registered at Amtsgericht Kassel, HRB 16405
Managing Director: Cornelius Kölbel


Hello,

what request are you issuing?
i.e. what are you doing/trying to do?

The all_data gets added to the request object in some before_request
statement. Probably this is missing or disordered in the request you
are sending.

If you are using developer mode in your browser you can identify the
request. This would be quite helpful.

Thanks a lot and kind regards
Cornelius

That is great. Thank you for your help! :slight_smile:

Best regards,

On Wednesday, August 31, 2016 at 1:39:22 AM UTC-7, Cornelius Kölbel wrote:

Thanks for the screenshots.

I understand. This is the call to the static webui/login.py.
There was no before_request and thus there was not request.all_data
created.
I opened an issue for this.
https://github.com/privacyidea/privacyidea/issues/499

…and already know the fix.
Kind regards
Cornelius


Fixed it.
So that also this static request will have all_data.


de1fc63c758db660627

You could wait for the automated tests to finish :wink:

Kind regards
Cornelius
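
The failure discussed in this thread, as an added example that is not part of the original messages and is not privacyIDEA's own code: a Flask before_request hook registered on one blueprint does not run for routes on another, so a helper that reads request.all_data fails there. The blueprint, route and function names are hypothetical stand-ins, and attaching the hook to the webui blueprint is only one way to make the static request carry all_data.

```python
from flask import Blueprint, Flask, request


def mapped_client(guarded):
    """Simplified stand-in for the lookup done in get_client_ip()."""
    if guarded:
        # The reporter's workaround: tolerate a request without all_data.
        all_data = getattr(request, "all_data", None) or {}
    else:
        # The original line: AttributeError if no hook has run.
        all_data = request.all_data
    return "client=%s" % all_data.get("client")


def collect_all_data():
    # Stand-in for the hook that attaches the merged request parameters.
    request.all_data = request.values.to_dict()


def build_app(hook_on_webui, guarded):
    app = Flask(__name__)
    app.config["PROPAGATE_EXCEPTIONS"] = False  # turn errors into HTTP 500
    api = Blueprint("api", __name__)
    webui = Blueprint("webui", __name__)

    api.before_request(collect_all_data)
    if hook_on_webui:
        # Assumed shape of a fix: the static login route gets the hook too.
        webui.before_request(collect_all_data)

    @api.route("/auth", methods=["POST"])
    def auth():
        return mapped_client(guarded)

    @webui.route("/")
    def login_page():
        return mapped_client(guarded)

    app.register_blueprint(api)
    app.register_blueprint(webui)
    return app


def status_codes(hook_on_webui, guarded):
    """Return (POST /auth status, GET / status) for one configuration."""
    client = build_app(hook_on_webui, guarded).test_client()
    auth = client.post("/auth", data={"client": "10.0.0.5"})  # constructed value
    return auth.status_code, client.get("/").status_code
```

Requires Flask. The unguarded lookup without the hook on the webui blueprint is the only combination that returns 500 for the login page.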


Hi Cornelius,

I attached the screenshots of the capture.
Haproxy is a separate node, and simply adds and sends the X-Remote-User
header (which is derived from the client cert info) to nginx.
There is no POST request, I believe.

Please let me know if you need any other information.

Best regards,
