I'm trying to access ejabberd rest api without authentication but always get a 403 Forbidden response with this body :
{
"status": "error",
"code": 32,
"message": "AccessRules: Account does not have the right to perform the operation."
}
I cannot get an OK response on /api/status endpoint which is a command that all users from 127.0.0.1 should be able to use (see "public commands" section under api_permissions in ejabberd.yml).
Here's the request details (via Insomnia REST client):
> POST /api/status HTTP/1.1
> User-Agent: insomnia/5.1.0
> Host: localhost:5280
> Accept: */*
> Accept-Encoding: deflate, gzip
> Content-Type: application/json
> Content-Length: 2
| {}
Ejabberd version is 17.04, installed from a downloaded deb package and running on Debian 8.8 (jessie) x86_64 as ejabberd user.
Post install, I simply added the host "localhost", registered a new user "admin" for localhost and added it to the ACLs.
The only changes I made into ejabberd.yml :
hosts:
- "localhost"
acl:
admin:
user:
- "admin": "localhost"
Otherwise, I can access the webadmin interface which works fine...
What can I do in order to have a 200 OK response ?
Ok I found the solution. Like the message said it was a permission issue.
Here's the default configuration :
api_permissions:
## ...
"public commands":
who:
- ip: "127.0.0.1/8"
what:
- "status"
- "connected_users_number"
This does not allow to access to status or connected_users_number commands with or without authentication (I triple-checked).
For a no authentication usage, use -all :
"public commands":
who:
## This allows to use both commands without having to authenticate
- all
what:
- "status"
- "connected_users_number"
If you want to require a valid user (with basic authentication), replace - all by - access: local.
"public commands":
who:
## This allows to use both commands with basic authentication for local users
- access: local
what:
- "status"
- "connected_users_number"
Related
I'm trying to automatically download a release asset using ansible, but I receive a 400 "Invalid Argument error":
<?xml version="1.0" encoding="UTF-8"?>
<Error>
<Code>InvalidArgument</Code>
<Message>
Only one auth mechanism allowed;
only the X-Amz-Algorithm query parameter, Signature query string parameter
or the Authorization header should be specified
</Message>
<ArgumentName>Authorization</ArgumentName>
<ArgumentValue>Basic XXX</ArgumentValue>
<RequestId>XXXX</RequestId>
<HostId>XXXX</HostId>
</Error>
I have found a corresponding issue on GitHub, but I can't implement the solution using ansible without writing a custom script. My curremt code is:
- name: Download build asset
uri:
url: "{{ asset_url }}"
user: "{{ github_username }}"
password: "{{ github_token }}"
force_basic_auth: yes
headers:
Accept: application/octet-stream
I have also tried passing no headers and using the token in the url
- name: Download build asset
uri:
url: "https://{{ TOKEN }}:#api.github.com/repos/<ORG>/<REPO>/releases/assets/{{ ASSET_ID }}"
headers:
Accept: application/octet-stream
But then I receive an error 404 "Not found" Error (presumably because the authentication did not work (private URL parameters replaced as ):
fatal: [XXX]: FAILED! => changed=false
access_control_allow_origin: '*'
access_control_expose_headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, Deprecation, Sunset
connection: close
content: '{"message":"Not Found","documentation_url":"https://docs.github.com/rest/reference/repos#get-a-release-asset"}'
content_length: '110'
content_security_policy: default-src 'none'
content_type: application/json; charset=utf-8
date: Wed, 18 Nov 2020 15:45:42 GMT
elapsed: 0
json:
documentation_url: https://docs.github.com/rest/reference/repos#get-a-release-asset
message: Not Found
msg: 'Status code was 404 and not [200]: HTTP Error 404: Not Found'
redirected: false
referrer_policy: origin-when-cross-origin, strict-origin-when-cross-origin
server: GitHub.com
status: 404
strict_transport_security: max-age=31536000; includeSubdomains; preload
url: https://<TOKEN>#api.github.com/repos/<ORG>/<REPO>/releases/assets/28089234
vary: Accept-Encoding, Accept, X-Requested-With
x_content_type_options: nosniff
x_frame_options: deny
x_github_media_type: unknown
x_github_request_id: CC26:2942:15E1154:1948AE9:5FB541A6
x_ratelimit_limit: '60'
x_ratelimit_remaining: '58'
x_ratelimit_reset: '1605717756'
x_ratelimit_used: '2'
x_xss_protection: 1; mode=block
This only happens for release assets, other api calls work just fine using the basic auth method. It also works fine with the same request using curl or postman. Scopes for the Personal Access Token I use are:
repo (full access)
workflow
write:packages
read:packages
Update
For now sending the request using curl works, but I would prefer using the uri module:
name: Download build asset
shell: >
curl -J -L -H "Accept: application/octet-stream"
"https://{{ TOKEN }}#api.github.com/repos/<ORG>/<REPO>/releases/assets/{{ ASSET_ID }}"
--output "/tmp/asset.tar.gz"
I am trying a test where I enable CORS for all domains (to be restricted after I get the use-case working correctly).
As far as I can tell, I should be adding --cors-allowed-origins=["http://*"] to my kube-apiserver.manifest
When I try to do that however:
spec:
containers:
- command:
- /bin/sh
- -c
- /usr/local/bin/kube-apiserver --address=127.0.0.1 --admission-control=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,Priority,ResourceQuota
--allow-privileged=true --anonymous-auth=false --apiserver-count=1 --authorization-mode=AlwaysAllow
--basic-auth-file=/srv/kubernetes/basic_auth.csv --client-ca-file=/srv/kubernetes/ca.crt
--cloud-provider=aws --etcd-servers-overrides=/events#http://127.0.0.1:4002
--etcd-servers=http://127.0.0.1:4001 --insecure-port=8080 --kubelet-preferred-address-types=InternalIP,Hostname,ExternalIP
--proxy-client-cert-file=/srv/kubernetes/apiserver-aggregator.cert --proxy-client-key-file=/srv/kubernetes/apiserver-aggregator.key
--requestheader-allowed-names=aggregator --requestheader-client-ca-file=/srv/kubernetes/apiserver-aggregator-ca.cert
--requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group
--requestheader-username-headers=X-Remote-User --secure-port=443 --service-cluster-ip-range=100.64.0.0/13
--storage-backend=etcd2 --tls-cert-file=/srv/kubernetes/server.cert --tls-private-key-file=/srv/kubernetes/server.key
--token-auth-file=/srv/kubernetes/known_tokens.csv --v=2 2>&1 | /bin/tee -a
--cors-allowed-origins=["https://*"]
I get the following error when trying to use kubectl get pods:
The connection to the server 127.0.0.1 was refused - did you specify the right host or port?
What exactly am I doing wrong for the setup? How do I add CORS domains to Kubernetes?
EDIT: I am now trying this:
- kube-apiserver
--cors-allowed-origins=["https://*"]
My pods no longer crash, however I still have CORS issues in my application.
I am getting errors like this:
[Error] Origin http://localhost:8080 is not allowed by Access-Control-Allow-Origin.
[Error] XMLHttpRequest cannot load https://example.com/auth/realms/name/protocol/openid-connect/token due to access control checks.
[Error] Failed to load resource: Origin http://localhost:8080 is not allowed by Access-Control-Allow-Origin. (token, line 0)
[Error] Preflight response is not successful
[Error] XMLHttpRequest cannot load https://example.com/api/v1/users/me/profile? due to access control checks.
Looks like you are trying to access your api-server with the http protocol, try:
--cors-allowed-origins=["http://*"]
As per documentation:
--cors-allowed-origins: List of allowed origins for CORS, comma separated. An allowed origin can be a regular expression to support subdomain matching. If this list is empty CORS will not be enabled.
I have tested this settings (and also http//*) against API and it works:
--cors-allowed-origins=example.com,example2.com
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization, X-Requested-With, If-Modified-Since
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE, PATCH
Access-Control-Allow-Origin: http://example.com
Those errors looks like problem with settings on your serverside app.
Access-Control-Allow-Origin: specifies the authorized domains to make cross-domain request (you should include the domains of your REST clients or “*” if you want the resource public and available to everyone – the latter is not an option if credentials are allowed during CORS requests)
hope this help.
I have created AWS Machine Learning model with working real-time endpoint. I want to consume created service via HTTP request. For testing purpose I'm using Postman, I've created request according to Amazon's API documentation but every time I get the same exception: UnknownOperationException. While I'm using Python SDK the service is working fine. Below example that gets model info.
That's my request (fake credentials):
POST HTTP/1.1
Host: realtime.machinelearning.us-east-1.amazonaws.com
Content-Type: application/json
X-Amz-Target: AmazonML_20141212.GetMLModel
X-Amz-Date: 20170714T124250Z
Authorization: AWS4-HMAC-SHA256 Credential=JNALSFNLANFAFS/20170714/us-east-1/AmazonML/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-target, Signature=fiudsf9sdfh9sdhfsd9hfsdkfdsiufhdsfoidshfodsh
Cache-Control: no-cache
Postman-Token: hd9sfh9s-idsfuuf-a32c-31ca-dsufhdso
{
"MLModelId": "ml-Hfdlfjdof0807",
"Verbose": true
}
Exception I get:
{
"Output": {
"__type": "com.amazon.coral.service#UnknownOperationException",
"message": null
},
"Version": "1.0"
}
After doing research on AWS forum I've found some similar HTTP requests. Turns out I had 3 incorrect parameters.
Host address should be:
Host: machinelearning.us-east-1.amazonaws.com
Content type:
Content-Type: application/x-amz-json-1.1
In credentials parameters target service has to be specified as machinelearning
Short instruction how to setup Postman's request:
In Authorization tab choose AWS Signature and fill in AccessKey and SecrectKey. In Service Name field write machinelearning. Click Update Request, this will update your header.
In Headers tab add two headers:
Key: X-Amz-Target, Value: AmazonML_20141212.GetMLModel
Key: Content-Type, Value: application/x-amz-json-1.1
Add body:
{ "MLModelId": "YOUR_ML_MODEL_ID", "Verbose": true }
Correct HTTP request below:
POST HTTP/1.1
Host: machinelearning.us-east-1.amazonaws.com
X-Amz-Target: AmazonML_20141212.GetMLModel
Content-Type: application/x-amz-json-1.1
X-Amz-Date: 20170727T113217Z
Authorization: AWS4-HMAC-SHA256 Credential=JNALNFAFS/20170727/us-east-1/machinelearning/aws4_request,
SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-target,
Signature=fiudsf9sdfh9sdhfsd9hfsdkfdsiufhdsfoidshfodsh
Cache-Control: no-cache
Postman-Token: hd9sfh9s-idsfuuf-a32c-31ca-dsufhdso
{
"MLModelId": "ml-Hfdlfjdof0807",
"Verbose": true
}
Please check following link and validate your sigv4
http://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html
I'm creating a demo for Actions on Google.
When running the following command:
./gactions --verbose test --action_package action.json --project chatbot-36b55
I'm getting the following error:
Checking for updates...
Successfully fetched update metadata
Finished checking for updates -- no updates available
Pushing the app for the Assistant for testing...
POST /v2/users/me/previews/chatbot-36b55:updateFromAgentDraft?updateMask=previewActionPackage.actionPackage.actions%2Cpre
viewActionPackage.actionPackage.conversations%2CpreviewActionPackage.actionPackage.types%2CpreviewActionPackage.startTime
stamp%2CpreviewActionPackage.endTimestamp HTTP/1.1
Host: actions.googleapis.com
User-Agent: Gactions-CLI/2.0.7 (linux; amd64; stable/6f4c996f8ee63dc5760c7728f674abe37bfe5fc4)
Content-Length: 329
Content-Type: application/json
Accept-Encoding: gzip
{"name":"users/me/previews/chatbot-36b55","previewActionPackage":{"actionPackage":{"actions":[{"fulfillment":{"conversati
onName":"HelloWorld"},"intent":{"name":"actions.intent.MAIN"},"name":"MAIN"}],"conversations":{"HelloWorld":{"name":"Hell
oWorld","url":"http://35.189.xx.xx/"}}},"name":"users/me/previews/chatbot-36b55"}}
Reading credentials from: creds.data
ERROR: Failed to test the app for the Assistant
ERROR: Request contains an invalid argument.
Field Violations:
# Field Description
1 URL is invalid 'http://35.189.xx.xx/'
2017/07/20 14:42:50 Server did not return HTTP 200
I just followed the steps to create the actions package.
This is my actions.json file:
{
"actions": [
{
"name": "MAIN",
"fulfillment": {
"conversationName": "HelloWorld"
},
"intent": {
"name": "actions.intent.MAIN"
}
}
],
"conversations": {
"HelloWorld": {
"name": "HelloWorld",
"url": "http://35.189.xx.xx/"
}
}
}
Do I need to have https set up to test this? Anyone know how I can get around it if that is the issue?
The documentation at https://developers.google.com/actions/reference/rest/Shared.Types/ConversationFulfillment states for the url parameter:
The HTTPS endpoint for the conversation (HTTP is not supported).
Additionally, the URL must be accessible from the public Internet (you don't show the full IP address, for good reason, so I can't tell if this is true or not).
Either way, you may be able to use something like ngrok to create an HTTPS endpoint and secure tunnel to your 35.189.x.x host. This will give you a public DNS entry and HTTPS endpoint. See also https://developers.google.com/actions/tools/ngrok for some details about using ngrok with Actions.
I'm new to the OneDrive for Business REST service and I have no problems creating a file in the root user directory. Unfortunately, I'm trying to create a file in a shared subdirectory with the following code:
post https://foo-my.sharepoint.com/_api/v1.0/me/files
/01PRDMT2S3RER67TKPWRELGF6PPPAUCVZT HTTP/1.1
OData-Version: 4.0;NetFx
OData-MaxVersion: 4.0;NetFx
Accept: application/json;odata.metadata=minimal
Accept-Charset: UTF-8
User-Agent: Microsoft ADO.NET Data Services
Authorization: Bearer .........
X-ClientService-ClientTag: Office 365 API Tools 1.1.0612
Host: foo-my.sharepoint.com
Content-Length: 65
Expect: 100-continue
{"#odata.type":"#Microsoft.FileServices.File","name":"demo1.txt"}
Unfortunately, I continue to get the following error:
98
{"error":{"code":"-1, Microsoft.SharePoint.Client.InvalidClientQueryException","message":"The parameter #odata.type does not exist in method GetById."}}
0
Is it possible to create a file in a sub directory?
try to use address like
https://foo-my.sharepoint.com/_api/v1.0/me/files/{ParentId}/children
also, in the data you pass, specify a "type" member:
{ name: "myfile.txt", type: "File" }