[nginx] regression: proxied compliance requests get HTTP 404 #1253
Conversation
The compliance proxy no longer included the owner or profile name in the upstream requests because of a bad rewrite rule. This corrects the rewrite rule.

*Testing*

Since there are no tests for this endpoint, I've tested it manually using the following procedure:

1. Configure /etc/opscode/chef-server.rb as follows:

       data_collector['token'] = 'foobar'
       profiles['root_url'] = 'http://localhost:9998'

2. Use `socat` to start an SSL listener on 9998:

       socat OPENSSL-LISTEN:9998,reuseaddr,fork,verify=0,\
         cert=/var/opt/opscode/nginx/ca/api.chef-server.dev.crt,\
         key=/var/opt/opscode/nginx/ca/api.chef-server.dev.key,\
         dhparam=/var/opt/opscode/nginx/ca/dhparams.pem - | grep 'GET'

3. Use `knife raw` to make requests and check the URL received by (2):

       knife raw /organizations/testorg/owners/foobar/compliance/bob -c /etc/opscode/pivotal.rb
       knife raw /compliance/organizations/testorg/owners/foobar/compliance/bob -c /etc/opscode/pivotal.rb

Before this change, the following two requests were received:

    GET /compliance/profiles/ HTTP/1.0
    GET /compliance/profiles/ HTTP/1.0

After this change:

    GET /compliance/profiles/foobar/bob HTTP/1.0
    GET /compliance/profiles/foobar/bob HTTP/1.0

Signed-off-by: Steven Danna <steve@chef.io>
cc @chef/chef-server-maintainers @chef/compliance-core This is still WIP as I work out how we want to test this in a more automated way, but I'd love for someone to verify those are the redirects we want now.
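A small Ruby model of the rewrite behaviour the PR description reports, added here as an illustration and not code from the chef-server repo. It assumes nginx's rule that the `$1..$9` captures visible to a `rewrite` come from the rewrite's own regex rather than from the `location ~` match, which is what makes `rewrite ^` produce empty `$2` and `$3`.

```ruby
# Added example, not chef-server code: models how nginx fills $1..$9 for the
# compliance proxy location in this PR. Assumption: the captures visible to a
# `rewrite` come from the rewrite's own regex, not from the `location ~` match.

# The location regex from the PR (three capture groups: org, owner, profile).
COMPLIANCE_PROXY_REGEX =
  %r{(?:/compliance)?/organizations/([^/]+)/owners/([^/]+)/compliance(.*)}

BROKEN_REWRITE_REGEX = /^/                     # `rewrite ^ ...`: no captures
FIXED_REWRITE_REGEX  = COMPLIANCE_PROXY_REGEX  # `rewrite ^<regex> ...`

# Returns { org:, path: } for the upstream request, or nil when the request
# would not enter the location block at all.
def compliance_upstream_path(uri, rewrite_regex)
  location = COMPLIANCE_PROXY_REGEX.match(uri)
  return nil unless location

  # `set $request_org $1;` runs before the rewrite, so it reads the location
  # match's first group.
  request_org = location[1]

  # The rewrite re-runs its own regex; $2/$3 now refer to *its* captures,
  # which are nil (empty in nginx) when that regex has no groups.
  rw = rewrite_regex.match(uri)
  return nil unless rw
  owner, profile = rw.captures[1], rw.captures[2]
  { org: request_org, path: "/compliance/profiles/#{owner}#{profile}" }
end

if __FILE__ == $PROGRAM_NAME
  uri = "/compliance/organizations/testorg/owners/foobar/compliance/bob"
  puts "before: #{compliance_upstream_path(uri, BROKEN_REWRITE_REGEX)[:path]}"
  puts "after:  #{compliance_upstream_path(uri, FIXED_REWRITE_REGEX)[:path]}"
end
```

Running it reproduces the two upstream paths quoted in the PR description, `/compliance/profiles/` before the fix and `/compliance/profiles/foobar/bob` after it, for both the legacy and the non-prefixed URL form.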
This adds tests for our nginx proxy config for compliance requests. It starts a stub compliance server on the configured port. If the requests are rewritten as expected, the stub service will return 200. Since this requires the chef-server.rb to contain proxy config, we disable these tests by default, but can enable them in our CI configuration. Signed-off-by: Steven Danna <steve@chef.io>
Now with tests
To enable these tests in wilson, we will need to modify the test config in opscode-ci and add
context "GET /compliance/organizations/ORG/owners/OWNER/compliance/PROFILE" do | ||
let(:request_url) { "#{platform.server}/compliance/organizations/#{platform.test_org.name}/owners/foobar/compliance/testprofile" } | ||
it "retuns 200" do | ||
get(request_url, admin_user).should look_like({:status => 200, |
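Review bot: the `it` description has a typo, "retuns" should be "returns". This context only exercises the legacy `/compliance/organizations/...` form; a sibling context for the `/organizations/ORG/owners/OWNER/compliance/PROFILE` form named in the PR would cover both branches of the optional `(?:/compliance)?` prefix, since a regression in either branch reproduces the same empty-path upstream request.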
Non-blocking nit: We're generally moving to `expect` instead of `should`.
Moving /very slowly/ it seems :D:
sdanna@thrace ~/oc/code/opscode/chef-server/oc-chef-pedant (ssd/compliance-proxy-regression) > rg '\.should ' spec/ | wc -l
1272
sdanna@thrace ~/oc/code/opscode/chef-server/oc-chef-pedant (ssd/compliance-proxy-regression) > rg 'expect\w*[({]' spec/ | wc -l
252
@@ -101,12 +101,12 @@ | |||
# /organizations/ORG/owners/OWNER/compliance[/PROFILE] | |||
# Supports the legacy(chef-gate) URLs as well: | |||
# /compliance/organizations/ORG/owners/OWNER/compliance[/PROFILE] | |||
location ~ (?:/compliance)?/organizations/([^/]+)/owners/([^/]+)/compliance(.*) { | |||
location ~ <%= @compliance_proxy_regex -%> { |
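Review bot: moving the regex out to `@compliance_proxy_regex` leaves the template's `$1`, `$2` and `$3` references (the `set $request_org $1;` and the rewrite further down in this block) silently dependent on the recipe's value keeping exactly three capture groups in the order org, owner, profile. A comment next to this `location` line stating that contract, and a matching one beside the recipe attribute, would make the coupling visible to whoever next edits either side; the three comment lines above should also be kept in sync with the recipe value, as they are now the only place the pattern is spelled out in the template.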
Can we keep this in $variable in the config template itself? Or maybe assign the ruby variable value in here instead of passing it in? I'd prefer to keep this in code, since to my knowledge none of the other expressions come out of the recipe - this way there's one source of truth.
Unfortunately, it doesn't seem like we can use variables in the location block, unless I've messed up in my local tests.
set $request_org $1; | ||
access_by_lua_block { validator.validate("GET") } | ||
proxy_set_header x-data-collector-token $data_collector_token; | ||
proxy_set_header x-data-collector-auth "version=1.0"; | ||
rewrite ^ "/compliance/profiles/$2$3" break; | ||
rewrite ^<%= @compliance_proxy_regex -%> "/compliance/profiles/$2$3" break; |
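Review bot: the rewrite repeats the location regex only so that nginx re-populates `$2` and `$3`; a `rewrite` directive's captures come from its own regex, not from the `location ~` match, which is why the removed `rewrite ^` line produced `/compliance/profiles/` with both groups empty. A one-line comment above the new rewrite saying so would stop a future cleanup from simplifying it back to `rewrite ^`. `set $request_org $1;` on the first line of the hunk runs before the rewrite and so still reads the location capture, which is worth noting in the same comment.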
@stevendanna I'd also remove the quotes from the rewritten route. That was another inconsistency that triggered warning signs for me. It's probably fine, but you don't see that pattern anywhere in our code or in nginx docs. I think it's a holdover from translating this bit out of the Lua code.
None of the documented examples use quotes around the second argument: http://nginx.org/en/docs/http/ngx_http_rewrite_module.html Signed-off-by: Steven Danna <steve@chef.io>
opscode-ci config update https://github.com/chef-cookbooks/opscode-ci/pull/707 Once this is applied, we can additionally add --compliance-proxy-tests to our run_tests.sh script.
I've verified that this is in fact the standard way to rewrite URLs for a proxy. I personally think it's ugly, but oh well. From: http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
Just for posterity, here are the routes that we expose in automate:
@stevendanna 👀 here to doublecheck that these line up? FWIW, we might not need them to all line up, since what we're proxying is just profile storage.
@sdelano Hrm. The previous comment doesn't mention supporting all of those. I think these all work:
For this one is
I don't think the post will pass validation.
@chris-rock @arlimus @vjeffrey - Can any of you chime in here about what needs to be supported by the chef-server proxy?
Oh, I lied, this one doesn't work
@stevendanna to be clear, I don't think it has to. We saw this change working end-to-end yesterday with the audit cookbook, so I'm fairly sure it works, but since we're now in the process of translating comments to enforceable tests, we might as well make sure we're testing the correct thing.
k all those endpoints you mentioned need to be supported; ie what's here: https://github.com/chef/automate/blob/master/cookbooks/delivery/templates/default/nginx-internal.conf.erb#L52
(in the next week that's going to be changing to something more along the lines of https://github.com/chef/automate/blob/master/nginx/conf/nginx.conf#L114)
@vjeffrey do they need to be supported by the Chef Server, which IIRC is only supporting the audit cookbook?
oh geez. we're getting to the edges of my knowledge base atm....
I would prefer to keep the Chef Server dump and add additional routes to automate. But we can go with the current approach for now. I have not tested it in a real setup though.
@chris-rock last time we chatted about this you made a story in compliance to address it on the automate end: https://github.com/chef/chef-compliance/issues/1171 We're going to move forward with this change. |