preflight failed

[thehilll]

I'm having trouble getting machines to check in. I have tried to follow your setup instructions, and I have constructed a configuration profile for the santa client with

<key>SyncBaseURL</key>
<string>https://<my-app>.appspot.com/api/santa</string>

When I do this I get:

santactl sync
HTTP Response: 302 found
Preflight failed, aborting run

I have tried adding a trailing /, but that just gives me a 404 error. Looking at this in curl it does seem to be returning 302:

curl -vvv https://<my-app>.appspot.com/api/santa

< location: https://www.google.com/accounts/ServiceLogin?service=ah&passive=true&continue=https://appengine.google.com/_ah/conflogin%3Fcontinue%3Dhttps://<my-app>.appspot.com/api/santa
< x-cloud-trace-context: 6c130ec3499f2df8b4a48318d3272719;o=1
< date: Wed, 09 May 2018 17:52:41 GMT
< content-type: text/html
< server: Google Frontend
< content-length: 0

But not really sure what mistake I might have made as it doesn't seem like any special settings on the app engine side are required.

[msuozzo]

Hey thanks for reaching out.

tl;dr

1. You do need the trailing slash in the SyncBaseURL config.
2. What do you see in the App Engine logs (link) when you attempt to sync and get the 404? Is there a request? If so, what is the URL reported?
3. Can you successfully curl https://<my-app>.appspot.com/api/santa/ack?

Why a trailing slash?

This is the line in Santa that generates the URL of the first stage in the sync process with the SyncBaseURL value. If your eyes can take reading ObjectiveC, the function it's calling is NSURL's URLWithString:relativeToURL whose documentation can be found here. Strategically far away from the baseURL argument documentation, you'll find the description "construct a URL...by providing the folder’s URL as the base path (with a trailing slash)...".

Request resolution logic

First, as you may have seen in the curl response, the 302 redirect is sending you to a login page. This means that the App Engine config requires that request to be from an authenticated google user.

santa-api shouldn't require this type of authentication since Santa clients won't have google account credentials.

But it might be helpful to step back and go through the logic Upvote uses to resolve e.g. a santa_api request:

• check dispatch.yaml for the module to have handle the request (here)
  • if the requested URL contains "/api/santa_api/", handle the request with santa-api
• check the action to take in santa_api.yaml (here)
  • require an HTTPS connection (secure: always)
  • don't require auth (implicit login: optional)
  • use upvote.gae.modules.santa_api.main.app to handle the request
• check the webapp2 route configurations for a matched handler (here)
  • if a route is matched, call that handler
  • if no route is matched, return a 404

If the trailing slash isn't provided in SyncBaseURL, the URL pattern won't match "/api/santa/" so it will be routed to the default module which requires authentication and you will get a 302. If a URL that isn't valid in santa_api (like "/api/santa" itself), the webapp2 app won't match any routes and the request will fall through and return a 404.

I'm not exactly sure why you're getting 404 in your santactl sync but the App Engine logs should be able to give some clues and if that doesn't work, you can check the system logs on the mac client.

Regardless, let me know if you make any progress or figure out the issue and do feel free to report any other deployment issues you run into. Good luck :)

[thehilll]

Thanks a lot for such a full explanation. I've put the setting back to include the trailing slash (good to know that isn't a variable to worry about), and when I do that (and get the 404) I do feel entries in the App Engine logs:

The URL is /api/santa/preflight/<machine-sn> and I am using machine SN as MachineID in the santa config.

When I look at that error the back trace is:

The resource could not be found. (/base/data/home/apps/d~<my-app>/santa-api:auto.409459141396563161/upvote/gae/shared/common/handlers.py:186)
Traceback (most recent call last):
  File "/base/alloc/tmpfs/dynamic_runtimes/python27/c5586dbb532f7e5f_unzipped/python27_lib/versions/third_party/webapp2-2.3/webapp2.py", line 1505, in __call__
    rv = self.router.dispatch(request, response)
  File "/base/alloc/tmpfs/dynamic_runtimes/python27/c5586dbb532f7e5f_unzipped/python27_lib/versions/third_party/webapp2-2.3/webapp2.py", line 1240, in default_dispatcher
    route, args, kwargs = rv = self.match(request)
  File "/base/alloc/tmpfs/dynamic_runtimes/python27/c5586dbb532f7e5f_unzipped/python27_lib/versions/third_party/webapp2-2.3/webapp2.py", line 1189, in default_matcher
    raise exc.HTTPNotFound()
HTTPNotFound: The resource could not be found.

Also, I can reach:

curl https://<my-app>.appspot.com/api/santa/ack
ACK (santa-api)

Thanks again.

[russellhancox]

I believe this is due to the MachineID you're using not being a valid UUID. The routes in the santa-api require the machine identifier to match a UUID regex.

As Santa's default machine IDs are the hardware UUID, the expectation that the identifiers be a UUID makes sense but Santa allows this to be anything an administrator wishes so it probably makes sense to drop the requirement that the identifier be a UUID, or at least make it configurable.

[thehilll]

Thank you. That is is definitely part of my problem. Also, the regex requires uppercase it seems (I generated a UUID with python's uuid.uuid4() which gave me lowercase, but that regex clearly only includes A-F for the letters).

I'm now hitting:

Unable to determine the current environment (/base/data/home/apps/d~/santa-api:auto.409459141396563161/upvote/gae/shared/common/settings_utils.py:87)

I can't tell if this is an Upvote environment or something related to App Engine.

[thehilll]

Just a comment for anyone following this, the right thing to do to get the UUID on a Mac is system_profiler SPHardwareDataType which does output the UUID in upper case.

[russellhancox]

You can also just not set the MachineID settings in Santa - it'll use the machine UUID by default.

[thehilll]

Thanks, that makes deployment much easier.

The remaining issue was my misunderstanding the instructions when they say

After that configuration is complete, all that's necessary is to redeploy the app

I read that as applying to Bit9 (which we don't use), not any configuration. Once I did that the sync works.