
Halyard: Login flow redirects to `http` instead of `https` #2414

Closed
spinnaker-release opened this issue Feb 22, 2018 · 13 comments

Comments

@spinnaker-release commented Feb 22, 2018

Migrated from https://github.com/spinnaker/halyard/issues/720

Opened by: @greenkiwi (2018-02-02 19:27:06) I am experiencing an issue where the login redirection flow results in a URL that is not https.

Environment:

  • Halyard: 34
  • Spinnaker: 1.4.1
  • Provider: k8s
  • k8s: deployed in AWS via kops
  • OAuth via Google
  • ELB listeners:
    • HTTPS 443 HTTP 32053
    • HTTPS 9000 HTTP 32053
    • HTTPS 8084 HTTP 30291
  • Security DNS Names:

Problem:

During the sign-in process, spinnaker redirects to an http address and this causes the process to halt.

https://spinnaker.r.u:8084/auth/redirect?to=https%3A%2F%2Fspinnaker.r.u%2F%23%2Finfrastructure >> 302 >> Location:http://spinnaker.r.u:8084/login

Login proceeds if I manually update the address to be https, but then halts at the next step.

https://spinnaker.r.u:8084/login >> Location:https://accounts.google.com/o/...
https://spinnaker.r.u:8084/login?state=G&code=4b3 >> Location:http://spinnaker.r.u:8084/auth/redirect?to=https%3A%2F%2Fspinnaker.r.u%2F%23%2Finfrastructure

This is the gate.yml file attached to the pod.

gate.yml:
## WARNING
## This file was autogenerated, and _will_ be overwritten by Halyard.
## Any edits you make here _will_ be lost.

spectator:
  applicationName: ${spring.application.name}
  webEndpoint:
    enabled: true

server:
  ssl:
    enabled: false
  port: '8084'
  address: 0.0.0.0
security:
  basic:
    enabled: true
  user: {}
  oauth2:
    enabled: true
    client:
      clientId: <>
      clientSecret: <>
      accessTokenUri: https://www.googleapis.com/oauth2/v4/token
      userAuthorizationUri: https://accounts.google.com/o/oauth2/v2/auth
      scope: profile email
      preEstablishedRedirectUri: https://spinnaker.r.u:8084/login
      useCurrentUri: false
    userInfoRequirements:
      hd: t.com
    resource:
      userInfoUri: https://www.googleapis.com/oauth2/v3/userinfo
    userInfoMapping:
      email: email
      firstName: given_name
      lastName: family_name
    provider: GOOGLE
cors: {}

# halconfig

redis:
  connection: ${services.redis.baseUrl:redis://localhost:6379}

This is the gate configuration from spinnaker.yaml

gate:
    port: 8084
    address: localhost
    host: 0.0.0.0
    scheme: https
    env: {}
    artifactId: gcr.io/spinnaker-marketplace/gate:0.8.0-20170922163003
    overrideBaseUrl: https://spinnaker.r.u:8084
    location: spinnaker
    enabled: true
    monitored: true
    sidecar: false
    safeToUpdate: true
    targetSize: 1
    baseUrl: https://spinnaker.r.u:8084

It looks like there is some place that isn't respecting either the scheme or the url.

Slack discussion: https://spinnakerteam.slack.com/archives/C3YBRLG8H/p1505025367000045

Comments:


@lwander (2017-10-02 20:50:24): Is the google apps auth config pointing at the right redirect URL?


@greenkiwi (2017-10-03 17:41:33): So:

https://spinnaker.r.u:8084/login

Is the only Authorized Redirect URI.

It seems as if this problem is happening inside of spinnaker. For example, if I open a new tab and connect to https://spinnaker.r.u
it goes through a number of requests and gets to this request:

Request URL:https://spinnaker.r.u:8084/auth/user
GET /auth/user HTTP/1.1
Host: spinnaker.r.u:8084
Connection: keep-alive
Accept: application/json, text/plain, */*
Origin: https://spinnaker.r.u
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
DNT: 1
Referer: https://spinnaker.r.u/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8

RESPONSE:
---
HTTP/1.1 200
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: x-requested-with, content-type, authorization, X-RateLimit-App
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT, PATCH
Access-Control-Allow-Origin: https://spinnaker.r.u
Access-Control-Expose-Headers: X-AUTH-REDIRECT-URL
Access-Control-Max-Age: 3600
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Date: Mon, 02 Oct 2017 21:34:55 GMT
Expires: 0
Pragma: no-cache
X-Application-Context: gate:test,local:8084
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Content-Length: 0
Connection: keep-alive

The next request is the following

http://spinnaker.r.u:8084/auth/redirect?to=https%3A%2F%2Fspinnaker.r.u%2F%23%2Finfrastructure#

Is this deck interpreting the X-Frame-Options: DENY and issuing a redirect? Is it deck that isn't using https?


@lwander (2017-10-03 13:08:40): Hmm that's surprising. I don't know much about the auth config - maybe @ttomsu has an idea when he's available?


@greenkiwi (2017-10-03 17:42:36): @lwander Thanks.

This is the URL that goes to google's oauth:

https://accounts.google.com/signin/v2/challenge/az?client_id=...&destination=https%3A%2F%2Fspinnaker.r.u%3A8084&...&navigationDirection=forward

It clearly says go back to https.


@greenkiwi (2017-10-04 20:32:01): I have found a workaround that will let me continue. Instead of having the following mapping:
https://spinnaker.r.u --> deck
https://spinnaker.r.u:8084 --> gate

I split out gate
https://spin-gate.r.u --> gate

This allows me to add an apache service listening on http://spin-gate.r.u that redirects to https.

Still seeing the redirect to http, but it now redirects to https, so it's functioning.

https://spin-gate.r.u/login?state=n7xg17&code=4%2Fe4 >> http://spin-gate.r.u/auth/redirect?to=https%3A%2F%2Fspinnaker.r.u%2F%23%2Finfrastructure

@lwander (2017-10-04 20:31:39): Hmm, maybe this is why @ttomsu advocates against using reverse proxies here; he mentioned that strange things stop working.


@greenkiwi (2017-10-04 20:33:47): @lwander note that I checked the logs and I'm still seeing the redirect from login + code to http.

Creating a simple apache container with a redirect all to https will let me roll it out to the team.


@FaHeymann (2017-10-06 14:49:39): Did you try patching your gate tomcat so that it respects the ELB forward headers?

    server:
      tomcat:
        protocolHeader: X-Forwarded-Proto
        remoteIpHeader: X-Forwarded-For
        internalProxies: .*

in .hal/default/profiles/gate-local.yml; that did it for me when I had a similar issue.
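A small model, added here and not Gate's or Tomcat's own code, of the decision Tomcat's RemoteIpValve makes with the settings above: X-Forwarded-Proto is honoured only when protocolHeader is set and the load balancer's address matches internalProxies, which is why the redirect came out as http. The sample addresses, the headers and the Location-building step are assumptions; port rewriting is left out.

```python
import re

# Tomcat RemoteIpValve's default internalProxies (RFC 1918, loopback and
# link-local IPv4 ranges). The gate-local.yml above replaces it with `.*`.
TOMCAT_DEFAULT_INTERNAL_PROXIES = (
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}"
    r"|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.1[6-9]\.\d{1,3}\.\d{1,3}|172\.2[0-9]\.\d{1,3}\.\d{1,3}"
    r"|172\.3[0-1]\.\d{1,3}\.\d{1,3}"
)


def effective_scheme(peer_ip, headers, tomcat_cfg):
    """Scheme Tomcat believes the request used, modelled on RemoteIpValve.

    peer_ip    -- address of the TCP peer (the load balancer, or a client
                  that reached Gate directly); assumed sample values below
    headers    -- request headers as Gate sees them
    tomcat_cfg -- the `server.tomcat.*` keys from gate-local.yml
    The forwarded protocol counts only when protocolHeader is configured AND
    the peer matches internalProxies; otherwise Gate, running with
    server.ssl.enabled: false, reports plain http.
    """
    proto_header = tomcat_cfg.get("protocolHeader")
    internal = tomcat_cfg.get("internalProxies", TOMCAT_DEFAULT_INTERNAL_PROXIES)
    if proto_header and re.fullmatch(internal, peer_ip):
        forwarded = headers.get(proto_header)
        if forwarded:
            # Only a literal "https" (first value if comma-separated) flips the scheme
            first = forwarded.split(",")[0].strip().lower()
            return "https" if first == "https" else "http"
    return "http"


def login_redirect(peer_ip, headers, tomcat_cfg, host="spinnaker.r.u:8084"):
    """Location header the /auth/redirect hop would build from that scheme.

    Simplified: the Host value is used as-is and X-Forwarded-Port is ignored.
    """
    return f"{effective_scheme(peer_ip, headers, tomcat_cfg)}://{host}/login"


if __name__ == "__main__":
    hdrs = {"X-Forwarded-Proto": "https", "X-Forwarded-For": "198.51.100.23"}
    fix = {"protocolHeader": "X-Forwarded-Proto", "remoteIpHeader": "X-Forwarded-For"}
    print("no fix, ELB at 10.0.1.5:     ", login_redirect("10.0.1.5", hdrs, {}))
    print("fix, ELB at 10.0.1.5:        ", login_redirect("10.0.1.5", hdrs, fix))
    print("fix, LB at public 35.190.0.7:", login_redirect("35.190.0.7", hdrs, fix))
    print("fix + internalProxies '.*':  ",
          login_redirect("35.190.0.7", hdrs, dict(fix, internalProxies=r".*")))
```

With `.*`, any peer's X-Forwarded-Proto and X-Forwarded-For are trusted, so once the redirect works, narrow internalProxies to the load balancer's own address range.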


@nneul (2017-11-05 22:07:28): That does appear to have helped.


@greenkiwi (2017-11-07 06:30:44): This has worked now in two different deployments.


@bhumarevb (2017-11-29 11:28:41): Thank you guys!! ... I had the same redirection problem... it got resolved after adding the given values in the gate-local.yml file.


@mnalsup (2018-02-02 19:27:06): This does not seem to fix the issue in my setup. Has anyone validated against a distributed deployment?

@anj00 commented May 22, 2018

I have this issue. And I think I use all the tricks. We are using GKE, terminate SSL on the load balancer AND use istio as our ingress controller.

Logging into the gate container I see the following configurations which hal applied:

    spin-gate-f7b895cd7-ccj4j:/opt/spinnaker/config$ cat gate-local.yml
    server:
      tomcat:
        protocolHeader: X-Forwarded-Proto
        remoteIpHeader: X-Forwarded-For
        internalProxies: .*
    spin-gate-f7b895cd7-ccj4j:/opt/spinnaker/config$ cat gate.yml

    spectator:
      applicationName: ${spring.application.name}
      webEndpoint:
        enabled: false

    server:
      ssl:
        enabled: false
      port: '8084'
      address: 0.0.0.0
    security:
      basic:
        enabled: true
      user: {}
      oauth2:
        enabled: true
        client:
          clientId: .apps.googleusercontent.com
          clientSecret:
          accessTokenUri: https://www.googleapis.com/oauth2/v4/token
          userAuthorizationUri: https://accounts.google.com/o/oauth2/v2/auth
          scope: profile email
          preEstablishedRedirectUri: https://spinnaker-gate.mycompany.com/login
          useCurrentUri: false
        resource:
          userInfoUri: https://www.googleapis.com/oauth2/v3/userinfo
        userInfoMapping:
          email: email
          firstName: given_name
          lastName: family_name
        provider: GOOGLE
    cors: {}

    # halconfig

    redis:
      connection: ${services.redis.baseUrl:redis://localhost:6379}

    spin-gate-f7b895cd7-ccj4j:/opt/spinnaker/config$ cat spinnaker.yml
    services:
    ......
      deck:
        port: 9000
        address: localhost
        host: 0.0.0.0
        scheme: http
        env:
          API_HOST: http://spin-gate.spinnaker:8084/
        artifactId: gcr.io/spinnaker-marketplace/deck:2.2.1-20180507112917
        overrideBaseUrl: https://spinnaker.mycompany.com
        location: spinnaker
        kubernetes:
          imagePullSecrets: []
          podAnnotations: {}
        enabled: true
        monitored: false
        sidecar: false
        safeToUpdate: true
        targetSize: 1
        skipLifeCycleManagement: false
        baseUrl: https://spinnaker.mycompany.com
    ...
      gate:
        port: 8084
        address: localhost
        host: 0.0.0.0
        scheme: http
        healthEndpoint: /health
        env: {}
        artifactId: gcr.io/spinnaker-marketplace/gate:0.12.0-20180521101558
        overrideBaseUrl: https://spinnaker-gate.mycompany.com
        location: spinnaker
        kubernetes:
          imagePullSecrets: []
          podAnnotations: {}
        enabled: true
        monitored: true
        sidecar: false
        safeToUpdate: true
        targetSize: 1
        skipLifeCycleManagement: false
        baseUrl: https://spinnaker-gate.mycompany.com

And the Istio ingress config:

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: spinnaker-istio-gateway
      namespace: spinnaker
      annotations:
        kubernetes.io/ingress.class: "istio"
    spec:
      rules:
      - host: spinnaker.mycompany.com
        http:
          paths:
          - backend:
              serviceName: spin-deck
              servicePort: 9000
      - host: spinnaker-gate.mycompany.com
        http:
          paths:
          - backend:
              serviceName: spin-gate
              servicePort: 8084

And if I log in I end up on this address:

    http://spinnaker-gate.mycompany.com//auth/redirect?to=https%3A%2F%2Fspinnaker.mycompany.com%2F%23%2Fsearch#

which is correct except for the http at the beginning. If I manually change it to https all works.

@erancx commented May 22, 2018

I'm having the same issue.
We bypassed it using a reverse proxy location /auth:

    location /auth {
        rewrite ^(/auth)(.*)$ https://spinnaker.local/gate/auth/$2 last;
    }

@greenkiwi commented May 25, 2018

After upgrading to 1.6 and now 1.7, we haven't seen this behavior. We have a redirector, but it only gets mistaken http requests to our root.

@lwander (Member) commented May 26, 2018

Closing since it seems to have been resolved in 1.7 -- ping me if it needs to be reopened.

@lwander lwander closed this May 26, 2018

@vide commented Jul 5, 2018

@lwander I'm seeing the same issue with 1.8.0 :(
Slack thread https://spinnakerteam.slack.com/archives/C091CCWRJ/p1530777520000384

EDIT: it seems that it fails only the first time. After the first GH authorization, it works as expected.
Steps to reproduce:

  1. configure an HTTPS proxy before Deck and Gate
  2. set preEstablishedRedirectUri and overrideBaseUrl so they point to the https enabled URL
  3. open an incognito spinnaker window, type the spinnaker https URL
  4. login in into GitHub
  5. 💥 400 Bad Request
  6. in the same incognito session, type again the spinnaker https URL
  7. it works now, and it will work until you clear your cookies (or the cookie expire, I guess)

EDIT2:
If I enable authz using GITHUB as the groupMembership provider, it fails every time, not only the first. FIXED: Nope, the problem here was that the Fiat microservice wasn't running. With Fiat running and authz enabled the workflow is still the one described above.

@ericjee commented Sep 11, 2018

I had the same issue with v1.9.0. Exactly the same behavior as @vide.
https://spin-gate.a.com/auth/redirect?to=http%3A%2F%2Fspinnaker.a.com%2F%23%2Fsearch

@MrBlaise commented Oct 18, 2018

@lwander Same issue with v1.10.0 for me.

#1630 (comment) fixed it for me.

@sergedonaldp commented Nov 29, 2018

@lwander We are still seeing that issue with v1.10.2

@ericjee commented Nov 30, 2018

    proxy_set_header Host $http_host;

Adding this option to the reverse proxy config with the oauth2 provider can fix my problem.

@al-jamf commented Apr 5, 2019

> I have this issue. And I think I use all the tricks. We are using GKE, terminate SSL on load balancer AND use istio as our ingress controller

Did you ever end up finding a workaround for your issue?

@tuct commented Jul 1, 2019

I fixed it by adding --pre-established-redirect-uri=https://api.my-spinnaker.com/login to my oauth2 config:

    hal config security authn oauth2 edit --provider google \
      --client-id $CLIENT_ID \
      --client-secret $CLIENT_SECRET \
      --user-info-requirements hd=$DOMAIN \
      --pre-established-redirect-uri=https://api.my-spinnaker.com/login

@costimuraru commented Aug 28, 2019

Any workaround for LDAP?
Seeing the same behavior in 1.15.2

https://my-spin-endpoint.net/
redirects to
https://my-spin-endpoint.net/auth/redirect
which redirects to
http://my-spin-endpoint.net/login (notice http instead of https)

@costimuraru commented Aug 30, 2019

Note that we fixed this by instructing the nginx-ingress controller to redirect http back to https.

kubernetes/ingress-nginx#2724 (comment)
