Unable to use proxy which requires authentication #78

Open
rkoster opened this issue Dec 21, 2017 · 4 comments

@rkoster

rkoster commented Dec 21, 2017

In our environment we need to access an oidc1.0 identity provider over our corporate proxy.
This proxy requires authentication.
I have configured the proxy like so:

jobs:
  - name: uaa
    properties:
      env:
        http_proxy: http://user:password@example.com:8080

but I get the following error:

[2017-12-21 14:15:24.977] uaa - 23341 [https-jsse-nio-8443-exec-4] ....  WARN --- ExpiringUrlCache: Unable to fetch metadata for https://idp.example.com/openid-configuration
org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://idp.example.com/openid-configuration": user: Name or service not known; nested exception is java.net.UnknownHostException: user: Name or service not known
        at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:666)
        at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:628)
        at org.springframework.web.client.RestTemplate.getForObject(RestTemplate.java:303)
        at org.cloudfoundry.identity.uaa.cache.ExpiringUrlCache.getUrlContent(ExpiringUrlCache.java:62)
        at org.cloudfoundry.identity.uaa.provider.oauth.XOAuthProviderConfigurator.overlay(XOAuthProviderConfigurator.java:67)
        at org.cloudfoundry.identity.uaa.provider.oauth.XOAuthProviderConfigurator.lambda$retrieveAll$2(XOAuthProviderConfigurator.java:167)
        at java.util.stream.ForEachOps$ForEachOp$OfRef.accept(ForEachOps.java:184)
        at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:175)
        at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1382)
        at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
        at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
        at java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:151)
        at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:174)
        at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
        at java.util.stream.ReferencePipeline.forEach(ReferencePipeline.java:418)
        at org.cloudfoundry.identity.uaa.provider.oauth.XOAuthProviderConfigurator.retrieveAll(XOAuthProviderConfigurator.java:164)
        at org.cloudfoundry.identity.uaa.login.LoginInfoEndpoint.getOauthIdentityProviderDefinitions(LoginInfoEndpoint.java:525)
        at org.cloudfoundry.identity.uaa.login.LoginInfoEndpoint.login(LoginInfoEndpoint.java:315)
        at org.cloudfoundry.identity.uaa.login.LoginInfoEndpoint.loginForHtml(LoginInfoEndpoint.java:267)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)

I think it breaks here since the : gets replaced by a space.

@cf-gitbot

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/153850388

The labels on this github issue will be updated when the story is started.

@DennisDenuto
Contributor

Hi @rkoster
Thanks for the feedback. I see two areas of improvement for this issue:

allow proxy authentication:

Currently, it looks like the bosh uaa proxy job does not allow configuration for proxy authentication (We do not provide a way to configure: -Dhttp.proxyUser=someUserName and -Dhttp.proxyPassword=somePassword)

I think one idea would be we extract the username/password from the uaa bosh property env.http_proxy. i.e. http://user:password@example.com:8080 results in the proxy template parsing the username / password / hostname / port to the correct java properties.

Another option would be to introduce separate bosh properties for the proxy username / password. i.e. env.http_proxy_username and env.http_proxy_password

template validation

It would be nice to move away from using bash scripting such as tr and instead use the ruby uri library for parsing and validating the env.http_proxy bosh property. (the template should not render if the uri is invalid)
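
The parsing and validation proposed in the comment above, sketched with Ruby's standard `uri` library as an added example; it is not code from this thread or from the project. The function names are hypothetical, and the `http.proxyUser` / `http.proxyPassword` property names are the ones quoted in the comment.

```ruby
require 'uri'

# Percent-decode a userinfo component ("+" stays a literal plus sign).
def decode_userinfo(value)
  return nil if value.nil?
  value.b.gsub(/%(\h{2})/) { Regexp.last_match(1).hex.chr }.force_encoding('UTF-8')
end

# Parse and validate a proxy URL such as the env.http_proxy value in the issue.
# Raises ArgumentError without echoing the value (it may hold a password),
# so a template calling this would fail to render on bad input.
def parse_http_proxy(raw)
  uri = begin
    URI.parse(raw.to_s.strip)
  rescue URI::InvalidURIError
    raise ArgumentError, 'http_proxy is not a valid URI'
  end
  raise ArgumentError, 'http_proxy must use the http or https scheme' unless uri.is_a?(URI::HTTP)
  raise ArgumentError, 'http_proxy has no host' if uri.host.nil? || uri.host.empty?
  raise ArgumentError, 'http_proxy has a password but no user' if uri.password && uri.user.to_s.empty?

  { host: uri.host, port: uri.port,
    user: decode_userinfo(uri.user), password: decode_userinfo(uri.password) }
end

# Map the parsed parts onto JVM system properties. proxyUser/proxyPassword are
# the names quoted in the thread; proxyHost/proxyPort are the standard JDK ones.
def proxy_java_properties(raw)
  parts = parse_http_proxy(raw)
  props = { 'http.proxyHost' => parts[:host], 'http.proxyPort' => parts[:port].to_s }
  props['http.proxyUser'] = parts[:user] if parts[:user]
  props['http.proxyPassword'] = parts[:password] if parts[:password]
  props
end

# Constructed sample input in the shape used in the issue.
if __FILE__ == $PROGRAM_NAME
  proxy_java_properties('http://user:p%40ss@example.com:8080').each do |key, value|
    shown = key.end_with?('Password') ? '[redacted]' : value
    puts "-D#{key}=#{shown}"
  end
end
```

JVM `-D` arguments are visible in the process list, which is why the sketch redacts the password when printing; a value like this is better delivered through a file or environment variable than on the command line.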

@rkoster
Author

rkoster commented Jan 31, 2018

For ease of deployment it would be nice if the username and password would be picked up from env.http_proxy.

@DennisDenuto
Contributor

fyi: we have created a story in our backlog to track this work: https://www.pivotaltracker.com/story/show/153850388
