I am exploring using HttpBuilder-NG to perform REST calls. My first attempt simply gives me a groovy.net.http.HttpException with a traceback. No other details. Using the previous HttpBuilder I was able to turn on logging to see what is sent and received.
The code is pretty simple:
def jiraUrl = 'https://gpdevjira.broadinstitute.org:8443/rest/api/2'
def username = 'releng'
def password = 'releng'
#Test
void testGetIssue() {
def jira = configure {
request.uri = jiraUrl
request.auth.basic username, password
}
assert jira
String text = jira.get(String){
request.uri.path = "/issue/$testIssue"
}
assert text
}
I think that the question has been answered with the suggestion to use the Apache client implementation of HttpBuilder-NG
Related
I want to implement an http4s server that receives the content from another service, processes it and return the response.
The original service uses redirects so I added the Follow redirect middleware. I also added the Logger middleware to check the logs produced.
The skeleton of the service is:
implicit val clientResource = BlazeClientBuilder[F](global).resource
val wikidataEntityUrl = "http://www.wikidata.org/entity/Q"
def routes(implicit timer: Timer[F]): HttpRoutes[F] = HttpRoutes.of[F] {
case GET -> Root / "e" / entity => {
val uri = uri"http://www.wikidata.org/entity/" / ("Q" + entity)
val req: Request[F] = Request(uri = uri)
clientResource.use { c => {
val req: Request[F] = Request(Method.GET, uri)
def cb(resp: Response[F]): F[Response[F]] = Ok(resp.bodyAsText)
val redirectClient = Logger(true,true,_ => false)(FollowRedirect[F](10, _ => true)(c))
redirectClient.fetch[Response[F]](req)(cb)
}}}}
When I try to access the service with curl as:
curl -v http://localhost:8080/e/33
The response contains the first part of the original content and finnishes with:
transfer closed with outstanding read data remaining
* Closing connection 0
Looking at the logs, they content the following line:
ERROR o.h.s.blaze.Http1ServerStage$$anon$1 - Error writing body
org.http4s.InvalidBodyException: Received premature EOF.
which suggests that there was an error receiving a premature EOF.
I found a possible answer in this issue: but the answers suggest to use deprecated methods like tohttpService.
I think I would need to rewrite the code using a streams, but I am not sure what's the more idiomatic way to do it. Some suggestions?
I received some help in the http4s gitter channel to use the toHttpApp method instead of the fetch method.
I was also suggested also to pass the client as a parameter.
The resulting code is:
case GET -> Root / "s" / entity => {
val uri = uri"http://www.wikidata.org/entity/" / ("Q" + entity)
val req: Request[F] = Request(Method.GET, uri)
val redirectClient = Logger(true,true,_ => false)(FollowRedirect[F](10, _ => true)(client))
redirectClient.toHttpApp.run(req)
}
and now it works as expected.
The toHttpApp method is intended for use in proxy servers.
I need to download a text file using basic authentication (the kind of authentication that prompts the browser to ask you for domain\username and password) using Groovy. I would like to avoid using additional libraries, isn't there anything to do this in in Groovy?
My current code is:
new File("test.txt").withOutputStream { out ->
def url = new URL(myurl).openConnection()
def remoteAuth = "Basic " + "myusername:mypassword".bytes.encodeBase64()
url.setRequestProperty("Authorization", remoteAuth);
out << url.inputStream
}
But the server replies with a 401 error. What should I do?
Groovy uses the java.net.Authenticator API. You can provide a default Authenticator using java.net.Authenticator#setDefault. An Example for an BasicAuth usage can be found in another Answer.
Authenticator.setDefault (new Authenticator() {
protected PasswordAuthentication getPasswordAuthentication() {
return new PasswordAuthentication ("username", "password".toCharArray());
}
});
I've gone through plenty of Google documentation and SO Q/A's but with no luck. I wonder if anyone has yet succesfully used the OpenId to OpenId Connect migration as advised by Google.
This is what we used to do:
IAuthenticationResponse response = _openid.GetResponse();
if (response != null) {
//omitted for brevity
} else {
IAuthenticationRequest req = _openid.CreateRequest("https://www.google.com/accounts/o8/id");
req.AddExtension(new ClaimsRequest
{
Country = DemandLevel.Request,
Email = DemandLevel.Request,
Gender = DemandLevel.Require,
PostalCode = DemandLevel.Require,
TimeZone = DemandLevel.Require
});
req.RedirectToProvider();
}
That was done using a version of DotNetOpenAuth that dates back a few years. Because Google has deprecated OpenId authentication we are trying to move over to OpenID Connect. The key question here is: can I somehow get my hands on the OpenId identifier (in the form of https://www.google.com/accounts/o8/id?id=xyz) using the latest version of DotNetOpenAuth library or by any other means?
I have tried the latest DotNetOpenAuth and I can get it to work but it gives me a new Id (this was expected). I have also tried the Javascript way by using this URL (line breaks for readibility):
https://accounts.google.com/o/oauth2/auth?
scope=openid%20profile%20email
&openid.realm=http://localhost/palkkac/
&client_id=//here is the client id I created in google developer console
&redirect_uri=http://localhost/palkkac/someaspxpagehere
&response_type=id_token%20token
I checked (using Fiddler) the realm value that we currently send using the old DotNetOpenAuth code and it is http://localhost/palkkac/. I've put the same realm in the url above. The redirect url starts with the realm value but it is not entirely the same.
When I redirect to a simple page that parses the id_token and decrypts it (using the https://www.googleapis.com/oauth2/v1/tokeninfo?id_token=zyx endpoint) I get this:
audience "client id is here"
email "mikkark#gmail.com"
expires_in 3597
issued_at //some numbers here
issued_to "client id is here"
issuer "accounts.google.com"
user_id "here is a sequence of numbers, my id in the OpenID Connect format that is"
verified_email true
So there is no sign of the openid_id field that you would expect to find here, though the whole structure of the message seems different from the Google docs, there is no field titled sub, for example. I wonder if I'm actually using the wrong endpoint, parameters or something?
What I have been reading is the migration guide: https://developers.google.com/accounts/docs/OpenID. I skipped step 2 because it seemed like an optional step. In step 3 the field openid_id is discussed and I would like to get that to work as a proof-of-concept first.
We registered the app on Google in order to create the client id etc. There are now also numerous allowed redirect url's as well as javascript origins listed in the Google dev console. Let me know if those might mess up the system and I'll post them here for review.
Side note: we are supposed to be moving our app behind a strictly firewalled environment where we would need to open ports in order to do this on the server side. Therefore, a client-side Javascript solution to access Google combined with HTTPS and redirecting the result to the server would be prefered (unless there are other issues that speak against this).
There are other resources on SO regarding this same issue, although all of these seem to use different libraries on the server side to do the job and nobody seems to have made any attempts at using Javascript:
Here (https://stackoverflow.com/questions/22842475/migrating-google-openid-to-openid-connect-openid-id-does-not-match) I think the problem was resolved by setting the realm to be the same as in the old OpenId2.0 flow. This does not seem to work in my case.
over here the openid_id field is also missing, but the problem here is more about how to request the id_token from Google using libraries other than DotNetOpenAuth.
and in here there seem to be similar problems getting Google to return the openid_id field.
You can use the GoogleAuthentication owin middleware.
app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions
{
SignInAsAuthenticationType = signAs,
AuthenticationType = "Google",
ClientId = "xxx.apps.googleusercontent.com",
ClientSecret = "xx",
CallbackPath = PathString.FromUriComponent("/oauth2callback"),
Provider = new GoogleOAuth2AuthenticationProvider
{
OnApplyRedirect = context =>
{
context.Response.Redirect(context.RedirectUri + "&openid.realm=https://mydomain.com/"); // DotNetOpenAuth by default add a trailing slash, it must be exactly the same as before
}
},
BackchannelHttpHandler = new MyWebRequestHandler()
}
Then, add a new class called MyWebRequestHandler:
public class MyWebRequestHandler : WebRequestHandler
{
protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
var httpResponse = await base.SendAsync(request, cancellationToken);
if (request.RequestUri == new Uri("https://www.googleapis.com/plus/v1/people/me")) return httpResponse;
var configuration = await OpenIdConnectConfigurationRetriever.GetAsync("https://accounts.google.com/.well-known/openid-configuration", cancellationToken); // read the configuration to get the signing tokens (todo should be cached or hard coded)
// google is unclear as the openid_id is not in the access_token but in the id_token
// as the middleware dot not expose the id_token we need to parse it again
var jwt = httpResponse.Content.ReadAsStringAsync().Result;
JObject response = JObject.Parse(jwt);
string idToken = response.Value<string>((object)"id_token");
JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
try
{
SecurityToken token;
var claims = tokenHandler.ValidateToken(idToken, new TokenValidationParameters()
{
ValidAudience = "xxx.apps.googleusercontent.com",
ValidIssuer = "accounts.google.com",
IssuerSigningTokens = configuration.SigningTokens
}, out token);
var claim = claims.FindFirst("openid_id");
// claim.Value will contain the old openid identifier
if (claim != null) Debug.WriteLine(claim.Value);
}
catch (Exception ex)
{
Debug.WriteLine(ex.ToString());
}
return httpResponse;
}
}
If like me you found this not really straightforward, please help by upvoting this issue https://katanaproject.codeplex.com/workitem/359
I am using Apache Mina SSHD to implement a test SFTPServer. I have been able to get things working for simple Password authentication, however I am not able to configure things for PublicKey Authentication. I have a implemented the PublickeyAuthenticator interface as follows,
public class SimpleKeyAuthenticator implements PublickeyAuthenticator {
#Override
public boolean authenticate(String username, PublicKey key, ServerSession session) {
System.out.println("In authenticate");
return false;
}
}
My server implementation is as follows,
...
sshd = SshServer.setUpDefaultServer();
sshd.setPort(2222);
//sshd.setPort(config.getSFTPPort());
//sshd.setKeyPairProvider(new
sshd.setKeyPairProvider(new PEMGeneratorHostKeyProvider("hostkey.pem"));
//sshd.setKeyPairProvider(new SimpleGeneratorHostKeyProvider());
sshd.setPublickeyAuthenticator(new SimpleKeyAuthenticator());
sshd.setFileSystemFactory(new SimpleFileSystemFactory());
List<NamedFactory<UserAuth>> userAuthFactories = new ArrayList<NamedFactory<UserAuth>>();
userAuthFactories.add(new UserAuthNone.Factory());
sshd.setUserAuthFactories(userAuthFactories);
sshd.setCommandFactory(new ScpCommandFactory());
List<NamedFactory<Command>> namedFactoryList = new ArrayList<NamedFactory<Command>>();
namedFactoryList.add(new SftpSubsystem.Factory());
sshd.setSubsystemFactories(namedFactoryList);
sshd.setSessionFactory(new SimpleSessionFactory(handler));
try {
sshd.start();
} catch (Exception e) {
e.printStackTrace();
}
However when I try to get a file using my SFTP client everything works. I would expect the authenticate method to fail given that it always returns false. I have tried setting the KeyPairProvider to use both the PEMGeneratorHostKeyProvider and the SimpleGeneratorHostKeyProvider. I have also set the PublicKeyAuthenticator to use my SimpleKeyAuthenticator class. Note, when I look at the console output I never see 'In authenticate' so I know that Authenticate is never being called. Could someone please point me to what I have missed? Any help is appreciated.
Regards,
Mark
// below line will make client login without any validation.
userAuthFactories.add(new UserAuthNone.Factory());
You should change it like this:
userAuthFactories.add(new UserAuthPublicKey.Factory());
I have an ASP.net Webservice (asmx) which returns some secure stuff from my application. I want to create a client application which uses a certificate to connect to this service and calls this method. Using a certificate I want to ensure only this special client application can call this webservice method.
I've read hundreds of complicated articles how to setup the infrastructure but I quited because of annoying setups and very complicated parts (i.E. certificate store setups,...). I decided to manually do the certificate validation within my service method. This way I know what's going on and I don't have to rely on complicated server setups.
But the question is: How can I do that?
This stubs represent what I want to do:
[WebMethod]
public string GetSecureData() {
if(!ValidateClientCertificate()) {
throw new HttpException((int) (HttpStatusCode.BadRequest), "Bad Request");
}
return "i am secure";
}
private bool ValidateClientCertificate() {
HttpClientCertificate cert = HttpContext.Current.Request.ClientCertificate;
if (!cert.IsPresent || !HttpContext.Current.Request.IsSecureConnection) {
return false;
}
bool isValid = /* is cert the almighty client certificate? */
return isValid;
}
On client side I do something like this:
X509Certificate Cert = X509Certificate.CreateFromCertFile("C:\\secure.cer");
ServicePointManager.CertificatePolicy = new CertPolicy();
HttpWebRequest Request = (HttpWebRequest)WebRequest.Create("https://myserver/Secure.asmx/GetSecureData");
Request.ClientCertificates.Add(Cert);
Request.Method = "GET";
HttpWebResponse Response = (HttpWebResponse)Request.GetResponse();
It would be awesome if I can put some sort of "public key" into the application (App_Data) and check if the client certificate received is the one represented by this public key.
The problems are:
How do I do the magic shown as comment in the first code piece?
I guess the IIS and ASP.net will block the unknown/unverified client certificate. I would need to disable this check for this special service method.
Please don't blame me if the answer is easy and already answered thousands of times. There are thousands of articles about this topic with 100 different solutions and variants. I couldn't find the matching one for my problem.