Skip to content
This repository has been archived by the owner on Dec 7, 2023. It is now read-only.

Conjur login succeeds on wrong url on SAAS #340

Open
Conjur-oss opened this issue Nov 24, 2021 · 0 comments
Open

Conjur login succeeds on wrong url on SAAS #340

Conjur-oss opened this issue Nov 24, 2021 · 0 comments
Labels
Bugtype/Functionality kind/bug ONYX-14313 priority/Default severity/high team/Palmtree

Comments

@Conjur-oss
Copy link
Collaborator

Conjur-oss commented Nov 24, 2021
edited by szh
Loading

##Bug description
Reproduced on SAAS only (related to everest) Steps to reproduce:

  1. Run conjur init on wrong url when the url is composed from / and the error is in one of the parts after /, for example for conjur cloud url, the correct url is : [https://eyalandavidocs.integration-cyberark.cloud/api/secretsmgr] and you insert : [https://eyalandavidocs.integration-cyberark.cloud/api/secret]
  2. Run conjur login with correct credentials

Current Results:
init succsedded
login response “Successfully logged in to Conjur”

All the rest of the commands you get 403 altough i'm not authorised and not connect to the relevant machine

 example:
{code:java}
conjur --debug init -u https://sonali.integration-cyberark.cloud/api/secfdasfadsfads/ -a conjur -c ~/work/www.google.com.crt

File /Users/Elad.Kugman/.conjurrc exists. Overwrite? yes/no (Default: yes): yes
Configuration written to /Users/Elad.Kugman/.conjurrc

Successfully initialized the Conjur CLI
To start using the Conjur CLI, log in to the Conjur server by running conjur login
{code}
{code:java}
➜ conjur --debug login
Enter your username: admin
Enter your password or API key (this will not be echoed):
2021-12-08 17:19:05,322 DEBUG: Attempting to fetch 'admin' API key from Conjur...
2021-12-08 17:19:05,326 DEBUG: Starting new HTTPS connection (1): sonali.integration-cyberark.cloud:443
2021-12-08 17:19:06,010 DEBUG: https://sonali.integration-cyberark.cloud:443 "GET /api/secfdasfadsfads/authn/conjur/login HTTP/1.1" 200 715
2021-12-08 17:19:06,011 DEBUG: API key retrieved from Conjur
2021-12-08 17:19:06,011 DEBUG: Attempting to save credentials to the system's credential store 'macOS Keyring'...
2021-12-08 17:19:06,048 DEBUG: Credentials saved to the 'macOS Keyring' credential store
{code}
 
{code:java}
conjur --debug list
2021-12-08 17:35:25,161 DEBUG: Initializing configuration...
2021-12-08 17:35:25,161 DEBUG: Fetching connection details from filesystem '/Users/Elad.Kugman/.conjurrc'...
2021-12-08 17:35:25,161 DEBUG: Fetched connection details: {'conjur_account': conjur, 'conjur_url': https://sonali.integration-cyberark.cloud/api/secfdasfadsfads, 'cert_file': /Users/Elad.Kugman/work/www.google.com.crt}
2021-12-08 17:35:25,162 DEBUG: Attempting to retrieve credentials from the 'macOS Keyring credential store'...
2021-12-08 17:35:25,167 DEBUG: Successfully retrieved credentials from the 'macOS Keyring credential store'
2021-12-08 17:35:25,167 DEBUG: Client initialized
2021-12-08 17:35:25,167 DEBUG: Executing list command with no constraints
2021-12-08 17:35:25,167 DEBUG: API token missing or expired. Fetching new one...
2021-12-08 17:35:25,167 DEBUG: Authenticating to https://sonali.integration-cyberark.cloud/api/secfdasfadsfads...
2021-12-08 17:35:25,171 DEBUG: Starting new HTTPS connection (1): sonali.integration-cyberark.cloud:443
2021-12-08 17:35:25,342 DEBUG: https://sonali.integration-cyberark.cloud:443 "POST /api/secfdasfadsfads/authn/conjur/admin/authenticate HTTP/1.1" 403 919
2021-12-08 17:35:25,344 DEBUG: 403 Forbidden

<TITLE>ERROR: The request could not be satisfied</TITLE>

403 ERROR

The request could not be satisfied.

Request blocked. We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation. 
Generated by cloudfront (CloudFront)
Request ID: z9cwI5YHvbtRrsb-DA4LGW-wOWHV3Kc9ajKynEY51cMnJ62bYyAbBw==
2021-12-08 17:35:25,352 DEBUG: Traceback (most recent call last): File "/Users/Elad.Kugman/brew/lib/python3.9/site-packages/conjur/cli.py", line 546, in run Cli.run_action(resource, args) File "/Users/Elad.Kugman/brew/lib/python3.9/site-packages/conjur/cli.py", line 754, in run_action Cli.handle_list_logic(list_data, client) File "/Users/Elad.Kugman/brew/lib/python3.9/site-packages/conjur/cli.py", line 637, in handle_list_logic list_controller.load() File "/Users/Elad.Kugman/brew/lib/python3.9/site-packages/conjur/controller/list_controller.py", line 29, in load result = self.list_logic.list(self.list_data) File "/Users/Elad.Kugman/brew/lib/python3.9/site-packages/conjur/logic/list_logic.py", line 27, in list return self.client.list(list_constraints) File "/Users/Elad.Kugman/brew/lib/python3.9/site-packages/conjur/api/client.py", line 171, in list return self._api.resources_list(list_constraints) File "/Users/Elad.Kugman/brew/lib/python3.9/site-packages/conjur/api/api.py", line 144, in resources_list api_token=self.api_token, File "/Users/Elad.Kugman/brew/lib/python3.9/site-packages/conjur/api/api.py", line 86, in api_token self._api_token = self.authenticate() File "/Users/Elad.Kugman/brew/lib/python3.9/site-packages/conjur/api/api.py", line 128, in authenticate return invoke_endpoint(HttpVerb.POST, ConjurEndpoint.AUTHENTICATE, params, File "/Users/Elad.Kugman/brew/lib/python3.9/site-packages/conjur/wrapper/http_wrapper.py", line 86, in invoke_endpoint raise http_error File "/Users/Elad.Kugman/brew/lib/python3.9/site-packages/conjur/wrapper/http_wrapper.py", line 80, in invoke_endpoint response.raise_for_status() File "/Users/Elad.Kugman/brew/lib/python3.9/site-packages/requests/models.py", line 953, in raise_for_status raise HTTPError(http_error_msg, response=self) requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://sonali.integration-cyberark.cloud/api/secfdasfadsfads/authn/conjur/admin/authenticate

Failed to execute command. Reason: 403 Client Error: Forbidden for url: https://sonali.integration-cyberark.cloud/api/secfdasfadsfads/authn/conjur/admin/authenticate
{code}
We get 200 and this is the message we saw (while running via browser)
{code:java}
{"success":false,"Result":{"Summary":"Failure"},"Message":"Authentication (login or challenge) has failed. Please try again or contact your system administrator.","MessageID":null,"Exception":null,"ErrorID":"dc1cc59f-4e4a-4c69-a43a-8f284db55298:2dcf29dcf4ea459aaeeba76cd4e9d8a5","ErrorCode":null,"IsSoftError":false,"InnerExceptions":null}
{code}
Expected Results:
Failed either on init(preferable) or login

Error Messages:

Logs:

Other Symptoms:

Tenant ID / Pod Number:

##Found in version
12.3

##Workaround Complexity
There's an easy workaround

##Workaround Description
put the correct url

##Affects Version/s

##Link to JIRA bug
ONYX-14313
@Conjur-oss Conjur-oss changed the title Conjur login succeeds on wrong url Conjur login succeeds on wrong url on SAAS Dec 13, 2021
@cyberark cyberark deleted a comment from Conjur-oss Nov 29, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Bugtype/Functionality kind/bug ONYX-14313 priority/Default severity/high team/Palmtree
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Conjur-oss