Enabling authentication - infinite OAuth Redirect Loop about janky HOT 6 CLOSED

Issue re: JANKY_AUTH_TEAM_ID - #112

from janky.

Ok, so last bit of diagnosis for the night.

If I take the code returned by GitHub, I'm having a problem getting a token

Note that the original request from Janky to GitHub contains

• response_type: code
• client_id: JANKY_AUTH_CLIENT_ID
• scope: repo
• redirect_uri: https://MY.JANKY.COM/auth/github/callback

I see in the OAuth docs that state is optional, and Janky does not specify it

So if I take the code from auth/github/callback?code=THECODE, and try to Curl for the token... I don't have any luck.

Per the docs, state is optional on the initial request for a code, but mandatory on the request for the token, so I'm not sure what to do with it. (I'm just trying to verify that I can use the production machine to get the token and verify that this is an application issue)

I've tried specifying state as empty like this

curl -v -H "Accept: application/json" -H "Content-type: application/json" -X POST -d '{"client_id":"JANKY_AUTH_CLIENT_ID", "client_secret":"JANKY_AUTH_CLIENT_SECRET","code":"THECODE", "state":""}' https://github.com/login/oauth/access_token

Or simply not in the request like this

curl -v -H "Accept: application/json" -H "Content-type: application/json" -X POST -d '{"client_id":"JANKY_AUTH_CLIENT_ID", "client_secret":"JANKY_AUTH_CLIENT_SECRET","code":"THECODE" }' https://github.com/login/oauth/access_token

Neither work... in both instances I get a

{"error":"bad_verification_code"}

Per the docs

If the user accepts your request, GitHub redirects back to your site with a temporary code in a code parameter
as well as the state you provided in the previous step in a state parameter. If the states don’t match, 
the request has been created by a third party and the process should be aborted.

If I watch the traffic from my Errbit install, I see that the state parameter is filled in for the request to github.com/login/oauth. The callback to Errbit includes that state, which is then presumably used to acquire a token.

from janky.

/cc @atmos not sure if this is a sinatra_auth_github issue or not?

from janky.

So I've disabled the GitHub OAuth for now, to try and determine why the Janky commands that configure / talk to Jenkins aren't working.

Finally I have something useful in a log. I kind of half wondered if there might be some issue using SSL. It turns out that there is...

When Janky tries to talk to Jenkins, I get:

OpenSSL::SSL::SSLError - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed:

Relvant portion of stack

/usr/lib/ruby/1.9.1/net/http.rb:799:in `connect'
/usr/lib/ruby/1.9.1/net/http.rb:799:in `block in connect'
/usr/lib/ruby/1.9.1/timeout.rb:54:in `timeout'
/usr/lib/ruby/1.9.1/timeout.rb:99:in `timeout'
/usr/lib/ruby/1.9.1/net/http.rb:799:in `connect'
/usr/lib/ruby/1.9.1/net/http.rb:755:in `do_start'
/usr/lib/ruby/1.9.1/net/http.rb:744:in `start'
/usr/lib/ruby/1.9.1/net/http.rb:1284:in `request'
/var/lib/gems/1.9.1/gems/rest-client-1.6.7/lib/restclient/net_http_ext.rb:51:in
/var/lib/gems/1.9.1/gems/janky-0.9.13/lib/janky/builder/http.rb:21:in `run'
/var/lib/gems/1.9.1/gems/janky-0.9.13/lib/janky/builder/runner.rb:12:in `run'
/var/lib/gems/1.9.1/gems/janky-0.9.13/lib/janky/builder/client.rb:21:in `run'

This seems to be a pretty well-documented issue where OpenSSL can't find the certs on the machine (or similar)... but I'm still have some issues getting it worked out.

I was hoping to do something like this, where I just export a variable.

export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt

However, this doesn't seem to work.

There are a number of other solutions involving monkey-patching, etc... For instance, there are suggestions of setting ca_file -- this would be here https://github.com/github/janky/blob/master/lib/janky/github/api.rb#L88 for the GitHub api. But this isn't really a great global solution.

        http.ca_file     = "/etc/ssl/certs/ca-certificates.crt"

I also tried this and it didn't seem to work -- but that might be because it only affects the calls to GitHub, and not the calls to Janky.

So I'm looking for the simplest, least-intrusive manner of getting this working.

If anyone has any suggestions, I'm all ears.

from janky.

Also posted to SO in hopes that someone more Ruby savvy than I can figure this out!
http://stackoverflow.com/questions/13290759/ruby-opensslsslsslerror-on-ubuntu-12-04-1-ruby-1-9-3p0

from janky.

Can you just disable SSL certificate verification and see if that gets you going?

from janky.