ARA_CSRF_TRUSTED_ORIGINS is broken
rptaylor opened this issue · 2 comments
rptaylor commented
What is the issue?
It is documented here: https://ara.readthedocs.io/en/latest/api-configuration.html#ara-csrf-trusted-origins
But it does not work. Running ara with this env var:
- env:
    - name: ARA_CSRF_TRUSTED_ORIGINS
      value: https://ara.example.org
results in pod failure and CrashLoopBackOff with these logs:
Traceback (most recent call last):
  File "/usr/local/bin/ara-manage", line 8, in <module>
    sys.exit(main())
    ^^^^^^
  File "/usr/local/lib/python3.11/site-packages/ara/server/__main__.py", line 27, in main
    if not os.path.exists(settings.ARA_SETTINGS):
    ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/django/conf/__init__.py", line 102, in __getattr__
    self._setup(name)
  File "/usr/local/lib/python3.11/site-packages/django/conf/__init__.py", line 89, in _setup
    self._wrapped = Settings(settings_module)
    ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/django/conf/__init__.py", line 217, in __init__
    mod = importlib.import_module(self.SETTINGS_MODULE)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.11/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "<frozen importlib._bootstrap>", line 1204, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1176, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1147, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 690, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 940, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/usr/local/lib/python3.11/site-packages/ara/server/settings.py", line 269, in <module>
    CSRF_TRUSTED_ORIGINS=CSRF_TRUSTED_ORIGINS.to_list(),
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'str' object has no attribute 'to_list'
What should be happening?
Ara should run with the setting applied correctly. Related to #345
We can't access the admin dashboard anymore due to this error, nor can we run an older version before the CSRF implementation. It doesn't look like there is a way to disable CSRF either...?
rptaylor commented
Oops, the var is supposed to be a list, not a string, never mind. To do that with an env var in k8s the syntax has to be like this:
- env:
    - name: ARA_CSRF_TRUSTED_ORIGINS
      # single-quoted YAML scalar: each inner ' is written as ''
      value: '[''https://ara.example.org'']'
or
- env:
    - name: ARA_CSRF_TRUSTED_ORIGINS
      # double-quoted YAML scalar: inner ' needs no doubling
      value: "['https://ara.example.org']"
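The quoting above is easy to get subtly wrong, and the failure mode differs: a bare URL reaches the settings module as a `str` (the traceback in the report), while a mis-quoted list literal fails to parse at all. The following is an added example, not ARA's, Django's or the reporter's code. It traces a Kubernetes `value:` scalar through YAML unquoting into the environment variable and on into a validated list of origins. The functions `yaml_scalar`, `parse_origin_list`, `validate_origin`, `outcome` and the `SAMPLE_VALUES` table are illustrative and assumed; ARA's real settings loader is not reproduced here, and the YAML decoder covers only one-line plain, single-quoted and double-quoted scalars. The origin rules (scheme plus host, optional `*.` prefix, nothing after the host) are what Django 4+ expects for `CSRF_TRUSTED_ORIGINS`.

```python
import ast
from urllib.parse import urlsplit


def yaml_scalar(raw: str) -> str:
    """Decode a one-line YAML scalar into the string the container's env var
    will hold. Covers plain, 'single-quoted' and "double-quoted" scalars only
    (a deliberately small subset of YAML, written here for illustration)."""
    if len(raw) >= 2 and raw[0] == raw[-1] == "'":
        # Single-quoted YAML: no backslash escapes; '' is the only escape and
        # yields one literal apostrophe.
        return raw[1:-1].replace("''", "'")
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        # Double-quoted YAML: \" is an escaped quote; '' stays two apostrophes.
        return raw[1:-1].replace('\\"', '"')
    return raw


def parse_origin_list(env_value: str) -> list[str]:
    """Interpret the env var text as a list literal. A bare URL is not a list,
    so it is rejected here instead of being handed on as a str (which is what
    the AttributeError in the traceback above amounts to)."""
    try:
        value = ast.literal_eval(env_value)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"not a list literal: {env_value!r}") from exc
    if not isinstance(value, list) or not all(isinstance(o, str) for o in value):
        raise ValueError(f"expected a list of strings, got {value!r}")
    return value


def validate_origin(origin: str) -> str:
    """Check one entry the way a Django 4+ CSRF check needs it: scheme://host,
    optional port, optional leading '*.' wildcard, and nothing after the host
    (a trailing slash or path would never match the Origin header)."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"origin needs scheme and host: {origin!r}")
    if parts.path or parts.query or parts.fragment:
        raise ValueError(f"origin must stop at the host: {origin!r}")
    if "*" in parts.netloc and not parts.netloc.startswith("*."):
        raise ValueError(f"only a leading '*.' wildcard is allowed: {origin!r}")
    return origin


def trusted_origins_from_yaml(yaml_value: str) -> list[str]:
    """YAML scalar -> env var string -> validated list of origins."""
    return [validate_origin(o) for o in parse_origin_list(yaml_scalar(yaml_value))]


def outcome(yaml_value: str) -> tuple[bool, str]:
    """Return (accepted, detail) so a result can be tabulated or asserted on."""
    try:
        return True, repr(trusted_origins_from_yaml(yaml_value))
    except ValueError as exc:
        return False, str(exc)


# Constructed sample values, exactly as they would follow `value:` in a
# Kubernetes container env entry (the three forms from this thread plus two
# near-misses).
SAMPLE_VALUES = {
    "plain string (what crashed ARA)": "https://ara.example.org",
    "single-quoted list": "'[''https://ara.example.org'']'",
    "double-quoted list": "\"['https://ara.example.org']\"",
    "double-quoted, doubled apostrophes": "\"[''https://ara.example.org']\"",
    "trailing slash": "'[''https://ara.example.org/'']'",
}

if __name__ == "__main__":
    for label, raw in SAMPLE_VALUES.items():
        ok, detail = outcome(raw)
        print(f"{'OK ' if ok else 'ERR'} {label:36} env={yaml_scalar(raw)!r} -> {detail}")
```

Run it and the two correctly quoted forms are the only ones accepted; the doubled-apostrophe double-quoted variant decodes to `[''https://ara.example.org']`, which is not a valid list literal. Keep the list to origins you actually serve: every entry exempts that origin from Django's Origin/Referer check on state-changing requests.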