tosher/Mediawiker

Connection exception: 'HTTPError' object does not support indexing - GSSAPI Authentication

Closed this issue · 9 comments

I have lost the ability to connect to our internal MediaWiki server. When I attempt to connect the following is logged;

Connecting to "https://wiki.wdc.infra.opentlc.com" .. >>> '''DEBUG''' Get connection from connection manager.

'''DEBUG''' HTTP response: 401 Client Error: Unauthorized for url: https://wiki.wdc.infra.opentlc.com/api.php
'''DEBUG''' Connection exception: 'HTTPError' object does not support indexing
ConnectionFailed exception for get_page: No valid connection available

Looking at the console I see the following;

/Users/tcrowe/Library/Application Support/Sublime Text 3/Packages/requests/all/requests/packages/urllib3/connectionpool.py:852: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)
Traceback (most recent call last):
  File "/Applications/Sublime Text.app/Contents/MacOS/Lib/python33/sublime_plugin.py", line 1488, in run_
    return self.run(edit, **args)
  File "/Users/tcrowe/Library/Application Support/Sublime Text 3/Packages/Mediawiker/mediawiker.py", line 134, in run
    panel.get_title(title)
  File "/Users/tcrowe/Library/Application Support/Sublime Text 3/Packages/Mediawiker/mwcommands/mw_utils.py", line 1062, in get_title
    self.on_done(title)
  File "/Users/tcrowe/Library/Application Support/Sublime Text 3/Packages/Mediawiker/mwcommands/mw_utils.py", line 1072, in on_done
    set_timeout_async(self.callback(title), 0)
  File "/Users/tcrowe/Library/Application Support/Sublime Text 3/Packages/Mediawiker/mediawiker.py", line 148, in get_section_number
    return self.page_open(self.title)
  File "/Users/tcrowe/Library/Application Support/Sublime Text 3/Packages/Mediawiker/mediawiker.py", line 177, in page_open
    if utils.api.page_can_edit(page):
  File "/Users/tcrowe/Library/Application Support/Sublime Text 3/Packages/Mediawiker/mwcommands/mw_utils.py", line 538, in page_can_edit
    return page.can('edit')
AttributeError: 'NoneType' object has no attribute 'can'

I am able to authenticate to the wiki in my browser, as well as using curl.

Here is my site configuration;

	"site":
	{
		"OpenTLC Wiki":
		{
			"authorization_type": "login",
			"cookies_browser": "chrome",
			"username": "tcrowe-redhat.com",
			"password": "XXXXXXXX",
			"host": "wiki.wdc.infra.opentlc.com",
			"https": true,
			"is_ssl_cert_verify": false,
			"is_wikia": false,
			"pagepath": "/index.php?title=",
			"path": "/",
			"preview_custom_head":
			[
			],
			"preview_sandbox": "",
			"proxy_host": "",
			"retry_timeout": 30,
			"search_namespaces": "",
			"show_red_links": true,
			"summary_fail_buf": "",
			"use_http_auth": false,
		},
	},

The wiki has GSSAPI configured using Kerberos, and does work with basic authentication, here is an example with curl;

➜ ~ curl --user tcrowe-redhat.com:"XXXXXXXX" -v https://wiki.wdc.infra.opentlc.com/api.php

* Trying 169.47.20.228...
* TCP_NODELAY set
* Connected to wiki.wdc.infra.opentlc.com (169.47.20.228) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: O=OPENTLC.COM; CN=wiki.wdc.infra.opentlc.com
* start date: May 27 13:51:32 2021 GMT
* expire date: May 28 13:51:32 2023 GMT
* subjectAltName: host "wiki.wdc.infra.opentlc.com" matched cert's "wiki.wdc.infra.opentlc.com"
* issuer: O=OPENTLC.COM; CN=Certificate Authority
* SSL certificate verify ok.
* Server auth using Basic with user 'tcrowe-redhat.com'

> GET /api.php HTTP/1.1
> Host: wiki.wdc.infra.opentlc.com
> Authorization: Basic XXXXXXXX
> User-Agent: curl/7.64.1
> Accept: */*

< HTTP/1.1 200 OK
< Date: Wed, 28 Jul 2021 19:31:17 GMT
< Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1c mod_auth_gssapi/1.6.1
< X-Powered-By: PHP/7.3.20
< X-Content-Type-Options: nosniff
< Content-language: en
< Vary: Accept-Encoding,Cookie
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< X-Frame-Options: DENY
< Content-Disposition: inline; filename=api-help.html
< Cache-Control: private, must-revalidate, max-age=0
< X-Request-Id: YQGwhZiefJRIsJ9K6A727wAAAAo
< Set-Cookie: mediawikidb_mw1_304f3058_session=4nmtcasgmlqkivat2it4mkgn7is46t9n; path=/; secure; HttpOnly
< Set-Cookie: mediawikidb_mw1_304f3058RemoteToken=tcrowe-redhat.com; expires=Fri, 27-Aug-2021 19:31:18 GMT; Max-Age=2592000; path=/; secure; HttpOnly
< Set-Cookie: mediawikidb_mw1_304f3058UserID=6; expires=Mon, 24-Jan-2022 19:31:18 GMT; Max-Age=15552000; path=/; secure; HttpOnly
< Set-Cookie: mediawikidb_mw1_304f3058UserName=Tcrowe-redhat.com; expires=Mon, 24-Jan-2022 19:31:18 GMT; Max-Age=15552000; path=/; secure; HttpOnly
< Set-Cookie: mediawikidb_mw1_304f3058Token=96695a0ab5e9f7ed0b66b0456958d54c; expires=Mon, 24-Jan-2022 19:31:18 GMT; Max-Age=15552000; path=/; secure; HttpOnly
< Set-Cookie: gssapi_session=;Max-Age=0;path=/pathname;httponly;secure;
< Cache-Control: no-cache
< Set-Cookie: gssapi_session=;Max-Age=0;path=/pathname;httponly;secure;
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=utf-8
<

<title>MediaWiki API help - OpenTLC_Wiki</title>

Happy to provide any other output that would be beneficial in getting this working.

Thanks;
Thomas Crowe

I have also tried cookies authentication as well as use_http_auth with http_auth_login and http_auth_password set to valid entries.

Another observation, if I intentionally set my credentials to invalid ones, I receive the same errors above.

I manage that Mediawiki instance and have been in communication with @thomas-crowe on this - we use Kerberos for Mediawiki authentication for these instances via the remoteauth plugin in Mediawiki (Apache GSSAPI config). In testing, if I use mwclient directly, I can connect without issue using the http-auth function of the mwclient, but attempting to connect via mediawiker returns an error making an HTTP connection as "Unknown Realm".

Connecting to "https://wiki.wdc.infra.opentlc.com" ..   >>> HTTP connection failed: Unknown realm.
  >>>  failed.
  >>> ConnectionFailed exception for get_page: No valid connection available

Please see the connection output from the python3 CLI client (usernames and passwords changed to protect the guilty)

But using the same config as I have in the Mediawiker settings, and putting it directly into mwclient, I see the following that works.

>>> import mwclient
>>> import requests
>>> site = mwclient.Site(('https','wiki.wdc.infra.opentlc.com'), path='/', httpauth=('mywikiuser','MYWIKIPASSWORD'))
/usr/lib/python3.9/site-packages/mwclient/client.py:378: DeprecationWarning: Specifying host as a tuple is deprecated as of mwclient 0.10.1. Please use the new scheme argument instead.
  warnings.warn(
>>> page = site.pages['Main_Page']
/usr/lib/python3.9/site-packages/mwclient/client.py:378: DeprecationWarning: Specifying host as a tuple is deprecated as of mwclient 0.10.1. Please use the new scheme argument instead.
  warnings.warn(
>>> page.exists
True
>>> page.text()
/usr/lib/python3.9/site-packages/mwclient/client.py:378: DeprecationWarning: Specifying host as a tuple is deprecated as of mwclient 0.10.1. Please use the new scheme argument instead.
  warnings.warn(
"* [[:Category:Accounts]]\n* [[:Category:Architecture]]\n* [[:Category:CloudSandboxes]]\n* [[:Category:CloudForms]]\n* [[:Category:ContentDevelopment]]\n* [[:Category:DailyOps]]\n* [[:Category:Events]]\n* [[:Category:Governance]]\n* [[:Category:Infra]]\n* [[:Category:InstructorLedTraining]]\n* [[:Category:Onboarding]]\n* [[:Category:OperationsManual]]\n* [[:Category:Reporting]]\n* [[:Category:Support]]\n* [[:Category:Team]]\n* [[:Category:Troubleshooting]] \n\n\nConsult the [https://www.mediawiki.org/wiki/Special:MyLanguage/Help:Contents User's Guide] for information on using the wiki software."
>>>

I think from trawling the code, that the error we're hitting is from mw_utils.py around line mw_utils.py L993, and is possibly complaining about the WWW-Authenticate header? But the headers are standard for Basic authentication from what I can see via curl:

$ curl -vvv https://wiki.wdc.infra.opentlc.com 2>&1 | grep Authent
< WWW-Authenticate: Negotiate
< WWW-Authenticate: Basic realm="OPEN SSO"
$

Anyway, this is as far as I've been able to get in my troubleshooting. Accessing the same wiki via any standard browser? No issues on Firefox, Chrome, Brave, M$ Edge, or KDE's Konqueror - they all ask for Basic Auth up-front in a popup on accessing the site, I enter the same credentials I use above for Mediawiker and mwclient - and I'm in.

Thanks for the extended info, I'll check it as soon as possible.

Please, set in config:

"debug": true

and try to open any page with site settings:

		{
			"authorization_type": "login",
			"use_http_auth": true,
			"http_auth_login": "tcrowe-redhat.com",
			"http_auth_password": "XXXXXXXX",
			"host": "wiki.wdc.infra.opentlc.com",
			"https": true,
			"is_ssl_cert_verify": false,
			"pagepath": "/index.php?title=",
			"path": "/"
		}

and attach the result from the panel/console to the issue.

Panel Output

''Site configuration is changed, setup new connection to "OpenTLC Wiki".. '''
Connecting to "https://wiki.wdc.infra.opentlc.com" ..   >>> HTTP connection failed: Unknown realm.
  >>>  failed.
  >>> '''DEBUG''' Get connection from connection manager.
  >>> '''DEBUG''' HTTP response: 401 Client Error: Unauthorized for url: https://wiki.wdc.infra.opentlc.com/api.php
  >>> ConnectionFailed exception for get_page: No valid connection available

Console Output

reloading settings Packages/User/Preferences.sublime-settings
/Users/tcrowe/Library/Application Support/Sublime Text 3/Packages/requests/all/requests/packages/urllib3/connectionpool.py:852: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)
Traceback (most recent call last):
  File "/Applications/Sublime Text.app/Contents/MacOS/Lib/python33/sublime_plugin.py", line 1488, in run_
    return self.run(edit, **args)
  File "/Users/tcrowe/Library/Application Support/Sublime Text 3/Packages/Mediawiker/mediawiker.py", line 134, in run
    panel.get_title(title)
  File "/Users/tcrowe/Library/Application Support/Sublime Text 3/Packages/Mediawiker/mwcommands/mw_utils.py", line 1062, in get_title
    self.on_done(title)
  File "/Users/tcrowe/Library/Application Support/Sublime Text 3/Packages/Mediawiker/mwcommands/mw_utils.py", line 1072, in on_done
    set_timeout_async(self.callback(title), 0)
  File "/Users/tcrowe/Library/Application Support/Sublime Text 3/Packages/Mediawiker/mediawiker.py", line 148, in get_section_number
    return self.page_open(self.title)
  File "/Users/tcrowe/Library/Application Support/Sublime Text 3/Packages/Mediawiker/mediawiker.py", line 177, in page_open
    if utils.api.page_can_edit(page):
  File "/Users/tcrowe/Library/Application Support/Sublime Text 3/Packages/Mediawiker/mwcommands/mw_utils.py", line 538, in page_can_edit
    return page.can('edit')
AttributeError: 'NoneType' object has no attribute 'can'

Site Config per your recommendations above

	"site":
	{
		"OpenTLC Wiki":
		{
			"authorization_type": "login",
			"use_http_auth": true,
			"http_auth_login": "tcrowe-redhat.com",
			"http_auth_password": "XXXXXXXXX",
			"host": "wiki.wdc.infra.opentlc.com",
			"https": true,
			"is_ssl_cert_verify": false,
			"pagepath": "/index.php?title=",
			"path": "/"
		}

	},

mw_utils.zip

Please, try to extract and replace mwcommands\mw_utils.py with this version - it's a temporary fix - send me the panel output after opening some page.

Here is the panel output as requested;

'''Setup new connection to "OpenTLC Wiki".'''
Connecting to "https://wiki.wdc.infra.opentlc.com" ..  done.
Login in with authorization type login..  done, without authorization.
  >>> '''DEBUG''' Get connection from connection manager.
  >>> '''DEBUG''' HTTP response: 401 Client Error: Unauthorized for url: https://wiki.wdc.infra.opentlc.com/api.php
  >>> '''DEBUG''' www-authenticate header: Negotiate, Basic realm="OPEN SSO"
  >>> '''DEBUG''' Connection: <requests.sessions.Session object at 0x7f9b4a061210>
Page [[TAC-Notes]] was opened successfully from "OpenTLC Wiki".
  >>> '''DEBUG''' Get connection from connection manager.
  >>> '''DEBUG''' Cached connection: True

Thank you, it's the expected result, the plugin will be updated soon.

https://github.com/tosher/Mediawiker/releases/tag/v3.6.10

The new version with updated authorization.
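
The server in this thread offers two challenges (`Negotiate` and `Basic realm="OPEN SSO"`), and a client that expects the `WWW-Authenticate` value to begin with a Basic challenge finds no realm in it. The following is an added example, not Mediawiker's or mwclient's code, of parsing a multi-challenge header and picking the scheme the client can answer; the function names `parse_challenges` and `select_challenge` are hypothetical, and the grammar is a simplified reading of RFC 7235.

```python
import re

# RFC 7235 pieces: token, auth-param (name = token | "quoted"), comma-separated item
_TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
_PARAM = re.compile(r'(%s)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|(%s))$' % (_TOKEN, _TOKEN))
_ITEM = re.compile(r'(?:[^,"]|"(?:[^"\\]|\\.)*")+')  # commas inside quotes do not split

# Value taken from the thread's debug output (requests joins repeated headers with ", ")
PAGE_HEADER = 'Negotiate, Basic realm="OPEN SSO"'


def _param(text):
    m = _PARAM.match(text)
    if not m:
        return None
    name, quoted, bare = m.groups()
    value = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else bare
    return name.lower(), value


def parse_challenges(values):
    """Parse one header value, or a list of them, into challenge dicts."""
    values = [values] if isinstance(values, str) else values
    challenges = []
    for item in filter(None, (i.strip() for v in values for i in _ITEM.findall(v))):
        kv = _param(item)
        if kv:  # bare auth-param: belongs to the challenge before it
            if challenges:
                challenges[-1]["params"][kv[0]] = kv[1]
            continue
        scheme, rest = (item.split(None, 1) + [""])[:2]
        ch = {"scheme": scheme.lower(), "params": {}, "token68": None}
        kv = _param(rest)
        if kv:
            ch["params"][kv[0]] = kv[1]
        elif rest:
            ch["token68"] = rest
        challenges.append(ch)
    return challenges


def select_challenge(challenges, supported=("basic",)):
    """Pick the offered challenge the client prefers; None if none is supported."""
    offered = {ch["scheme"]: ch for ch in reversed(challenges)}
    return next((offered[s] for s in supported if s in offered), None)


if __name__ == "__main__":
    print(select_challenge(parse_challenges(PAGE_HEADER)))
```

The same result comes back whether the two challenges arrive as one comma-joined string or as separate header lines, as in the curl output earlier in the thread.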