I am trying to interface with ejabberdctl remotely so my nodeJS client can send commands to a remote jabber server, using the mod_restful plugin with the ejabberd REST API. I am able to send a request using postman to test, with admin user and password sent in the header of the POST requests. I have edited my ejabberd.yml to include:
api_permissions:
  "API used from localhost allows all calls":
    - who:
        - ip: "127.0.0.1/8"
    - what:
        - "*"
commands_admin_access:
  - allow:
      - user: "admin@localhost"
commands:
  - "*"
  - create_room: "*"
  - register: "*"
# Tokens are valid for a year as default:
auth_expire: 31536000
oauth_access: all
and my ejabberd.cfg config file includes:
{mod_restful, [
  {api,
    [
      {["admin"], mod_restful_admin, [
        {key, "secret"},
        {allowed_commands, [register, unregister, create_room]}
      ]},
      {["register"], mod_restful_register, [{key, "secret"}]}
    ]}
]}
I am accessing my admin API at /api/admin and for some reason all the commands I try authenticate successfully, but I continually receive this error as the response in Postman:
"command_unknown"
I must have just incorrectly configured something, but I'm really not sure what. I'm a bit confused about the overlap of settings between the YML and CFG files.
I have configured ejabberd on my server but when I tried to access ejabberd I am getting the error that port 4560/rpc2 is not responding. I have uncommented XML-RPC in the ejabberd.yml file but after uncommenting, ejabberd stopped working. Here is the code which I uncommented.
  -
    ## port: 4560
    ## module: ejabberd_xmlrpc
    ## maxsessions: 10
    ## timeout: 5000
    ## access_commands:
    ##   admin:
    ##     commands: all
    ##     options: []
I have searched almost everything; what else do I have to install or uncomment to enable this port and function?
I have configured ejabberd on my server
You don't mention what ejabberd version you are using. I guess the latest released, ejabberd 19.09.1.
but when I tried to access ejabberd I am getting the error that port 4560/rpc2 is not responding.
That may be because you must configure a listener for port 4560 in ejabberd.yml.
I have uncommented XML-RPC in the ejabberd.yml file but after uncommenting, ejabberd stopped working. Here is the code which I uncommented.
You don't mention what error messages are shown in the ejabberd log files. Was it like this?
11:22:26.482 [critical] Failed to start ejabberd application: Invalid value of option listen->3: Unknown option: maxsessions.
It means the option maxsessions is no longer supported by ejabberd_xmlrpc.
I configure it like this:
  -
    port: 4560
    module: ejabberd_xmlrpc
Then I do a simple test, visiting this website:
http://localhost:4560/
And the ejabberd_xmlrpc replies as expected that this GET query is not supported:
400 Bad Request
I have installed the latest version of ejabberd, 20.01, so now I am not getting the XML-RPC error any more. But now I am facing a user register error.
Summary of the question: How can we make FIWARE IdM Keyrock and FIWARE Authzforce set up the AZF domains properly, so that we don't get the "AZF domain not created for application XYZ" response?
I'm trying to configure a server with FIWARE Orion, FIWARE PepProxy Wilma, FIWARE IdM Keyrock, FIWARE Authzforce properly.
I arrived at the point in which the first 3 components work properly and interact with each other, but now I'm trying to add authorization and I obtain the following error:
AZF domain not created for application.
I've already tried all the solutions presented at the following links but none of them works:
https://fiware-pep-proxy.readthedocs.io/en/latest/user_guide/#level-2-basic-authorization
https://www.youtube.com/watch?v=coxFQEY0_So
How to configure the Fiware PEP WILMA proxy to use a Keyrock and Orion instance on my own servers
Fiware IDM+AuthZForce+PEP-Proxy-Wilma
Fiware - how to connect PEP proxy to Orion and configure both with HTTPS?
Fiware AuthZForce error: "AZF domain not created for application"
AuthZForce Security Level 2: Basic Authorization error "AZF domain not created for application"
https://www.slideshare.net/daltoncezane/integrating-fiware-orion-keyrock-and-wilma
“AZF domain not created for application” AuthZforce
Fiware AuthZForce error: "AZF domain not created for application"
Fiware suitable Components
https://www.slideshare.net/FI-WARE/adding-identity-management-and-access-control-to-your-app-70523086
Official documentation not usable because it refers to (maybe) an old Python version of the IdM
In the following you can find the instructions to reproduce my scenario:
Install Orion by using the Docker container
Create a directory on your system on which to work (for example, /home/fiware-orion-docker).
Create a new file called docker-compose.yml inside your directory with the following contents:
mongo:
  image: mongo:3.4
  command: --nojournal
orion:
  image: fiware/orion
  links:
    - mongo
  ports:
    - "1026:1026"
  command: -dbhost mongo -logLevel DEBUG
  dns:
    - 208.67.222.222
    - 208.67.220.220
PAY ATTENTION: without the DNS it will never send notifications!!!
PAY ATTENTION 2 (source): Connections from Docker containers get routed into the (iptables) FORWARD chain, which needs to be configured to allow connections through it. The default is to DROP the connections. Thus if you use a firewall you have to change it:
sudo nano /etc/default/ufw
Set DEFAULT_FORWARD_POLICY to "ACCEPT":
DEFAULT_FORWARD_POLICY="ACCEPT"
Save the file.
Reload ufw
sudo ufw reload
Within the directory you created, type the following command in the command line: sudo docker-compose up -d.
After a few seconds you should have your Context Broker running and listening on port 1026.
Check that everything works with
curl localhost:1026/version
Install FIWARE IdM Keyrock (used for authentication over the Orion Context Broker):
https://github.com/ging/fiware-idm
WARNING -1: (if the next command doesn't work:
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu artful stable" )
WARNING 0: if you have a firewall: DISABLE IT, otherwise docker-compose will not work
sudo apt-get install docker-compose
mkdir fiware-idm
cd fiware-idm
create docker-compose.yml
nano docker-compose.yml
version: "3.5"
services:
  keyrock:
    image: fiware/idm:7.6.0
    container_name: fiware-keyrock
    hostname: keyrock
    networks:
      default:
        ipv4_address: 172.18.1.5
    depends_on:
      - mysql-db
    ports:
      - "3000:3000"
    environment:
      - DEBUG=idm:*
      - IDM_DB_HOST=mysql-db
      - IDM_HOST=http://localhost:3000
      - IDM_PORT=3000
      # Development use only
      # Use Docker Secrets for Sensitive Data
      - IDM_DB_PASS=secret
      - IDM_DB_USER=root
      - IDM_ADMIN_USER=admin
      - IDM_ADMIN_EMAIL=admin@test.com
      - IDM_ADMIN_PASS=1234
  mysql-db:
    restart: always
    image: mysql:5.7
    hostname: mysql-db
    container_name: db-mysql
    expose:
      - "3306"
    ports:
      - "3306:3306"
    networks:
      default:
        ipv4_address: 172.18.1.6
    environment:
      # Development use only
      # Use Docker Secrets for Sensitive Data
      - "MYSQL_ROOT_PASSWORD=secret"
      - "MYSQL_ROOT_HOST=172.18.1.5"
    volumes:
      - mysql-db:/var/lib/mysql
networks:
  default:
    ipam:
      config:
        - subnet: 172.18.1.0/24
volumes:
  mysql-db: ~
sudo docker-compose up -d (This will automatically download the two images and run the IdM Keyrock service; -d runs it in the background.)
Now you should be able to access the Identity Management tool through the website http://localhost:3000
username: admin@test.com
password: 1234
Register a new user and enable it through the interface
Then use the GUI to:
Create an "Organization" (e.g., ORGANIZ1)
Create an "application"
Step 1:
Name: Orion Idm
Description: Orion Idm
URL: http://localhost
Callback URL: http://localhost
Grant Type: Authorization Code, Implicit, Resource Owner Password, Client Credentials, Refresh Token
Provider: newuser
Step 2: leave empty
Step 3: choose "Provider"
Step 4:
click on "OAuth2 Credentials" and take notes of "Client ID" (94480bc9-43e8-4c15-ad45-0bb227e42e63) and "Client Secret" (4f6ye5y7-b90d-473a-3rr7-ea2f6dd43246)
Click on "PEP Proxy" and then on "Register a new PEP Proxy"
take notes of "Application Id" (94480bc9-43e8-4c15-ad45-0bb227e42e63), "Pep Proxy Username" (pep_proxy_dad356d2-dasa-4f95-a9hf-9ab06tccf929), and "Pep Proxy Password" (pep_proxy_a33667ec-57y1-498k-85aa-ef77ue5f6234)
Click on "Authorize" (Users) and authorize all the existing users with both roles (Purchaser and Provider for all the options)
Click on "Authorize" (Organizations) and authorize all the existing organizations with both roles (Purchaser and Provider for all the options)
Install the FIWARE Authzforce
sudo docker pull authzforce/server:latest (latest was 8.1.0 at the moment of writing)
sudo docker run -d -p 8085:8080 --name authzforce_server authzforce/server
Install the FIWARE PEP Proxy Wilma (used to enable https and authentication for Orion):
git clone https://github.com/ging/fiware-pep-proxy.git
cd fiware-pep-proxy
cp config.js.template config.js
nano config.js
var config = {};

// Used only if https is disabled
config.pep_port = 5056;
config.https = undefined

config.idm = {
  host: 'localhost',
  port: 3000,
  ssl: false
}
config.app = {
  host: 'localhost',
  port: '1026',
  ssl: false // Use true if the app server listens in https
}
config.response_type = 'code';

// Credentials obtained when registering PEP Proxy in app_id in Account Portal
config.pep = {
  app_id: '91180bc9-43e8-4c14-ad45-0bb117e42e63',
  username: 'pep_proxy_dad356d2-dasa-4f95-a9hf-9ab06tccf929',
  password: 'pep_proxy_a33667ec-57y1-498k-85aa-ef77ue5f6234',
  trusted_apps : []
}

// in seconds
config.cache_time = 300;

// list of paths that will not check authentication/authorization
// example: ['/public/*', '/static/css/']
config.public_paths = [];
config.magic_key = undefined;

module.exports = config;

config.authorization = {
  enabled: true,
  pdp: 'authzforce', // idm|authzforce
  azf: {
    protocol: 'http',
    host: 'localhost',
    port: 8085,
    custom_policy: undefined, // use undefined to default policy checks (HTTP verb + path).
  }
}
install all the dependencies
npm install
run the proxy
sudo node server
Create a user role:
Reconnect to the IdM http://localhost:3000:
click on your application
click on Manage rules at the top of the page
click on the + button near Roles
Name: "trial"
Save
click on the + button near Permission
Permission Name: trial1
Description: trial1
HTTP action: GET
Resource: version
Save
come back to the application
Click on "Authorize" near "Authorized users"
Assign the "trial" role to your user
Now use Postman to get a token:
connect to localhost:3000/oauth2/token and send the following parameters:
Body:
username:
password:
grant_type: password
Header:
Content-Type: application/x-www-form-urlencoded
Authorization: BASIC
take note of the obtained access_token
Try to connect to Orion through http://localhost:5056/version with the following parameters:
Header:
X-auth-token:
You will obtain the following response:
AZF domain not created for application 91180bc9-43e8-4c14-ad45-0bb117e42e63
You appear to have a timing issue with your local set up. More specifically, it appears that the timing for docker-compose on your machine is not waiting for Keyrock to be available before the PEP Proxy times out.
There are multiple strategies for dealing with these issues, such as adding a wait in the start-up entrypoint, adding restart:true within the docker-compose file, amending the infrastructure or using some third-party script. A good list of strategies can be found in the answer here.
I am trying to subscribe a test user to a test room using the Ejabberd API. I am sure I just misconfigured something but I can't seem to find the issue.
I am running Ejabberd 16.09 and trying to use mod_http_api
My configuration is the following:
hosts:
  - "localhost"
  - "my.personal.host"

listen:
  -
    port: 5285
    module: ejabberd_http
    request_handlers:
      "/api": mod_http_api

acl:
  admin:
    user:
      - "@localhost"

modules:
  mod_muc:
    mam: true
    default_room_options:
      allow_subscription: true
    access:
      - allow
    access_admin:
      - allow: admin
    access_create: muc_create
    access_persistent: muc_create
  mod_muc_admin: {}
  mod_http_api:
    admin_ip_access: admin_ip_access_rule

api_permissions:
  "API used from localhost allows all calls":
    - who:
        - ip: "127.0.0.1/8"
    - what:
        - "*"
        - "!stop"
        - "!start"

access:
  admin_ip_access_rule:
    admin:
      - create_room
      - register
      - subscribe_room
I did successfully create a user test1 and a room testroom1 through the API. I then try to subscribe the user to that room by a POST with curl:
curl -X POST -H "Cache-Control: no-cache" -d '{"user":"test1@my.personal.host/something","nick":"test1","room":"testroom1@my.persoal.host","nodes":"urn:xmpp:mucsub:nodes:messages"}' "http://localhost:5285/api/subscribe_room"
And yet I get this response:
"Subscriptions are not allowed"
So what am I doing wrong?
Ohh, I found so many problems in your setup with just a quick look:
From what I know, mod_muc doesn't have an option called 'mam'
In the call, the room attribute has a spelling error when it says persoal.
Also, the room JID can't be "testroom1@my.persoal.host", it may be something like "testroom1@conference.my.personal.host"
Try creating the room with a user, then check it is configured correctly (has subscriptions allowed), then try to subscribe with another account. It worked for me with this call:
$ ejabberdctl subscribe_room test2@my.personal.host Test2 testroom1@conference.my.personal.host urn:xmpp:mucsub:nodes:messages
I typically configure my projects by setting configuration variables in vars/main.yml and rendering a subset of those out to JSON via to_nice_json.
Consider an example of the vars/main.yaml like the one below:
# Application Configuration Settings.
config:
  dev:
    # General Settings.
    logger_level: DEBUG
    # PostgreSQL Server Configuration Settings.
    sql_host: "localhost"
    sql_port: 5432
    sql_username: "someuser"
    sql_password: "somepassword"
    sql_db: "somedb"
which I render out via a Jinja2 template and the template module with the following content:
{{ config.dev | to_nice_json }}
Recently I tried to use Ansible Vault to encrypt the sensitive bits, e.g., the sql_password, through the encrypt_string command as such:
ansible-vault encrypt_string --vault-id .ansible-vault-password "somepassword" --name 'sql_password'
and inline the encrypted version directly in the YAML file like this:
# Application Configuration Settings.
config:
  dev:
    # General Settings.
    logger_level: DEBUG
    # PostgreSQL Server Configuration Settings.
    sql_host: "localhost"
    sql_port: 5432
    sql_username: "someuser"
    sql_password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      35383832623937353934636538306539623336633336643430396662323161333838333463653764
      3839653635326166303636643664333466376236626137310a323839373862626237643162303535
      35333966383834356239376566356263656635323865323466306362323864356663383661333262
      3165643733633262650a663363653832373936383033306137633234626264353538356630336131
      3063
    sql_db: "somedb"
However, when the to_nice_json filter is applied I get the following error:
fatal: [myrole]: FAILED! => {"changed": false, "msg": "AnsibleError: Unexpected templating type error occurred on ({{ config.dev | to_nice_json }}\n): somepassword' is not JSON serializable"}
As can be seen, the variable is properly decrypted but it errors out when serialising to JSON. If I wrap the inline vault variable in double quotes, however, the decryption doesn't happen and the resulting JSON contains the entire vault blob.
Am I missing something? Is this an issue with the to_nice_json filter or am I inlining it the wrong way?
As a workaround for such problems, extract the vaulted value to a separate variable (as opposed to a value of a key in a dictionary):
vars:
  my_sql_password: !vault |
    $ANSIBLE_VAULT;1.1;AES256
    5383832623937353934636538306539623336633336643430396662323161333838333463653764
    3839653635326166303636643664333466376236626137310a323839373862626237643162303535
    35333966383834356239376566356263656635323865323466306362323864356663383661333262
    3165643733633262650a663363653832373936383033306137633234626264353538356630336131
    3063
  # Application Configuration Settings.
  config:
    dev:
      # General Settings.
      logger_level: DEBUG
      # PostgreSQL Server Configuration Settings.
      sql_host: "localhost"
      sql_port: 5432
      sql_username: "someuser"
      sql_password: "{{ my_sql_password }}"
      sql_db: "somedb"
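A Python model of the failure above and of both ways out, added here as an illustration; it is not code from the question, the answer or Ansible itself. VaultedValue and fake_decrypt are constructed stand-ins for Ansible's vault wrapper object and its AES-256 decryption: json.dumps rejects the wrapper because it is not a str, a default= hook unwraps it, and the answer's separate-variable workaround sidesteps the problem by handing the dict a plain string.

```python
import json

class VaultedValue:
    """Constructed stand-in (not Ansible's own class) for a `!vault |` value: it
    decrypts on access but is not a str subclass, which is what json.dumps rejects."""
    def __init__(self, ciphertext, decrypt):
        self.ciphertext = ciphertext
        self._decrypt = decrypt

    @property
    def data(self):
        return self._decrypt(self.ciphertext)

    def __str__(self):
        return self.data

    def __repr__(self):
        return "<vaulted value>"  # keep plaintext out of tracebacks, unlike the question's error

# Constructed placeholder; real vault blobs are AES-256 ciphertext plus an HMAC.
CIPHERTEXT = "$ANSIBLE_VAULT;1.1;AES256;<placeholder>"
_FAKE_VAULT = {CIPHERTEXT: "somepassword"}

def fake_decrypt(ciphertext):
    return _FAKE_VAULT[ciphertext]

def load_config():
    """Mirrors config.dev from vars/main.yml with sql_password vaulted inline."""
    return {"logger_level": "DEBUG", "sql_host": "localhost", "sql_port": 5432,
            "sql_username": "someuser", "sql_db": "somedb",
            "sql_password": VaultedValue(CIPHERTEXT, fake_decrypt)}

def naive_render_fails(section):
    """What the failing template does: json.dumps over a dict holding the wrapper."""
    try:
        json.dumps(section, indent=4, sort_keys=True)
    except TypeError:
        return True
    return False

def unwrap_vaulted(obj):
    """json.dumps 'default' hook: emit the decrypted text for vault wrappers."""
    if isinstance(obj, VaultedValue):
        return obj.data
    raise TypeError(f"{obj!r} is not JSON serializable")

def render_unwrapped(section):
    return json.dumps(section, indent=4, sort_keys=True, default=unwrap_vaulted)

def render_via_separate_var(section, my_sql_password):
    """The answer's workaround: the vault value lives in its own variable and the
    dict references it as "{{ my_sql_password }}", so the dict already holds a
    plain str when it is serialised."""
    return json.dumps(dict(section, sql_password=str(my_sql_password)),
                      indent=4, sort_keys=True)
```

Note that the error message in the question echoes the decrypted password into the Ansible output; a wrapper whose repr hides the plaintext keeps that leak out of logs.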
Can someone please explain to me how to configure ejabberd REST API support? I could not find any sufficient resource regarding this.
I'm using Linux (Ubuntu 16.04), so till now I've done apt-get -y install ejabberd; please tell me whether there is any need to change the config file /etc/ejabberd/ejabberd.yml.
<pre>
listen:
  ## To handle ejabberd commands using XML-RPC
  -
    port: 4560
    module: ejabberd_xmlrpc
    access_commands: {}
  -
    port: 5280
    ## ip: "::"
    ip: "0.0.0.0"
    module: ejabberd_http
    request_handlers:
      "/websocket": ejabberd_http_ws
      # OAuth support:
      "/oauth": ejabberd_oauth
      # ReST API:
      "/api": mod_http_api
      ## "/pub/archive": mod_http_fileserver
    web_admin: true
    http_bind: true
    register: true
    captcha: true
    tls: false
    certfile: "/etc/ejabberd/ejabberd.pem"

# Allow OAuth authentication and token generation
commands_admin_access: configure
commands:
  - add_commands: [user, admin, open]
# Tokens are valid for a year as default:
oauth_expire: 31536000
oauth_access: all

api_permissions:
  - "admin access":
      - who:
          - admin
      - what:
          - "*"
          - "!stop"
</pre>
Well, I tried as given in the doc, but when I entered the user, server and password at
http://ipaddress:5280/oauth/authorization_token?response_type=token&client_id=localhost&redirect_uri=http://www.razrcorp.com/&scope=get_roster+sasl_auth
I can see "Authorization request: Application localhost wants to access scope get_roster sasl_auth",
but when I fill in the form with user test@localhost, server ipaddress, password test,
it redirects to http://ipaddress:5280/oauth/authorization_token with the response:
This page isn’t working
ipaddress didn’t send any data.
ERR_EMPTY_RESPONSE
If I check the logs it says:
2018-04-06 11:33:49.136 [error] <0.671.0> CRASH REPORT Process <0.671.0> with 0 neighbours crashed with reason: call to undefined function oauth2:authorize_password({<<"test@localhost">>,<<"35.18.18.32">>}, <<"localhost">>, <<"http://www.razrcorp.com/">>, [<<"get_roster">>,<<"sasl_auth">>], {password,<<"test">>})
You are missing the oauth2 modules in your installation. It seems the package you are using may be incorrect. Maybe you should try the ProcessOne packages: https://www.process-one.net/en/ejabberd/downloads/
They should be complete and contain all the required dependencies.