Management API authentication

Where do you specify the username/pw for updb tho?


updb value should be a string, I thought that I needed to put it in here; tried with no success. I guess it should be passed during the enrollment?

What kind of string value is expected in here?

I believe that string is the login username. You supply the password during enrollment.

Looks like there’s a problem with the openziti_edge_management package; when I import it, I get this error:

>>> import openziti_edge_management
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.8/dist-packages/openziti_edge_management/__init__.py", line 21, in <module>
    from openziti_edge_management.api.api_session_api import APISessionApi
  File "/usr/local/lib/python3.8/dist-packages/openziti_edge_management/api/__init__.py", line 4, in <module>
    from openziti_edge_management.api.api_session_api import APISessionApi
  File "/usr/local/lib/python3.8/dist-packages/openziti_edge_management/api/api_session_api.py", line 27, in <module>
    from openziti_edge_management.models.detail_api_session_envelope import DetailApiSessionEnvelope
  File "/usr/local/lib/python3.8/dist-packages/openziti_edge_management/models/__init__.py", line 23, in <module>
    from openziti_edge_management.models.api_session_detail import ApiSessionDetail
  File "/usr/local/lib/python3.8/dist-packages/openziti_edge_management/models/api_session_detail.py", line 25
    from openziti_edge_management.models.dict[str,_link] import Dict[str, Link]
                                             ^
SyntaxError: invalid syntax

@sabedevops Looks like there’s a problem with the generated code, I’ve made an issue for that: Import errors · Issue #1 · openziti-test-kitchen/openziti-edge-management-python · GitHub

Hey @arslane, I’ve pinned the generator image version to the latest release tag. Can you try again?

Yup, that fixed the error I previously had. But now, during authentication, I’m having:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "pydantic/decorator.py", line 40, in pydantic.decorator.validate_arguments.validate.wrapper_function
  File "pydantic/decorator.py", line 134, in pydantic.decorator.ValidatedFunction.call
  File "pydantic/decorator.py", line 206, in pydantic.decorator.ValidatedFunction.execute
  File "/home/ares/.local/lib/python3.8/site-packages/openziti_edge_management/api/authentication_api.py", line 81, in authenticate
    return self.authenticate_with_http_info(method, auth, **kwargs)  # noqa: E501
  File "pydantic/decorator.py", line 40, in pydantic.decorator.validate_arguments.validate.wrapper_function
  File "pydantic/decorator.py", line 134, in pydantic.decorator.ValidatedFunction.call
  File "pydantic/decorator.py", line 206, in pydantic.decorator.ValidatedFunction.execute
  File "/home/ares/.local/lib/python3.8/site-packages/openziti_edge_management/api/authentication_api.py", line 159, in authenticate_with_http_info
    _query_params.append(('method', _params['method'].value))
AttributeError: 'str' object has no attribute 'value'

Basically, in the file openziti_edge_management/api/authentication_api.py, it’s calling the .value property on a str object.

Test code:

from openziti_edge_management import (
    Configuration, ApiClient,
    AuthenticationApi, Authenticate,
)
import tempfile
import json

with open("/home/ares/dev/openziti/test-id.json") as f:
    identity_json = json.load(f)

ca_fp = tempfile.NamedTemporaryFile(buffering=0)
ca_fp.write(identity_json['id']['ca'].encode('UTF-8'))

cert_fp = tempfile.NamedTemporaryFile(buffering=0)
cert_fp.write(identity_json['id']['cert'].encode('UTF-8'))

key_fp = tempfile.NamedTemporaryFile(buffering=0)
key_fp.write(identity_json['id']['key'].encode('UTF-8'))

configuration = Configuration(
    host="https://localhost:1280/edge/management/v1",
    ssl_ca_cert=ca_fp.name
)
configuration.cert_file = cert_fp.name
configuration.key_file = key_fp.name

api_client = ApiClient(configuration)
api_auth = AuthenticationApi(api_client)
method = "cert"

auth = Authenticate()
session = api_auth.authenticate(method, auth=auth)
print(session.data.token)

Hey @arslane,

My apologies for the turmoil. I’ve reverted to the last version which includes their python-prior generator (which had been since removed in the latest-release version). In my article, I noted this was the best version at our time of testing. I was hoping the newer version would just work and avoid having to do partial rewrites in the future, but alas, their generated code seems to be problematic and unstable.

I will do more testing early tomorrow and post back. If you test now, and it works for you, please let me know.


@arslane With the new (old) version of the code, please try with this following test snippet:

"""@arslane test"""
from __future__ import absolute_import, annotations, division, print_function

import json
import tempfile

from openziti_edge_management import ApiClient, Configuration
from openziti_edge_management.api.authentication_api import AuthenticationApi
from openziti_edge_management.model.authenticate import Authenticate

with open("/home/ares/dev/openziti/test-id.json", encoding="UTF-8") as f:
    identity_json = json.load(f)

ca_fp = tempfile.NamedTemporaryFile(buffering=0)
ca_fp.write(identity_json['id']['ca'].encode('UTF-8'))

cert_fp = tempfile.NamedTemporaryFile(buffering=0)
cert_fp.write(identity_json['id']['cert'].encode('UTF-8'))

key_fp = tempfile.NamedTemporaryFile(buffering=0)
key_fp.write(identity_json['id']['key'].encode('UTF-8'))

configuration = Configuration(
    host="https://localhost:1280/edge/management/v1",
    ssl_ca_cert=ca_fp.name
)
configuration.cert_file = cert_fp.name
configuration.key_file = key_fp.name

api_client = ApiClient(configuration)
api_auth = AuthenticationApi(api_client)
method = "cert"

auth = Authenticate()
session = api_auth.authenticate(method, auth=auth)
print(session.data.token)

It’s waaay better now, I’m having this error:

urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='localhost', port=1280): Max retries exceeded with url: /edge/management/v1/authenticate?method=cert (Caused by SSLError(SSLError(9, '[SSL] PEM lib (_ssl.c:4046)')))

Does that mean it’s not using the cert as it should be?

Never mind, when looking at the extracted ca, cert and key they all looked like 'pem:-----BEGIN CERTIFICATE-----\.....'. I removed the pem: part and it’s working great now.
Thanks a lot!
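The `[SSL] PEM lib` failure above comes from handing OpenSSL the raw identity values, which carry a `pem:` prefix in front of the PEM text. The following is an added example, not code from this thread or from the openziti project: it parses an identity file, strips that prefix (and, as an assumption about the identity format, also accepts `file:` values that name a PEM file on disk), rejects anything that is not PEM, and writes the material to mode-0600 files that the generated client's `ssl_ca_cert`, `cert_file` and `key_file` settings can point at. The embedded identity JSON is constructed with placeholder PEM bodies, not real key material.

```python
"""Extract mTLS client material from an OpenZiti identity file.

Constructed sample identity: the PEM bodies are placeholders, not real keys.
"""
import json
import os
import tempfile

SAMPLE_IDENTITY_JSON = json.dumps({
    "ztAPI": "https://localhost:1280",
    "id": {
        "ca": "pem:-----BEGIN CERTIFICATE-----\nQ0EgUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n",
        "cert": "pem:-----BEGIN CERTIFICATE-----\nQ0VSVCBQTEFDRUhPTERFUg==\n-----END CERTIFICATE-----\n",
        "key": "pem:-----BEGIN EC PRIVATE KEY-----\nS0VZIFBMQUNFSE9MREVS\n-----END EC PRIVATE KEY-----\n",
    },
})

PEM_PREFIX = "pem:"
FILE_PREFIX = "file:"   # assumption: values may also reference a PEM file on disk


def decode_identity_value(value):
    """Return the PEM text for one ca/cert/key entry.

    'pem:' values carry the PEM inline (the prefix must be stripped, or OpenSSL
    fails with '[SSL] PEM lib'); 'file:' values name a PEM file. Anything else
    is rejected instead of being handed to the TLS layer as-is.
    """
    if value.startswith(PEM_PREFIX):
        pem = value[len(PEM_PREFIX):]
    elif value.startswith(FILE_PREFIX):
        with open(value[len(FILE_PREFIX):], encoding="utf-8") as fh:
            pem = fh.read()
    else:
        raise ValueError("unsupported identity value scheme: %r" % value[:16])
    if not pem.lstrip().startswith("-----BEGIN "):
        raise ValueError("identity value does not contain PEM data")
    return pem


def load_identity(identity_json):
    """Parse an identity file's JSON text into {'ztAPI', 'ca', 'cert', 'key'} with clean PEM."""
    identity = json.loads(identity_json)
    ident = identity["id"]
    return {
        "ztAPI": identity["ztAPI"],
        "ca": decode_identity_value(ident["ca"]),
        "cert": decode_identity_value(ident["cert"]),
        "key": decode_identity_value(ident["key"]),
    }


def write_identity_files(material, directory):
    """Write ca/cert/key to <directory>/client.<name> with mode 0600 and return the paths."""
    paths = {}
    for name in ("ca", "cert", "key"):
        path = os.path.join(directory, "client." + name)
        # Create the file closed to other users before the key material lands in it.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(material[name])
        paths[name] = path
    return paths


def roundtrip_check(identity_json):
    """Write the material to a temp dir, read it back and confirm it is clean, private PEM."""
    material = load_identity(identity_json)
    with tempfile.TemporaryDirectory() as tmp:
        paths = write_identity_files(material, tmp)
        for name, path in paths.items():
            with open(path, encoding="utf-8") as fh:
                on_disk = fh.read()
            if on_disk != material[name] or on_disk.startswith(PEM_PREFIX):
                return False
            if os.name == "posix" and (os.stat(path).st_mode & 0o077):
                return False
    return True


if __name__ == "__main__":
    material = load_identity(SAMPLE_IDENTITY_JSON)
    with tempfile.TemporaryDirectory() as tmp:
        paths = write_identity_files(material, tmp)
        # The generated client is then configured with these paths, e.g.:
        #   configuration = Configuration(host=material["ztAPI"] + "/edge/management/v1",
        #                                 ssl_ca_cert=paths["ca"])
        #   configuration.cert_file, configuration.key_file = paths["cert"], paths["key"]
        print(paths)
```

Using `ztAPI` from the identity file as the host (as the bash script later in the thread does with `jq '.ztAPI'`) avoids hard-coding the controller address next to the credentials.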

Looks like there’s another issue with AuthPolicyApi.

...
from openziti_edge_management.api.auth_policy_api import AuthPolicyApi
auth_policy_api = AuthPolicyApi(api_client)

auth_policy = auth_policy_api.list_auth_policies()

It throws:

raise ApiValueError(
openziti_edge_management.exceptions.ApiValueError: Invalid inputs given to generate an instance of 'AuthPolicyDetailAllOf'. The input data was invalid for the allOf schema 'AuthPolicyDetailAllOf' in the composed schema 'AuthPolicyDetail'. Error=Invalid type for variable 'allowed_signers'. Required value type is list and passed type was NoneType at ['received_data']['data']['value'][0]['primary']['ext_jwt']['allowed_signers']

Guess I’ll just use requests to do the API calls
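The ApiValueError above is the generated client enforcing the spec's list type on a field the controller returned as null. The following is an added example, not code from this thread or from the openziti project: it walks a raw response for exactly that class of deviation, renders the offending JSON paths in the same style as the client's error message (the detail a bug report needs), and can normalise the nulls to empty lists so the response stays consumable until the server-side fix lands. The response shape and its camelCase field names (`extJwt`, `allowedSigners`) are constructed assumptions mirroring the error path.

```python
"""Report, and optionally repair, null values where the API spec declares a list.

Constructed sample response; field names follow the error path in the thread
(allowed_signers under primary.ext_jwt) rendered in camelCase, an assumption.
"""
import json

SAMPLE_RESPONSE_JSON = json.dumps({
    "data": [
        {
            "id": "policy-placeholder-1",
            "name": "Default",
            "primary": {
                "cert": {"allowed": True},
                "extJwt": {"allowed": False, "allowedSigners": None},
                "updb": {"allowed": True},
            },
            # A nullable scalar: null here is fine and must not be reported.
            "secondary": {"requireExtJwtSigner": None},
        }
    ],
    "meta": {"pagination": {"limit": 10, "offset": 0, "totalCount": 1}},
})

# JSON paths the spec declares as arrays; "*" matches any list index.
LIST_FIELDS = (
    ("data", "*", "primary", "extJwt", "allowedSigners"),
)


def _matches(pattern, path):
    """True when a concrete path matches a pattern with "*" index wildcards."""
    if len(pattern) != len(path):
        return False
    for p, q in zip(pattern, path):
        if p == "*":
            if not isinstance(q, int):
                return False
        elif p != q:
            return False
    return True


def find_null_lists(payload, list_fields=LIST_FIELDS):
    """Return every JSON path where a spec-declared list field is null."""
    violations = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, path + (key,))
        elif isinstance(node, list):
            for index, item in enumerate(node):
                walk(item, path + (index,))
        elif node is None and any(_matches(p, path) for p in list_fields):
            violations.append(path)

    walk(payload, ())
    return violations


def format_path(path):
    """Render a path the way the client's error message does: ['data'][0]['primary']..."""
    return "".join("[%r]" % step for step in path)


def check_response(raw_json, list_fields=LIST_FIELDS):
    """Return rendered violation paths for a raw JSON response (empty when conformant)."""
    return [format_path(p) for p in find_null_lists(json.loads(raw_json), list_fields)]


def normalize_response_json(raw_json, list_fields=LIST_FIELDS):
    """Return a JSON copy with null list fields replaced by [] so a strict client can load it."""
    fixed = json.loads(raw_json)
    for path in find_null_lists(fixed, list_fields):
        parent = fixed
        for step in path[:-1]:
            parent = parent[step]
        parent[path[-1]] = []
    return json.dumps(fixed)


if __name__ == "__main__":
    for violation in check_response(SAMPLE_RESPONSE_JSON):
        print("spec violation: null where a list is required at", violation)
    print(check_response(normalize_response_json(SAMPLE_RESPONSE_JSON)))
```

Running the check against the raw body before deserialising keeps the generated client strict (which is what surfaced the bug) while giving you a precise path to quote in the issue.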

Hey @arslane, please afford me some time this morning to investigate before pivoting. The error above likely means that our API is not behaving in accordance with our own spec, but I need to set up a test case to validate what's going on.

Edit: I had similar issues when writing code using the openziti-edge-client-python package; most of them resulted in bug reports to one of the following:

Alright, let me know if you need more information

Hey @arslane, this did identify an issue in the API definition and behavior.

I filed this bug report in response: AuthPolicyDetail is incompatible with API response · Issue #41 · openziti/edge-api · GitHub

I’ll ping a colleague to get you unblocked as soon as possible.

As a matter of this process… when developing against the Edge client API, I also went through several iterations of these types of bug reports to get the API endpoints I cared about to behave in accordance with the spec. It was frustrating; however, it’s invaluable to the project to surface these types of issues so that this and generated clients for other languages work correctly. That being said, you’re breaking new ground with the management API client, so you may encounter other issues like these.

I’d encourage you to continue down this path if possible to keep the approach of the ansible collection consistent and because it’s useful to identify these pain spots.

@arslane I’ve made a temporary patch branch and regenerated the library to unblock you for now until the correct fixes are implemented. If any other issues come up soon, do let us know.

This should be fixed by: fix nil list on auth policy rest model, fixes #1584 by andrewpmartinez · Pull Request #1586 · openziti/edge · GitHub

You’ll have to update to the latest version of ziti to properly fix this or you can continue using the current version of the generated library on GH for now.

Great! That was fast haha. Thanks

Did something change on the authentication API? Because this exact same code used to work, now it doesn’t, it throws:

urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='localhost', port=1280): Max retries exceeded with url: /edge/management/v1/authenticate?method=cert (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1131)')))


Hey @arslane

Can you share any intermediary steps you took? Did this happen after upgrading your ziti components? We can isolate whether this is a ziti issue or a python generated library issue with the following bash script:

#!/usr/bin/env bash

set -o errexit
set -o nounset
set -o pipefail

ID_FILE="$1"
ZT_MGMT_API="$(jq --raw-output '.ztAPI' "$ID_FILE")/edge/management/v1"
ID_DIR="$(mktemp --quiet --directory)"

cleanup() {
    [ -d "$ID_DIR" ] && rm --recursive --force "$ID_DIR"
    echo "Cleaned up $ID_DIR"
}

trap cleanup EXIT

extractIdFromJson() {

    KEYS=("ca" "cert" "key")

    for key in "${KEYS[@]}"; do
        jq \
            --raw-output \
            --arg key "$key" \
            '.id | .[$key]' "$ID_FILE" > "$ID_DIR"/client."$key"
        echo "Extracted $ID_DIR/client.$key"
    done
}

zitiEdgeLoginTest() {

    curl -sSL \
        --cacert "$ID_DIR"/client.ca \
        --cert "$ID_DIR"/client.cert \
        --key "$ID_DIR"/client.key \
        --request POST \
        --header 'Content-Type: application/json' \
        --url "$ZT_MGMT_API/authenticate?method=cert"
}

main() {
    extractIdFromJson
    login_json="$(zitiEdgeLoginTest)"
    zt_session_token="$(jq --raw-output '.data.token' <<< "$login_json")"
    echo "token: $zt_session_token"
}

main

Just run as: bash test.sh [path_to_identity]

@arslane and @sabedevops this error seems consistent with the recent csdk (which the python sdk uses) switch to openssl. I published new quickstart containers last night and published a discourse post yesterday but it didn’t occur to me for some reason to expand it to other sdks in the title. I fixed that just now.

Could you have used a quickstart to deploy the network? Could you check the controller field as listed in the post here: PSA - quickstart change for latest tunnelers and c/python/swift/node sdk?