Can't start Hunt because X-GRR-Unauthorized-Access-Reason doesn't contain a string
I tried to start a Hunt on a fresh GRR installation (3.3.0.0 on Ubuntu 16.04.6 LTS with relational DB). We have an approval workflow (“ApiCallRouterWithApprovalChecks”) in place that requires one admin to approve the action. When I press the “Play” button to start the hunt and click “Proceed” on the following modal, the operation fails.
Request:
Host: XXX
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: xxx
X-CSRFToken: xxx
Content-Type: text/plain;charset=UTF-8
Content-Length: 19
Authorization: Basic xxx
Connection: close
Cookie: csrftoken=xxx
{"state":"STARTED"}
Response:
Date: Tue, 02 Jul 2019 13:08:50 GMT
Server: WSGIServer/0.1 Python/2.7.12
Content-Type: text/plain
Content-Length: 59
Strict-Transport-Security: max-age=15768000
Cache-Control: max-age=0, no-store
Connection: close
A server error occurred. Please contact the administrator.
So I started to look in the debug log and changed line 180 in /usr/lib/python2.7/wsgiref/handlers.py
to
assert type(val) is StringType,"Header values must be strings but found {} for Header {}".format(type(val),name)
In order to get more verbose error logging. It resulted in:
Jul 2 13:50:12 osl-grr-admin grr_server[3666]: File "/usr/lib/python2.7/wsgiref/handlers.py", line 85, in run
Jul 2 13:50:12 osl-grr-admin grr_server[3666]: self.result = application(self.environ, self.start_response)
Jul 2 13:50:12 osl-grr-admin grr_server[3666]: File "/usr/share/grr-server/local/lib/python2.7/site-packages/werkzeug/wsgi.py", line 659, in __call__
Jul 2 13:50:12 osl-grr-admin grr_server[3666]: return app(environ, start_response)
Jul 2 13:50:12 osl-grr-admin grr_server[3666]: File "/usr/share/grr-server/local/lib/python2.7/site-packages/werkzeug/wsgi.py", line 40, in <lambda>
Jul 2 13:50:12 osl-grr-admin grr_server[3666]: return update_wrapper(lambda *a: f(*a)(*a[-2:]), f)
Jul 2 13:50:12 osl-grr-admin grr_server[3666]: File "/usr/share/grr-server/local/lib/python2.7/site-packages/werkzeug/wrappers.py", line 1229, in __call__
Jul 2 13:50:12 osl-grr-admin grr_server[3666]: start_response(status, headers)
Jul 2 13:50:12 osl-grr-admin grr_server[3666]: File "/usr/lib/python2.7/wsgiref/handlers.py", line 181, in start_response
Jul 2 13:50:12 osl-grr-admin grr_server[3666]: assert type(val) is StringType,"Header values must be strings but found {} for Header {}".format(type(val),name)
Jul 2 13:50:12 osl-grr-admin grr_server[3666]: AssertionError: Header values must be strings but found <class 'future.types.newbytes.newbytes'> for Header X-GRR-Unauthorized-Access-Reason
I’m guessing that GRR tries to determine if my non-admin user is authorized to perform that action and then adds the header which contains gibberish and throws the stack trace. If I just comment out the assertion, the regular workflow works again (the modal for requesting authorization opens and the hunt starts once authorization is granted).
I’ve seen that there were two bugfix releases meanwhile, but from the release notes, it seems that none addresses an issue that could be related to this one, so I expect that this is still happening in the current version.
Issue Analytics
- Created 4 years ago
- Comments:5
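The failure mode reported above, reproduced as an added example (not code from the issue or from GRR, and not the fix shipped in 3.3.0.4): wsgiref rejects any header value whose type is not exactly the native string type, and the client sees only the generic 500 body while the real cause lands in the server log. It runs on Python 3's wsgiref rather than the reporter's Python 2.7; `TaggedStr`, `denying_app`, `native_headers` and `serve_once`, the 403 status and the reason text are all assumptions made for the illustration.

```python
import io
from wsgiref.handlers import SimpleHandler


class TaggedStr(str):
    """Constructed stand-in for a string-like type that is not the native str."""


def denying_app(environ, start_response):
    # Hypothetical handler; status code and reason text are constructed.
    reason = TaggedStr("No approval found")
    start_response("403 Forbidden", [
        ("Content-Type", "text/plain"),
        ("X-GRR-Unauthorized-Access-Reason", reason),
    ])
    return [b"denied"]


def native_headers(app):
    """WSGI middleware: hand the server only exact-str header names and values."""
    def wrapped(environ, start_response):
        def checked(status, headers, exc_info=None):
            clean = []
            for name, val in headers:
                if isinstance(val, bytes):
                    val = val.decode("latin-1")
                clean.append((str(name), str(val)))  # str() drops the subclass
            return start_response(status, clean, exc_info)
        return app(environ, checked)
    return wrapped


def serve_once(app):
    """Run one request through wsgiref; return (raw response, server-side log)."""
    out, log = io.BytesIO(), io.StringIO()
    environ = {"REQUEST_METHOD": "POST", "SERVER_NAME": "localhost",
               "SERVER_PORT": "80", "PATH_INFO": "/",
               "SERVER_PROTOCOL": "HTTP/1.1"}
    SimpleHandler(io.BytesIO(), out, log, environ).run(app)
    return out.getvalue(), log.getvalue()


if __name__ == "__main__":
    for label, app in (("raw", denying_app),
                       ("wrapped", native_headers(denying_app))):
        raw, log = serve_once(app)
        print(label, raw.split(b"\r\n", 1)[0], "| traceback logged:", bool(log))
```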
Top GitHub Comments
Minor release containing the fix (3.3.0.4) is done.
Minor release is pending. Will update the issue when it’s done.