403 error in Chrome when attempting to authenticate Cloud Run developer - google-cloud-run

Background:
I've got a project in Cloud Run with two services, both mapped to custom domains. The production site is mysite.com and the development site is dev.mysite.com. I deployed the development site with the --no-allow-unauthenticated flag to prevent public viewing. I want developers to be able to view the site in a browser though. Based on what I've read the "solution" Google currently has isn't great. You have to run the command gcloud auth print-identity-token to identify your Bearer token then use the ModHeader browser extension to modify the request header. The token is constantly changing and having ModHeader enabled to change the request header breaks authentication on other pages, so it is big PITA, but it works, mostly.
Question:
What doesn't work is having the development site load images from the Google Cloud Storage Bucket. Every resource which should be pulled from the bucket results in a 403 error for that resource, but the page loads fine otherwise. I'm the project owner (i.e. my email address is the "owner") and have admin rights on everything including the bucket in question. The bucket's Access Control is set to "Fine-grained: Object-level ACLs". When I deploy the project using the --allow-unauthenticated the images are accessible. Why isn't the bucket honoring my token?
Update:
I'm not 100% sure, but I think the issue might be related to the fact that ModHeader applies its rules to ALL open tabs. I tried another header modification extension named Requestly which allows rules to be targeted to specific URLs and now my development site is loading images as expected.

Related

SimpleSAMLphp as idp : Metadata not found

I am working on SSO authentification system using SAML2 protocol. Since i do not have the real IDP informations yet, i needed test environment so i used this docker image which worked like a charm. I am able to access it through localhost:8080 without any problem and also to log in with test account.
But then, when i try to log into my SP (the website i am working on), though i am well redirected to the idp at localhost:8080/simplesaml/saml2/idp/SSOService.php, i got an error telling me metadata not found. here is the stack trace :
SimpleSAML_Error_MetadataNotFound: METADATANOTFOUND('%ENTITYID%' => '\'\'')
Backtrace:
3 lib/SimpleSAML/Metadata/MetaDataStorageHandler.php:300 (SimpleSAML_Metadata_MetaDataStorageHandler::getMetaData)
2 lib/SimpleSAML/Metadata/MetaDataStorageHandler.php:320 (SimpleSAML_Metadata_MetaDataStorageHandler::getMetaDataConfig)
1 modules/saml/lib/IdP/SAML2.php:330 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
0 www/saml2/idp/SSOService.php:19 (N/A)
Did anybody ever faced the same one ? Because i don't really understand where SimpleSAMLphp try to get those metadata.
NOTE :
I am manually able to find metadata at localhost:8080/simplesaml/saml2/idp/metadata.php
It is an old project i am working for and it is a fork of symfony 1 so i can't use more recent plugins. So for SSO i use this plugin on service provider side.
Finally solved. The Authn Request i sent contained empty "issuer" field and this one was needed on idp side since simpleSAMLphp seemes to store SP Metadata in an array like Metdata['spName']. So of course their was no entry for the empty string as key.

Setting Up a Test Environment For an ASP.NET MVC3 Website

I've been working for a client's website over the past year. I usually test things locally and then deploy straight to the production website. This has caused us some issues lately so I thought I should create a test/staging environment in which we could thoroughly test new features before pushing them into production.
Anyway, we have a VPS hosting account. I usually use remote desktop to manage the website in IIS. So in order to create a test environment, I copy pasted the folder of the production website inside the same directory (so they are both at the same level) and changed the name of the folder. Then I created a new website in IIS and mapped the physical path to the httpdocs folder inside the copied folder. After that, I setup a new application pool which basically has the same settings of the production website's application pool. I also changed the connection string of the test website.
But then when I tried to view the test website, it did not work the way I expected it to do. I keep getting &ReturnUrl=%2f appended to the query string, and the website is stripped out of its styles (the CSS). I remember this used to happen before when we were still using a shared hosting account, but I have no idea how to fix that.
I really do not know what's wrong. I basically have the same exact setup except I'm using a different port and a different database. I even tried running the test website with the application pool of the production website, but that did not work either...
Any suggestions?
looks like permission problem to me, check if your user has correct privileges in the new folder/app pool :)

Make local development work with Facebook/Google APIs

I'm working on implementing omniauth into a Rails project. My problem is that the authentication providers - Twitter, Google, Facebook etc all require me to create an application with a url that limits authentication requests from anywhere other than the url. I need to be able to to test locally but also run code in production, but Facebook for example doesn't allow 2 domains and doesn't allow localhost anyhow.
So what are my options?
At work, we have multiple applications setup for the different environments. On local, add an entry in /etc/hosts (assuming you are on linux) eg: 127.0.0.1 mydomain.local.
On the facebook app setup for the local environment, add this as the url. Most things, except where facebook needs to scrape your site (Like buttons) work.
Here's a blog post with my solution: http://make.bettermistak.es/2012/05/03/how-to-create-a-local-sandbox-facebook-app/
Here's the relevant bit: "Facebook verifies that all requests for your app are coming from the right domain–they don’t allow requests from localhost or 127.0.0.1–and this info can be updated in your apps settings under Hosting URL. Add “local.herokuapp.com” to your Hosting URLs and save this setting. Then edit your /etc/hosts file so that local content is under the domain local.herokuapp.com. This file is hidden, so from the command line enter sudo vi /etc/hosts. (Substitute your favorite editor for vi.) We need to use sudo, because this file is locked. Add the line “127.0.0.1 local.herokuapp.com” below “127.0.0.1 localhost” and save and quit your text editor."
As far as I know, you must sing up two apps for you app.(one for remote side, one for local side)
Fortunately, there is a way to reduce the complication(Assuming you are working on linux):
You can configure you .bash_profile (local machine and remote machine separately):
export YOURAPP_APP_ID="XXXXX"
export YOURAPP_APP_SECRET="XXXXX"
And use ENV['YOURAPP_APP_ID'] and ENV['YOURAPP_APP_SECRET'] in your code.
For example, you can code like this in rails:
config.omniauth :facebook, ENV['YOURAPP_APP_ID'], ENV['YOURAPP_APP_SECRET']
By this way, you can use the same code in both local and remote side. It will be much easier for maintaining.
If you are using Heroku to host your application, you can refer to this page to config the environment variables.
I have created two apps on Facebook one of which i run in sandbox mode for development purposes. Would that be an option for you?

Performance point not working correctly in a SharePoint site

After running a script from the security team that changes files permissions and also isntalls some hotfixes, performance point stopped working on my SHarePoint site. The Dashboard Viewer web part does not show the background of a graph we use, and when adding a new web part of this kind into the page the image icon of it does not appear in the web part list.
Any idea of what folder I should give access to and what user? I believe it has to do with file permissions.
The error happened because UrlScan was installed on the server and Microsoft.PerformancePoint.Scorecards.WebParts directory contains dots in its name. I modified UrlScan config file to let it allow dots in the URL and it started working again.

How can I create a local user profile for the anonymous user of an ASP.Net MVC application under IIS 7?

I've been experimenting with ASP.Net MVC, and have come across a problem that is probably not specifically MVC related. But I cannot get the authentication in the default MVC application (the one created by the wizard when you create a new MVC project) to work properly under IIS 7 on Windows 7.
If I run under the Visual Studio environment, it works, but if I switch the settings to run under IIS instead, I get the following exception trying to submit the login or registration:
Failed to generate a user instance of
SQL Server due to failure in
retrieving the user's local
application data path. Please make
sure the user has a local user profile
on the computer. The connection will
be closed.
I believe that this is because the website runs under my own account in Visual Studio, but under the IUSR account in IIS. Google searches on the exception message have been unhelpful so far.
So, can one create a local user profile for the IUSR account? If so, how? Is there something else I should be doing to get the SQLExpress engine to work under the anonymous account in IIS 7?
I also tried configuring the IIS website to use my account, but since this is my home machine, my account doesn't have a password, and it appears that IIS won't let a website be configured to use an account without a password. Or, since this is my first experience with IIS 7, and configuration feels very different than IIS 5/6, I am just missing the right setting that will let me configure the account to use for anonymous access.
EDIT: Some additional information. If I empty the App_Data folder and try again from IIS, SQLExpress attempts to create my database and fails, but the exception message has further information with the following suggestions.
SQLExpress database file auto-creation
error:
The connection string specifies a
local Sql Server Express instance
using a database location within the
applications App_Data directory. The
provider attempted to automatically
create the application services
database because the provider
determined that the database does not
exist. The following configuration
requirements are necessary to
successfully check for existence of
the application services database and
automatically create the application
services database:
If the applications App_Data directory does not already exist, the
web server account must have read and
write access to the applications
directory. This is necessary because
the web server account will
automatically create the App_Data
directory if it does not already
exist.
If the applications App_Data directory already exists, the web
server account only requires read and
write access to the applications
App_Data directory. This is necessary
because the web server account will
attempt to verify that the Sql Server
Express database already exists within
the applications App_Data directory.
Revoking read access on the App_Data
directory from the web server account
will prevent the provider from
correctly determining if the Sql
Server Express database already
exists. This will cause an error when
the provider attempts to create a
duplicate of an already existing
database. Write access is required
because the web server accounts
credentials are used when creating the
new database.
Sql Server Express must be installed on the machine.
The process identity for the web server account must have a local user
profile. See the readme document for
details on how to create a local user
profile for both machine and domain
accounts.
I've pretty extensively confirmed that the first three suggestions have been satisfied. The fourth seems to be the cause of my problems, but I can't figure out how to do that. And although the suggestion claims there is a readme document that describes it, I have not been able to find that document.
I got this problem as well running under medium trust. The process that creates the database requires at least High trust. You can check this by looking in your Web.Config for
<trust level="TrustLevel" />
If there is no trust specified in your Web.Config, try adding it and set it to either Full or High. If this doesn't work, there is a machine.config in your IIS which you would need to modify.
That being said, the best route I have found to solve this is to just use aspnet_regsql.exe to create the necessary tables and then change the connection string in your Web.Config to look at it directly.
I solved "The directory 'LocalApplicationData' does not exist." error when running an SSIS package through an SQL Job by ensuring the SQL SSIS service and SQL Server Agent service were running under the same account as the swql job was set to use!
This in my case was a domain account.
Solution: Try UNINSTALLING any updates before you started experiencing the issue. I spent countless hours - wasted hours that I will never get back in my life - reading and following every solution possible without success. I uninstalled all SQL Server updates and now everything works fine.

Resources