Closed Bug 571869 Opened 14 years ago Closed 14 years ago

always getting 403 errors when using bouncer_submitter

Categories

(Release Engineering :: General, defect, P2)

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: bhearsum, Assigned: wenzel)

Details

(Whiteboard: [bouncer][automation])

We've played around with the user configuration for 'ffxbld' and even if it has full permissions we get a 403 error back. Here's a log:
Adding product: Firefox-3.7a5
Locales: en-US
FAILED: Tuxedo API error. URL: https://bounceradmin.mozilla.com/api/product_add/
POST data: product=Firefox-3.7a5&languages=en-US
Traceback (most recent call last):
  File "tuxedo-add.py", line 143, in tuxedoRequest
    return urllib2.urlopen(request).read()
  File "/tools/python-2.5.1/lib/python2.5/urllib2.py", line 121, in urlopen
    return _opener.open(url, data)
  File "/tools/python-2.5.1/lib/python2.5/urllib2.py", line 380, in open
    response = meth(req, response)
  File "/tools/python-2.5.1/lib/python2.5/urllib2.py", line 491, in http_response
    'http', request, response, code, msg, hdrs)
  File "/tools/python-2.5.1/lib/python2.5/urllib2.py", line 418, in error
    return self._call_chain(*args)
  File "/tools/python-2.5.1/lib/python2.5/urllib2.py", line 353, in _call_chain
    result = func(*args)
  File "/tools/python-2.5.1/lib/python2.5/urllib2.py", line 499, in http_error_default
    raise HTTPError(req.get_full_url(), code, msg, hdrs, fp)
HTTPError: HTTP Error 403: FORBIDDEN
Priority: -- → P3
Whiteboard: [bouncer][automation]
Unless I am mistaken, the Tuxedo app never throws a 403 (only 400, 401, 404 and hopefully never 500). Please make sure there is no firewall problem or anything.
From the box in question, try sending an empty POST request using curl to that URL and see what happens (should be a 400 with a readable XML file as error). As I said, it is unlikely your request is actually reaching the app, since Bouncer doesn't currently issue 403 errors.
Looks like it's Django-related (CSRF verification failed):

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
  <meta http-equiv="content-type" content="text/html; charset=utf-8">
  <title>403 Forbidden</title>
</head>
<body>
  <h1>403 Forbidden</h1>
  <p>CSRF verification failed. Request aborted.</p>
  
  <p><small>More information is available with DEBUG=True.</small></p>

  
</body>
</html>
Argh. We can use csrf_exempt on the API, though then we should probably add an API key in order not to compromise security?
(In reply to comment #5)
> then we should probably add an
> API key in order not to compromise security?

...or disable CSRF checks by adding the @csrf_exempt decorator (if I understood correctly after skimming the docs) to API functions.

I'm OK with both solutions, but disabling CSRF is the "cheaper" one. :P
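Added example, not part of the original bug thread and not Tuxedo's or Django's code: a framework-free sketch of the trade-off discussed in the two comments above, where `/api/` POSTs skip the CSRF check but must carry an API key, while browser form posts keep a (simplified) CSRF check. The `X-API-Key` header, the `/product/add/` path, the key value and all function names are assumptions made for illustration.

```python
import hmac
import io
from urllib.parse import parse_qs

API_KEYS = {"ffxbld": "constructed-example-key"}  # constructed; load real keys from secret storage

def _eq(a, b):
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time comparison

def api_client(environ):
    """Name of the client whose key is in X-API-Key (assumed header), or None."""
    supplied = environ.get("HTTP_X_API_KEY", "")
    return next((name for name, key in API_KEYS.items() if _eq(supplied, key)), None)

def csrf_ok(environ, form):
    """Simplified double-submit check: cookie token must match the form token."""
    pairs = (c.strip().split("=", 1) for c in environ.get("HTTP_COOKIE", "").split(";") if "=" in c)
    cookie = dict(pairs).get("csrftoken", "")
    field = form.get("csrfmiddlewaretoken", [""])[0]
    return bool(cookie) and _eq(cookie, field)

def check(environ):
    """Return the HTTP status for a request before any view code runs."""
    if environ["REQUEST_METHOD"] in ("GET", "HEAD", "OPTIONS"):
        return "200 OK"
    size = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(size).decode())
    if environ["PATH_INFO"].startswith("/api/"):
        # CSRF-exempt: a script has no cookie or form token to present. A browser
        # will not attach X-API-Key to a forged cross-site form post, so the key
        # replaces the CSRF token as proof the caller meant to send this request.
        return "200 OK" if api_client(environ) else "401 Unauthorized"
    return "200 OK" if csrf_ok(environ, form) else "403 Forbidden"

def post(path, body, **headers):
    """Build a constructed WSGI environ for a form POST (sample input)."""
    raw = body.encode()
    env = {"REQUEST_METHOD": "POST", "PATH_INFO": path,
           "CONTENT_LENGTH": str(len(raw)), "wsgi.input": io.BytesIO(raw)}
    env.update(headers)
    return env

if __name__ == "__main__":
    data = "product=Firefox-3.7a5&languages=en-US"
    print(check(post("/api/product_add/", data)))  # script without a key
    print(check(post("/api/product_add/", data, HTTP_X_API_KEY="constructed-example-key")))
    print(check(post("/product/add/", data)))  # browser path without a token
```

Exempting the API path from CSRF without the key check would leave it protected only by whatever cookie or HTTP authentication the browser sends automatically, which is the case CSRF protection exists for.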
Is there any progress or plan to resolve this bug? We make a lot of mistakes adding bouncer entries manually. :)
Yes! Let me push this out, so you can try on staging.
Here you go:
http://github.com/fwenzel/tuxedo/commit/f3bad25

Please try it out on stage in a little while (that auto-updates, right? I don't remember :( ). If it works there, we can have IT push it to prod.
Assignee: nobody → fwenzel
Severity: normal → major
Status: NEW → ASSIGNED
OS: Mac OS X → All
Priority: P3 → P2
Depends on: 582267
(In reply to comment #9)
> Here you go:
> http://github.com/fwenzel/tuxedo/commit/f3bad25
> 
> Please try it out on stage in a little while (that auto-updates, right? I don't
> remember :( ). If it works there, we can have IT push it to prod.

Got the same error using the staging instance. Probably you should explicitly ask IT for an update.
Will do.
Depends on: 582502
Try again! :)
Staging tests passed. I have to fix my own code (client), see bug 582510 for the details.
Depends on: 582512
Should be resolved now. Thanks for the fix!
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Is there a bug for deploying the change to production?
bug 582512.
We're not getting the 403s anymore.
Status: RESOLVED → VERIFIED
Product: mozilla.org → Release Engineering