Access control

Vincent Ladeuil v.ladeuil+lp at free.fr
Wed Feb 28 17:31:48 GMT 2007 

>>>>> "Jeff" == Jeffrey Cunningham <jcunningham at medea.sea.boeing.com> writes:

    Jeff> Vincent Ladeuil wrote:
    >> 
    >> First, I was suspicious of the error message because in your
    >> previous mail you had cut the host, now I feel better (just a
    >> little ;).
    >> 
    >> I guess your apache server is somehow misconfigured and refuses
    >> to serve some files.
    >> 
    >> My suspect is '.bzr' but the '~' translation may also come into
    >> play.
    >> 
    Jeff> [jeff:password stands for the correct username:password, of
    Jeff> course, which I verified work in through a browser]
    >> 
    >> Thanks for that verification. From your various tests I suppose
    >> https is not an option for you ?

    Jeff> I could set it up. But how would it make anything different?

As urllib do not handle digest so far that would provide you with
a secured connection.

    Jeff> Users would still have to authenticate through some
    Jeff> mechanizm whether or not the stream was processed
    Jeff> through SSL or not. My understanding is that using SSL
    Jeff> would only encrypt things while in the pipe.

Including the basic authentication. And you will then obtain that
secured connection you're searching.

But anyway, we must solve that 400 problem first.

    >> 
    >> Also, are you able to browse ~jcunningham/docs/.bzr/branch-format
    >> itself ? What is its content ?

    Jeff> Yes. Here's what comes up in Mozilla:

    Jeff> Bazaar-NG meta directory, format 1

Correct. That means Apache accepts to serve '.bzr', that leaves
us with a '~' translation.

    >> Not yet, but if you could provide your $HOME/.bzr.log, anonymized
    >> as you see fit but I think it's ok as is.
    >> 

    Jeff> return code 3
    Jeff> bzr arguments: [u'branch',
    Jeff> u'http+pycurl://jeff:password@medea.sea.boeing.com/~jcunningham/docs']
    Jeff> looking for plugins in /home/jcunningham/lib/python/bzrlib/plugins
    Jeff> Plugin name __init__ already loaded
    Jeff> Plugin name __init__ already loaded
    Jeff> looking for plugins in /home/jcunningham/.bazaar/plugins
    Jeff> encoding stdout as sys.stdout encoding 'ANSI_X3.4-1968'
    Jeff> using pycurl libcurl/7.15.1 GnuTLS/1.4.4 zlib/1.2.3 libidn/0.5.15

<snip/>

    Jeff> "/home/jcunningham/lib/python/bzrlib/transport/http/_pycurl.py",
    Jeff> line 124, in _get
    Jeff>     return self._get_full(relpath)
    Jeff>   File
    Jeff> "/home/jcunningham/lib/python/bzrlib/transport/http/_pycurl.py",
    Jeff> line 167, in _get_full
    Jeff>     self._raise_curl_http_error(
    Jeff>   File
    Jeff> "/home/jcunningham/lib/python/bzrlib/transport/http/_pycurl.py",
    Jeff> line 223, in _raise_curl_http_error
    Jeff>     raise errors.InvalidHttpResponse(
    Jeff> InvalidHttpResponse: Invalid http response for
    Jeff> http://jeff:password@medea.sea.boeing.com/~jcunningham/docs/.bzr/branch-format:
    Jeff> Unable to handle http code 400: expected 200 or 404 for full
    Jeff> response.

Apache send us a 400 error code. The question is why.

    Jeff> return code 3
    Jeff> bzr arguments: [u'branch',
    Jeff> u'http+urllib://jeff:password@medea.sea.boeing.com/~jcunningham/docs']
    Jeff> looking for plugins in /home/jcunningham/lib/python/bzrlib/plugins
    Jeff> Plugin name __init__ already loaded
    Jeff> Plugin name __init__ already loaded
    Jeff> looking for plugins in /home/jcunningham/.bazaar/plugins
    Jeff> encoding stdout as sys.stdout encoding 'ANSI_X3.4-1968'
    Jeff> GET: [http://medea.sea.boeing.com/~jcunningham/docs/.bzr/branch-format]

Unambiguous.

<snip/>

    Jeff> "/home/jcunningham/lib/python/bzrlib/transport/http/_urllib2_wrappers.py",
    Jeff> line 777, in http_error_default
    Jeff>     'Unable to handle http code %d: %s'
    Jeff> InvalidHttpResponse: Invalid http response for
    Jeff> http://medea.sea.boeing.com/~jcunningham/docs/.bzr/branch-format:
    Jeff> Unable to handle http code 401: Authorization Required

Strange, if you use the basic auth, that should work not raise a 401.

    Jeff> return code 3
    Jeff> bzr arguments: [u'branch',
    Jeff> u'http://jeff:password@medea.sea.boeing.com/~jcunningham/docs']
    Jeff> looking for plugins in /home/jcunningham/lib/python/bzrlib/plugins
    Jeff> Plugin name __init__ already loaded
    Jeff> Plugin name __init__ already loaded
    Jeff> looking for plugins in /home/jcunningham/.bazaar/plugins
    Jeff> encoding stdout as sys.stdout encoding 'ANSI_X3.4-1968'
    Jeff> using pycurl libcurl/7.15.1 GnuTLS/1.4.4 zlib/1.2.3 libidn/0.5.15

Now that you have installed pycurl, it is selected as the default
implementation.

<snip/>

    Jeff> Thanks, Vincent.

Except for the 400 error code, nothing suspicious here.

Next step is to check the Apache logs to verify that we try to
get the same file than Mozilla.

You can also try to activate some debug:

- for urllib, in the file
  /home/jcunningham/lib/python/bzrlib/transport/http/_urllib2_wrappers.py
  edit the line 'DEBUG = 0' to 'DEBUG = 1'

- for pycurl, in the file
  /home/jcunningham/lib/python/bzrlib/transport/http/_pycurl.py
  search for a commented line '## curl.setopt(pycurl.VERBOSE, 1)'
  and delete the leading '## ', be careful to align that line
  with the others, python is strict about the lines alignment.

The output will be a bit verbose but will show all headers
exchanged between bzr and Apache, that may reveal something.

          Vincent

More information about the bazaar mailing list