https://pact.io logo
#pact-python
Title
# pact-python
a

Abhi Nandan

03/28/2022, 5:26 AM
Hi, we have a polyglot scenario, where the consumer service is written in scala and the provider is written in python. We are able to publish the contract to the Pact Broker, however, on the provider side when we are trying to run the provider tests, it is throwing a
403
error. We are using the following command on the provider side
Copy code
pipenv run pact-verifier --provider-base-url=<http://localhost:8000> \
  --pact-url="<server_base_url>/pacts/provider/<provider>/consumer/<consumer>/latest" \
  --provider-app-version $VERSION \
  --pact-broker-username <pact_broker_user_name> \
  --pact-broker-password <pact_broker_pwd> \
  --publish-verification-results
Provider application is running in docker container on
port 8000
. The above command is working fine from the local dev system, however it fails from our CI (GitLab), with the following error -
Copy code
HTTP request failed: status=403 /usr/local/lib/python3.9/site-packages/pact/bin/pact/lib/vendor/ruby/2.2.0/gems/pact-support-1.17.0/lib/pact/consumer_contract/pact_file.rb:73:in `block in get_remote_with_retry'
on Pact Broker log found this -
Copy code
WARN -- : attack prevented by Rack::protection::IPSpoofing
nginx log shows the following -
Copy code
"GET /pacts/provider/<provider_name>/consumer/<consumer_name>/latest HTTP/1.1" 403 9 "-" "Ruby" "<http://xx.xxx.xx.xxx|xx.xxx.xx.xxx>"
can anyone please help us with what is wrong here?
b

Beth (pactflow.io/Pact Broker/pact-ruby)

03/28/2022, 5:36 AM
Just looking at the IP spoofing check code.
Copy code
def accepts?(env)
        return true unless env.include? 'HTTP_X_FORWARDED_FOR'
        ips = env['HTTP_X_FORWARDED_FOR'].split(/\s*,\s*/)
        return false if env.include? 'HTTP_CLIENT_IP' and not ips.include? env['HTTP_CLIENT_IP']
        return false if env.include? 'HTTP_X_REAL_IP' and not ips.include? env['HTTP_X_REAL_IP']
        true
      end
do you have ngnix in front of your broker?
a

Abhi Nandan

03/28/2022, 5:37 AM
yes
b

Beth (pactflow.io/Pact Broker/pact-ruby)

03/28/2022, 5:37 AM
your x-forwarded for headers may not be configured properly
On a side note, when you get this all working properly, you'll want to use "consumer version selectors" to select which pacts to verify, rather than a specific URL.
a

Abhi Nandan

03/28/2022, 5:39 AM
Thanks Beth, I will check this 👍
Hi @Beth (pactflow.io/Pact Broker/pact-ruby), I am using the default nginx configuration here -
Copy code
server {
  listen      443 ssl default_server;
  server_name localhost;
  ssl_certificate /etc/nginx/ssl/nginx-selfsigned.crt;
  ssl_certificate_key /etc/nginx/ssl/nginx-selfsigned.key;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ecdh_curve secp384r1;
  ssl_session_cache shared:SSL:10m;
  ssl_stapling on;
  ssl_stapling_verify on;

  location / {
      proxy_pass <http://pact-broker:9292>;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-Scheme "https";
      proxy_set_header X-Forwarded-Port "443";
      proxy_set_header X-Forwarded-Ssl "on";
      proxy_set_header X-Real-IP $remote_addr;
  }
}

server {
  listen      80 default_server;
  server_name localhost;

  location / {
      proxy_pass <http://pact-broker:9292>;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
  }
}
am I missing anything?
b

Beth (pactflow.io/Pact Broker/pact-ruby)

03/29/2022, 2:38 AM
nothing jumps out at me, but I'm not an ngnix expert
they look the same to me however
a

Abhi Nandan

03/29/2022, 2:41 AM
yeah, I checked this one, looks same, I will keep checking. Just wanted to confirm this is caused by nginx right and not by pact-broker?
b

Beth (pactflow.io/Pact Broker/pact-ruby)

03/29/2022, 2:42 AM
ngnix is my guess, but I would never entirely rule out the code.
a

Abhi Nandan

03/29/2022, 2:42 AM
let me try by removing the nginx and check if I still face the issue
👍🏼 1
b

Beth (pactflow.io/Pact Broker/pact-ruby)

03/29/2022, 2:42 AM
given you're the only one currently reporting this issue, my guess would be ngnix/other configuration issue.
👍 1
it's curious that it works from your dev machine but not CI
that to me suggests there's something between your CI and the PB that doesn't exist between you and the PB.
something that does some kind of header/network transform.
👍 1
@Abhi Nandan I've just released a config option in the broker that will allow you to log the requests and responses at debug level
👍 1
if the logs are full of SQL statements, set the sql_log_level to
none
👍 1
a

Abhi Nandan

03/31/2022, 11:03 AM
@Beth (pactflow.io/Pact Broker/pact-ruby) it was caused by the SSL error, which was fixed by replacing the SSL cert with a valid one, that's in our corp domain 👍
👍🏼 1
3 Views