Addon Configurator - Policy not fulfilled

I’m getting no auth header error. Policy not fulfilled is usually an SSL error I thought.

No auth header is directly related to some failure while authenticating. At the point where the authentication is checked you already have passed the IP-check. The only SSL errors you can get would be the usual warning that the certificate is somehow invalid, or you get a response / content that doesn’t match the protocol. Often times the browser then says something like “Empty response” or similar.

Oh crap! I just tried to update and it won’t update so I tried uninstalling and now it won’t reinstall.

Do you get any error messages? And maybe wait a few minutes. My PR has just been merged a few minutes ago. Maybe there are still some images that have to be created. I’m unsure about the prerequisites and how long it takes for an update to be successful. Sorry for the inconvenience.

sure. no worries. it was showing an update available. i’ll try again to install it in a bit

still won’t install…

I wonder if this is related… Hassio Docker/Addon Registry Broken?

Jup, that would be a valid explanation.

seems there are people on Discord with a store issue as well

and now it’s back and installed

OK I think I know one of the reasons for the error Daniel. If I click on open webui from the addon, it seems to be hardwired to port 3218 and my duckdns address but I’m using caddy and a different port number… It works in my iFrame…

This addon is driving me nuts, I’m trying to use it from outside the network, my config looks like this, so with everything very much left open:

image

I’m trying to access it via various PCs and mobile devices and every single one of them gives me this error:

INFO:2018-11-15 07:07:41,901:main:x.x.x.x - “GET / HTTP/1.1” 401 -
WARNING:2018-11-15 07:07:53,370:main:Client IP not within allowed networks.
INFO:2018-11-15 07:07:53,370:main:x.x.x.x - “GET / HTTP/1.1” 420 -
WARNING:2018-11-15 07:07:53,754:main:Client IP banned.

Who is doing the banning if all the above stuff is disabled?? In the browser I just get asked for the password and get a Policy Not Fulfilled message every time.

That’s the problem. You have to add “0.0.0.0/0” to your list of allowed networks. With the allowed networks empty you either have to use the sesame or sesame_totp_secret options to whitelist your client IP. Using the sesame feature adds security, because without it an attacker would have direct access and could brute force the credentials.

But 0.0.0.0/0 is what I tried before and it still didn’t work…in any case, I installed the Cloud9-based IDE addon and am a happy camper, it worked flawlessly without any config required except for the port forwarding :slight_smile:

@danielperna84, can the ‘sesame_totp_secret’ be used in combination with Hassio and configurator plugin (I assume so)? What will the configuration look like? I’ve got this working for the ‘sesame’ but this seems to always end up in a ‘Policy not fulfilled’ page.

What I’ve done so far is change the plugin config with the following:

"sesame_totp_secret":"C00LIcanaccessthisnow"

And created a password (manually) with the same string in the google authenticator.
Opening the web page with the ‘sesame_totp_secret’ string, the google authenticator time code or a combination of both does not work.

btw, the following two different network configurations return me this error:

__main:Invalid value for ALLOWED_NETWORKS. Using empty list.

 "allowed_networks": [""],
 "allowed_networks": ["192.168.1.1/8"],

Any idea why I can’t use an empty list (as suggested earlier in your posts) or white list my internal network range?

Thanks!

Well, what should work would be something like https://yourdomain.com/path/to/configurator/123456, where 123456 is the code from the authenticator.
When you get a “policy not fulfilled” error, there will also be an error in the log of the configurator that tells you the exact reason. That’s what we need to know.

Those are both incorrect values for the allowed networks. An empty list would be just [], and assuming your private network is 192.168.1.x, the correct value would be 192.168.1.0/24.
Although with hassio I believe the network actually has to be 172.30.0.0/16, which is the internal network hassio is using. Add that to the list and keep the 192.168.1.0/24 as well.

I did try this as well (forgot to mention in previous post); the result however is the same (Invalid value…)

At this point I get an ‘empty response’ and the configurator logging is showing me the below:

----------------------------------------
----------------------------------------
Exception happened during processing of request from ('192.168.1.1', 52705)
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/socketserver.py", line 651, in process_request_thread
    self.finish_request(request, client_address)
  File "/usr/local/lib/python3.6/socketserver.py", line 361, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/local/lib/python3.6/socketserver.py", line 721, in __init__
    self.handle()
  File "/usr/local/lib/python3.6/http/server.py", line 418, in handle
    self.handle_one_request()
  File "/usr/local/lib/python3.6/http/server.py", line 406, in handle_one_request
    method()
  File "/configurator.py", line 4708, in do_GET
    super().do_GET()
  File "/configurator.py", line 3721, in do_GET
    if TOTP and TOTP.verify(chunk):
  File "/usr/local/lib/python3.6/site-packages/pyotp/totp.py", line 68, in verify
    return utils.strings_equal(str(otp), str(self.at(for_time)))
  File "/usr/local/lib/python3.6/site-packages/pyotp/totp.py", line 35, in at
    return self.generate_otp(self.timecode(for_time) + counter_offset)
  File "/usr/local/lib/python3.6/site-packages/pyotp/otp.py", line 33, in generate_otp
    hasher = hmac.new(self.byte_secret(), self.int_to_bytestring(input), self.digest)
  File "/usr/local/lib/python3.6/site-packages/pyotp/otp.py", line 50, in byte_secret
    return base64.b32decode(self.secret, casefold=True)
  File "/usr/local/lib/python3.6/base64.py", line 246, in b32decode
    raise binascii.Error('Incorrect padding')
binascii.Error: Incorrect padding
----------------------------------------
----------------------------------------

Hhmm, don’t know why that is happening. People usually at least have their local network whitelisted by default, so this problem doesn’t get to the surface usually.

That indicates that the secret you are using is not valid base32. You can use this tool to convert your secret into base32 (leave out the possible equal-signs). That’s also what you have to enter in the authenticator app.

1 Like
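The two configuration errors discussed above (the "Invalid value for ALLOWED_NETWORKS" warning and the "Incorrect padding" traceback) can be caught before restarting the add-on. This is an added example, not code from the thread or from the configurator: the function names and the sample base32 secret are constructed, it assumes strict CIDR parsing with Python's `ipaddress` module, and the secret check uses the `base64.b32decode` call shown in the traceback.

```python
import base64
import binascii
import ipaddress

def check_network(value):
    """Return (network, None) for a valid CIDR network, else (None, reason)."""
    try:
        return ipaddress.ip_network(value), None  # strict: host bits must be zero
    except ValueError as exc:
        hint = ""
        try:
            # Host bits set (e.g. 192.168.1.1/8): show what it would normalize to.
            hint = " (normalizes to %s)" % ipaddress.ip_network(value, strict=False)
        except ValueError:
            pass  # not an address at all, e.g. the empty string
        return None, "%r: %s%s" % (value, exc, hint)

def check_totp_secret(secret):
    """Return None if the secret decodes as base32, else the reason it does not."""
    try:
        base64.b32decode(secret, casefold=True)  # same call as in the traceback
        return None
    except (binascii.Error, ValueError) as exc:
        return "sesame_totp_secret is not valid base32: %s" % exc

def validate(config):
    """Return (parsed networks, list of problems) for an add-on config dict."""
    networks, problems = [], []
    for value in config.get("allowed_networks", []):
        net, reason = check_network(value)
        if net is not None:
            networks.append(net)
        else:
            problems.append("allowed_networks " + reason)
    secret = config.get("sesame_totp_secret")
    if secret:
        reason = check_totp_secret(secret)
        if reason:
            problems.append(reason)
    return networks, problems

def client_allowed(client_ip, networks):
    """True if client_ip falls inside any of the parsed networks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in networks)

# Values quoted in the thread, followed by a corrected config (secret is constructed).
BAD = {"allowed_networks": ["", "192.168.1.1/8"],
       "sesame_totp_secret": "C00LIcanaccessthisnow"}
GOOD = {"allowed_networks": ["192.168.1.0/24", "172.30.0.0/16"],
        "sesame_totp_secret": "GEZDGNBVGY3TQOJQ"}

if __name__ == "__main__":
    for name, cfg in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, validate(cfg)[1])
```
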

Thanks for helping out; works like a charm! :slight_smile:

Try to restart the configurator addon and check the log; you should find an IP inside.
Copy it
and paste it in allowed networks and restart the configurator addon. It will work.
Note: don’t forget to update the addon

hope it works good

Um… well it’s worked fine since last June…

Could anyone point me in the right direction here? My Configurator add-on doesn’t work and hasn’t for some time. I couldn’t figure out why so I just left it. I can see all of the files, but can’t see any code in them. Where should I look first to try and resolve this? This is what I see instead of the code; is it something to do with the ‘._’ before the configuration.yaml?