
Problem to compare AZF response and string 'Permit'

Open gabicavalcante opened this issue 9 years ago • 5 comments

I'm trying to make the Level 2 authorization using PEP, IdM and AZF.

I have created a REST web service that exposes one GET service 'service2/list'. I have created a permission to make a GET to the resource service2/list and a role 'developer', and associated the permission to the role 'developer'. I created a user too, and I assigned the 'developer' and 'provider' roles to my user.

I have changed the file /horizon/openstack_dashboard/local/local_settings.py to connect Keyrock with AuthZForce:

    ACCESS_CONTROL_URL = 'http://192.168.99.100:8080'
    ACCESS_CONTROL_MAGIC_KEY = 'undefined'

And my PEP configuration:

    config.azf = {
            enabled: true,
            protocol: 'http',
            host: '192.168.99.100',
            port: 8080,
            custom_policy: undefined // use undefined to default policy checks (HTTP verb + path).
    };

The call to the resource is intercepted by PEP, and initially it showed me an error:

    pep-proxy_1  | 2016-12-14 16:49:44.474  - INFO: IDM-Client - Checking token with IDM… 
    pep-proxy_1  | 2016-12-14 16:49:44.531  - INFO: AZF-Client - Checking auth with AZF...
    pep-proxy_1  | 2016-12-14 16:49:44.533  - INFO: AZF-Client - Checking authorization to roles [ 'c6653c957bc34b96be0e197b56bb17c1', 'provider' ] to do  GET  on  service2/list and app  9c3cb030636144abaca85ccfdd64c173
    pep-proxy_1  | 2016-12-14 16:49:44.534  - INFO: AZF-Client - Checking auth with AZF…  
    pep-proxy_1  | 2016-12-14 16:49:45.366  - ERROR: Root - User access-token not authorized:  User not authorized in AZF for the given action and resource

So I activated the debug in AuthZForce and checked that everything was working. Then I looked into the PEP files, and I found the file lib/azf.js:

    log.debug('Decision: ', decision);
    if (decision === 'Permit') {
            success();
    } else {
            error(401, 'User not authorized in AZF for the given action and resource');
    }

I activated the debug in PEP too, and I got this:

    pep-proxy_1  | 2016-12-16 21:16:31.684  - DEBUG: AZF-Client - AZF response status:  200
    pep-proxy_1  | 2016-12-16 21:16:31.684  - DEBUG: AZF-Client - AZF response:  <?xml version="1.0" encoding="UTF-8" standalone="yes"?><Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns2="http://authzforce.github.io/core/xmlns/pdp/5.0" xmlns:ns3="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:ns4="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6" xmlns:ns5="http://www.w3.org/2005/Atom"><Result><Decision>Permit</Decision></Result></Response>
    pep-proxy_1  | 2016-12-16 21:16:31.697  - DEBUG: AZF-Client - AZF response parsing result (JSON):  { Response: 
    pep-proxy_1  |    { '$': 
    pep-proxy_1  |       { xmlns: 'urn:oasis:names:tc:xacml:3.0:core:schema:wd-17',
    pep-proxy_1  |         'xmlns:ns2': 'http://authzforce.github.io/core/xmlns/pdp/5.0',
    pep-proxy_1  |         'xmlns:ns3': 'http://authzforce.github.io/rest-api-model/xmlns/authz/5',
    pep-proxy_1  |         'xmlns:ns4': 'http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6',
    pep-proxy_1  |         'xmlns:ns5': 'http://www.w3.org/2005/Atom' },
    pep-proxy_1  |      Result: [ [Object] ] } }
    pep-proxy_1  | 2016-12-16 21:16:31.698  - DEBUG: AZF-Client - AZF response parsing error ('null' means no error):  null
    pep-proxy_1  | 2016-12-16 21:16:31.699  - DEBUG: AZF-Client - Decision:  [ 'Permit' ]
    pep-proxy_1  | 2016-12-16 21:16:31.699  - ERROR: Root - User access-token not authorized:  User not authorized in AZF for the given action and resource

As you can see, we received 'Permit' as the response. After that I checked the type of decision, and I saw 'object'. In JavaScript, when === is used, the object type is different from the string type. So I changed the === to == and it worked. Another solution is to make a parser before comparing, to convert the object variable to a string.

gabicavalcante avatar Dec 16 '16 22:12 gabicavalcante

Thanks! Could you fix this in a PR?

aalonsog avatar Feb 09 '17 14:02 aalonsog

Hi @aalonsog, I'm testing pep-proxy with my own AuthZForce server and this problem has returned after the commit 939ff169634ba39b5f61853069d588955eec37e1. The main problem is that decision[0]==='Permit' compares 'P' with 'Permit'. The previous code works, so I ask why you added this change? SEC-1044 is unknown to me.

carlospg79 avatar Nov 16 '17 09:11 carlospg79
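The two failure modes described in this thread (an array-wrapped decision that never equals the string 'Permit' under `===`, and a later `decision[0]` check that compares 'P' with 'Permit' once the decision is already a string) both come from not normalising the parsed value before comparing it. The following is an added example, not pep-proxy's own code: it takes either the raw XACML response body or an xml2js-style parsed object (both constructed here to match the debug output quoted in the issue), unwraps the array nesting explicitly, and then applies a strict string comparison so that anything other than exactly `Permit` (Deny, NotApplicable, Indeterminate, a missing or malformed element) is treated as denied. The helper names `decisionFromXml`, `decisionFromParsed`, `unwrap`, `isPermit` and `authorize` are hypothetical.

```javascript
// Constructed sample: the response body from the issue's debug log
// (namespace declarations trimmed to the XACML one).
const SAMPLE_XML =
  '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>' +
  '<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">' +
  '<Result><Decision>Permit</Decision></Result></Response>';

// Constructed sample: the shape an xml2js-style parser produces for that
// body, with every child element wrapped in an array as the DEBUG lines show.
const SAMPLE_PARSED = {
  Response: {
    $: { xmlns: 'urn:oasis:names:tc:xacml:3.0:core:schema:wd-17' },
    Result: [{ Decision: ['Permit'] }],
  },
};

// Hypothetical helper: pull the text of the first <Decision> element out of a
// raw XACML response string. A real PEP would use its XML parser instead.
function decisionFromXml(xml) {
  const m = /<Decision>\s*([A-Za-z]+)\s*<\/Decision>/.exec(String(xml));
  return m ? m[1] : undefined;
}

// Unwrap nested single-element arrays until a non-array value is reached.
// More than one element is ambiguous, so fail closed by returning undefined.
function unwrap(value) {
  while (Array.isArray(value)) {
    if (value.length !== 1) return undefined;
    value = value[0];
  }
  return value;
}

// Hypothetical helper: extract the decision from an xml2js-style object.
function decisionFromParsed(parsed) {
  const response = parsed && parsed.Response;
  const result = unwrap(response && response.Result);
  return unwrap(result && result.Decision);
}

// The only value that grants access is the exact string 'Permit'.
function isPermit(decision) {
  return typeof decision === 'string' && decision === 'Permit';
}

// Accept either the raw XML body or the parsed object and return a boolean.
function authorize(azfResponse) {
  const decision = typeof azfResponse === 'string'
    ? decisionFromXml(azfResponse)
    : decisionFromParsed(azfResponse);
  return isPermit(decision);
}

// The three comparisons discussed in the thread, side by side.
function comparisonTable() {
  const arr = ['Permit'];
  return {
    strictArray: arr === 'Permit',           // false: the original bug
    looseArray: arr == 'Permit',             // true, but only via toString coercion
    indexOfString: 'Permit'[0] === 'Permit', // false: 'P' vs 'Permit', the regression
  };
}
```

Relying on `==` works only because `['Permit'].toString()` happens to be `'Permit'`; unwrapping the array explicitly and keeping `===` makes the intent visible and keeps every unexpected shape on the deny path.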

@aalonsog and @carlospg79, the error still persists for me, so I asked this; did you find a solution?

https://stackoverflow.com/questions/49684767/fiware-configure-authzforce-with-pep-proxy

joansrios avatar Apr 06 '18 03:04 joansrios

I checked your Stack Overflow question. What solved my problem is that in Keyrock you need to not use the admin user. For the admin user, all requests are forbidden. Also, AuthZForce 6.0.0 didn't work (at least for me), so I used the previous 5.4.0 version. I don't know if it can help you.

Last week a new Keyrock version was released, so maybe the best is to change to that version.

carlospg79 avatar Apr 09 '18 13:04 carlospg79

@carlospg79 what do you mean by the forbidden requests for the admin user? I'm using AuthZForce 5.4.1 and it didn't work.

joansrios avatar Apr 10 '18 10:04 joansrios