Testing Authorization.AllowAllAuthenticatedUsers

Open artgoldberg opened this issue 3 years ago • 3 comments

Hello Leaf folks

I'm running Leaf 3.11.1, and testing Authorization.AllowAllAuthenticatedUsers from 3.10. My appsettings.json contains:

  "Authentication": {
    "Mechanism": "SAML2",
  ...
  "Authorization": {
    "AllowAllAuthenicatedUsers": true,
    "Mechanism": "APPDB"
  }

When a user who authenticates against SAML2 logs in, she obtains: Authorized user cannot access

This is her record in leaf-api-20220714.log:

{"Timestamp":"2022-07-14T15:11:43.4321659-04:00","Level":"Error","MessageTemplate":"User is not authorized to use Leaf. Error:{Error} User:{user}","Properties":{"Error":"sheersha.kandwal is not a Leaf user.","user":"System.Security.Claims.ClaimsPrincipal","SourceContext":"API.Controllers.UserController","ActionId":"3a63e8b6-3184-4419-ad40-b19b630d4249","ActionName":"API.Controllers.UserController.GetUser (API)","RequestId":"0HMJ5OCL5TUJO:00000006","RequestPath":"/api/user","SpanId":"|8a6ebbe9-452fa5f59786db92.","TraceId":"8a6ebbe9-452fa5f59786db92","ParentId":"","ConnectionId":"0HMJ5OCL5TUJO","SessionId":null,"User":null}}

By contrast, here's one of my records in leaf-api-20220714.log:

{"Timestamp":"2022-07-14T17:10:34.8940569-04:00","Level":"Information","MessageTemplate":"Authorization was successful.","Properties":{"EventId":{"Id":1,"Name":"UserAuthorizationSucceeded"},"SourceContext":"Microsoft.AspNetCore.Authorization.DefaultAuthorizationService","ActionId":"36a63de9-6622-49dd-9cf4-406bd739cb62","ActionName":"API.Controllers.UserController.Refresh (API)","RequestId":"0HMJ5OCL5TUK6:0000002B","RequestPath":"/api/user/refresh","SpanId":"|8a6ebcfc-452fa5f59786db92.","TraceId":"8a6ebcfc-452fa5f59786db92","ParentId":"","ConnectionId":"0HMJ5OCL5TUK6","SessionId":"53a9e703-b561-4a08-b9ae-f1e3f8dbc58f","User":"[email protected]@urn:leaf:issuer:leaf.mssm.edu"}}

I am listed in auth.UserRole, but she is not.

ScopedIdentity      IsUser  IsAdmin  IsSuper  IsIdentified  IsFederated  Created  Updated
[email protected]   1       1        0        0             0            6/7/22   6/7/22

Your thoughts?

Thanks, Arthur

artgoldberg avatar Jul 14 '22 21:07 artgoldberg

Looks like there may be a typo in `"AllowAllAuthenicatedUsers": true`, where Authenticated is missing the second "t". Could that be the issue?

The AllowAllAuthenticatedUsers property is not required so if not present Leaf would not alert you at startup.

ndobb avatar Jul 14 '22 22:07 ndobb

@ndobb Good catch Nic, and argh!

Why argh? I had caught this error in the Leaf release page, and emailed you about it

From: "Goldberg, Arthur P"
Date: Sunday, May 29, 2022 at 10:02 AM
To: "Nicholas J. Dobbins"
Subject: Spelling correction

Hi Nic

On https://github.com/uwrit/leaf/releases s/AllowAllAuthenicatedUsers/AllowAllAuthenticatedUsers/.

but still got tripped up.

Actually, Authentic ... is spelled Authenic ... in two places on the Leaf release page.

Lastly, while you're right that errors are only raised when required properties are missing, errors (or warnings) could be raised about properties that are never used -- which would have caught this error.

Thanks Arthur

artgoldberg avatar Jul 15 '22 19:07 artgoldberg
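The check Arthur asks for above (warn about configuration keys that are never read) can be run against appsettings.json before deployment. This is an added example, not Leaf's own code; the list of known keys is assumed from the snippet in this issue only, not from Leaf's full configuration schema, and the sample appsettings fragment is constructed to reproduce the typo.

```python
import json
from difflib import get_close_matches

# Keys the Leaf options binder is expected to read, per section.
# ASSUMPTION: only the keys visible in this issue are listed; this is not
# Leaf's complete configuration schema.
KNOWN_KEYS = {
    "Authentication": {"Mechanism"},
    "Authorization": {"Mechanism", "AllowAllAuthenticatedUsers"},
}

# Constructed appsettings.json fragment reproducing the typo from the issue.
SAMPLE_APPSETTINGS = """
{
  "Authentication": { "Mechanism": "SAML2" },
  "Authorization": {
    "AllowAllAuthenicatedUsers": true,
    "Mechanism": "APPDB"
  }
}
"""


def find_unknown_keys(settings: dict) -> list[dict]:
    """Return one finding per key that option binding would silently ignore.

    Each finding names the section, the unrecognized key and, when a known
    key is close enough in spelling, the key the author probably meant.
    """
    findings = []
    for section, known in KNOWN_KEYS.items():
        for key in settings.get(section, {}):
            if key in known:
                continue
            close = get_close_matches(key, known, n=1, cutoff=0.8)
            findings.append({"section": section, "key": key,
                             "suggestion": close[0] if close else None})
    return findings


def check_appsettings(text: str) -> list[dict]:
    """Parse an appsettings.json document and report unknown keys."""
    return find_unknown_keys(json.loads(text))


def effective_allow_all_authenticated(text: str) -> bool:
    """Value the binder actually sees: a misspelled key falls back to the default (False)."""
    return bool(json.loads(text).get("Authorization", {}).get("AllowAllAuthenticatedUsers", False))


if __name__ == "__main__":
    for f in check_appsettings(SAMPLE_APPSETTINGS):
        hint = f" (did you mean {f['suggestion']!r}?)" if f["suggestion"] else ""
        print(f"warning: {f['section']}.{f['key']} is not a recognized setting{hint}")
```

With the sample above the check reports `Authorization.AllowAllAuthenicatedUsers` and suggests `AllowAllAuthenticatedUsers`, while the effective value stays False, which is exactly why the SAML2 user was rejected as "not a Leaf user".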

And, yes, using AllowAllAuthenticatedUsers fixes this problem.

artgoldberg avatar Jul 15 '22 20:07 artgoldberg