Problem in interaction between IdM, PEP and AuthZForce
Created by: AnotherCodeArtist
There's apparently a problem in the interaction between IdM, AuthZForce and probably PEP. Since I cannot tell which component is the actual troublemaker, I've filed an issue at the IdM project as well, so please see that issue for a detailed description. I cannot see any rules in the PAP that correspond to the roles I have defined in IdM, although the IdM creates a valid domain.
As mentioned in the other issue, authentication between my client app and the IdM works perfectly fine. But whenever PEP tries to perform the authorization, things go terribly wrong.
Here again is the log from PEP:
2016-08-18 11:32:30.971 - INFO: IDM-Client - Checking token with IDM...
2016-08-18 11:32:31.001 - INFO: AZF-Client - Checking auth with AZF...
2016-08-18 11:32:31.002 - INFO: AZF-Client - Checking authorization to roles [ 'provider', '4db71b9d39d340f387585ed832c28c78' ] to do GET on v2/entities and app 6806127773ae47fdb777886585358543
2016-08-18 11:32:31.002 - INFO: AZF-Client - Checking auth with AZF...
2016-08-18 11:32:31.006 - ERROR: Server - Caught exception: Error: There are errors in your xml file: syntax error
Wireshark revealed the following:
PEP first checks the token with the IdM
Frame 43: 142 bytes on wire (1136 bits), 142 bytes captured (1136 bits) on interface 0
Ethernet II, Src: AsustekC_86:b6:ea (d8:50:e6:86:b6:ea), Dst: Apple_1f:46:33 (c8:2a:14:1f:46:33)
Internet Protocol Version 4, Src: 10.12.200.84, Dst: 10.12.200.247
Transmission Control Protocol, Src Port: 41769 (41769), Dst Port: 8000 (8000), Seq: 1449, Ack: 1, Len: 76
Source Port: 41769
Destination Port: 8000
[Stream index: 2]
[TCP Segment Len: 76]
Sequence number: 1449 (relative sequence number)
[Next sequence number: 1525 (relative sequence number)]
Acknowledgment number: 1 (relative ack number)
Header Length: 32 bytes
Flags: 0x018 (PSH, ACK)
Window size value: 1369
[Calculated window size: 87616]
[Window size scaling factor: 64]
Checksum: 0x98a7 [validation disabled]
Urgent pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
[SEQ/ACK analysis]
TCP segment data (76 bytes)
[2 Reassembled TCP Segments (1524 bytes): #42(1448), #43(76)]
Hypertext Transfer Protocol
GET /user?access_token=lH15kS8pSCV1wGFf57lp1zYMAsBTuw HTTP/1.1\r\n
[Expert Info (Chat/Sequence): GET /user?access_token=lH15kS8pSCV1wGFf57lp1zYMAsBTuw HTTP/1.1\r\n]
Request Method: GET
Request URI: /user?access_token=lH15kS8pSCV1wGFf57lp1zYMAsBTuw
Request Version: HTTP/1.1
Host: 10.12.200.247:8000\r\n
Connection: keep-alive\r\n
User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; Nexus 7 Build/MOB30P; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\r\n
Accept: */*\r\n
Accept-Encoding: gzip, deflate\r\n
Accept-Language: en-US\r\n
[truncated]Cookie: csrftoken=nfAqXttUUjNygfpWdWUBD7DrbANdRstQ; sessionid=".eJyFU8tu3DYUdcdjjyPHdmK3zbOp0yau3MeYpKhXVkWbVQp4kZaINsaAL1lyZqS5I8qoFwKSTYD-Q3-jX9Af6bZ_EUojt4OiQKCFyHvPuee--GbQwEcu262LSpZzrSamfK0LdigUFUJpFCqCaRr4QqBQIyEI9rXSCrF
X-Requested-With: com.ionicframework.myfiwareclient357647\r\n
\r\n
[Full request URI: http://10.12.200.247:8000/user?access_token=lH15kS8pSCV1wGFf57lp1zYMAsBTuw]
[HTTP request 1/1]
Then the IdM provides the necessary information about the AZF domain:
HTTP/1.0 200 OK
Date: Thu, 18 Aug 2016 11:32:19 GMT
Server: WSGIServer/0.1 Python/2.7.6
Vary: Accept-Language, Cookie
X-Frame-Options: SAMEORIGIN
Content-Type: application/json
Content-Language: en
Set-Cookie: sessionid=".eJyFU8tu3DYUdcdjjyPHdmK3zbOp0yau3MeYpKhXVkWbVQp4kZaINsaAL1lyZqS5I8qoFwKSTYD-Q3-jX9Af6bZ_EUojt4OiQKCFyHvPuee--GbQwEcu262LSpZzrSamfK0LdigUFUJpFCqCaRr4QqBQIyEI9rXSCrFRXenFJFfJaG1t7aLMClVqGLDthT7Py2JS8Jk-ZTsTXpts0kOzAdvr3bpQ8zIvTHLfsjNj5s9OTjAJx8h--Jnne354cumdwDrbs9zLXOpqsqQmm5bx85znBYEh218REFza1BU7snUUlbG3zjnu7eOf9FVlykL_0ON2prwyEy5Nfpmbqxd__v7HK7bRlS__E6EN7_zSehzYOH4Lmw2MXLapyplNA7YauOGyQa7AOWXDtnDYPq3Zbp_4j9zwaXkON89gp4FdN7lhC7iuvzqDPbeBW26ybq31Ygq3s_UOYZ16kXKpYT_Zur4XfNrVv2wFHGTDDts31Wbw8Up7kkFLU_BJcmgPGPu-FwYi8r2Aklhy6hNClY-8iFKJeN3Ap252-wMDyfaTDQvgapYX2cGKWLaqnC0lqeIhkgRFAeEUqUikfojaJEgYEx4IK3mnlbz3f5I-QqhXbAPPazHN5Ycl7WqGItXaDxXlSkYxkphEXNoiI-GRWidDCzNXc73sqtKFsdO_pqdxEFKCYs82KUUxj1KayhB5KVECyyW5m_Ddjv66X6mas41FOdUV3DuD-w08cPuAoUSppwIUehGmOhUiCFI_DrEkMfalr7O7__bTBtntFnm5V-04H3avS-mU11MDn7Fbq_4uj0cd4nmP-JyN9K_zfGETOZSKG23ymXb-OcBj5oz-2tq_-dBZ__s3mVdlFCA87v8OM9KBL45fwpfvXsITNpovygstDTxt4MjNnGS7a9hscm3_Ktvu1tbawK3ZsE0Ojhv42oKzgXW2hAv1vdGVGctyVneP5Bt2iGIU45TjgGNBhd3AIOICpxGNcEQJxfAt2zS64IWB77KjWtTj9wRqWnM:1baLYZ:YyDjkSAR3VR82PFrrTF29kTd5zE"; httponly; Path=/
{"organizations": [], "displayName": "johndoe", "roles": [{"name": "Provider", "id": "provider"}, {"name": "Restaurant-Viewer", "id": "4db71b9d39d340f387585ed832c28c78"}], "app_id": "6806127773ae47fdb777886585358543",
"email": "jd@test.com", "id": "johndoe", "app_azf_domain": "-XUmQmUdEeatWgJCrBEABg"}
After this I cannot make out a valid HTTP request sent from PEP to AZF; nevertheless, the following response pops up:
Frame 67: 200 bytes on wire (1600 bits), 200 bytes captured (1600 bits) on interface 9
Null/Loopback
Internet Protocol Version 4, Src: 10.12.200.247, Dst: 10.12.200.247
Transmission Control Protocol, Src Port: 8282 (8282), Dst Port: 62035 (62035), Seq: 1, Ack: 329, Len: 144
Source Port: 8282
Destination Port: 62035
[Stream index: 3]
[TCP Segment Len: 144]
Sequence number: 1 (relative sequence number)
[Next sequence number: 145 (relative sequence number)]
Acknowledgment number: 329 (relative ack number)
Header Length: 32 bytes
Flags: 0x018 (PSH, ACK)
Window size value: 12749
[Calculated window size: 407968]
[Window size scaling factor: 32]
Checksum: 0xa6bd [validation disabled]
Urgent pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
[SEQ/ACK analysis]
Hypertext Transfer Protocol
HTTP/1.1 400 Bad Request\r\n
[Expert Info (Chat/Sequence): HTTP/1.1 400 Bad Request\r\n]
Request Version: HTTP/1.1
Status Code: 400
Response Phrase: Bad Request
Server: Apache-Coyote/1.1\r\n
Transfer-Encoding: chunked\r\n
Date: Thu, 18 Aug 2016 11:32:31 GMT\r\n
Connection: close\r\n
\r\n
[HTTP response 1/1]
HTTP chunked response
End of chunked encoding
Chunk size: 0 octets
\r\n
So maybe there's something wrong with the request sent from PEP. Nevertheless, could you please check whether the XML stored in AZF looks OK (https://github.com/ging/fiware-idm/issues/70)?
The permissions for role "Restaurant-Viewer" should be "GET", "/v2/entities".
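Added example, not code from the issue or from the Wilma PEP, IdM or AuthZForce projects: a small Python script that reproduces the two hops seen in the capture offline. It parses the IdM /user JSON quoted above (embedded here as a constructed constant), builds a XACML 3.0 Request in the standard core-schema form with one subject-id attribute per role plus resource-id and action-id (the exact attribute layout the real PEP sends is an assumption), checks that the result is well-formed before it would be sent, and classifies an AuthZForce reply by HTTP status before touching its body as XML, so an empty 400 like frame 67 is reported as such instead of surfacing as a bare "syntax error". No network calls are made; the AZF URL and domain path are not needed for the check.

```python
import json
import xml.etree.ElementTree as ET

# Constructed from the IdM /user response quoted in the issue (not a live call).
IDM_USER_RESPONSE = (
    '{"organizations": [], "displayName": "johndoe", '
    '"roles": [{"name": "Provider", "id": "provider"}, '
    '{"name": "Restaurant-Viewer", "id": "4db71b9d39d340f387585ed832c28c78"}], '
    '"app_id": "6806127773ae47fdb777886585358543", '
    '"email": "jd@test.com", "id": "johndoe", "app_azf_domain": "-XUmQmUdEeatWgJCrBEABg"}'
)

# XACML 3.0 core schema identifiers (OASIS standard URNs).
XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"
CAT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
CAT_RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
CAT_ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ATTR_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ATTR_RESOURCE = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ATTR_ACTION = "urn:oasis:names:tc:xacml:1.0:action:action-id"


def parse_idm_user(body):
    """Pull out what the PEP needs from the IdM /user JSON: role ids, app id, AZF domain."""
    data = json.loads(body)
    return {
        "roles": [r["id"] for r in data["roles"]],
        "app_id": data["app_id"],
        "azf_domain": data["app_azf_domain"],
    }


def _add_attribute(attributes, attr_id, value):
    # ElementTree escapes the text, so a role id containing '<' or '&' cannot break the document.
    attr = ET.SubElement(attributes, "{%s}Attribute" % XACML_NS,
                         AttributeId=attr_id, IncludeInResult="false")
    ET.SubElement(attr, "{%s}AttributeValue" % XACML_NS, DataType=XSD_STRING).text = value


def build_xacml_request(roles, resource, action):
    """Build a XACML 3.0 <Request>: one subject-id per role, plus resource-id and action-id.
    The mapping of roles/resource/action onto these attributes is an assumption about the PEP."""
    ET.register_namespace("", XACML_NS)
    req = ET.Element("{%s}Request" % XACML_NS, CombinedDecision="false", ReturnPolicyIdList="false")
    subj = ET.SubElement(req, "{%s}Attributes" % XACML_NS, Category=CAT_SUBJECT)
    for role in roles:
        _add_attribute(subj, ATTR_SUBJECT, role)
    res = ET.SubElement(req, "{%s}Attributes" % XACML_NS, Category=CAT_RESOURCE)
    _add_attribute(res, ATTR_RESOURCE, resource)
    act = ET.SubElement(req, "{%s}Attributes" % XACML_NS, Category=CAT_ACTION)
    _add_attribute(act, ATTR_ACTION, action)
    return ET.tostring(req, encoding="unicode")


def check_well_formed(xml_text):
    """Return (True, None) if xml_text parses as XML, else (False, parser message)."""
    try:
        ET.fromstring(xml_text)
        return True, None
    except ET.ParseError as exc:
        return False, str(exc)


def interpret_azf_response(status, body):
    """Classify an AZF reply before parsing its body, so a 400 with an empty chunked body
    (as in frame 67) is reported as an HTTP error rather than as an XML syntax error."""
    if status != 200:
        return {"decision": None,
                "error": "AZF returned HTTP %d with a %d-byte body" % (status, len(body))}
    ok, reason = check_well_formed(body)
    if not ok:
        return {"decision": None, "error": "AZF body is not well-formed XML: " + reason}
    decision = ET.fromstring(body).find(".//{%s}Decision" % XACML_NS)
    return {"decision": decision.text if decision is not None else None, "error": None}


if __name__ == "__main__":
    info = parse_idm_user(IDM_USER_RESPONSE)
    # Resource kept exactly as the PEP logged it ("v2/entities", no leading slash).
    request_xml = build_xacml_request(info["roles"], "v2/entities", "GET")
    print("request well-formed:", check_well_formed(request_xml))
    print(request_xml)
    print(interpret_azf_response(400, ""))
```

Two things worth noticing when running it against the data on this page: the roles extracted from the IdM JSON are exactly the two ids the PEP logged, and the PEP log says "GET on v2/entities" while the intended permission is "/v2/entities", so the resource string is passed through unchanged here to keep that difference visible. The `interpret_azf_response` branch for a non-200 status is the one that fires for frame 67, where the 400 carries a zero-length chunked body that no XML parser can accept.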