Closed Kammy6679 closed 8 years ago
Kemmy, this sounds like a bug that you can potentially investigate and fix?
@munjaldoshi , this is a compatibility issue between MSIPC and RMS SDK for Linux.
@Kammy6679 , I can't reproduce. Could you provide the encrypted PPDF to analyze it?
@AgentRX , for reproducing this issue, please use std::shared_ptr<CustomProtectedStream> to encrypt the PDF files. PPDF also has this problem. I will provide sample files to you for reproducing this issue.
please use your sample to reproduce this issue:
@Kammy6679, thank you! There is a UNICODE Publishing License inside and I added support for it now.
Use the latest RMS SDK, we still can reproduce this issue.
@Kammy6679, please check with PR: https://github.com/AzureAD/rms-sdk-for-cpp/pull/82
@AgentRX
If a file is protected to PDF format by MSIPC on Windows, this protected PDF file still can't be opened by Linux SDK.
Calling the following code to decrypt the file gets the error: m_pUserPolicyResult = UserPolicy::Acquire(publishLicense, csUserID, m_authenticationCallback, m_consentCallback, POL_None, RESPONSE_CACHE_INMEMORY);
NOTE: If a file is protected to PPDF format by MSIPC on Windows, this PPDF file can be opened by Linux SDK.
@Kammy6679 , please provide MSIPC protected file and user credentials to unprotect it that can't be opened with Linux SDK.
please visit the following link to get the MSIPC protected file: Link: http://sync-us.foxitsoftware.com/pm/rms/temp/test.pdf User name: mingjian_chen@msopentechtest01.onmicrosoft.com PSW: Test,123
@Kammy6679 , test.pdf is not a protected file.
@AgentRX , test.pdf is a protected file.
You have fixed the PPDF format issue (if a file is protected to PPDF format by MSIPC on Windows, this PPDF file can be opened by Linux SDK). I think there is the same issue in PDF format.
@Kammy6679, is this issue fixed?
@AgentRX , not fixed. PDF format still has this issue.
(If a file is protected to PDF format by MSIPC on Windows, this PDF file can't be opened by Linux SDK.)
@AgentRX - this seems a touch odd. Do we know why this is happening? Are you able to repro the issue?
@prvijay, I need the PDF protected file to reproduce it.
@Kammy6679, please provide us the protected PDF file which Linux SDK can't unprotect.
@AgentRX , I have provided the protected PDF file, please see https://github.com/AzureAD/rms-sdk-for-cpp/issues/68#issuecomment-136926881
@Kammy6679 - I think @AgentRX's point is that the pdf file (test.pdf) provided is not protected. I tried opening the document in Windows and I got an error message indicating that the file is not protected.
@prvijay , please use Foxit Reader for Windows to open this file: http://cdn01.foxitsoftware.com/pub/foxit/reader/desktop/win/7.x/7.2/en_us/EnterpriseFoxitReader720.0722_enu.msi
@Kammy6679, I couldn't open the pdf document and it kept prompting for the user name again and again. I created a new document and gave view only permissions for chengzhang_lin@msopentechtest01.onmicrosoft.com (Pwd, Test,123). I was able to open this pdf in Windows across two machines using these credentials. Can you try if the file opens in the Linux environment? http://1drv.ms/1EPvznV
@prvijay, thank you for the provided file! It wasn't opened by Linux SDK. I've found the reason for the error. We used Web platform because Linux is not supported yet:
string platformId(
"AppName=rmscore;AppVersion=1.0;DevicePlatform=Web;SDKVersion=4.1;");
BUT pfiles protected by SDK 2.1 are not supported with Web platform. I've changed platformId to:
string platformId(
"AppName=rmscore;AppVersion=1.0;DevicePlatform=WindowsStore;SDKVersion=4.1;");
and file was unprotected! I've tested it for AD FS/Azure 4.1 version protect/unprotect and all work fine with WindowsStore device! So I've changed platform and created PR: https://github.com/AzureAD/rms-sdk-for-cpp/pull/104
Also my offer is to ask Azure Team to add support for Linux platform. What do you think about it?
@AgentRX - excellent! Yes, we will make the platform fix and we are tracking it. It requires changes in the service and the agent and haven't gotten around to doing it. Till that point, we would need to set the Web platform. Please resolve the issue as I have merged the changes as well.
@Kammy6679 - please validate the fix and reactivate if required.
@prvijay , @AgentRX , We still can reproduce this issue. But after AgentRX modified, another Microsoft online server(user name : user1@isvtenant006.onmicrosoft.com PSW: Msipcsdk@ ) can be used normally.
@Kammy6679 - as indicated on mail, please validate if the file provided above works in your environment: "I created a new document and gave view only permissions for chengzhang_lin@msopentechtest01.onmicrosoft.com (Pwd, Test,123). I was able to open this pdf in Windows across two machines using these credentials. Can you try if the file opens in the Linux environment? http://1drv.ms/1EPvznV "
I have already indicated that something is either messed up in the file which you had sent earlier (http://sync-us.foxitsoftware.com/pm/rms/temp/test.pdf) or with the user tenant mingjian_chen@msopentechtest01.onmicrosoft.com. I am unable to open the file you had provided in Windows - I am not surprised that it doesn't open in Linux.
@prvijay, I can open http://sync-us.foxitsoftware.com/pm/rms/temp/test.pdf in my browser. It's an unprotected file.
@AgentRX, @Kammy6679 - same here, I just put the link in Chrome and it opened the document. If I put a protected pdf, then it opens the RMS Sharing app. I think the issue is fixed and should work fine if the file is protected properly to start off with.
@Kammy6679, @AgentRX - furthermore if you try to open the test.pdf in notepad, it does not show any indication that it's protected. If you open a protected document in notepad, the header will show that the file is protected.
@Kammy6679, @AgentRX - I have created two new docs at http://1drv.ms/1EPvznV which has view-only permissions to - chengzhang_lin@msopentechtest01.onmicrosoft.com; user1@isvtenant006.onmicrosoft.com; mingjian_chen@msopentechtest01.onmicrosoft.com. See if the issue still repros.
@AgentRX , @prvijay ,
If we encrypt new files, we can't reproduce this issue. If we use the previously encrypted PDF file (http://sync-us.foxitsoftware.com/pm/rms/temp/test.pdf), we can reproduce this issue. I don't know why ONLY the previously encrypted files (PPDF and PDF) have this issue. AgentRX has fixed the PPDF issue, please see https://github.com/AzureAD/rms-sdk-for-cpp/issues/68#issuecomment-132501412
"test.pdf" is an RMS protected PDF file; here is a video of opening "test.pdf": http://sync-us.foxitsoftware.com/pm/rms/temp/68.wmv
a. Open "test.pdf" in IE with Foxit PhantomPDF. You can see the decrypted PDF file.
b. Open "test.pdf" in Chrome; you can see a wrapper PDF file. Then save "test.pdf" to the local computer.
c. Copy "test.pdf" to Linux, then open this file and see the error message.
d. Open "test.pdf" in Adobe on Windows; you can see a wrapper PDF file.
The password for mingjian_chen@msopentechtest01.onmicrosoft.com has expired. This is the new password: Test@123
@prvijay, can't open files you gave us. The response is - Access Denied for all given users.
@AgentRX, @Kammy6679 - I will recap the status here:
@AgentRX - the trouble could be a newer version of MSIPC which I am using which is an internal build, I will protect using the publicly available build and send across the document shortly.
@Kammy6679 - if you encounter this issue in other files (other than the test.pdf), please reactivate the issue. At this point in time, we don't have any evidence that the issue is still open.
Can we reopen this issue? I do not see the option to allow me to do this?
Reopened it
From: huytran888 [mailto:notifications@github.com] Sent: Friday, April 22, 2016 9:35 AM To: AzureAD/rms-sdk-for-cpp rms-sdk-for-cpp@noreply.github.com Cc: Praveen Vijayaraghavan prvijay@microsoft.com; State change state_change@noreply.github.com Subject: Re: [AzureAD/rms-sdk-for-cpp] Cannot open RMS protected PDF files created by Windows SDK with Linux SDK (#68)
@prvijay , @AgentRX , @Kammy6679
I see that the problem was reported against protected PDF, and initially also with PPDF. I also see that some of you are saying the file "test.pdf" is a normal PDF. This indicates that there is a misunderstanding.
The Windows MSIPC and I believe the MAC version both implement a form of pdf protection currently only Foxit recognizes. It provides a wrapper that looks normal to all PDF reader implementations. The wrapper is a normal PDF document that directs you to the Foxit Reader download. To decrypt one of these PDF files, you need a Foxit Reader, or a PDF reader that understands and implements the proposed modification to the PDF Spec. Or, the Windows (or MAC) MSIPC knows how to protect and unprotect such files.
Viewing the source code for Linux, I do not see anything implementing this Foxit format. Kammy6679 directed you to use the Foxit PDF reader because that is the only thing on Linux that can read that format AFAIK.
So, when Kammy6679 originally reported the issue, he was speaking of the APIs at a lower level than the PFile. The errors he reports are at the AcquirePolicy api call where Foxit Reader has already extracted the PL. (I have not analysed close enough to see if the PL calls are failing or the decryption calls are failing).
The keys to solving the problem are to 1) use Windows MSIPC to create a protected "PDF" (not a PPDF), then 2) copy it to Linux and use Foxit Reader to read the PDF, and 3) if the problem persists, ask Foxit or use a tool to extract the PL and an encrypted PDF object from the file and use a test jig to work on those.
@lesterpotter - @raeitan made a fix yday to this issue. We could repro the scenario mentioned in your comment to make sure things work. I don't want to go down the path of asking Foxit (or any app built on top of the SDK) to muck around with the PL - the expectation is that it 'just works'.
In the earlier conversation, the test.pdf which we recd from Foxit was unprotected. We were able to open it in Edge, Chrome and any pdf viewer without any interaction with MSIPC. Hence the comment (~Sept 11th 2015) that the file is not properly protected.
@prvijay - No, you misunderstand. The file is protected, it is just not a PFILE. It is FOXIT's own proprietary format. It resembles something that Microsoft supported in the earlier MSIPC (2013 timeframe). Yes, it looks unprotected, but that is by design. The in-the-clear message directs you to their Reader.
I did a little looking, and I don't see that the current MSIPC supports this kind of protected PDF anymore. So, some of my comments above are not based on up-to-date information. But the basic issue is still valid. That is, does the Linux SDK fail to process a valid publishing license?
@Kammy6679 - originally you said that you created the file with MSIPC. Maybe I got a different TEST.PDF file than you originally posted (I couldn't access One Drive, the link was broken). But I did get a file from http://sync-us.foxitsoftware.com/pm/rms/temp/test.pdf. It looks like it was created with Foxit Phantom.
You said the call... m_pUserPolicyResult = UserPolicy::Acquire(publishLicense, csUserID, m_authenticationCallback, m_consentCallback, POL_None, RESPONSE_CACHE_INMEMORY); ...was failing, so you were having trouble processing a publishing license. Right?
You said that the PDF file worked on Windows and Mac, just not on Linux. Obviously, the Linux SDK doesn't support your file format, so you must be doing your own parsing. Even so, the Linux SDK should still be able to process the PL if Windows and Mac can. The SDK should allow you to do the lower level calls on Linux. If you are still having problems with that file (or any like it), try extracting the PL to a binary array, save it to a file and submit that for our analysis.
@lesterpotter - Johnny would need to comment on how he created it - but from my side, the file which was given opened in Edge and Chrome in a vanilla Win 10 box. There was no redirection to a Foxit reader or an authentication prompt. Neither the permission or the rights were enforced on the document.
Please use the new dev branch code to test the issue and see if it still repro's, or provide us an environment / binaries to do the testing. Until then I am closing the issue, please re-open it if still repros else let us know and we will merge to main.
Thanks
@raeitan For this issue, we followed Ran's suggestion(see the following email), it can fix this issue. Can you try this.
1, Protect a PDF file by MSIPC on Windows
Calling the following method, we get the below error message
Method: m_pUserPolicyResult = UserPolicy::Acquire(publishLicense, csUserID, m_authenticationCallback, m_consentCallback, POL_None, RESPONSE_CACHE_INMEMORY);
Message:
rms_log_201138-2807.log:
20:11:38 INF: +RestClientCache::Lookup: cacheName="msopentechtest01.onmicrosoft.com", tag="END_USER_LICENSES_UR"
20:11:38 INF: -RestClientCache::Lookup: cacheName="msopentechtest01.onmicrosoft.com", tag="END_USER_LICENSES_UR" returning 0 result(s)
20:11:38 INF: +RestClientCache::Lookup: cacheName="msopentechtest01.onmicrosoft.com", tag="PUBLISHING_LICENSES_UR"
20:11:38 INF: -RestClientCache::Lookup: cacheName="msopentechtest01.onmicrosoft.com", tag="PUBLISHING_LICENSES_UR" returning 0 result(s)
20:11:38 INF: +RestClientCache::Lookup: cacheName="msopentechtest01.onmicrosoft.com", tag="TEMPLATES_UR"
20:11:38 INF: -RestClientCache::Lookup: cacheName="msopentechtest01.onmicrosoft.com", tag="TEMPLATES_UR" returning 0 result(s)
20:11:38 INF: +RestClientCache::Lookup: cacheName="msopentechtest01.onmicrosoft.com", tag="CLOUD_DIAGNOSTICS_UR"
20:11:38 INF: -RestClientCache::Lookup: cacheName="msopentechtest01.onmicrosoft.com", tag="CLOUD_DIAGNOSTICS_UR" returning 0 result(s)
20:11:38 INF: +RestClientCache::Lookup: cacheName="msopentechtest01.onmicrosoft.com", tag="PERFORMANCE_UR"
20:11:38 INF: -RestClientCache::Lookup: cacheName="msopentechtest01.onmicrosoft.com", tag="PERFORMANCE_UR" returning 0 result(s)
20:11:38 INF: +RestClientCache::Lookup: cacheName="msopentechtest01.onmicrosoft.com", tag="DNS_CLIENT_RESULT"
20:11:38 INF: -RestClientCache::Lookup: cacheName="msopentechtest01.onmicrosoft.com", tag="DNS_CLIENT_RESULT" returning 0 result(s)
20:11:39 INF: ==> HttpClientQt::GET https://api.aadrm.com/my/v1/servicediscovery?email=mingjian_chen@msopentechtest01.onmicrosoft.com
20:11:42 INF: Response StatusCode: 401
20:11:42 ERR: error: Host requires authentication
20:11:42 INF: ==> HttpClientQt::GET https://api.aadrm.com/my/v1/servicediscovery?email=mingjian_chen@msopentechtest01.onmicrosoft.com
20:11:42 INF: Response StatusCode: 200
20:11:42 INF: ==> HttpClientQt::GET https://api.aadrm.com/my/v1/templates
20:11:43 INF: Response StatusCode: 401
20:11:43 ERR: error: Host requires authentication
20:11:43 INF: ==> HttpClientQt::GET https://api.aadrm.com/my/v1/templates
20:11:46 INF: Response StatusCode: 200
20:11:46 INF: ==> HttpClientQt::GET https://api.aadrm.com/my/v1/enduserlicenses
20:11:46 INF: Response StatusCode: 401
20:11:46 ERR: error: Host requires authentication
20:11:46 INF: ==> HttpClientQt::POST https://api.aadrm.com/my/v1/enduserlicenses
20:11:47 INF: Response StatusCode: 400
20:11:47 ERR: error: Error downloading https://api.aadrm.com/my/v1/enduserlicenses - server replied: Bad Request
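Added example, not part of the original thread or of the SDK: a small triage script for the rms_log quoted above. Each 401 "Host requires authentication" entry is followed by a retry of the same URL, so the script keeps only the last attempt per endpoint and reports the ones that still fail. The sample is a constructed copy of the HTTP entries above with a placeholder e-mail address, and all function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Entry prefix used by the SDK log: "HH:MM:SS INF: " or "HH:MM:SS ERR: ".
ENTRY = re.compile(r"(\d{2}:\d{2}:\d{2}) (INF|ERR): ")
REQUEST = re.compile(r"==> HttpClientQt::(GET|POST) (\S+)")
STATUS = re.compile(r"Response StatusCode: (\d{3})")

# Constructed sample: HTTP entries from the rms_log above, run together on one
# line as in the post, with the user's e-mail replaced by a placeholder.
SAMPLE_LOG = (
    "20:11:39 INF: ==> HttpClientQt::GET https://api.aadrm.com/my/v1/servicediscovery?email=user@example.com "
    "20:11:42 INF: Response StatusCode: 401 "
    "20:11:42 ERR: error: Host requires authentication "
    "20:11:42 INF: ==> HttpClientQt::GET https://api.aadrm.com/my/v1/servicediscovery?email=user@example.com "
    "20:11:42 INF: Response StatusCode: 200 "
    "20:11:42 INF: ==> HttpClientQt::GET https://api.aadrm.com/my/v1/templates "
    "20:11:43 INF: Response StatusCode: 401 "
    "20:11:43 ERR: error: Host requires authentication "
    "20:11:43 INF: ==> HttpClientQt::GET https://api.aadrm.com/my/v1/templates "
    "20:11:46 INF: Response StatusCode: 200 "
    "20:11:46 INF: ==> HttpClientQt::GET https://api.aadrm.com/my/v1/enduserlicenses "
    "20:11:46 INF: Response StatusCode: 401 "
    "20:11:46 ERR: error: Host requires authentication "
    "20:11:46 INF: ==> HttpClientQt::POST https://api.aadrm.com/my/v1/enduserlicenses "
    "20:11:47 INF: Response StatusCode: 400 "
    "20:11:47 ERR: error: Error downloading https://api.aadrm.com/my/v1/enduserlicenses - server replied: Bad Request"
)


def split_entries(text):
    """Split a log into (time, level, message), whether or not it has line breaks."""
    parts = ENTRY.split(text)  # [prefix, time, level, msg, time, level, msg, ...]
    return [(parts[i], parts[i + 1], parts[i + 2].strip())
            for i in range(1, len(parts), 3)]


def http_exchanges(text):
    """Attach each status code and ERR message to the request that precedes it."""
    exchanges = []
    for time, level, msg in split_entries(text):
        req = REQUEST.search(msg)
        if req:
            url = urlsplit(req.group(2))
            exchanges.append({"time": time, "method": req.group(1),
                              "endpoint": f"{url.scheme}://{url.netloc}{url.path}",
                              "status": None, "error": None})
            continue
        if not exchanges:
            continue  # cache lookups and other entries before the first request
        status = STATUS.search(msg)
        if status:
            exchanges[-1]["status"] = int(status.group(1))
        elif level == "ERR":
            exchanges[-1]["error"] = msg
    return exchanges


def failed_endpoints(text):
    """Return endpoints whose last attempt got no response or an HTTP status >= 400."""
    last = {}
    for ex in http_exchanges(text):
        last[ex["endpoint"]] = ex  # a retry replaces the earlier 401 challenge
    return [(ep, ex["method"], ex["status"], ex["error"])
            for ep, ex in last.items()
            if ex["status"] is None or ex["status"] >= 400]


if __name__ == "__main__":
    for endpoint, method, status, error in failed_endpoints(SAMPLE_LOG):
        print(f"{method} {endpoint} -> {status}: {error}")
```
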