FAIRDataTeam / FAIRDataPoint

https://www.fairdatapoint.org
MIT License

403 when creating a metadata schema draft using the API #572

Open kburger opened 1 month ago

kburger commented 1 month ago

What is your question?

When POSTing a metadata schema using the /metadata-schemas I get a 403 Access is denied error. I've provided a Bearer token in the Authorization header (for the admin user), and the body is exactly the same as the client produces. The log output is not showing anything beyond the 403 error either. How can I best proceed from here?

dennisvang commented 2 weeks ago

Reproduced on develop branch on localhost (with default dev db):

...
2024-10-29 14:56:10,012 25292 [http-nio-8080-exec-1] INFO  org.springframework.web.servlet.DispatcherServlet - Completed initialization in 2 ms
2024-10-29 14:56:10,036 25316 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.FilterChainProxy - Securing POST /metadata-schemas
2024-10-29 14:56:10,052 25332 [http-nio-8080-exec-1] INFO  org.fairdatapoint.api.filter.LoggingFilter - http://localhost:8080/metadata-schemas
2024-10-29 14:56:10,116 25396 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.FilterChainProxy - Secured POST /metadata-schemas
2024-10-29 14:56:10,224 25504 [http-nio-8080-exec-1] DEBUG org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor - Failed to authorize ReflectiveMethodInvocation: public org.springframework.http.ResponseEntity org.fairdatapoint.api.controller.schema.MetadataSchemaController.createSchemaDraft(org.fairdatapoint.api.dto.schema.MetadataSchemaChangeDTO); target is of class [org.fairdatapoint.api.controller.schema.MetadataSchemaController] with attributes [[authorize: 'hasRole('ADMIN')', filter: 'null', filterTarget: 'null']]
2024-10-29 14:56:10,226 25506 [http-nio-8080-exec-1] ERROR org.fairdatapoint.api.controller.exception.ExceptionControllerAdvice - Access is denied

So we're authenticated, but not authorized.

More detail:

...
2024-10-29 15:40:37,089 37848 [http-nio-8080-exec-1] TRACE org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor - Did not re-authenticate UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=7e64818d-6276-46fb-8bb1-732e6e09f7e9, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, CredentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_USER]], Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[ROLE_USER]] before authorizing
2024-10-29 15:40:37,090 37849 [http-nio-8080-exec-1] TRACE org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor - Authorizing ReflectiveMethodInvocation: public org.springframework.http.ResponseEntity org.fairdatapoint.api.controller.schema.MetadataSchemaController.createSchemaDraft(org.fairdatapoint.api.dto.schema.MetadataSchemaChangeDTO); target is of class [org.fairdatapoint.api.controller.schema.MetadataSchemaController] with attributes [[authorize: 'hasRole('ADMIN')', filter: 'null', filterTarget: 'null']]
2024-10-29 15:40:37,094 37853 [http-nio-8080-exec-1] TRACE org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor - Failed to authorize ReflectiveMethodInvocation: public org.springframework.http.ResponseEntity org.fairdatapoint.api.controller.schema.MetadataSchemaController.createSchemaDraft(org.fairdatapoint.api.dto.schema.MetadataSchemaChangeDTO); target is of class [org.fairdatapoint.api.controller.schema.MetadataSchemaController] with attributes [[authorize: 'hasRole('ADMIN')', filter: 'null', filterTarget: 'null']] using AffirmativeBased 
...

Note the Granted Authorities=[ROLE_USER].

dennisvang commented 2 weeks ago

POST /metadata-schemas requires the ADMIN role, but GET /users/current returns

{
  "uuid": "7e64818d-6276-46fb-8bb1-732e6e09f7e9",
  "firstName": "Albert",
  "lastName": "Einstein",
  "email": "albert.einstein@example.com",
  "role": "USER"
}

Note the "role": "USER".

This holds for both Albert Einstein and Nikola Tesla, even though the readme says Albert is ADMIN:

https://github.com/FAIRDataTeam/FAIRDataPoint/blob/1e33bfdbdd10673370fc5a3a7e819401eb62b685/README.md?plain=1#L106-L110

The dev db migrations show there is a new admin in town:

https://github.com/FAIRDataTeam/FAIRDataPoint/blob/1e33bfdbdd10673370fc5a3a7e819401eb62b685/src/main/resources/dev/db/migration/V0001.1__dev-data-users.sql#L25-L32

Using a token for admin@example.com, POST /metadata-schemas works as expected (using develop branch on localhost with the default dev db).
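As an added diagnostic example (not part of this issue or the FAIRDataPoint code base), the following Python parser reads Spring Security MethodSecurityInterceptor trace lines like the ones quoted above, separates "not authenticated" from "authenticated but lacking the required role", and cross-checks the role reported by GET /users/current against the endpoint's requirement. The sample log lines and JSON body are constructed from the output shown in this thread, trimmed to the parts the parser needs.

```python
import json
import re

# Constructed sample lines, modelled on the TRACE output in the thread above
# (long class names and token fields trimmed; the regex-relevant parts are kept).
SAMPLE_LOG = """\
2024-10-29 15:40:37,089 TRACE ...MethodSecurityInterceptor - Did not re-authenticate UsernamePasswordAuthenticationToken [Principal=...User [Username=7e64818d-6276-46fb-8bb1-732e6e09f7e9, Granted Authorities=[ROLE_USER]], Authenticated=true, Details=null, Granted Authorities=[ROLE_USER]] before authorizing
2024-10-29 15:40:37,094 TRACE ...MethodSecurityInterceptor - Failed to authorize ReflectiveMethodInvocation: ...MetadataSchemaController.createSchemaDraft(...); with attributes [[authorize: 'hasRole('ADMIN')', filter: 'null', filterTarget: 'null']] using AffirmativeBased
"""

# Constructed body in the shape GET /users/current returned in the thread.
SAMPLE_CURRENT_USER = '{"uuid": "7e64818d-6276-46fb-8bb1-732e6e09f7e9", "role": "USER"}'

REQUIRED_ROLE_RE = re.compile(r"hasRole\('([A-Za-z_]+)'\)")
GRANTED_RE = re.compile(r"Granted Authorities=\[([^\]]*)\]")


def required_roles(log: str) -> set[str]:
    """Roles demanded by the hasRole(...) expression on the method that failed."""
    return set(REQUIRED_ROLE_RE.findall(log))


def granted_roles(log: str) -> set[str]:
    """Authorities held by the authenticated principal, without Spring's ROLE_ prefix."""
    roles = set()
    for group in GRANTED_RE.findall(log):
        for authority in group.split(","):
            authority = authority.strip()
            if authority:
                roles.add(authority.removeprefix("ROLE_"))
    return roles


def diagnose(log: str) -> str:
    """Classify a 403: failed login, or a valid login that lacks the required role."""
    if "Authenticated=true" not in log:
        return "not-authenticated"
    missing = required_roles(log) - granted_roles(log)
    if missing:
        return "authenticated-but-missing:" + ",".join(sorted(missing))
    return "authorized"


def user_has_role(current_user_json: str, role: str) -> bool:
    """Cross-check the role reported by GET /users/current against the endpoint's need."""
    return json.loads(current_user_json).get("role") == role
```

Run against the sample, `diagnose` reports an authenticated principal missing ADMIN, which is the same conclusion the trace lines above lead to by hand.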

dennisvang commented 2 weeks ago

@kburger were you also using the local dev db with default users, or were you using a custom db with real users?

dennisvang commented 1 week ago

@MarekSuchanek I can try to fix the inconsistency between migration and readme, but how do you wish to proceed?

kburger commented 1 week ago

@kburger were you also using the local dev db with default users, or were you using a custom db with real users?

Default users, but also a confirmed ADMIN user on a 'real' FDP.

dennisvang commented 1 week ago

[...] but also a confirmed ADMIN user on a 'real' FDP.

Hi @kburger, does the "real" FDP run the develop image or one of the v1.17.x images? (assuming you are running one of the Docker images)

kburger commented 1 week ago

They're all running tagged docker images, mostly the 1.16.2 version to work around the bugs in 1.17.