FIWARE / tutorials.PEP-Proxy

:closed_book: FIWARE 404: Securing Microservices and IoT Devices with a PEP Proxy
https://fiware-pep-proxy.rtfd.io/
MIT License

Kong-keyrock Authorize issue with Query parameter (type) #23

Closed ravipodila closed 1 year ago

ravipodila commented 1 year ago

I tried to use the Kong image (0.5.3), installed Kong successfully and was able to connect with Keyrock.

Why am I not able to give the query parameter type as a filter in a Keyrock permission, so that a user with a permission for a specific entity type can only get the data of that entity type and gets denied for the rest of the entity types?

My Keyrock permission configuration is below:

**Without using Query parameters**

I have set the Keyrock permission method: GET, resource: **/ngsi-ld/v1/entities**
When I try to get the entities using Postman, it works without issues.

**With using Query parameters**

But when I set the Keyrock permission method: GET, resource: **/ngsi-ld/v1/entities?type=city**

This fails to authorize and gives the error:

    [pep-plugin:1121] time="2023-08-10T06:16:21Z" level=debug msg="Delegate decision to Keyrock.", context: ngx.timer
    [pep-plugin:1121] time="2023-08-10T06:16:21Z" level=info msg="[Keyrock] Request was not allowed. Response was &
    {0xc00020ed00 {0 0} false 0xc000022080 <nil> 0x6a1100}.", context: ngx.timer
    [pep-plugin:1121] time="2023-08-10T06:16:21Z" level=info msg="Request was not allowed.", context: ngx.timer

Same situation when I try to POST the data.

**Without using Query parameters**

I have set the Keyrock permission method: POST, resource: **/ngsi-ld/v1/entityOperations/upsert**
When I try to POST the entities using Postman, it works without issues.

**With using Query parameters**

But when I set the Keyrock permission method: POST, resource: **/ngsi-ld/v1/entityOperations/upsert?type=city**

This fails to authorize and gives the error:

    [pep-plugin:1121] time="2023-08-10T06:16:21Z" level=debug msg="Delegate decision to Keyrock.", context: ngx.timer
    [pep-plugin:1121] time="2023-08-10T06:16:21Z" level=info msg="[Keyrock] Request was not allowed. Response was &
    {0xc00020ed00 {0 0} false 0xc000022080 <nil> 0x6a1100}.", context: ngx.timer
    [pep-plugin:1121] time="2023-08-10T06:16:21Z" level=info msg="Request was not allowed.", context: ngx.timer

My Kong config file:

orion-a

  - host: "orion.fiware.svc.cluster.local"
    name: "orion"
    port: 1026
    protocol: http

    routes:
      - name: orion
        paths:
          - /kong_prefix
        strip_path: true

    plugins:
      - name: rate-limiting
        config: 
          minute: 5

      - name: pep-plugin
        config:
          authorizationendpointtype: Keyrock
          authorizationendpointaddress: http://keyrock.fiware.svc.cluster.local:3005/user
          keyrockappid: 8216*********************************
          pathprefix: /kong_prefix

      - name: request-transformer
        config:
          remove:
            headers:
              - Authorization
              - authorization

How can I give permission based on the query parameter type?

jason-fox commented 1 year ago

This question is better raised over at https://github.com/FIWARE/kong-plugins-fiware as it is not strictly an issue to do with the tutorial. I see you have already done so, so I'll close this as duplicate of https://github.com/FIWARE/kong-plugins-fiware/issues/25