GENI-NSF / geni-ch

GENI clearinghouse services

Unclear how to properly authorize get_requests_for_context #536

Closed nbastin closed 7 years ago

nbastin commented 7 years ago

Given the following request data:

import xmlrpclib  # Python 2 module (xmlrpc.client in Python 3)
# positional args: context_type, context_id, status, credentials, options
req_data = xmlrpclib.dumps((1, '10c88fc8-9d57-4971-8820-5b14323557f5', 0, [context.ucred_api3], {}), methodname="get_requests_for_context")

(context.ucred_api3 is a property that generates the user credential in v3 format, and I am the lead of the project in question)

I get an authorization error:

>>> PP(xmlrpclib.loads(resp.content)[0][0])
{'code': 2,
 'output': "[AUTHORIZATION] AUTHORIZATION_ERROR (Caller not authorized to call method get_requests_for_context with options {} arguments {'context_type': 1, 'context_id': '10c88fc8-9d57-4971-8820-5b14323557f5', 'status': 0} queries [u'ME.MAY_GET_REQUESTS_FOR_CONTEXT_urn_publicid_IDN_ch_geni_net_project_vts_infra<-CALLER', 'ME.MAY_GET_REQUESTS_FOR_CONTEXT<-CALLER'])",
 'value': None}

get_pending_requests_for_user works fine, so I can mostly work around the problem for common use cases, but if there's a way I could get this call to work that would be useful.

tcmitchell commented 7 years ago

Could you please try this again with an empty list for the "credentials" argument?

I can successfully invoke this method using tools/client.py, which appears to send an empty credentials list. If your call succeeds with an empty credential list, maybe there's a bug in the credential handling with respect to this method.

nbastin commented 7 years ago

Should have mentioned that I tried that first. It has the same problem:

>>> import requests
>>> import xmlrpclib
>>> # same call as before, but with an empty credentials list
>>> req_data = xmlrpclib.dumps((1, '10c88fc8-9d57-4971-8820-5b14323557f5', 0, [], {}), methodname="get_requests_for_context")
>>> s = requests.Session()
>>> s.mount(url, CH2.GCU.TLSHttpAdapter())
>>> cert = (context.cf.cert, context.cf.key)
>>> resp = s.post(url, req_data, cert=cert, verify=False, headers=CH2.headers())
>>> PP(xmlrpclib.loads(resp.content)[0][0])
{'code': 2,
 'output': "[AUTHORIZATION] AUTHORIZATION_ERROR (Caller not authorized to call method get_requests_for_context with options {} arguments {'context_type': 1, 'context_id': '10c88fc8-9d57-4971-8820-5b14323557f5', 'status': 0} queries [u'ME.MAY_GET_REQUESTS_FOR_CONTEXT_urn_publicid_IDN_ch_geni_net_project_vts_infra<-CALLER', 'ME.MAY_GET_REQUESTS_FOR_CONTEXT<-CALLER'])",
 'value': None}

tcmitchell commented 7 years ago

This is a bug in the authorization engine. It worked for me above because I was using an operator account and succeeding because operators are explicitly allowed.

The policy assertions for get_requests_for_context are left unbound because $REQUEST_ID and $REQUEST_ROLE are unavailable at the binding phase. We need extra clauses to accommodate the PROJECT_URN subject_type to populate both $REQUEST_ID and $REQUEST_ROLE.

Other calls may be similarly broken as well.
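The following is an added illustration of the binding failure tcmitchell describes; it is a constructed toy, not geni-ch's authorization engine. The "HEAD<-BODY" assertion syntax, the binder functions bind_request_id and bind_project_urn, the sample principals (a project lead "nbastin" and an operator "op"), the request table and the URN flattening are all assumptions. It shows that a template written in terms of $REQUEST_ROLE can only be bound from a request_id, so for get_requests_for_context (which carries a context_id) the template is left unbound and dropped, the lead is denied while the operator still passes via the explicit operator clause, and adding a binder for the PROJECT_URN subject type makes the lead's query provable.

```python
"""Toy template-bound authorization check (constructed example, not geni-ch)."""
import re

# $VARIABLE tokens in a template; underscores join words but do not end a name.
VAR = re.compile(r"\$[A-Z]+(?:_[A-Z]+)*")

# Constructed sample data: one project with one lead, one operator account,
# one pending request that targets the project.
PROJECT_URN = "urn:publicid:IDN+ch.geni.net+project+vts_infra"
ROLES = {("nbastin", PROJECT_URN): "LEAD"}
OPERATORS = {"op"}
REQUESTS = {"req-1": PROJECT_URN}


def urn_token(urn):
    """Flatten a URN into the identifier form seen in the queries on this page."""
    return re.sub(r"[^A-Za-z0-9]", "_", urn)


# Policy templates, "HEAD<-BODY".  Every $VARIABLE must be bound from the call
# before a template can take part in a proof; a template that still contains
# a variable after the binding phase is "left unbound" and is dropped.
TEMPLATES = [
    "ME.MAY_GET_REQUESTS_FOR_CONTEXT<-ME.IS_OPERATOR",
    "ME.MAY_GET_REQUESTS_FOR_CONTEXT_$SUBJECT<-ME.IS_$REQUEST_ROLE_$SUBJECT",
]


def bind_request_id(caller, args):
    """Assumed binder for the REQUEST_ID subject type: it can only populate
    $REQUEST_ID / $REQUEST_ROLE when the call actually carries a request_id."""
    rid = args.get("request_id")
    if rid not in REQUESTS:
        return {}
    urn = REQUESTS[rid]
    role = ROLES.get((caller, urn))
    if role is None:
        return {}
    return {"REQUEST_ID": rid, "REQUEST_ROLE": role, "SUBJECT": urn_token(urn)}


def bind_project_urn(caller, args):
    """Assumed form of the extra clause for the PROJECT_URN subject type:
    bind the caller's role directly from context_id."""
    urn = args.get("context_id")
    role = ROLES.get((caller, urn))
    if role is None:
        return {}
    return {"REQUEST_ROLE": role, "SUBJECT": urn_token(urn)}


def instantiate(bindings):
    """Binding phase: substitute variables; return (usable rules, dropped templates)."""
    bound, unbound = [], []
    for tmpl in TEMPLATES:
        rule = VAR.sub(lambda m: bindings.get(m.group()[1:], m.group()), tmpl)
        (unbound if VAR.search(rule) else bound).append(rule)
    return bound, unbound


def caller_facts(caller):
    """Facts known about CALLER independent of the call being authorized."""
    facts = {"ME.IS_OPERATOR"} if caller in OPERATORS else set()
    for (who, urn), role in ROLES.items():
        if who == caller:
            facts.add("ME.IS_%s_%s" % (role, urn_token(urn)))
    return facts


def proves(rules, facts, goal):
    """Forward-chain HEAD<-BODY rules over the caller's facts until goal holds."""
    known = set(facts)
    changed = True
    while changed:
        changed = False
        for rule in rules:
            head, body = rule.split("<-")
            if body in known and head not in known:
                known.add(head)
                changed = True
    return goal in known


def authorize(caller, args, binders):
    """Return (authorized, unbound_templates) for get_requests_for_context."""
    bindings = {}
    for binder in binders:
        bindings.update(binder(caller, args))
    rules, unbound = instantiate(bindings)
    subject = urn_token(args["context_id"])
    queries = ["ME.MAY_GET_REQUESTS_FOR_CONTEXT_" + subject,  # per-project query
               "ME.MAY_GET_REQUESTS_FOR_CONTEXT"]             # blanket query
    ok = any(proves(rules, caller_facts(caller), q) for q in queries)
    return ok, unbound


CALL = {"context_type": 1, "context_id": PROJECT_URN, "status": 0}
BROKEN = [bind_request_id]                   # the policy as reported in the issue
FIXED = [bind_request_id, bind_project_urn]  # with the extra PROJECT_URN clause

if __name__ == "__main__":
    for label, binders in (("broken", BROKEN), ("fixed", FIXED)):
        for who in ("nbastin", "op"):
            ok, dropped = authorize(who, CALL, binders)
            print("%-6s %-8s authorized=%-5s unbound=%s" % (label, who, ok, dropped))
```

The practical check this suggests: a binding phase that silently drops unbound templates hides exactly this class of bug, because an operator's explicit clause still proves the blanket query and the per-subject clause is never exercised. Surfacing the dropped templates (the second element of authorize's return value) next to the failed queries makes the gap visible in the error instead of only in the "not authorized" outcome.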