SURFscz / SBS

Samenwerking Beheer Systeem ↣ Collaboration Management System
Apache License 2.0

Login to Service with Access Rule "Free For All" Fails when user is not provisioned in SBS #1439

Closed HarryKodden closed 4 weeks ago

HarryKodden commented 1 month ago

We want to allow login to a Service to anyone. It is up to the Service to inspect the Userinfo offered by SRAM to validate and decide what this SRAM Authenticated user is allowed to do in the Service. For example: inspect the entitlements claim of the userinfo, see that the user is missing a certain entitlement and then initiate an invitation to that user to become member of a certain CO.

Expected behavior:

  1. Any user can authenticate via SRAM to the Service
  2. The onboarding of new SRAM users takes automatically place during the SRAM Authentication
  3. Once authenticated, the user is redirected to the Service
  4. The service makes a backend call to SRAM Userinfo to inspect User details like entitlements

Observed behaviour:

  1. works
  2. works
  3. works for SRAM identities that are member of at least 1 CO anywhere in SRAM, fails for SRAM users who are not member of any CO in SRAM
  4. works

baszoetekouw commented 1 month ago

I cannot reproduce this. With a fresh demo seed (with the cloud service set to free for all), the user urn:user_suspend_warning is not a member of any CO, yet he is allowed to log in:

curl -u sysread:secret -X POST -H "Content-Type: application/json" http://localhost:3000/api/users/proxy_authz -d '{"user_id": "urn:user_suspend_warning", "service_id": "https://cloud", "issuer_id": "https://idp.test"}'
{
  "attributes": {
    "eduPersonEntitlement": [],
    "eduPersonPrincipalName": [
      "user_suspend_warning@test.sram.surf.nl"
    ],
    "sshkey": [],
    "uid": [
      "user_suspend_warning"
    ]
  },
  "status": {
    "result": "authorized"
  }
}

It is broken though for users who are unknown in SBS:

curl -u sysread:secret -X POST -H "Content-Type: application/json" http://localhost:3000/api/users/proxy_authz -d '{"user_id": "urn:gandalf", "service_id": "https://cloud", "issuer_id": "https://idp.test"}'
{
  "status": {
    "error_status": 1,
    "redirect_url": "http://localhost:3000/service-denied?service_name=Cloud&error_status=1&entity_id=https%3A%2F%2Fcloud&issuer_id=https%3A%2F%2Fidp.test&user_id=urn%3Agandalf",
    "result": "unauthorized"
  }
}
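As an added example (not code from the SBS repository or from either commenter), the exchange above can be modelled in a small Python reproducer: it parses the two proxy_authz reply shapes, flags any user who is denied although the service's access rule is "Free For All", and performs the service-side entitlement check that the issue description asks for. The base URL, `sysread` credentials and endpoint path follow the curl commands in this thread; the two sample replies are copied from the curl output, and the `urn:example:co:hypothetical` entitlement used in the usage note is a placeholder, not a real SRAM value.

```python
"""Reproducer for the "Free For All" access rule over the SBS proxy_authz API.

Added example, not code from the SBS project. It assumes the exchange shown
in the curl commands above: POST /api/users/proxy_authz with HTTP basic auth
and a JSON body {user_id, service_id, issuer_id}. The reply either carries
status.result == "authorized" plus an "attributes" object, or
status.result == "unauthorized" plus error_status and redirect_url.
"""
import base64
import json
import urllib.request
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AuthzDecision:
    user_id: str
    authorized: bool
    entitlements: List[str] = field(default_factory=list)
    error_status: Optional[int] = None
    redirect_url: Optional[str] = None


def parse_proxy_authz(user_id: str, reply: dict) -> AuthzDecision:
    """Normalise both reply shapes into one record; missing keys are tolerated."""
    status = reply.get("status") or {}
    attrs = reply.get("attributes") or {}
    return AuthzDecision(
        user_id=user_id,
        authorized=status.get("result") == "authorized",
        entitlements=list(attrs.get("eduPersonEntitlement") or []),
        error_status=status.get("error_status"),
        redirect_url=status.get("redirect_url"),
    )


def proxy_authz(base_url: str, username: str, password: str,
                user_id: str, service_id: str, issuer_id: str,
                timeout: float = 10.0) -> AuthzDecision:
    """Live call, equivalent to the curl commands in the issue (needs a running SBS)."""
    body = json.dumps({"user_id": user_id, "service_id": service_id,
                       "issuer_id": issuer_id}).encode()
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/api/users/proxy_authz", data=body, method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_proxy_authz(user_id, json.load(resp))


def free_for_all_violations(decisions: List[AuthzDecision]) -> List[AuthzDecision]:
    """Under "Free For All" every authenticated user must be authorized by SBS,
    whether or not SBS knows them or they belong to any CO. Anything denied is a bug."""
    return [d for d in decisions if not d.authorized]


def service_needs_invitation(decision: AuthzDecision, required_entitlement: str) -> bool:
    """The service-side step from the issue: login succeeded, but the user lacks
    the entitlement for the CO the service requires, so an invitation is due."""
    return decision.authorized and required_entitlement not in decision.entitlements


# Constructed sample replies, copied from the two curl outputs in the issue.
SAMPLE_REPLIES: Dict[str, dict] = {
    "urn:user_suspend_warning": {
        "attributes": {
            "eduPersonEntitlement": [],
            "eduPersonPrincipalName": ["user_suspend_warning@test.sram.surf.nl"],
            "sshkey": [],
            "uid": ["user_suspend_warning"],
        },
        "status": {"result": "authorized"},
    },
    "urn:gandalf": {
        "status": {
            "error_status": 1,
            "redirect_url": "http://localhost:3000/service-denied?service_name=Cloud"
                            "&error_status=1&entity_id=https%3A%2F%2Fcloud"
                            "&issuer_id=https%3A%2F%2Fidp.test&user_id=urn%3Agandalf",
            "result": "unauthorized",
        }
    },
}


def reproduce_from_samples() -> List[AuthzDecision]:
    """Offline reproduction: the unknown user urn:gandalf is the only violation."""
    decisions = [parse_proxy_authz(uid, reply) for uid, reply in SAMPLE_REPLIES.items()]
    return free_for_all_violations(decisions)


if __name__ == "__main__":
    for d in reproduce_from_samples():
        print(f"denied under Free For All: {d.user_id} (error_status={d.error_status})")
```

Against a local SBS, `proxy_authz("http://localhost:3000", "sysread", "secret", "urn:gandalf", "https://cloud", "https://idp.test")` performs the same call as the second curl command; running it for a list of users and passing the results through `free_for_all_violations` gives a direct regression check for the fix. `service_needs_invitation(decision, "urn:example:co:hypothetical")` is the check a relying service would do after login, with the entitlement value being a placeholder.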

baszoetekouw commented 1 month ago

Should be fixed on the SBS side in https://github.com/SURFscz/SBS/tree/feature/login-freeride, but there turns out to be a blocking issue in eduTEAMS, causing the user to end up at a "You are already a member of this VO" screen at Perun. Reported to eduTEAMS as TT#2024060534000194.

baszoetekouw commented 3 weeks ago

continues in #1463