Swirrl / drafter

A clojure service and a client to it for exposing data management operations to PMD

Listing claimable drafts causes MalformedQuery error when m2m user has both old roles and new permissions #653

Closed RickMoynihan closed 1 year ago

RickMoynihan commented 1 year ago

This error occurs on the currently deployed "production" beta PMD deployment for ONS. NOTE that the deployed version where this occurs is https://github.com/Swirrl/drafter/releases/tag/v2.6000001 and is prior to the RBAC changes on master.

This is what the error looks like when you make a request like this to drafter's API, /v1/draftsets?include=claimable or /v1/draftsets?include=all.

$ curl --request GET --url "https://idp-beta-drafter.publishmydata.com/v1/draftsets?include=all" -H "authorization: Bearer ${DRAFTER_TOKEN}"  | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2360  100  2360    0     0  15606      0 --:--:-- --:--:-- --:--:-- 17101
{
  "type": "error",
  "error": "unknown-error",
  "message": "{\"message\":\"Encountered \\\" \\\">=\\\" \\\">= \\\"\\\" at line 2, column 1268.\\nWas expecting one of:\\n    \\\"(\\\" ...\\n    \\\"!\\\" ...\\n    \\\"+\\\" ...\\n    \\\"-\\\" ...\\n    \\\"if\\\" ...\\n    \\\"tz\\\" ...\\n    \\\"md5\\\" ...\\n    \\\"str\\\" ...\\n    \\\"sum\\\" ...\\n    \\\"min\\\" ...\\n    \\\"max\\\" ...\\n    \\\"avg\\\" ...\\n    \\\"abs\\\" ...\\n    \\\"day\\\" ...\\n    \\\"now\\\" ...\\n    \\\"IRI\\\" ...\\n    \\\"URI\\\" ...\\n    \\\"ceil\\\" ...\\n    \\\"year\\\" ...\\n    \\\"sha1\\\" ...\\n    \\\"uuid\\\" ...\\n    \\\"lang\\\" ...\\n    \\\"true\\\" ...\\n    \\\"rand\\\" ...\\n    \\\"regex\\\" ...\\n    \\\"false\\\" ...\\n    \\\"bound\\\" ...\\n    \\\"ucase\\\" ...\\n    \\\"lcase\\\" ...\\n    \\\"floor\\\" ...\\n    \\\"isIRI\\\" ...\\n    \\\"isURI\\\" ...\\n    \\\"round\\\" ...\\n    \\\"month\\\" ...\\n    \\\"sample\\\" ...\\n    \\\"hours\\\" ...\\n    \\\"bnode\\\" ...\\n    \\\"strdt\\\" ...\\n    \\\"count\\\" ...\\n    \\\"strlen\\\" ...\\n    \\\"substr\\\" ...\\n    \\\"concat\\\" ...\\n    \\\"sha224\\\" ...\\n    \\\"sha256\\\" ...\\n    \\\"sha384\\\" ...\\n    \\\"sha512\\\" ...\\n    \\\"exists\\\" ...\\n    \\\"minutes\\\" ...\\n    \\\"seconds\\\" ...\\n    \\\"isBlank\\\" ...\\n    \\\"strAfter\\\" ...\\n    \\\"replace\\\" ...\\n    \\\"strlang\\\" ...\\n    \\\"struuid\\\" ...\\n    \\\"strEnds\\\" ...\\n    \\\"datatype\\\" ...\\n    \\\"sameTerm\\\" ...\\n    \\\"timezone\\\" ...\\n    \\\"contains\\\" ...\\n    \\\"coalesce\\\" ...\\n    \\\"not exists\\\" ...\\n    \\\"strStarts\\\" ...\\n    \\\"strBefore\\\" ...\\n    \\\"isLiteral\\\" ...\\n    \\\"isNumeric\\\" ...\\n    \\\"langmatches\\\" ...\\n    \\\"group_concat\\\" ...\\n    \\\"encode_for_URI\\\" ...\\n    <Q_IRI_REF> ...\\n    <AGG_NAME> ...\\n    <PNAME_NS> ...\\n    <PNAME_LN> ...\\n    <VAR1> ...\\n    <VAR2> ...\\n    <INTEGER> ...\\n    <INTEGER_POSITIVE> ...\\n    <INTEGER_NEGATIVE> ...\\n    <DECIMAL> 
...\\n    <DECIMAL_POSITIVE> ...\\n    <DECIMAL_NEGATIVE> ...\\n    <DOUBLE> ...\\n    <DOUBLE_POSITIVE> ...\\n    <DOUBLE_NEGATIVE> ...\\n    <STRING_LITERAL1> ...\\n    <STRING_LITERAL2> ...\\n    <STRING_LITERAL_LONG1> ...\\n    <STRING_LITERAL_LONG2> ...\\n    <FUNCTION_NAME> ...\\n    \",\"code\":\"MalformedQuery\"}"
}

See Swirrl slack discussions here and on ONS slack here.

RBAC

It appears that this issue is caused by configuring an m2m user with both the old-style monolithic permissions/roles, e.g. drafter:editor drafter:publisher, and the new-style fine-grained permissions. The RBAC PR #610 attempted, for deployment's sake, to try and ensure that old- and new-style permissions could be run in tandem (with a migration). We also believed that it should be possible to run old drafters with auth0 permissions configured in both styles; however, it may be the case that this combination escaped testing.

@RicSwirrl had added new style permissions to auth0 on the beta site (above) as prep for updating the code and migrating to the granular permissions model. When that occurred the above error started happening. We have currently not identified why this results in the above SPARQL error, as the queries involved are not parameterised in this way (only by email).

I'm writing this bug up to capture it, but it may be that we don't need to fix it: if we roll forward to a more recent drafter release, it is likely to no longer be an issue.

Below is the combination of auth0 permissions which will result in the above error:

Screenshot 2023-02-14 at 16 18 51

RicSwirrl commented 1 year ago

Closing this as this version of the code is not in deployment any more. It looks like the old code didn't like the more granular permissions co-existing with the macro-level perms like drafter:editor.