VNG-Realisatie / gemma-zaken

Jointly developing APIs for case-oriented working (Zaakgericht werken)
https://vng-realisatie.github.io/gemma-zaken/

Cannot create rol through API because of 403 when validating roltype #1375

Closed bartjkdp closed 4 years ago

bartjkdp commented 5 years ago

It seems that when creating a new role through the ZRC API, calls to the ZTC are not correctly authenticated:

A call to POST /api/v1/rollen with body:

{'betrokkene': 'https://www.haalcentraal.nl/haalcentraal/api/brp/ingeschrevenpersonen/999993318',
 'betrokkeneType': 'Natuurlijk persoon',
 'roltoelichting': '',
 'roltype': 'https://gemma-ztc.zgw.somedomain.dev/api/v1/roltypen/8b8a05e8-9b2f-4b46-8b2f-a3e0ae8849c9',
 'zaak': 'https://gemma-zrc.zgw.somedomain.dev/api/v1/zaken/29da6006-987f-4ea0-ba9a-d91ff4c7c975'}

Results in the following error:

{'code': 'invalid',
 'detail': '',
 'instance': 'urn:uuid:63917d38-44b7-4708-9170-68b914e39f70',
 'invalidParams': [{'code': 'bad-url',
                    'name': 'roltype',
                    'reason': 'De URL '
                              'https://gemma-ztc.zgw.somedomain.dev/api/v1/roltypen/8b8a05e8-9b2f-4b46-8b2f-a3e0ae8849c9 '
                              'gaf als antwoord HTTP 403. Geef een geldige URL '
                              'op.'}],
 'invalid_params': None,
 'status': 400,
 'title': 'Invalid input.',
 'type': 'https://gemma-zrc.zgw.somedomain.dev/ref/fouten/ValidationError/'}

In the ZRC the external credentials of https://gemma-ztc.zgw.somedomain.dev/api/v1/ are configured correctly and a direct call to https://gemma-ztc.zgw.somedomain.dev/api/v1/roltypen/8b8a05e8-9b2f-4b46-8b2f-a3e0ae8849c9 with the same credentials succeeds.

Version used: 1.0.0-rc1

joeribekker commented 5 years ago

@bartjkdp We cannot reproduce this behaviour.

We tried with the latest Dockers (ZTC digest: 44eee8f373c0, ZRC digest: caec4fd51344) and set up the proper authentications. We also tried it against the deployed reference implementation.

Here are the steps we took:

Create a Zaak (Zaaktype: Melding openbare ruimte)

POST /api/v1/zaken
Authorization: Bearer <TOKEN>
Content-Type: application/json
Accept-Crs: EPSG:4326
Content-Crs: EPSG:4326

{
    "bronorganisatie": "509381406",
    "omschrijving": "test",
    "zaaktype": "https://catalogi-api.vng.cloud/api/v1/zaaktypen/c2f952ca-298e-488c-b1be-a87f11bd5fa2",
    "verantwoordelijkeOrganisatie": "245122461",
    "startdatum": "2018-12-06",
    "toelichting": "Zaak aanmaken test"
}

HTTP 201
{
    "url": "https://zaken-api.vng.cloud/api/v1/zaken/7765c44d-528d-46d9-8589-4bb0a90819fe",
    "uuid": "7765c44d-528d-46d9-8589-4bb0a90819fe",
    "identificatie": "ZAAK-2019-0000000663",
    "bronorganisatie": "509381406",
    ...
}

If the above step succeeds, there should be no reason for ROL-create to fail since the authorizations that are used are the same. If the above fails, your config is wrong. If this succeeds and ROL-create fails something is off :/

Create a Status (Status: Leeg)

POST /api/v1/statussen
Authorization: Bearer <TOKEN>
Content-Type: application/json

{
    "zaak": "https://zaken-api.vng.cloud/api/v1/zaken/7765c44d-528d-46d9-8589-4bb0a90819fe",
    "statustype": "https://catalogi-api.vng.cloud/api/v1/statustypen/b59f487b-74c3-45f3-9130-24b2040bb1f6",
    "datumStatusGezet": "2019-10-14T04:56:48+02:00",
    "statustoelichting": "Test"
}

HTTP 201
...

Just for sanity reasons. We give it a Status of Statustype "Leeg" which is part of this Zaaktype!

Create a Rol (Roltype: Behandelaar)

POST /api/v1/rollen
Authorization: Bearer <TOKEN>
Content-Type: application/json

{
    "zaak": "https://zaken-api.vng.cloud/api/v1/zaken/7765c44d-528d-46d9-8589-4bb0a90819fe",
    "betrokkene": "",
    "betrokkeneType": "natuurlijk_persoon",
    "roltype": "https://catalogi-api.vng.cloud/api/v1/roltypen/e25850c8-8ae8-4b73-b000-5d22229dc70d",
    "omschrijving": "Aanvrager",
    "omschrijvingGeneriek": "initiator",
    "roltoelichting": "De melder van de Zaak",
    "betrokkeneIdentificatie": {
        "inpBsn": "900106505",
        "anpIdentificatie": "",
        "inpA_nummer": "",
        "geslachtsnaam": "",
        "voorvoegselGeslachtsnaam": "",
        "voorletters": "",
        "voornamen": "",
        "geslachtsaanduiding": "",
        "geboortedatum": "",
        "verblijfsadres": null,
        "subVerblijfBuitenland": null
    }
}

HTTP 201
...

We add a Betrokkene to the Zaak with Roltype "Behandelaar" which is part of this Zaaktype! If it's not part of this Zaaktype, you'll get an HTTP 400 error.

joeribekker commented 5 years ago

This might or might not be related but @bartjkdp indicated he got this response if he deletes the External API credentials.

{
    "type": "https://gemma-zrc.zgw.s-hertogenbosch.dev/ref/fouten/ValidationError/",
    "code": "invalid",
    "title": "Invalid input.",
    "status": 400,
    "detail": "",
    "instance": "urn:uuid:2691feac-e88b-4c05-8333-048177cdcc72",
    "invalidParams": [
        {
            "name": "roltype",
            "code": "bad-url",
            "reason": "De URL https://gemma-ztc.zgw.s-hertogenbosch.dev/api/v1/roltypen/8b8a05e8-9b2f-4b46-8b2f-a3e0ae8849c9 gaf als antwoord HTTP 403. Geef een geldige URL op."
        },
        {
            "name": "roltype",
            "code": "bad-url",
            "reason": "De URL https://gemma-ztc.zgw.s-hertogenbosch.dev/api/v1/roltypen/8b8a05e8-9b2f-4b46-8b2f-a3e0ae8849c9 gaf als antwoord HTTP 403. Geef een geldige URL op."
        }
    ]
}

Basically, the same error but twice. This might indicate that the validation is performed twice:

  1. With authentication
  2. Without authentication

Validation 2 fails even when External API credentials are configured. If External API credentials are not configured, both validation rules 1 and 2 fail. How and why validation is triggered twice is a mystery...
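
An added triage helper, not part of the original thread or the project's code: it extracts the upstream HTTP status from the `bad-url` reason text shown in the responses above and counts repeated entries, which is the signal that pointed to validation running twice. The sample response, host name and UUID are constructed, and the cause labels are this example's interpretation.

```python
import json
import re
from collections import Counter
from urllib.parse import urlsplit

# Reason text the ZRC returns when fetching a linked resource fails.
REASON_RE = re.compile(r"De URL\s+(?P<url>\S+)\s+gaf als antwoord HTTP (?P<status>\d{3})")

# Constructed sample modelled on the response above; host and UUID are placeholders.
_URL = "https://ztc.example.test/api/v1/roltypen/00000000-0000-0000-0000-000000000001"
_ENTRY = {"name": "roltype", "code": "bad-url",
          "reason": f"De URL {_URL} gaf als antwoord HTTP 403. Geef een geldige URL op."}
SAMPLE = json.dumps({"code": "invalid", "status": 400, "title": "Invalid input.",
                     "invalidParams": [_ENTRY, _ENTRY]})


def upstream_failures(error_body):
    """Count (param, url, upstream status) for each 'bad-url' validation entry."""
    hits = Counter()
    for param in json.loads(error_body).get("invalidParams") or []:
        match = REASON_RE.search(param.get("reason", ""))
        if param.get("code") == "bad-url" and match:
            hits[(param.get("name"), match["url"], int(match["status"]))] += 1
    return hits


def triage(error_body):
    """Separate service-to-service auth failures from plain bad links."""
    findings = []
    for (name, url, status), count in upstream_failures(error_body).items():
        # Cause labels are an assumption of this example, not project output.
        if status in (401, 403):
            cause = "upstream API refused the credentials used for the lookup"
        elif status == 404:
            cause = "linked resource does not exist"
        else:
            cause = "other upstream failure"
        findings.append({"param": name, "host": urlsplit(url).netloc,
                         "upstream_status": status, "cause": cause,
                         "times_reported": count})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A `times_reported` above 1 for the same parameter and URL means the same lookup was rejected more than once within a single request.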

joeribekker commented 5 years ago

We can't reproduce https://github.com/VNG-Realisatie/gemma-zaken/issues/1375#issuecomment-547966213 either.

I think there's something wrong with the setup but can't pinpoint it :/

bartjkdp commented 5 years ago

I will do some more debugging on the specific setup next week. The whole setup can be replicated by cloning this repository: https://gitlab.com/delta10/zgw-2 and running:

vagrant up

and performing the installation steps as described in the README.md.

Hugo-ter-Doest commented 4 years ago

Please reopen if the issue remains.