bondy-io / bondy

Bondy is an open source, always-on and scalable application networking platform connecting all elements of a distributed application—offering service and event mesh capabilities combined. Bondy implements the open Web Application Messaging Protocol (WAMP) and is written in Erlang.
https://www.bondy.io
Apache License 2.0

Cannot add a user to an authentication source of a realm #20

Closed Jopie01 closed 1 year ago

Jopie01 commented 1 year ago

Background: I want to add a new user through the http-api on port 18081. I'm using Postman for that (local install).

I'm able to add a user to a realm with a password or cryptosign key and add it to a group. But when I try to log in I always get the message

```
ClientSession left: CloseDetails(reason=<wamp.error.not_auth_method>, message='The requested authentication methods are not available for this user on this realm.')
```

Looking at my default security_config.json I find a section called sources where the different authentication methods are defined and usernames linked to an authentication method. For cryptosign, I have to add the new user to the list of usernames. I cannot get sources through the api and I don't know how to add the new user. Also it's nowhere in the documentation and not specified in https://github.com/bondy-io/bondy/blob/develop/apps/bondy/priv/specs/bondy_admin_api.json

So the question is, how can this be done in a running Bondy instance?

aramallo commented 1 year ago

Hi @Jopie01 you are correct.

The issue is that not all Admin WAMP Procedures are exposed via the Admin HTTP API right now.

Just to check, for a user in your realm to be able to authenticate using a particular method, you need:

  1. The realm to have the method listed in its authmethods property
  2. The realm to have a sources rule where usernames is the string all or is a list of usernames which includes the user.

We are currently working on implementing and documenting all the HTTP API (I added Issue #21 to track this activity).

In the meantime, you can operate on your Realm's sources using the WAMP API, please check the docs for bondy.source.add.

You could use Wick as you would use cURL to call that procedure 😄.

For example, to allow myusername to authenticate into com.myrealm using password when connecting from any network, you would use:

```bash
./wick --url ws://localhost:18081/ws \
--realm com.leapsight.bondy \
call bondy.source.add \
"com.myrealm" \
'{
    "usernames":["myusername"],
    "authmethod":"password",
    "cidr":"0.0.0.0/0"
}' | jq
```

aramallo commented 1 year ago

@Jopie01 there is another option via HTTP.

You can use the (undocumented) /services/call HTTP API


```bash
curl -X "POST" "http://localhost:18081/services/call" \
     -H 'Content-Type: application/json; charset=utf-8' \
     -H 'Accept: application/json; charset=utf-8' \
     -d $'{
  "procedure": "bondy.source.add",
  "arguments": [
    "com.myrealm",
    {
      "usernames": ["myusername"],
      "authmethod": "password",
      "cidr": "0.0.0.0/0"
    }
  ],
  "options": {},
  "arguments_kw": {}
}'
```

Jopie01 commented 1 year ago

@aramallo Thanks for the answer. I already have a running instance of Bondy with two users, but these are configured in the security_config.json and that works well. But now I want to add a third user which I want to add through the api.

When I execute

```bash
curl -X "POST" "http://localhost:18081/services/call" \
     -H 'Content-Type: application/json; charset=utf-8' \
     -H 'Accept: application/json; charset=utf-8' \
     -d $'{
  "procedure": "bondy.source.add",
  "arguments": [
    "com.example.realm",
    {
      "usernames": ["client1", "client2", "client3"],
      "authmethod": "cryptosign",
      "cidr": "0.0.0.0/0"
    }
  ],
  "options": {},
  "arguments_kw": {}
}'
```

I get this error back:

```json
{
    "code": "bondy.error.http_gateway.invalid_expression",
    "description": "This might be due to an error in the action expression (mops) itself or as a result of a key missing in the response to a gateway action (WAMP or HTTP call).",
    "message": "There is no value for path 'requestbodyargs' in the HTTP Request context."
}
```

Just to mention that I want to add "client3" as the new user. The other two users are already there. I don't know if it is enough to only send the new user and that Bondy will take care to add the new user to the already existing list of usernames.

aramallo commented 1 year ago

Arggg. Sorry @Jopie01 my bad, I was using an old snippet.

Can you try with the following?

```bash
curl -X "POST" "http://localhost:18081/services/call" \
     -H 'Content-Type: application/json; charset=utf-8' \
     -H 'Accept: application/json; charset=utf-8' \
     -d $'{
  "procedure": "bondy.source.add",
  "options": {},
  "args": [
    "com.example.realm",
    {
      "usernames": ["client1", "client2", "client3"],
      "authmethod": "cryptosign",
      "cidr": "0.0.0.0/0"
    }
  ],
  "kwargs": {}
}'
```

args instead of arguments and kwargs instead of arguments_kw.

aramallo commented 1 year ago

Re your question:

> The other two users are already there. I don't know if it is enough to only send the new user and that Bondy will take care to add the new user to the already existing list of usernames.

Yes, you could just send the request with "usernames": ["client3"], as internally this will create a separate record per user (the other two users are already there).

Jopie01 commented 1 year ago

@aramallo, thanks for the answers. Everything now works perfectly! Also the Wick one works.
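
Added example (not part of the thread and not Bondy's own code): a Python check of the two conditions aramallo lists for a user to authenticate with a method, plus a builder for the corrected /services/call body that uses args/kwargs. The REALM sample is constructed and uses only the fields named in this thread; the function names, the sample addresses, and the assumption that cidr is matched against the client's address are illustrative.

```python
import ipaddress

# Constructed sample realm; only the fields named in this thread are used
# (authmethods, sources[].usernames / authmethod / cidr).
REALM = {
    "uri": "com.example.realm",
    "authmethods": ["cryptosign", "password"],
    "sources": [
        {"usernames": ["client1", "client2"], "authmethod": "cryptosign",
         "cidr": "0.0.0.0/0"},
        {"usernames": "all", "authmethod": "password", "cidr": "10.0.0.0/8"},
    ],
}


def auth_method_problems(realm, username, method, peer_ip):
    """Return the reasons `username` cannot use `method` from `peer_ip`."""
    problems = []
    if method not in realm.get("authmethods", []):
        problems.append("method not in realm authmethods")
    peer = ipaddress.ip_address(peer_ip)
    for src in realm.get("sources", []):
        if src["authmethod"] != method:
            continue
        names = src["usernames"]
        if names != "all" and username not in names:
            continue
        # Assumption: the rule's cidr is compared with the client's address.
        if peer in ipaddress.ip_network(src["cidr"]):
            break  # a sources rule covers this user, method and address
    else:
        problems.append("no sources rule for this user, method and address")
    return problems


def source_add_body(realm_uri, usernames, method, cidr):
    """Build the /services/call body with the args/kwargs keys."""
    net = ipaddress.ip_network(cidr)  # ValueError on a malformed CIDR
    return {
        "procedure": "bondy.source.add",
        "options": {},
        "args": [realm_uri, {"usernames": list(usernames),
                             "authmethod": method, "cidr": str(net)}],
        "kwargs": {},
    }
```

Calling `auth_method_problems(REALM, "client3", "cryptosign", "192.0.2.10")` reports the missing sources rule behind `wamp.error.not_auth_method`; `source_add_body(REALM["uri"], ["client3"], "cryptosign", "192.0.2.0/24")` then gives the request body, here scoped to a constructed documentation range rather than `0.0.0.0/0`.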