ging / fiware-idm

OAuth 2.0-based authentication of users and devices, user profile management, Single Sign-On (SSO) and Identity Federation across multiple administration domains.
https://keyrock-fiware.github.io
MIT License

Update an XACML Permission #307

Closed jason-fox closed 1 year ago

jason-fox commented 1 year ago

Related https://github.com/FIWARE/tutorials.Administrating-XACML/issues/7

The only way to use the API to update an XACML rule is to include dummy values as follows:

{
  "permission": {
    "action": "",
    "resource": "",
+   "use_authorization_service_header": false,
+   "authorization_service_header": " ",
    "xml": "..."
  }
}

The relevant logic is here in permission.js - there is a difference between check_create_body_request() and check_update_body_request()

check_update_body_request() - NOT GOOD

if (permission.use_authorization_service_header) {
  if (typeof permission.use_authorization_service_header !== 'boolean') {
    reject(bad_request('use_authorization_service_header attribute must be a boolean'));
  }
} else if (!permission.authorization_service_header) {
  reject(bad_request('if use_authorization_service_header is set, authorization_service_header needs to be set'));
}

check_create_body_request() - GOOD

if (permission.use_authorization_service_header) {
  if (typeof permission.use_authorization_service_header !== 'boolean') {
    reject(bad_request('use_authorization_service_header attribute must be a boolean'));
  }
  if (!permission.authorization_service_header) {
    reject(bad_request('if use_authorization_service_header is set, authorization_service_header needs to be set'));
  }
} else if (permission.authorization_service_header) {
  reject(bad_request('if authorization_service_header is set, use_authorization_service_header needs to be set'));
}

I believe this difference is incorrect. !check_create_body_request() in line 404 is checking for any falsy value even if permission.use_authorization_service_header is false - shouldn't the logic here align with the create function?
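The two validators quoted above, side by side on the same request bodies, as an added example that is not code from the fiware-idm project. Both checks are recast as pure functions that return an error message (or `null` when the body passes) in place of `reject(bad_request(...))`; the function names, the sample bodies and the header name `X-Auth` are constructed for the example. Beyond the dummy-value workaround in the issue, it also shows a body the reported update check lets through that the create check would stop: `use_authorization_service_header: true` with no header at all, so the stored permission would claim to use an authorization header it never names.

```javascript
// Added example, not code from the fiware-idm project: the two validators quoted
// in the issue, recast as pure functions that return an error message (or null)
// instead of calling reject(bad_request(...)), so their behaviour can be compared.

const ERR_BOOL = 'use_authorization_service_header attribute must be a boolean';
const ERR_NEED_HEADER =
  'if use_authorization_service_header is set, authorization_service_header needs to be set';
const ERR_NEED_FLAG =
  'if authorization_service_header is set, use_authorization_service_header needs to be set';

// Mirrors check_update_body_request() as quoted in the issue (the "NOT GOOD" version).
function checkUpdateBodyAsReported(permission) {
  if (permission.use_authorization_service_header) {
    if (typeof permission.use_authorization_service_header !== 'boolean') {
      return ERR_BOOL;
    }
    // A truthy flag with no header is accepted here: nothing checks the header.
  } else if (!permission.authorization_service_header) {
    // Reached for every body whose flag is false or absent, so a plain XACML
    // update that carries no header is always rejected. Hence the dummy values.
    return ERR_NEED_HEADER;
  }
  return null;
}

// Mirrors check_create_body_request(), the logic the issue asks the update path
// to adopt. Early returns stand in for the double reject() calls in the original.
function checkBodyAligned(permission) {
  if (permission.use_authorization_service_header) {
    if (typeof permission.use_authorization_service_header !== 'boolean') {
      return ERR_BOOL;
    }
    if (!permission.authorization_service_header) {
      return ERR_NEED_HEADER;
    }
  } else if (permission.authorization_service_header) {
    return ERR_NEED_FLAG;
  }
  return null;
}

// Constructed request bodies; the xml value is a placeholder, not a real policy.
const SAMPLE_BODIES = {
  xmlOnly: { action: '', resource: '', xml: '<Policy/>' },
  workaround: {
    action: '',
    resource: '',
    use_authorization_service_header: false,
    authorization_service_header: ' ',
    xml: '<Policy/>',
  },
  headerWithFlag: {
    use_authorization_service_header: true,
    authorization_service_header: 'X-Auth',
    xml: '<Policy/>',
  },
  flagWithoutHeader: { use_authorization_service_header: true, xml: '<Policy/>' },
  headerWithoutFlag: { authorization_service_header: 'X-Auth', xml: '<Policy/>' },
  flagAsString: {
    use_authorization_service_header: 'true',
    authorization_service_header: 'X-Auth',
    xml: '<Policy/>',
  },
};

// Run both validators over every sample and return the verdicts side by side.
function compareValidators(bodies = SAMPLE_BODIES) {
  const out = {};
  for (const [name, body] of Object.entries(bodies)) {
    out[name] = {
      asReported: checkUpdateBodyAsReported(body),
      aligned: checkBodyAligned(body),
    };
  }
  return out;
}

// Names of the bodies on which one validator accepts and the other rejects.
function disagreements(bodies = SAMPLE_BODIES) {
  return Object.entries(compareValidators(bodies))
    .filter(([, v]) => (v.asReported === null) !== (v.aligned === null))
    .map(([name]) => name);
}

console.log(JSON.stringify(compareValidators(), null, 2));
console.log('disagreements:', disagreements());
```

Running it, the reported update check rejects `xmlOnly` and accepts `workaround`, `flagWithoutHeader` and `headerWithoutFlag`; the aligned check does the opposite on all four. Note that the aligned check also rejects the workaround body itself, because a non-empty `authorization_service_header` with the flag set to `false` is exactly the "header set, flag not set" case it guards against, so once the update path is aligned the dummy values are neither needed nor allowed. Both versions only type-check the flag when it is truthy, so a falsy non-boolean such as `0` passes either check unnoticed.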

apozohue10 commented 1 year ago

Hi jason,

Yes, you are right. I have already fixed the issue using the same logic in check_update_body_request.

BR