ging / fiware-idm

OAuth 2.0-based authentication of users and devices, user profile management, Single Sign-On (SSO) and Identity Federation across multiple administration domains.
https://keyrock-fiware.github.io
MIT License

Authzforce example? #8

Closed joansrios closed 6 years ago

joansrios commented 6 years ago

Hello, I deployed IDM, PEPproxy, Orion and Cygnus using this new version of IDM, but I could not deploy Authzforce in this version, nor in the previous version. Does someone have a guide?

I'm running IDM and PEPproxy using node.js and Orion, Cygnus and Authzforce in a docker container, but I need an explanation about the policies and roles, and the next step after configuring it and enabling it in PEP and IDM.

apozohue10 commented 6 years ago

Hi @RiosQ

In this link there is an application that uses the previous version of IdM, Pep Proxy, Orion and Authzforce. Maybe it helps you.

On the other hand, if you enable Authzforce in IdM and then create a role-permission assignment, the policies will be generated automatically in Authzforce. There are two levels of authorization: basic and advanced.

You can find a full explanation of how this works and the flows here. There are also some useful videos and explanations in the FIWARE academy: authzforce, pep proxy and idm.

joansrios commented 6 years ago

Hi @apozohue10, thanks. Now I'm focused on using basic authorization, so I created 2 roles and 2 permissions to access the Orion entities:

{
  "permission": {
    "name": "publish data",
    "action": "POST",
    "resource": "/v2/entities"
  }
}
{
  "permission": {
    "name": "get intities info",
    "action": "GET",
    "resource": "/v2/entities"
  }
}

Later I created 2 users, each with a different permission in the application, and ran Authzforce, but the application domain was not created automatically, presenting this error:

AZF domain not created for application ...

Any solutions?

apozohue10 commented 6 years ago

Have you created the role-permission assignment through the API? If so, you probably need to clone the repository again.

Until last week the automated domain creation in Authzforce was performed only via the web portal. Now it is available through the API too.

Regards

joansrios commented 6 years ago

No, I created the roles and permissions via API and the assignment via web app, because for example when you create a user using the web portal these are not enabled automatically and you need to enter the mysql database and change the enabled value to 1 (I don't know if this was corrected or if there is any reason for this). For that reason I thought it was more efficient to generate the roles and permissions via API, assign the permissions to the roles, assign these roles to the users and authorize the users to the App using the web app.

Then do you have any suggestion about the creation and assignment of roles and permissions, or do both methods now have the same support and efficiency?

PS: I'm using the latest PEPproxy and IDM versions in local mode and the Authzforce 5.4.1 version and the latest Orion and Cygnus versions in Docker, and the basic security without PDP authorizations works.

PS 2: the domain apparently was created now, thanks, but this is the answer for any user, independent of his roles:

User token not authorized

here you can see the permissions:

{
    "permissions": [
        {
            "id": "c5437dc3-d1c0-4c24-b3f1-a5491eae89ec",
            "name": "publish data",
            "description": null,
            "action": "POST",
            "resource": "v2/entities",
            "xml": null
        },
        {
            "id": "65d94820-f79a-48e5-8e32-877109c44549",
            "name": "get intities info",
            "description": null,
            "action": "GET",
            "resource": "v2/entities",
            "xml": null
        }
    ]
}

and the roles:

{
    "roles": [
        {
            "id": "32c58739-6f84-4361-9d79-519b7df09519",
            "name": "Nodo"
        },
        {
            "id": "0c3696ff-682a-467d-ba65-11ec98ecf405",
            "name": "espectador"
        }
    ]
}

and this is the answer when assigning the permission to a role:

{
    "role_permission_assignments": {
        "role_id": "0c3696ff-682a-467d-ba65-11ec98ecf405",
        "permission_id": "65d94820-f79a-48e5-8e32-877109c44549"
    },
    "authzforce": {
        "create_policy": {
            "message": " Success creating policy.",
            "status": 200
        },
        "activate_policy": {
            "message": "Success",
            "status": 200
        }
    }
}

and the users of the App:

{
    "role_user_assignments": [
        {
            "user_id": "admin",
            "role_id": "provider"
        },
        {
            "user_id": "8ad79c7e-4ee8-4b33-a5ef-151e48506c85",
            "role_id": "32c58739-6f84-4361-9d79-519b7df09519"
        },
        {
            "user_id": "bde0ec63-a9f6-4ee7-b8bc-3a61d5c28c6a",
            "role_id": "0c3696ff-682a-467d-ba65-11ec98ecf405"
        }
    ]
}

I generate the token for each user and then I make this request for each one (ignore the names, it's a test):

 curl --include  \
>      --header "X-Auth-token: (a token of admin, the GET permission-role user or the POST permission-role user)" \  # no matter aparently the role and the user
>   localhost/v2/entities/ 
HTTP/1.1 401 Unauthorized
X-Powered-By: Express
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: HEAD, POST, PUT, GET, OPTIONS, DELETE
Access-Control-Allow-Headers: origin, content-type, X-Auth-Token, Tenant-ID, Authorization
Content-Type: text/html; charset=utf-8
Content-Length: 25
ETag: W/"19-U/U0CHmrsJ4CrjloTI39k3sueE8"
Date: Fri, 04 May 2018 13:40:22 GMT
Connection: keep-alive

User token not authorized

This is the PEPproxy terminal:

2018-05-07 13:17:26.967  - ERROR: Root - Auth-token not found in request header
2018-05-07 13:17:32.982  - INFO: IDM-Client - Token in cache, checking timestamp...
2018-05-07 13:17:32.982  - INFO: AZF-Client - Checking auth with AZF...
2018-05-07 13:17:32.982  - INFO: AZF-Client - Checking authorization to roles [ '0c3696ff-682a-467d-ba65-11ec98ecf405' ] to do  GET  on  v2/entities/ and app  181e9a52-f223-4f67-98dd-a9b4602f4901
2018-05-07 13:17:32.982  - INFO: AZF-Client - Checking auth with AZF...
2018-05-07 13:17:32.993  - ERROR: Root - User access-token not authorized:  User not authorized in AZF for the given action and resource
2018-05-07 13:18:19.158  - INFO: IDM-Client - Checking token with IDM...
2018-05-07 13:18:19.204  - INFO: AZF-Client - Checking auth with AZF...
2018-05-07 13:18:19.204  - INFO: AZF-Client - Checking authorization to roles [] to do  GET  on  v2/entities/ and app  181e9a52-f223-4f67-98dd-a9b4602f4901
2018-05-07 13:18:19.205  - INFO: AZF-Client - Checking auth with AZF...
2018-05-07 13:18:19.212  - ERROR: Root - User access-token not authorized:  User not authorized in AZF for the given action and resource
2018-05-07 13:19:01.684  - INFO: IDM-Client - Checking token with IDM...
2018-05-07 13:19:01.710  - INFO: AZF-Client - Checking auth with AZF...
2018-05-07 13:19:01.710  - INFO: AZF-Client - Checking authorization to roles [ '32c58739-6f84-4361-9d79-519b7df09519' ] to do  GET  on  v2/entities/ and app  181e9a52-f223-4f67-98dd-a9b4602f4901
2018-05-07 13:19:01.710  - INFO: AZF-Client - Checking auth with AZF...
2018-05-07 13:19:01.720  - ERROR: Root - User access-token not authorized:  User not authorized in AZF for the given action and resource

and here is the App configurations:

PS: I tried creating everything using the API and later I tried using the web app, and nothing changed.

joansrios commented 6 years ago

@apozohue10, I'm really sorry for the spam, but this is the last configuration required to deploy my thesis project. Did I omit something, or do I have some configuration wrong?

apozohue10 commented 6 years ago

Hi @RiosQ

I think the problem is the compatibility of Pep Proxy with some versions of AuthZforce. We have made a little change in the Pep Proxy code. If you do not want to download the Pep Proxy code again, you need to edit the lib/azf.js file and substitute this line:

if (decision[0] === 'Permit') {

with:

if (decision[0].includes('Permit')) {

joansrios commented 6 years ago

Hi @apozohue10, do you recommend a specific version or to rebuild all again? Because the error persists:

2018-05-08 10:57:32.079  - INFO: IDM-Client - Checking token with IDM...
2018-05-08 10:57:32.188  - INFO: AZF-Client - Checking auth with AZF...
2018-05-08 10:57:32.188  - INFO: AZF-Client - Checking authorization to roles [ '0c3696ff-682a-467d-ba65-11ec98ecf405' ] to do  GET  on  v2/entities/ and app  181e9a52-f223-4f67-98dd-a9b4602f4901
2018-05-08 10:57:32.191  - INFO: AZF-Client - Checking auth with AZF...
2018-05-08 10:57:32.293  - ERROR: Root - User access-token not authorized:  User not authorized in AZF for the given action and resource
2018-05-08 10:58:50.726  - INFO: IDM-Client - Checking token with IDM...
2018-05-08 10:58:50.757  - INFO: AZF-Client - Checking auth with AZF...
2018-05-08 10:58:50.758  - INFO: AZF-Client - Checking authorization to roles [ '32c58739-6f84-4361-9d79-519b7df09519' ] to do  GET  on  v2/entities/ and app  181e9a52-f223-4f67-98dd-a9b4602f4901
2018-05-08 10:58:50.758  - INFO: AZF-Client - Checking auth with AZF...
2018-05-08 10:58:50.778  - ERROR: Root - User access-token not authorized:  User not authorized in AZF for the given action and resource
2018-05-08 10:59:38.265  - INFO: IDM-Client - Checking token with IDM...
2018-05-08 10:59:38.290  - INFO: AZF-Client - Checking auth with AZF...
2018-05-08 10:59:38.290  - INFO: AZF-Client - Checking authorization to roles [] to do  GET  on  v2/entities/ and app  181e9a52-f223-4f67-98dd-a9b4602f4901
2018-05-08 10:59:38.290  - INFO: AZF-Client - Checking auth with AZF...
2018-05-08 10:59:38.301  - ERROR: Root - User access-token not authorized:  User not authorized in AZF for the given action and resource

apozohue10 commented 6 years ago

The latest docker image of authzforce is unstable so we use version 5.4.1 and for Pep Proxy we use the latest version.

joansrios commented 6 years ago

@apozohue10 this is my docker file:

version: "2"
networks:
  fiware:
    driver: bridge
services:
  # Orion database
  mongodb:
    image: mongo:3.4.7
    hostname: mongodb
    container_name: mongodb
    expose:
      - "27017"
    ports:
      - "27017:27017"
    volumes:
      - "./data/db/mongodb:/data:rw"
    command: --smallfiles
    networks:
      - fiware
  # GE in charge of publication and subscription
  orion:
    image: fiware/orion:latest
    hostname: orion
    container_name: orion
    links:
      - mongodb
    expose:
      - "1026"
    ports:
      - "1026:1026"
    command: -dbhost mongodb
    networks:
      - fiware
  # GE in charge of data persistence
  cygnus:
    image: fiware/cygnus-ngsi:latest
    hostname: cygnus
    container_name: cygnus
    volumes:
      - "./config/cygnus/agent.conf:/opt/apache-flume/conf/agent.conf:rw"
      - "./config/cygnus/grouping_rules.conf:/opt/apache-flume/conf/grouping_rules.conf:rw"
    links:
      - orion
      - mysql-cygnus
    expose:
      - "5050"
      - "8081"
    ports:
      - "5050:5050"
      - "8081:8081"
    environment:
      - CYGNUS_MYSQL_HOST=mysql-cygnus
      - CYGNUS_MYSQL_PORT=3306
      - CYGNUS_MYSQL_USER=root
      - CYGNUS_MYSQL_PASS=fiware
      - CYGNUS_LOG_LEVEL=INFO
    networks:
      - fiware
  # Database for historical data
  mysql-cygnus:
    image: mysql:5.7.20
    hostname: mysql-cygnus
    container_name: mysql-cygnus
    expose:
      - "3366"
    ports:
      - "3366:3306"
    environment:
      - MYSQL_ROOT_PASSWORD=fiware
    volumes:
      - "./data/db/mysql:/var/lib/mysql:rw"
    networks:
      - fiware
  #=========================================================
  #======================== TESTING ========================
  authzforce:
    image: fiware/authzforce-ce-server:release-5.4.1
    hostname: authzforce
    container_name: authzforce
    expose:
      - "8080"
    ports:
      - "8080:8080"
    networks:
      - fiware

I'll try again, and if the error has no solution I'll discard the Authzforce deployment, thanks...

joansrios commented 6 years ago

Hi @apozohue10, I tried to deploy Authzforce again and I downloaded the latest IdM and PEPproxy repositories, then I used this python library IDM to automate the process and ran this:

import Fiware.IDM as IDM

idm_host = "http://localhost:3000"
proxy = "http://localhost"
IDM.deploy_app(idm_host, "admin@test.com", "1234")
tokens = [IDM.get_access_token(idm_host, "admin@test.com", "1234"),
          IDM.get_access_token(idm_host, "App@test.com", "App"),
          IDM.get_access_token(idm_host, "Nodo@test.com", "Nodo")]
for i in tokens:
    print(IDM.get_all_entities(proxy, i))

But it really does not work. I guess the permissions are not created correctly, and this problem is wasting me a lot of time.

/home/rios/Documents/Air2/Servidor/venv/bin/python /home/rios/Documents/Air2/Servidor/main.py
User token not authorized
User token not authorized
User token not authorized

Even in the previous version I had this issue too, without a solution: stack overflow. The PEPproxy console shows:

2018-05-09 11:01:44.297  - INFO: AZF-Client - Checking auth with AZF...
2018-05-09 11:01:44.310  - ERROR: Root - User access-token not authorized:  User not authorized in AZF for the given action and resource
2018-05-09 11:18:55.970  - INFO: IDM-Client - Checking token with IDM...
2018-05-09 11:18:55.995  - INFO: AZF-Client - Checking auth with AZF...
2018-05-09 11:18:55.996  - INFO: AZF-Client - Checking authorization to roles [] to do  GET  on  v2/entities/ and app  c93501a4-7946-4a58-8130-d0b054ce77a3
2018-05-09 11:18:55.996  - INFO: AZF-Client - Checking auth with AZF...
2018-05-09 11:18:56.005  - ERROR: Root - User access-token not authorized:  User not authorized in AZF for the given action and resource
2018-05-09 11:18:56.008  - INFO: IDM-Client - Checking token with IDM...
2018-05-09 11:18:56.032  - INFO: AZF-Client - Checking auth with AZF...
2018-05-09 11:18:56.032  - INFO: AZF-Client - Checking authorization to roles [ '87a1f28f-469e-4c89-8ac4-bfedb89e570a' ] to do  GET  on  v2/entities/ and app  c93501a4-7946-4a58-8130-d0b054ce77a3
2018-05-09 11:18:56.032  - INFO: AZF-Client - Checking auth with AZF...
2018-05-09 11:18:56.040  - ERROR: Root - User access-token not authorized:  User not authorized in AZF for the given action and resource
2018-05-09 11:18:56.046  - INFO: IDM-Client - Checking token with IDM...
2018-05-09 11:18:56.070  - INFO: AZF-Client - Checking auth with AZF...
2018-05-09 11:18:56.070  - INFO: AZF-Client - Checking authorization to roles [ '988f12c5-c7cd-4ef5-abfa-996811cebb80' ] to do  GET  on  v2/entities/ and app  c93501a4-7946-4a58-8130-d0b054ce77a3
2018-05-09 11:18:56.071  - INFO: AZF-Client - Checking auth with AZF...
2018-05-09 11:18:56.079  - ERROR: Root - User access-token not authorized:  User not authorized in AZF for the given action and resource

apozohue10 commented 6 years ago

Hi @RiosQ, I think you have created all elements successfully, but I think the problem is when making a request to Pep Proxy. For example, I see in your Pep Proxy logs that it is checking authorization with Authzforce to access:

v2/entities/

But when you create the permission the resource is:

v2/entities

Try to delete the trailing slash of the path when making the request to Pep Proxy. I think this should solve the problem.

joansrios commented 6 years ago

@apozohue10, I tried and nothing changed.

apozohue10 commented 6 years ago

Hi @RiosQ, in the Pep Proxy directory change this line in log_config.json:

"AZF-Client": "INFO",

to:

"AZF-Client": "DEBUG",

After that, run Pep Proxy and write here the output of the Pep Proxy console when you send requests to it. In this way we can see more information when Pep Proxy sends requests to Authzforce.

joansrios commented 6 years ago

Admin User:

2018-05-11 07:58:04.435  - INFO: Server - Starting PEP proxy in port 80. IdM authentication ...
2018-05-11 07:58:04.538  - INFO: Server - Success authenticating PEP proxy. Proxy Auth-token:  953742bf-eced-41c8-8e13-1f2303a1df66
2018-05-11 07:58:09.534  - INFO: IDM-Client - Checking token with IDM...
2018-05-11 07:58:09.568  - INFO: AZF-Client - Checking auth with AZF...
2018-05-11 07:58:09.568  - INFO: AZF-Client - Checking authorization to roles [] to do  GET  on  v2/entities/ and app  30f38b53-842b-4d7a-8dd3-0c54774b842e
2018-05-11 07:58:09.570  - DEBUG: AZF-Client - XML:  <?xml version="1.0" encoding="UTF-8" standalone="yes"?><Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false"><Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"></Attributes><Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">30f38b53-842b-4d7a-8dd3-0c54774b842e</AttributeValue></Attribute><Attribute AttributeId="urn:thales:xacml:2.0:resource:sub-resource-id" IncludeInResult="false"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">v2/entities/</AttributeValue></Attribute></Attributes><Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue></Attribute></Attributes><Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"></Attributes></Request>
2018-05-11 07:58:09.570  - INFO: AZF-Client - Checking auth with AZF...
2018-05-11 07:58:09.585  - DEBUG: AZF-Client - AZF response status:  200
2018-05-11 07:58:09.585  - DEBUG: AZF-Client - AZF response:  <?xml version="1.0" encoding="UTF-8" standalone="yes"?><Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns2="http://authzforce.github.io/core/xmlns/pdp/5.0" xmlns:ns3="http://www.w3.org/2005/Atom" xmlns:ns4="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:ns5="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6"><Result><Decision>Deny</Decision></Result></Response>
2018-05-11 07:58:09.595  - DEBUG: AZF-Client - AZF response parsing result (JSON):  { Response: 
   { '$': 
      { xmlns: 'urn:oasis:names:tc:xacml:3.0:core:schema:wd-17',
        'xmlns:ns2': 'http://authzforce.github.io/core/xmlns/pdp/5.0',
        'xmlns:ns3': 'http://www.w3.org/2005/Atom',
        'xmlns:ns4': 'http://authzforce.github.io/rest-api-model/xmlns/authz/5',
        'xmlns:ns5': 'http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6' },
     Result: [ [Object] ] } }
2018-05-11 07:58:09.606  - DEBUG: AZF-Client - AZF response parsing error ('null' means no error):  null
2018-05-11 07:58:09.606  - DEBUG: AZF-Client - Decision:  Deny
2018-05-11 07:58:09.607  - ERROR: Root - User access-token not authorized:  User not authorized in AZF for the given action and resource

User with POST permission:

2018-05-11 07:59:24.059  - INFO: IDM-Client - Checking token with IDM...
2018-05-11 07:59:24.134  - INFO: AZF-Client - Checking auth with AZF...
2018-05-11 07:59:24.134  - INFO: AZF-Client - Checking authorization to roles [ '9cdc8353-9a88-4f78-b561-6af6bb1c68b0' ] to do  GET  on  v2/entities/ and app  30f38b53-842b-4d7a-8dd3-0c54774b842e
2018-05-11 07:59:24.136  - DEBUG: AZF-Client - XML:  <?xml version="1.0" encoding="UTF-8" standalone="yes"?><Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false"><Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"><Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" IncludeInResult="false"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">9cdc8353-9a88-4f78-b561-6af6bb1c68b0</AttributeValue></Attribute></Attributes><Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">30f38b53-842b-4d7a-8dd3-0c54774b842e</AttributeValue></Attribute><Attribute AttributeId="urn:thales:xacml:2.0:resource:sub-resource-id" IncludeInResult="false"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">v2/entities/</AttributeValue></Attribute></Attributes><Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue></Attribute></Attributes><Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"></Attributes></Request>
2018-05-11 07:59:24.136  - INFO: AZF-Client - Checking auth with AZF...
2018-05-11 07:59:24.153  - DEBUG: AZF-Client - AZF response status:  200
2018-05-11 07:59:24.153  - DEBUG: AZF-Client - AZF response:  <?xml version="1.0" encoding="UTF-8" standalone="yes"?><Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns2="http://authzforce.github.io/core/xmlns/pdp/5.0" xmlns:ns3="http://www.w3.org/2005/Atom" xmlns:ns4="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:ns5="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6"><Result><Decision>Deny</Decision></Result></Response>
2018-05-11 07:59:24.161  - DEBUG: AZF-Client - AZF response parsing result (JSON):  { Response: 
   { '$': 
      { xmlns: 'urn:oasis:names:tc:xacml:3.0:core:schema:wd-17',
        'xmlns:ns2': 'http://authzforce.github.io/core/xmlns/pdp/5.0',
        'xmlns:ns3': 'http://www.w3.org/2005/Atom',
        'xmlns:ns4': 'http://authzforce.github.io/rest-api-model/xmlns/authz/5',
        'xmlns:ns5': 'http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6' },
     Result: [ [Object] ] } }
2018-05-11 07:59:24.176  - DEBUG: AZF-Client - AZF response parsing error ('null' means no error):  null
2018-05-11 07:59:24.177  - DEBUG: AZF-Client - Decision:  Deny
2018-05-11 07:59:24.177  - ERROR: Root - User access-token not authorized:  User not authorized in AZF for the given action and resource

User with GET permission:

2018-05-11 07:54:45.025  - INFO: Server - Starting PEP proxy in port 80. IdM authentication ...
2018-05-11 07:54:45.144  - INFO: Server - Success authenticating PEP proxy. Proxy Auth-token:  c1ca28d4-3b99-48cd-a1bf-8011d0da1ed9
2018-05-11 07:55:33.772  - INFO: IDM-Client - Checking token with IDM...
2018-05-11 07:55:33.818  - INFO: AZF-Client - Checking auth with AZF...
2018-05-11 07:55:33.818  - INFO: AZF-Client - Checking authorization to roles [ '7ddeadf2-40c2-49cc-9b8c-7e39aa7be7d3' ] to do  GET  on  v2/entities/ and app  30f38b53-842b-4d7a-8dd3-0c54774b842e
2018-05-11 07:55:33.821  - DEBUG: AZF-Client - XML:  <?xml version="1.0" encoding="UTF-8" standalone="yes"?><Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false"><Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"><Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" IncludeInResult="false"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">7ddeadf2-40c2-49cc-9b8c-7e39aa7be7d3</AttributeValue></Attribute></Attributes><Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">30f38b53-842b-4d7a-8dd3-0c54774b842e</AttributeValue></Attribute><Attribute AttributeId="urn:thales:xacml:2.0:resource:sub-resource-id" IncludeInResult="false"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">v2/entities/</AttributeValue></Attribute></Attributes><Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue></Attribute></Attributes><Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"></Attributes></Request>
2018-05-11 07:55:33.821  - INFO: AZF-Client - Checking auth with AZF...
2018-05-11 07:55:33.836  - DEBUG: AZF-Client - AZF response status:  200
2018-05-11 07:55:33.837  - DEBUG: AZF-Client - AZF response:  <?xml version="1.0" encoding="UTF-8" standalone="yes"?><Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns2="http://authzforce.github.io/core/xmlns/pdp/5.0" xmlns:ns3="http://www.w3.org/2005/Atom" xmlns:ns4="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:ns5="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6"><Result><Decision>Permit</Decision></Result></Response>
2018-05-11 07:55:33.846  - DEBUG: AZF-Client - AZF response parsing result (JSON):  { Response: 
   { '$': 
      { xmlns: 'urn:oasis:names:tc:xacml:3.0:core:schema:wd-17',
        'xmlns:ns2': 'http://authzforce.github.io/core/xmlns/pdp/5.0',
        'xmlns:ns3': 'http://www.w3.org/2005/Atom',
        'xmlns:ns4': 'http://authzforce.github.io/rest-api-model/xmlns/authz/5',
        'xmlns:ns5': 'http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6' },
     Result: [ [Object] ] } }
2018-05-11 07:55:33.860  - DEBUG: AZF-Client - AZF response parsing error ('null' means no error):  null
2018-05-11 07:55:33.861  - DEBUG: AZF-Client - Decision:  Permit
2018-05-11 07:55:33.861  - ERROR: Root - User access-token not authorized:  User not authorized in AZF for the given action and resource

@apozohue10 Hallelujah, I changed this in the azf.js file:

            log.debug('Decision: ', decision);
            log.debug('Decision[0]: ', decision[0]);

            //if (decision[0].includes('Permit')) {
            if (decision == 'Permit') {
                success();
            } else {
                error(401, 'User not authorized in AZF for the given action and resource');
            }
        }, error);
    };

and as you can see this is the debug output of the user with GET permission:

2018-05-11 08:20:32.523  - INFO: IDM-Client - Checking token with IDM...
2018-05-11 08:20:32.596  - INFO: AZF-Client - Checking auth with AZF...
2018-05-11 08:20:32.597  - INFO: AZF-Client - Checking authorization to roles [ '7ddeadf2-40c2-49cc-9b8c-7e39aa7be7d3' ] to do  GET  on  v2/entities/ and app  30f38b53-842b-4d7a-8dd3-0c54774b842e
2018-05-11 08:20:32.600  - DEBUG: AZF-Client - XML:  <?xml version="1.0" encoding="UTF-8" standalone="yes"?><Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false"><Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"><Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" IncludeInResult="false"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">7ddeadf2-40c2-49cc-9b8c-7e39aa7be7d3</AttributeValue></Attribute></Attributes><Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">30f38b53-842b-4d7a-8dd3-0c54774b842e</AttributeValue></Attribute><Attribute AttributeId="urn:thales:xacml:2.0:resource:sub-resource-id" IncludeInResult="false"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">v2/entities/</AttributeValue></Attribute></Attributes><Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue></Attribute></Attributes><Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"></Attributes></Request>
2018-05-11 08:20:32.600  - INFO: AZF-Client - Checking auth with AZF...
2018-05-11 08:20:32.705  - DEBUG: AZF-Client - AZF response status:  200
2018-05-11 08:20:32.706  - DEBUG: AZF-Client - AZF response:  <?xml version="1.0" encoding="UTF-8" standalone="yes"?><ns3:Response xmlns="http://authzforce.github.io/core/xmlns/pdp/5.0" xmlns:ns2="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:ns3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns4="http://www.w3.org/2005/Atom" xmlns:ns5="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6"><ns3:Result><ns3:Decision>Permit</ns3:Decision></ns3:Result></ns3:Response>
2018-05-11 08:20:32.712  - DEBUG: AZF-Client - AZF response parsing result (JSON):  { Response: 
   { '$': 
      { xmlns: 'http://authzforce.github.io/core/xmlns/pdp/5.0',
        'xmlns:ns2': 'http://authzforce.github.io/rest-api-model/xmlns/authz/5',
        'xmlns:ns3': 'urn:oasis:names:tc:xacml:3.0:core:schema:wd-17',
        'xmlns:ns4': 'http://www.w3.org/2005/Atom',
        'xmlns:ns5': 'http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6' },
     Result: [ [Object] ] } }
2018-05-11 08:20:32.724  - DEBUG: AZF-Client - AZF response parsing error ('null' means no error):  null
2018-05-11 08:20:32.725  - DEBUG: AZF-Client - Decision:  Permit
2018-05-11 08:20:32.725  - DEBUG: AZF-Client - Decision[0]:  P
2018-05-11 08:20:32.725  - INFO: Root - Access-token OK. Redirecting to app...
Refused to set unsafe header "accept-encoding"

the answer to the request for each user:

/home/rios/Documents/Air2/Servidor/venv/bin/python /home/rios/Documents/Air2/Servidor/main.py
User token not authorized
[]
User token not authorized

Process finished with exit code 0

Thanks for everything, but I have a last question: are the XACML permissions able to authorize access based on a specific header value like 'Fiware-ServicePath': 'test' or other features like this, and can the IoT agents have roles in the application?
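The debug output above shows why both `decision[0] === 'Permit'` (the original azf.js line), the suggested `decision[0].includes('Permit')`, and the loose `decision == 'Permit'` are fragile: depending on how the XML-to-JSON layer shapes the result, `decision` is sometimes the string `'Permit'` (so `decision[0]` is just `'P'`) and sometimes an array, and the AuthzForce response may carry the XACML elements with or without an `ns3:` prefix. The following is an added example written for this thread, not Pep Proxy or AuthzForce code: it extracts the `Decision` elements from the two response shapes seen in the log (constructed copies, with the namespace declarations trimmed), normalises string or array results, and fails closed, authorizing only when exactly one result says exactly `Permit`. The regex-based extraction stands in for the proxy's real XML parser and is an assumption of this example.

```javascript
// Constructed XACML 3.0 responses modelled on the two forms in the PEP debug log:
// the un-prefixed form (first run) and the ns3:-prefixed form (after the change).
const RESPONSE_PLAIN =
  '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>' +
  '<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">' +
  '<Result><Decision>Deny</Decision></Result></Response>';

const RESPONSE_PREFIXED =
  '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>' +
  '<ns3:Response xmlns:ns3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">' +
  '<ns3:Result><ns3:Decision>Permit</ns3:Decision></ns3:Result></ns3:Response>';

// Collect every <Decision> text value, whatever namespace prefix the element
// carries. Returns an array (possibly empty) so the caller never has to guess
// whether it is holding a string or a list.
function extractDecisions(xml) {
  const re = /<(?:[A-Za-z0-9_]+:)?Decision\b[^>]*>\s*([^<]*?)\s*<\/(?:[A-Za-z0-9_]+:)?Decision>/g;
  const found = [];
  let m;
  while ((m = re.exec(xml)) !== null) {
    found.push(m[1]);
  }
  return found;
}

// Normalise the shapes an XML-to-JSON layer can hand back:
//   'Permit'            -> ['Permit']
//   ['Permit']          -> ['Permit']
//   [{ _: 'Permit' }]   -> ['[object Object]']  (unrecognised -> will be denied)
// Indexing a string with [0] yields its first character, which is the trap
// that made 'P'.includes('Permit') evaluate to false in the thread above.
function toDecisionList(decision) {
  if (typeof decision === 'string') {
    return [decision];
  }
  if (Array.isArray(decision)) {
    return decision.map((d) => (typeof d === 'string' ? d : String(d)));
  }
  return [];
}

// Fail-closed policy decision: exactly one result, and it is exactly 'Permit'.
// 'Deny', 'NotApplicable', 'Indeterminate', an empty list, a malformed value or
// several results (which the PEP did not ask for: CombinedDecision="false")
// all deny. Strict equality avoids the array-to-string coercion that makes
// ['Permit'] == 'Permit' true only by accident.
function isPermitted(decision) {
  const list = toDecisionList(decision);
  return list.length === 1 && list[0] === 'Permit';
}

// End-to-end: raw AuthzForce response body -> boolean.
function decideFromXml(xml) {
  return isPermitted(extractDecisions(xml));
}

// Stand-alone demonstration on the constructed responses.
console.log('plain   ->', decideFromXml(RESPONSE_PLAIN));     // false (Deny)
console.log('prefixed->', decideFromXml(RESPONSE_PREFIXED));  // true  (Permit)
```

The point for a PEP is that a parsing quirk must only ever produce a deny: with the shape-normalising step in front of the comparison, a changed namespace prefix or a different parser output cannot flip a Deny into a Permit, and a genuine Permit is recognised regardless of whether it arrives as a string or a single-element array.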

apozohue10 commented 6 years ago

Including headers like that should not affect authorization flows. The Pep Proxy just redirects requests once it has checked permissions with Authzforce. Right now IoT agents can only authenticate. We want to add the functionality of giving roles to IoT agents in coming releases.