janus-ssp / janus

Fully featured metadata registration administration module built on top of simpleSAMLphp.

Janus REST API resets ACLs while updating metadata #587

Open baszoetekouw opened 9 years ago

baszoetekouw commented 9 years ago

When updating an existing entry in Janus using the new REST API to insert a new metadata field, Janus also resets the ACL.

For example:

[bas@miranda]~> curl -s -u user:pass 'https://serviceregistry.surfconext.nl/janus/app.php/api/connections/1981'|python -mjson.tool
{
    "allowAllEntities": false,
    "allowedConnections": [
        {
            "id": 384,
            "name": "http://adfs.amolf.nl/adfs/services/trust"
        },
        {
            "id": 994,
            "name": "http://sts.mumc.nl/adfs/services/trust"
        }
    ],
    "blockedConnections": [],
    "createdAtDate": "2015-03-04T14:22:14+0100",
    "disableConsentConnections": [],
    "id": 1981,
    "isActive": true,
    "metadata": {
        "AssertionConsumerService": [
            {
                "Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            }
        ],
        "NameIDFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
        "contacts": [
            {
                "contactType": "technical",
                "emailAddress": "bas@surfnet.nl"
            },
            {
                "contactType": "technical",
                "emailAddress": "bas@zoetekouw.net"
            },
            {
                "contactType": "technical"
            }
        ],
        "logo": [
            {
                "height": "60",
                "url": "https://.png",
                "width": "120"
            }
        ],
        "redirect": {
            "sign": false
        }
    },
    "name": "bazo:test",
    "parentRevisionNr": 1,
    "revisionNote": "No revision note",
    "revisionNr": 2,
    "state": "testaccepted",
    "type": "saml20-sp",
    "updatedAtDate": "2015-07-23T14:12:50+0200",
    "updatedByUserName": "urn:collab:person:surfnet.nl:bas",
    "updatedFromIp": "145.97.21.122"
}

Now, I try to change the redirect.sign setting:

[bas@miranda]~> echo '{"metadata":{"redirect":{"sign":true}}}' | curl -s -u user:pass -X PUT -H "Content-type: application/json" 'https://serviceregistry.surfconext.nl/janus/app.php/api/connections/1981' | python -m json.tool

I expect this to only change the redirect.sign setting. However, it also clears out the allowedConnections as if I had specified "allowedConnections": [].

This is the result of the above query:

{
    "allowAllEntities": false,
    "allowedConnections": [],
    "blockedConnections": [],
    "createdAtDate": "2015-03-04T14:22:14+0100",
    "disableConsentConnections": [],
    "id": 1981,
    "isActive": true,
    "metadata": {
        "AssertionConsumerService": [
            {
                "Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            }
        ],
        "NameIDFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
        "contacts": [
            {
                "contactType": "technical",
                "emailAddress": "bas@surfnet.nl"
            },
            {
                "contactType": "technical",
                "emailAddress": "bas@zoetekouw.net"
            },
            {
                "contactType": "technical"
            }
        ],
        "logo": [
            {
                "height": "60",
                "url": "https://.png",
                "width": "120"
            }
        ],
        "redirect": {
            "sign": true
        }
    },
    "name": "bazo:test",
    "parentRevisionNr": 3,
    "revisionNote": "No revision note",
    "revisionNr": 6,
    "state": "testaccepted",
    "type": "saml20-sp",
    "updatedAtDate": "2015-07-23T14:17:23+0200",
    "updatedByUserName": "engine",
    "updatedFromIp": "145.97.21.122"
}

baszoetekouw commented 9 years ago

The same holds for ARPs.

relaxnow commented 8 years ago

Yes, the API has PUT semantics, meaning that you have to give the entire document back. I'll look into accepting PATCH too.
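
An added example, not part of the issue thread or the Janus code base: a client-side read-modify-write that fits the PUT semantics described above. It merges the intended change into the document fetched with GET and checks that the ACL fields are unchanged before the body is sent. `deep_merge`, `build_put_body` and `acl_changes` are hypothetical helper names, the sample document is trimmed from the issue's GET output, and it is an assumption that the API accepts the merged GET document as a PUT body.

```python
import copy
import json

# Access-control fields visible in the issue's GET output.
ACL_FIELDS = ("allowAllEntities", "allowedConnections",
              "blockedConnections", "disableConsentConnections")


def deep_merge(base, change):
    """Return a copy of base with change applied; nested dicts merge, other values replace."""
    merged = copy.deepcopy(base)
    for key, value in change.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged


def build_put_body(current, change):
    """Full document to send with PUT: the fetched connection plus the intended change."""
    return deep_merge(current, change)


def acl_changes(before, after):
    """Map each ACL field whose value differs to its (before, after) pair."""
    return {f: (before.get(f), after.get(f))
            for f in ACL_FIELDS if before.get(f) != after.get(f)}


# Constructed sample, trimmed from the GET response shown in the issue.
CURRENT = {
    "allowAllEntities": False,
    "allowedConnections": [
        {"id": 384, "name": "http://adfs.amolf.nl/adfs/services/trust"},
        {"id": 994, "name": "http://sts.mumc.nl/adfs/services/trust"},
    ],
    "blockedConnections": [],
    "disableConsentConnections": [],
    "metadata": {"NameIDFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
                 "redirect": {"sign": False}},
}
CHANGE = {"metadata": {"redirect": {"sign": True}}}

if __name__ == "__main__":
    body = build_put_body(CURRENT, CHANGE)
    print(json.dumps(body, indent=2))   # full document to send as the PUT body
    print(acl_changes(CURRENT, body))   # an empty dict means the ACL is untouched
```

Running `acl_changes` on the GET output before the update and on the PUT response afterwards flags an ACL reset like the one reported in this issue.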