search

janus-ssp / janus

Fully featured metadata registration administration module built on top of simpleSAMLphp.
Other
13 stars 8 forks source link

Switching to a different authsource breaks the push API #625

Open pmeulen opened 6 years ago

pmeulen commented 6 years ago

The push API is used to push a configuration to OpenConext-engineblock.

When using the push API (i.e. the post to /janus/app.php/api/remotes/test/pushes.json) you get an error in the janus log:

app.WARNING: Ssp Firewall: failed:Authsource 'default-sp' is invalid [] []
request.ERROR: Uncaught PHP Exception Symfony\Component\HttpKernel\Exception\HttpException: "You are not authenticated" at /opt/openconext/OpenConext-serviceregistry-1.23.1/simplesamlphp-1.14.14/modules/janus/vendor/friendsofsymfony/rest-bundle/FOS/RestBundle/EventListener/AccessDeniedListener.php line 77 {"exception":"[object] (Symfony\\Component\\HttpKernel\\Exception\\HttpException(code: 0): You are not authenticated at /opt/openconext/OpenConext-serviceregistry-1.23.1/simplesamlphp-1.14.14/modules/janus/vendor/friendsofsymfony/rest-bundle/FOS/RestBundle/EventListener/AccessDeniedListener.php:77, Symfony\\Component\\Security\\Core\\Exception\\AuthenticationCredentialsNotFoundException(code: 0): A Token was not found in the SecurityContext. at /opt/openconext/OpenConext-serviceregistry-1.23.1/simplesamlphp-1.14.14/modules/janus/vendor/symfony/symfony/src/Symfony/Component/Security/Http/Firewall/AccessListener.php:53)"} []

The problem is that in https://github.com/janus-ssp/janus/blob/develop/src/Janus/ServiceRegistry/Security/Authentication/Provider/SspProvider.php authenticationType and userIdAttributeName are not set to the correct values. They should have been set to the values from modules/janus/app/config/config_janus_core.yml which contains:

janus_service_registry_core:
    admin:
        name: SURFconext
        email: help@surfconext.nl
#    auth: default-sp
#    useridattr: NameID
    auth: login-admin
    useridattr: user
    user:
        autocreate: true
...

When hard-coding the correct values in src/Janus/ServiceRegistry/Security/Authentication/Provider/SspProvider.php, push works as expected. E.g.:

public function authenticate(TokenInterface $token)
    {
        /** @var string $authenticationType */
        $authenticationType = $this->config->getValue('auth', 'login-admin');
        $authenticationType = 'login-admin';

        if (php_sapi_name() === 'cli') {
            return $this->getTokenForUsername($authenticationType);
        }

        $as = new \SimpleSAML_Auth_Simple($authenticationType);
        if (!$as->isAuthenticated()) {
            throw new AuthenticationException("Authsource '$authenticationType' is invalid");
        }

        /** @var string $userIdAttributeName */
        $userIdAttributeName = $this->config->getValue('useridattr', 'eduPersonPrincipalName');
        $userIdAttributeName = 'user';

        // Check if userid exists
        $attributes = $as->getAttributes();
        if (!isset($attributes[$userIdAttributeName])) {
            throw new AuthenticationException("Attribute '$userIdAttributeName' with User ID is missing.");
        }

        return $this->getTokenForUsername($attributes[$userIdAttributeName][0]);
    }
tvdijen commented 6 years ago

Actually, I can't reproduce this ... But to be fair, I've never had this push-mechanism working... Always: [30/Aug/2017:22:59:15 +0200] "POST /janus/app.php/api/remotes/prod/pushes.json?csrf-token=xyz HTTP/1.1" 500 Without any further explanation in logs..

pmeulen commented 6 years ago

@tvdijen If you couldn't get PUSH to work in the first place, the HTTP 500 you see is likely unrelated. Nothing in the php error (or apache error) logs either?

tvdijen commented 6 years ago

Not a thing...

tvdijen commented 6 years ago

I just got it working ... Still can't reproduce your issue.

I either use ... auth: admin useridattr: user

... for admin login or ... auth: default-sp useridattr: useridattr: urn:mace:dir:attribute-def:uid

... when using ServiceRegistry as an SP. Both work fine...