painless-security / trust-router

Moonshot Trust Router
0 stars 0 forks source link

Internal Processing Error in TR when domain constraint does not match #21

Open jennifer-richards opened 6 years ago

jennifer-richards commented 6 years ago

Today I made a spelling mistake when I set up a new trust router infrastructure. I misspelled the domain constraint for the down-stream trust router in the infrastructure, using 'l2tr.level1.localdomain' when its actual name is 'l2tr.level2.localdomain'.

The consequence of this is that I saw an 'Internal Processing Error' during an initial TIDC request to check whether the infrastructure was set up correctly.

The log and config from the L1TR (upstream) and the config from the L2TR (down-stream) trust routers are attached.

The command used on the down-stream trust router was this:

tidc l2tr.level2.localdomain tr.level2.realm apc.trust.realm apc.trust.realm

Launchpad Details: #LP1464800 Stefan Paetow - 2015-06-13 00:33:34 +0000

jennifer-richards commented 6 years ago

The interesting output to see here would be the output from the ultimate tids. Looking at the code, what's probably happening is that the intersected constraint set in handle_authorizations is empty for domain, so that function returns -1. It probably should print an error at that point. In this instance we have an authorization problem. It's not clear we want to return a very helpful error to the client (or intermediate trust routers). How reasonable would it be to return "unauthorized request" or similar in this situation? Or perhaps better "Responding TIDS declines authorization," to give someone a hint that what they really want to do is look at the tids logs.

Launchpad Details: #LPC Sam Hartman - 2015-06-13 01:07:58 +0000

jennifer-richards commented 6 years ago

Which TIDS would that be? The TIDS on the APC?

If the domain constraints are empty in a trust configuration, does it generate the same error?

Launchpad Details: #LPC Stefan Paetow - 2015-06-13 14:23:19 +0000

jennifer-richards commented 6 years ago

"Stefan" == Stefan Paetow

Stefan> Which TIDS would that be? The TIDS on the APC?  If the
Stefan> domain constraints are empty in a trust configuration, does
Stefan> it generate the same error?

I'd assume the tids on the target idp realm.

If all constraints are empty you get a different behavior. Namely, you get no authorization database entries.

Launchpad Details: #LPC Sam Hartman - 2015-06-15 13:03:47 +0000

jennifer-richards commented 6 years ago

Yes, in that case that would be the APC then. I can re-generate that. It's easily reproduced :-)

Launchpad Details: #LPC Stefan Paetow - 2015-06-15 14:59:31 +0000