painless-security / trust-router

Moonshot Trust Router

Realms can appear with no 'sources' listed in the 'show communities' response #58

Closed jennifer-richards closed 6 years ago

jennifer-richards commented 6 years ago

The response to the show communities monitoring request lists no "sources" for some realms (see the "nymets.com" RP realm in the snippet below). The "sources" entry indicates the source that led the trust router to include a realm in a community. Every realm must have at least one source (and when peering is enabled, may have multiple).

Need to figure out what's going on with this. The source should be "file", like for the "redsox.com" entry.

```json
{
    "code": 0,
    "message": "success",
    "payload": {
        "communities": [
            {
                "type": "apc",
                "expiration_interval": 120,
                "name": "apc.sports.psec.us",
                "rp_realms": [
                    {
                        "realm": "nymets.com",
                        "sources": []
                    },
                    {
                        "realm": "redsox.com",
                        "sources": [
                            {
                                "origin": "file"
                            }
                        ]
```
jennifer-richards commented 6 years ago

BTW, this is with Debian test build 3.4.0-1~14 using the attached organization configuration.

trusts.cfg.zip

jennifer-richards commented 6 years ago

This seems to happen when there is an RP realm that has no corresponding IDP realm.

jennifer-richards commented 6 years ago

This is resolved by bad2cb03f82006fddc8e26fdca07e49613fb3bfc. I've gone ahead and added that to the jennifer/monitoring branch (#48) because it's such a small patch.

jennifer-richards commented 6 years ago

Test

Steps

  1. Set up two trust router peers, each with some IDP and RP realms. Set their filtering to allow them to share community info.
  2. Start the trust routers and let them peer and exchange community info.
  3. Check the output of `trmon host port show communities`

Expected results

Every IDP and RP realm should have at least one entry in its "sources" array.
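The expected result above can be checked mechanically rather than by eye. The following script is an added example, not part of the issue or of the trust-router project: it parses a `show communities` response and reports every realm whose `sources` array is empty or missing. The sample response embedded in it is constructed to mirror the snippet at the top of the issue (the `rp_realms` entries are copied from it; the `idp_realms` key and the `code != 0` failure convention are assumptions, since the snippet shows neither an IDP list nor a failed request).

```python
import json
import sys

# Constructed sample modelled on the snippet in the issue. The "rp_realms"
# entries match it; the "idp_realms" list is an assumption added so that both
# realm kinds named in the expected result are covered.
SAMPLE_RESPONSE = json.dumps({
    "code": 0,
    "message": "success",
    "payload": {
        "communities": [
            {
                "type": "apc",
                "expiration_interval": 120,
                "name": "apc.sports.psec.us",
                "rp_realms": [
                    {"realm": "nymets.com", "sources": []},
                    {"realm": "redsox.com", "sources": [{"origin": "file"}]},
                ],
                "idp_realms": [
                    {"realm": "redsox.com", "sources": [{"origin": "file"}]},
                ],
            }
        ]
    },
})

# Realm lists inspected inside each community ("idp_realms" is assumed).
REALM_LISTS = ("rp_realms", "idp_realms")


def find_sourceless_realms(response_text):
    """Return (community, list_key, realm) triples for every realm whose
    'sources' array is empty or absent. Raises if the request itself failed
    (assumes a non-zero 'code' signals failure, as 0 signals success above)."""
    response = json.loads(response_text)
    if response.get("code") != 0:
        raise ValueError(f"monitoring request failed: {response.get('message')}")
    problems = []
    for community in response["payload"]["communities"]:
        for key in REALM_LISTS:
            for entry in community.get(key, []):
                if not entry.get("sources"):
                    problems.append((community["name"], key, entry["realm"]))
    return problems


def check_communities(response_text):
    """Print one line per offending realm; return True only if every realm
    in every community has at least one source."""
    problems = find_sourceless_realms(response_text)
    for name, key, realm in problems:
        print(f"{name}: {key} realm {realm!r} has no sources")
    return not problems


if __name__ == "__main__":
    # Read a captured response from stdin when one is piped in; otherwise
    # run against the constructed sample, which deliberately fails the check.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RESPONSE
    raise SystemExit(0 if check_communities(text) else 1)
```

Run it against a live trust router by piping the monitoring output into it (`trmon host port show communities | python3 check_sources.py`); a non-zero exit status means at least one realm came back without a source, which is exactly the symptom this issue describes.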

meadmaker commented 6 years ago

I set up the two trust routers - A and B. A is configured by the QA portal; it has several realms, at least one of which is an RP-only realm. B receives all of these realms, and lists A as the source->origin.

Verified!