sassoftware / restaf

A simple framework for building applications with SAS REST APIs, supported with SAS Viya
Apache License 2.0

Administrator login, CAS access callback #119

Open michburger opened 1 week ago

michburger commented 1 week ago

Dear restaf developers, in my current projects, I've got issues with CAS data access as soon as I'm logged in as administrator. How can I workaround that the CAS data does not arrive directly but a question related whether I'd like to access CAS as administrator is calling back and no data can be loaded? Actually in the relevant projects it would be great having the possibility to switch to administrator mode as data would be accessible this way only for administrators who are checking issues from users.

devaKumaraswamy commented 1 week ago

@michburger

  1. When you logged on to Viya, did you answer in the positive to a prompt similar to the picture below? (This dialog might look different in your case based on how Viya was configured.)

  2. What is the prompt you see when the code tries to read a cas table?

Note: restaf itself is not aware of access rights. It assumes that the Viya APIs will handle all such issues.

michburger commented 1 week ago

Dear devakumaraswamy, it is no visible prompt. The result of a cas query contains some query and restaf simply cannot proceed. Will send you the details tomorrow. Michael

devaKumaraswamy commented 1 week ago

Want to add a data point: If the table has access rights specified, the admin user does not have "super-power" to access the tables. This makes sense - since folks who do Viya administration are not usually permitted to see business data.

michburger commented 1 week ago

Seems that the issue got resolved with an update from SAS Viya ... I mean if I'm logged on as administrator, there is no need for other ask back.

michburger commented 1 week ago

I could reproduce: as administrator CAS is asking whether I'd like to elevate but using restaf I cannot answer:

{ "auth_request": { "clientId": "sas.casControl", "scope": [ "openid", "uaa.user", "SASAdministrators" ], "requestParameters": { "response_type": "code", "redirect_uri": "/casManagement/", "state": "dd5b4750-c990-4b4d-93a7-02101d053f12", "client_id": "sas.casControl" }, "approvalParameters": {}, "state": "dd5b4750-c990-4b4d-93a7-02101d053f12", "responseTypes": [ "code" ], "resourceIds": [ "sas.casControl", "openid", "uaa" ], "authorities": [ { "authority": "uaa.resource" }, { "authority": "sasapp" } ], "approved": false, "redirectUri": "/casManagement/", "extensions": {} }, "approved_scopes": [], "denied_scopes": [ { "code": "scope.SASAdministrators", "text": "SASAdministrators" } ], "options": { "confirm": { "path": "/SASLogon/oauth/authorize", "location": "https://sdtb-viya-emea.siemens-healthineers.com/SASLogon/oauth/authorize", "value": "true", "key": "user_oauth_approval" }, "deny": { "path": "/SASLogon/oauth/authorize", "location": "https://sdtb-viya-emea.siemens-healthineers.com/SASLogon/oauth/authorize", "value": "false", "key": "user_oauth_approval" } }, "redirect_uri": "/casManagement/", "undecided_scopes": [], "scopes": [ { "code": "scope.SASAdministrators", "text": "SASAdministrators" } ], "message": "To confirm or deny access POST to the following locations with the parameters requested.", "client_display_name": "sas.casControl" }

michburger commented 1 week ago

restaf.min.js:7 Uncaught (in promise) TypeError: Cannot read properties of undefined (reading 'map') at restaf.min.js:7:38813 at e.a (restaf.min.js:7:39141) at restaf.min.js:1:79106

devaKumaraswamy commented 1 week ago

@michburger I do not quite follow your responses.

  1. what did the updated Viya fix?
  2. is the last message after the update? The error usually happens when the response from Viya is something that looks like ok to restaf but is not - so I am guessing the access is not working.
  3. does it work if you logon as a user who is authorized to access the table?

devaKumaraswamy commented 1 week ago

@michburger can you comment on my questions? Want to make sure your issue is resolved.

Thanks... Deva

michburger commented 6 days ago

Dear Deva, unfortunately I was wrong: The issue is not fixed.

Typically, the problem shows up in Edge and in the Console I can find this output when working as Administrator in Viya:

Uncaught (in promise) TypeError: Cannot read properties of undefined (reading 'map') at restaf.min.js:7:38813 at e.a (restaf.min.js:7:39141) at restaf.min.js:1:79106

The background: We've created a custom frontend as an IFrame / WebContent in the Viya report. That means, we're using the Viya login and host an additional web part inside. That means, my administrator login is valid for restaf.

For this case, restaf seems not yet to be prepared:

"/casManagement/" !== t.href && "/casManagement" !== t.href || "GET" !== t.method || (e.data.results.links = e.data.results.links.map((function(t) {
    return "collection" === t.rel && (t.title = "servers",
    t.rel = "servers",
    t.patch = "cas"),
    t
})));

The problem is with this check in the first line, because in this situation the variables are set as: t.method: "GET", t.href: "/casManagement/", e.status: 200, and e.data.results.links is undefined, which causes the whole process to stop here.

The e.data.results object is actually a query related to admin access:

{ "auth_request": { "clientId": "sas.casControl", "scope": [ "openid", "uaa.user", "SASAdministrators" ], "requestParameters": { "response_type": "code", "redirect_uri": "/casManagement/", "state": "1b9a6562-95d1-48c6-a5df-2c75a4ff15d9", "client_id": "sas.casControl" }, "approvalParameters": {}, "state": "1b9a6562-95d1-48c6-a5df-2c75a4ff15d9", "responseTypes": [ "code" ], "resourceIds": [ "sas.casControl", "openid", "uaa" ], "authorities": [ { "authority": "uaa.resource" }, { "authority": "sasapp" } ], "approved": false, "redirectUri": "/casManagement/", "extensions": {} }, "approved_scopes": [], "denied_scopes": [ { "code": "scope.SASAdministrators", "text": "SASAdministrators" } ], "options": { "confirm": { "path": "/SASLogon/oauth/authorize", "location": "https://sdtb-viya-emea.siemens-healthineers.com/SASLogon/oauth/authorize", "value": "true", "key": "user_oauth_approval" }, "deny": { "path": "/SASLogon/oauth/authorize", "location": "https://sdtb-viya-emea.siemens-healthineers.com/SASLogon/oauth/authorize", "value": "false", "key": "user_oauth_approval" } }, "redirect_uri": "/casManagement/", "undecided_scopes": [], "scopes": [ { "code": "scope.SASAdministrators", "text": "SASAdministrators" } ], "message": "To confirm or deny access POST to the following locations with the parameters requested.", "client_display_name": "sas.casControl" }
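The failure described above is a response-shape problem: a GET on `/casManagement/` normally returns a service description with a `links` array, but when the administrator elevation prompt is pending SASLogon answers with HTTP 200 and an `auth_request` body that has no `links` at all, so the `.map` call throws. The following is an added example, not restaf's own code, of how a caller can classify that body before touching `results.links` and surface the pending `SASAdministrators` approval instead of crashing. The function names, the `describeCasResponse` helper and the sample responses are constructed for illustration; the approval body follows the shape quoted in this issue, with the host and state values replaced by placeholders.

```javascript
// Added example (not restaf's own code): classify the body that a GET on
// /casManagement/ returns before touching `results.links`, so an OAuth
// approval prompt (HTTP 200, but no `links`) is reported clearly instead of
// failing with "Cannot read properties of undefined (reading 'map')".
//
// Assumptions: `rewriteCasLinks` mirrors the collection->servers rewrite
// quoted from restaf.min.js in this thread; all other names are hypothetical.

function classifyCasManagementResponse(resp) {
  const body = resp && resp.data;
  const results = body && body.results;

  // Case 1: the normal service description with a HATEOAS links array.
  if (results && Array.isArray(results.links)) {
    return { kind: 'links', links: rewriteCasLinks(results.links) };
  }

  // Case 2: SASLogon answered with an approval request instead of the service
  // description. Viya returns 200 here, so the status alone cannot tell the
  // two cases apart; the presence of auth_request/options can.
  if (results && results.auth_request && results.options) {
    const pending = [].concat(results.undecided_scopes || [], results.denied_scopes || [])
      .map((s) => s.text || s.code);
    return {
      kind: 'approval_required',
      clientId: results.auth_request.clientId,
      scopes: pending,
      confirm: results.options.confirm,
      deny: results.options.deny,
    };
  }

  // Anything else is unexpected; report it rather than guessing.
  return { kind: 'unexpected', status: resp && resp.status };
}

// Same rewrite restaf performs on the casManagement collection link, applied
// only once a links array is known to be present.
function rewriteCasLinks(links) {
  return links.map((link) => {
    if (link.rel === 'collection') {
      return { ...link, title: 'servers', rel: 'servers', patch: 'cas' };
    }
    return link;
  });
}

// Constructed sample responses (not captured from a real server).
const LINKS_RESPONSE = {
  status: 200,
  data: {
    results: {
      links: [
        { method: 'GET', rel: 'collection', href: '/casManagement/servers', type: 'application/vnd.sas.collection' },
        { method: 'GET', rel: 'self', href: '/casManagement/' },
      ],
    },
  },
};

const APPROVAL_RESPONSE = {
  status: 200,
  data: {
    results: {
      auth_request: {
        clientId: 'sas.casControl',
        scope: ['openid', 'uaa.user', 'SASAdministrators'],
        approved: false,
        redirectUri: '/casManagement/',
      },
      approved_scopes: [],
      denied_scopes: [{ code: 'scope.SASAdministrators', text: 'SASAdministrators' }],
      undecided_scopes: [],
      options: {
        // placeholder host; the real one would be the Viya server
        confirm: { path: '/SASLogon/oauth/authorize', location: 'https://viya.example.invalid/SASLogon/oauth/authorize', value: 'true', key: 'user_oauth_approval' },
        deny: { path: '/SASLogon/oauth/authorize', location: 'https://viya.example.invalid/SASLogon/oauth/authorize', value: 'false', key: 'user_oauth_approval' },
      },
      message: 'To confirm or deny access POST to the following locations with the parameters requested.',
    },
  },
};

// How a caller would use the classification instead of assuming links exist.
function describeCasResponse(resp) {
  const r = classifyCasManagementResponse(resp);
  if (r.kind === 'links') return `casManagement links: ${r.links.map((l) => l.rel).join(', ')}`;
  if (r.kind === 'approval_required') {
    return `elevation prompt for ${r.clientId}: scope(s) ${r.scopes.join(', ')} must be confirmed or denied at ${r.confirm.path}`;
  }
  return `unexpected casManagement response (status ${r.status})`;
}

console.log(describeCasResponse(LINKS_RESPONSE));
console.log(describeCasResponse(APPROVAL_RESPONSE));
```

The design point is that the distinguishing signal is the body shape, not the HTTP status: both the service description and the approval prompt come back as 200, so a client that keys only on status will treat the prompt as a successful service listing. Classifying first also makes the failure mode visible in the UI (an administrator sees that an elevation decision is pending) rather than as an opaque stack trace in the console.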

devaKumaraswamy commented 6 days ago

@michburger I and several folks run restaf based apps in webcontent.

You need to make sure that the logon information to restaf is set properly. When running under webcontent, this is the code I use:

let logonPayload = { 
  host: "your viya server url",
  authType: "server"
}

let store = restaf.initStore({casProxy: true});
let msg = await store.logon(logonPayload);
let {casManagement} = await store.addServices('casManagement');

is your code similar to this?

michburger commented 6 days ago

Dear Deva, the code of the respective dashboards has two differences:

would one or both changes correct the behavior?

devaKumaraswamy commented 6 days ago

Michael:

  1. store.logon is an async function since it might(in some circumstances) call other services. So an await is needed.
  2. Since you are using cas, you need to change addServices as follows: let r = await store.addServices('identities', 'casManagement'); Otherwise there are no links to cas services set up in the store. I am assuming you are calling identities to get the user name. It is ok to call addServices on the same service multiple times; restaf will reuse what is already there.

Data point: Viya changed the default settings for CORS. This has caused issues for me. Still working with developers to understand why the new settings cause issues with access from user apps. So I set the defaults to the old default. But you should talk to your Viya admin about it. Below is my CORS setting.

devaKumaraswamy commented 6 days ago

Additional comments - using Firefox: Firefox has additional security defaults that prevent writing cookies. So here is some info on how to deal with it:

Click the shield icon to the left of the address bar. Select “Turn off Enhanced Tracking Protection” for that site.

michburger commented 2 days ago

Dear Deva, I think there is a misunderstanding: In the case that I'm not working with the 'Authorize Access' setting, i.e., not working with elevated permissions, the code runs fine.

But in the case that elevated access is chosen, this JSON does not conform with the expectation of restaf. That's why I asked you here in this issue for a solution.

Actually, the problem starts with a call to

let services = await store.addServices('casManagement', 'reports', 'reportTransforms');

devaKumaraswamy commented 3 hours ago

Michael: I was able to reproduce the issue with a newer version of Viya. This change to initStore helped my test app:

let store = restaf.initStore({casProxy: true});

let me know if it works.