Open qjhart opened 5 months ago
From @jrmerz How about this, we allow admins to override their roles with a header. so if the JWT token is authenticated and has role admin AND there is a fin-principal header, (ex: fin-principal: foo, bar ) then the request to fcrepo will ONLY have the supplied principles. This would allow admins in impersonate users for testing as well.
3114e79a0f0f5d878b426f250ea50fef746ff9dc
You need to make sure the finPrinciples array includes fedoraUser... Forgot to do that.
Then update the DB sync get container function to use the service account token (see the keycloak module) and set the fin-principle header to discover
@jrmerz I have been testing sandbox, and this is still not working. In short, dbsync calls transform services, and these services are calling the underlying fcrepo setup as public.
Here's the long description:
The gateway proxy divides fcrepo requests into proxyRequests or middleware.
Dbsync calls a transform service, so it goes to the middleware, to the transformService to the renderTransform which execs the transform.
But here, we are calling a simple api.get(options) to fetch the fcrepo data.
I'm not sure how you think best to solve this. I can see that for (some) middleware, all the way back in the proxy, it makes sense to call the normal proxyRequest, get the container, and then call the transform. Alternatively, you could propogate the original request to that api.get
request, the issue there is that request has already been run through the gateway, so I'm not sure if at that point you want to make a direct request, or just start the whole process over, and if the latter, do you just forward the fin-principal and Authorization, or a larger header set?
Examples:
This works, since we've set the principal
http http://localhost/fcrepo/rest/expert/66356b7eec24c51f01e757af2b27ebb8 Authorization:"Bearer $jwt" fin-principal:discover
This sets the principal to an unallowed user, and properly fails
http http://localhost/fcrepo/rest/expert/66356b7eec24c51f01e757af2b27ebb8 Authorization:"Bearer $jwt" fin-principal:foo
This should work, but also fails, since the service makes a public request.
http http://localhost/fcrepo/rest/expert/66356b7eec24c51f01e757af2b27ebb8/svc:node Authorization:"Bearer $jwt" fin-principal:discover
Direct transform service request
If I'm logged in as an elevated user, I can get a resource, but not the transformed resource; eg:
But
The response is:
This Error is thrown here:
https://github.com/ucd-library/fin/blob/8e73bfa637398d21db336da9186e444ecfbc332e/services/fin/gateway/models/transform.js#L657
Where I don't see the original request's either directAccess or jwt token being propogated.
Default Model
The model code for dbsync has similar problems. However, there may be an additional problem in the model as well. Here, I don't see how dbsync propagates a (What I would guess to be a direct access as discovery) request to the transform service.
https://github.com/ucd-library/fin/blob/8e73bfa637398d21db336da9186e444ecfbc332e/services/fin/dbsync/lib/model.js#L512