uhppoted / uhppoted-app-wild-apricot

Wild Apricot integration for uhppoted
MIT License

Rules not granting access #4

Closed bborncr closed 8 months ago

bborncr commented 9 months ago

First of all, thanks for this code! I have been testing it using the Python and MQTT implementations with a lot of success. Using the Wild Apricot implementation I can't get the access to be granted.

Grules file:

// *** GRULES ***

rule Doors "Grants a member access to both doors" {
     when
         member.HasGroup("Doors")
     then
         record.Grant("Front Door");
         record.Grant("Back Door");
         record.Grant("Unused3");
         record.Grant("Unused4");
         Retract("Doors");
}

// *** END GRULES ***

ACL output:

Card Number     From    To      Back Door       Front Door      Unused3 Unused4
12345678        2024-01-01      2025-01-31      N       N       N       N
12345679        2024-01-01      2025-01-31      N       N       N       N

The app connects successfully to Wild Apricot and sees all the members, groups and cards. There are no errors. The ACL is successfully loaded into the controller but access is "N". Is there something obvious I'm missing?

uhppoted.conf

bind.address = 0.0.0.0
broadcast.address = 255.255.255.255
listen.address = 0.0.0.0:60001
timeout = 2.5s
; monitoring.healthcheck.interval = 15s
; monitoring.healthcheck.idle = 1m0s
; monitoring.healthcheck.ignore = 5m0s
; monitoring.watchdog.interval = 5s
card.format = any

# Wild Apricot
wild-apricot.http.client-timeout = 10s
wild-apricot.http.retries = 3
wild-apricot.http.retry-delay = 5s
wild-apricot.fields.card-number = FOB
; wild-apricot.fields.PIN = PIN
; wild-apricot.display-order.groups =
; wild-apricot.display-order.doors =
wild-apricot.facility-code = 43

UT0311-L0x.123456789.name = D123456789
UT0311-L0x.123456789.address = 192.168.1.250:60000
UT0311-L0x.123456789.door.1 = Front Door
UT0311-L0x.123456789.door.2 = Back Door
UT0311-L0x.123456789.door.3 = Unused3
UT0311-L0x.123456789.door.4 = Unused4
UT0311-L0x.123456789.timezone = UTC

Thanks,

uhppoted commented 9 months ago

Oooops ... apologies - the README is wrong :-(.

The grules file should add the grant to the permissions not the record:

// *** GRULES ***

rule Doors "Grants a member access to both doors" {
     when
         member.HasGroup("Doors")
     then
         permissions.Grant("Front Door");
         permissions.Grant("Back Door");
         permissions.Grant("Unused3");
         permissions.Grant("Unused4");
         Retract("Doors");
}

// *** END GRULES ***

Can you try that and let me know?

bborncr commented 9 months ago

I made the changes but no changes regarding the ACL. Also, if I change "permissions" to anything else it doesn't show an error.

2024/02/13 17:12:43 INFO   Stashed downloaded 'grules' file to /var/uhppoted/wild-apricot.grl
MEMBERS:
  Name         Card Number Membership         Active Suspended Registered Expires    Board Members Doors Electronics Committee Laser Cutter Table Saw
  John Doe     12345677    Regular membership Y      N         2024-02-12 2024-03-11 N             Y     Y                     Y            Y
  Jane Doe     12345679    Regular membership Y      N         2024-02-12 2024-03-11 Y             Y     N                     Y            Y

DOORS:
  Back Door
  Front Door
  Unused3
  Unused4

ACL:
  Card Number From       To         Back Door Front Door Unused3 Unused4
  12345677    2024-01-01 2025-01-31 N         N          N       N
  12345679    2024-01-01 2025-01-31 N         N          N       N

uhppoted commented 9 months ago

Hmmm - I've set up a test system that mirrors yours (except that my grules file revokes access to Unused3 and Unused4) and am getting the expected result:

./bin/uhppoted-app-wild-apricot --debug --config ../runtime/wild-apricot/uhppoted.conf get-acl --credentials ../runtime/wild-apricot/.credentials.json --rules ../runtime/wild-apricot/debug.grl
2024/02/13 10:40:23 INFO   Stashed downloaded 'grules' file to /usr/local/var/com.github.uhppoted/wild-apricot.grl
MEMBERS:
  Name     Card Number Membership         Active Suspended Registered Expires    Board Members Doors Electronics Committee Laser Cutter Table Saw
  Jane Doe 12345679    Regular membership Y      N         2024-02-12 2024-03-11 Y             Y     N                     Y            Y        
  John Doe 12345677    Regular membership Y      N         2024-02-12 2024-03-11 N             Y     Y                     Y            Y        

DOORS:
  Back Door
  Front Door
  Unused3
  Unused4

ACL:
  Card Number From       To         Back Door Front Door Unused3 Unused4
  12345677    2024-01-01 2025-01-31 Y         Y          N       N      
  12345679    2024-01-01 2025-01-31 Y         Y          N       N      

uhppoted commented 9 months ago

Can you perhaps add some debugging to your grules file? e.g.

// *** GRULES ***

rule Doors "Grants a member access to both doors" {
     when
         member.HasGroup("Doors")
     then
         permissions.Grant("Front Door");
         permissions.Grant("Back Door");
         permissions.Revoke("Unused3");
         permissions.Revoke("Unused4");
         Retract("Doors");
}

rule Debug "Logs debug information" {
     when
         true
     then
         Log(">>>> DEBUG " + member.CardNumber);
         Log(">>>> DEBUG " + member.HasGroup("Doors"));
         Retract("Debug");
}

// *** END GRULES ***

bborncr commented 9 months ago

I copy/pasted the above rules. Version v0.8.7 Linux executable.

Output

sudo ./uhppoted-app-wild-apricot --debug --config uhppoted.conf  get-acl --credentials credentials.json --rules rules.conf
2024/02/13 19:55:46 INFO   Stashed downloaded 'grules' file to /var/uhppoted/wild-apricot.grl
MEMBERS:
  Name         Card Number Membership         Active Suspended Registered Expires    Board Members Doors Electronics Committee Laser Cutter Table Saw
  John Smith   11293051    Regular membership Y      N         2024-02-12 2024-03-11 N             Y     Y                     Y            Y
  Jane Smith   12345679    Regular membership Y      N         2024-02-12 2024-03-11 Y             Y     N                     Y            Y

DOORS:
  Back Door
  Front Door
  Unused3
  Unused4

INFO[0001] >>>> DEBUG 11293051                           lib=grule-rule-engine package=AST source=GRL
INFO[0001] >>>> DEBUG false                              lib=grule-rule-engine package=AST source=GRL
INFO[0001] >>>> DEBUG 12345679                           lib=grule-rule-engine package=AST source=GRL
INFO[0001] >>>> DEBUG false                              lib=grule-rule-engine package=AST source=GRL
ACL:
  Card Number From       To         Back Door Front Door Unused3 Unused4
  11293051    2024-01-01 2025-01-31 N         N          N       N
  12345679    2024-01-01 2025-01-31 N         N          N       N

  Card Number From       To         Back Door Front Door Unused3 Unused4
  11293051    2024-01-01 2025-01-31 N         N          N       N
  12345679    2024-01-01 2025-01-31 N         N          N       N

2024/02/13 19:55:46 INFO   Removing lockfile '/var/uhppoted/.wild-apricot/uhppoted-app-wild-apricot.lock'

uhppoted commented 9 months ago

Ok, that helps - it thinks Jane and John aren't members of group Doors. Now to figure out why ...

Can you run the get-members and get-groups commands:

sudo ./uhppoted-app-wild-apricot --debug --config uhppoted.conf  get-members --credentials credentials.json --file members.tsv
sudo ./uhppoted-app-wild-apricot --debug --config uhppoted.conf  get-groups --credentials credentials.json --file groups.tsv

and post the files here?

uhppoted commented 9 months ago

And maybe add some more debugging to the grules file:

// *** GRULES ***

rule Doors "Grants a member access to both doors" {
     when
         member.HasGroup("Doors")
     then
         permissions.Grant("Front Door");
         permissions.Grant("Back Door");
         permissions.Revoke("Unused3");
         permissions.Revoke("Unused4");
         Retract("Doors");
}

rule Debug "Logs debug information" {
     when
         true
     then
         Log(">>>> DEBUG " + member.CardNumber);
         Log(">>>> DEBUG " + member.HasGroup("Doors"));
         Log(">>>> DEBUG " + member.Groups.Len());
         Retract("Debug");
}

// *** END GRULES ***

bborncr commented 9 months ago

Members: It looks like they are in the Doors group

Name          Card Number     Membership      Active  Suspended       Registered      Expires Board Members   Doors   Electronics Committee   Laser Cutter    Table Saw
John Smith    11293051        Regular membership      Y       N       2024-02-12      2024-03-11      N       Y       Y       Y       Y
Jane Smith    12345679        Regular membership      Y       N       2024-02-12      2024-03-11      Y       Y       N       Y       Y

Groups

ID      Groups
782239  Board Members
784869  Doors
784779  Electronics Committee
784771  Laser Cutter
784772  Table Saw

Output of get-acl with the added debug rules:

 sudo ./uhppoted-app-wild-apricot --debug --config uhppoted.conf  get-acl --credentials credentials.json --rules rules.conf
2024/02/13 20:28:14 INFO   Stashed downloaded 'grules' file to /var/uhppoted/wild-apricot.grl
MEMBERS:
  Name         Card Number Membership         Active Suspended Registered Expires    Board Members Doors Electronics Committee Laser Cutter Table Saw
  John Smith 11293051    Regular membership Y      N         2024-02-12 2024-03-11 N             Y     Y                     Y            Y
  Jane Smith   12345679    Regular membership Y      N         2024-02-12 2024-03-11 Y             Y     N                     Y            Y

DOORS:
  Back Door
  Front Door
  Unused3
  Unused4

INFO[0001] >>>> DEBUG 11293051                          lib=grule-rule-engine package=AST source=GRL
INFO[0001] >>>> DEBUG false                              lib=grule-rule-engine package=AST source=GRL
INFO[0001] >>>> DEBUG 4                                  lib=grule-rule-engine package=AST source=GRL
INFO[0001] >>>> DEBUG 12345679                           lib=grule-rule-engine package=AST source=GRL
INFO[0001] >>>> DEBUG false                              lib=grule-rule-engine package=AST source=GRL
INFO[0001] >>>> DEBUG 4                                  lib=grule-rule-engine package=AST source=GRL
ACL:
  Card Number From       To         Back Door Front Door Unused3 Unused4
  11293051    2024-01-01 2025-01-31 N         N          N       N
  12345679    2024-01-01 2025-01-31 N         N          N       N

  Card Number From       To         Back Door Front Door Unused3 Unused4
  11293051    2024-01-01 2025-01-31 N         N          N       N
  12345679    2024-01-01 2025-01-31 N         N          N       N

2024/02/13 20:28:14 INFO   Removing lockfile '/var/uhppoted/.wild-apricot/uhppoted-app-wild-apricot.lock'

uhppoted commented 9 months ago

Which looks entirely correct - bizarre! I'm going to email you the credentials for my Wild Apricot test account.

If you can run get-acl with those and post the results? Hopefully that should at least isolate the problem as being either the Wild Apricot setup or something in the app code.

bborncr commented 9 months ago

Output works correctly with your credentials. Very strange.

2024/02/13 20:55:25 INFO   Stashed downloaded 'grules' file to /var/uhppoted/wild-apricot.grl
MEMBERS:
  Name     Card Number Membership         Active Suspended Registered Expires    Board Members Doors Electronics Committee Laser Cutter Table Saw
  Jane Doe 12345679    Regular membership Y      N         2024-02-12 2024-03-11 Y             Y     N                     Y            Y
  John Doe 12345677    Regular membership Y      N         2024-02-12 2024-03-11 N             Y     Y                     Y            Y

DOORS:
  Back Door
  Front Door
  Unused3
  Unused4

INFO[0001] >>>> DEBUG 12345679                           lib=grule-rule-engine package=AST source=GRL
INFO[0001] >>>> DEBUG true                               lib=grule-rule-engine package=AST source=GRL
INFO[0001] >>>> DEBUG 4                                  lib=grule-rule-engine package=AST source=GRL
INFO[0001] >>>> DEBUG 12345677                           lib=grule-rule-engine package=AST source=GRL
INFO[0001] >>>> DEBUG true                               lib=grule-rule-engine package=AST source=GRL
INFO[0001] >>>> DEBUG 4                                  lib=grule-rule-engine package=AST source=GRL
ACL:
  Card Number From       To         Back Door Front Door Unused3 Unused4
  12345677    2024-01-01 2025-01-31 Y         Y          N       N
  12345679    2024-01-01 2025-01-31 Y         Y          N       N

  Card Number From       To         Back Door Front Door Unused3 Unused4
  12345677    2024-01-01 2025-01-31 Y         Y          N       N
  12345679    2024-01-01 2025-01-31 Y         Y          N       N

bborncr commented 9 months ago

I got it working by using the ID of the group instead of the name. I had changed the name of the group previously. Thanks for your help!

uhppoted commented 9 months ago

Ok, I see where the problem is - for some reason the group names returned with the member record don't match the actual group names:

11293050
[
  {784771, Laser Cutter, 0},
  {784772, Table Saw, 0},
  {784779, Electronics Committee, 0},
  {784869, DoorAccess, 0},
]

12345679
[
  {782239, Board Members, 0},
  {784771, Laser Cutter, 0},
  {784772, Table Saw, 0},
  {784869, Door, 0},
]

Not entirely sure why - possibly you edited the Doors group name after assigning it to the member and Wild Apricot didn't carry it through because internally they only use the group ID.

You may be able to fix it from the Wild Apricot dashboard, but if not you can actually use the group ID in HasGroup e.g.:

// *** GRULES ***

rule Doors "Grants a member access to both doors" {
     when
         member.HasGroup(784869)
     then
         permissions.Grant("Front Door");
         permissions.Grant("Back Door");
         permissions.Revoke("Unused3");
         permissions.Revoke("Unused4");
         Retract("Doors");
}

// *** END GRULES ***

which is unambiguous and also won't break if people edit the group names (which they do for no good reason at all :-)) but is also harder to read.

I'll have to think about maybe reworking the lookup logic - the assumption was that Wild Apricot would keep it consistent but clearly not.

uhppoted commented 9 months ago

Oh, right - our replies crossed :-)

Great, very glad you've got it working! I'll add in some logic to make it a bit more robust and also easier to debug in future.

twystd commented 8 months ago

Hi,

Am going to close this - the underlying issue has been fixed in "Fix HasGroup lookup logic to resolve using group ID" and will be released with v0.8.8.
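
The lookup problem diagnosed in this thread, as an added example (not the project's code and not its v0.8.8 fix): matching a rule's group name against the names embedded in the member record fails silently after a rename, while resolving the name through the authoritative group list and matching on ID does not. The type and function names are hypothetical; the group IDs and names are the ones posted above for card 12345679.

```go
package main

import "fmt"

// Group is an ID/name pair; Member holds the (possibly stale) entries of a member record.
type Group struct {
	ID   uint32
	Name string
}
type Member struct{ Groups []Group }

// groups is the authoritative list (get-groups); jane is the record for card 12345679.
var groups = []Group{{782239, "Board Members"}, {784869, "Doors"},
	{784779, "Electronics Committee"}, {784771, "Laser Cutter"}, {784772, "Table Saw"}}
var jane = Member{[]Group{{782239, "Board Members"},
	{784771, "Laser Cutter"}, {784772, "Table Saw"}, {784869, "Door"}}}

// hasGroupByName compares against the embedded name, so a renamed group never matches.
func hasGroupByName(m Member, name string) bool {
	for _, g := range m.Groups {
		if g.Name == name {
			return true
		}
	}
	return false
}

// hasGroup resolves names via the authoritative list and matches on ID; unknown input denies.
func hasGroup(m Member, all []Group, want interface{}) bool {
	ids := map[int64]bool{}
	switch v := want.(type) {
	case int:
		ids[int64(v)] = true
	case string:
		for _, g := range all {
			ids[int64(g.ID)] = ids[int64(g.ID)] || g.Name == v
		}
	}
	for _, g := range m.Groups {
		if ids[int64(g.ID)] {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println(hasGroupByName(jane, "Doors"), hasGroup(jane, groups, "Doors"), hasGroup(jane, groups, 784869))
}
```

Both lookups fail closed, which is why the symptom in this thread was an ACL of all "N" with no error rather than an unintended grant.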