wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

userstore connection testing API gives 403 when mentioned scope is used #19328

Closed AnuradhaSK closed 9 months ago

AnuradhaSK commented 9 months ago

Describe the issue:

  1. Create an M2M app, authorize the userstore API

     (screenshot attached in the original issue)

  2. Get a token with the internal_userstore_view scope

```bash
# default WSO2 Identity Server token endpoint
curl --location 'https://localhost:9443/oauth2/token' \
--header 'Authorization: Basic UTRnR2dzYU55TF9KMzV2TlllTVYweWRwbGlvYTpORTFoRFNINmNfNzdHQjFoNjBsOHZudlRVTW9sU2dmUlhmWDBxWEVZRzBVYQ==' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'scope=internal_userstore_view'
```

  3. Try the user store connection testing API using the token. It will give 403.

```bash
curl --location 'https://localhost:9443/t/carbon.super/api/server/v1/userstores/test-connection' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer 27acfa07-cfe1-3dc3-9448-bb9058518606' \
--data '{
  "connectionPassword": "aaaaaaaaaa",
  "connectionURL": "jdbc:h2:/home/xyz/database/WSO2_DB",
  "driverName": "org.h2.Driver",
  "username": "DB"
}'
```

The issue is with the order in which the resource access control entries are defined:

https://github.com/wso2/carbon-identity-framework/blob/d2dea76701a0057d5ecd9dc8e9c85f3441e8105a/features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/resource-access-control-v2.xml#L798-L800

```xml
<!-- Userstore Management API -->
<Resource context="(.*)/api/server/v1/userstores(.*)" secured="true" http-method="POST">
    <Scopes>internal_userstore_create</Scopes>
</Resource>
<Resource context="(.*)/api/server/v1/userstores(.*)" secured="true" http-method="GET">
    <Scopes>internal_userstore_view</Scopes>
</Resource>
<Resource context="(.*)/api/server/v1/userstores(.*)" secured="true" http-method="PUT, PATCH">
    <Scopes>internal_userstore_update</Scopes>
</Resource>
<Resource context="(.*)/api/server/v1/userstores/(.*)" secured="true" http-method="DELETE">
    <Scopes>internal_userstore_delete</Scopes>
</Resource>
<Resource context="(.*)/api/server/v1/userstores/test-connection" secured="true" http-method="POST">
    <Scopes>internal_userstore_view</Scopes>
</Resource>
```

Currently the operation works with the internal_userstore_create scope.

DMHP commented 9 months ago

The following part should be moved

```xml
<Resource context="(.*)/api/server/v1/userstores/test-connection" secured="true" http-method="POST">
    <Scopes>internal_userstore_view</Scopes>
</Resource>
```

before the

```xml
<Resource context="(.*)/api/server/v1/userstores(.*)" secured="true" http-method="POST">
    <Scopes>internal_userstore_create</Scopes>
</Resource>
```

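
To make the ordering problem concrete, here is an added example (my own, not code from the project) that models a first-match lookup over the rules quoted in this thread and checks both the reported order and the reordering proposed above. The first-match model, the shadowing lint and the "more specific context first" generalisation of the fix are assumptions, not the handler's actual implementation.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt in the rule order reported in the issue, not the full
# resource-access-control-v2.xml. The first-match lookup below is an assumed
# model of the authorization handler that reproduces the reported behaviour.
RULES_AS_REPORTED = """<ResourceAccessControl>
  <Resource context="(.*)/api/server/v1/userstores(.*)" secured="true" http-method="POST">
    <Scopes>internal_userstore_create</Scopes>
  </Resource>
  <Resource context="(.*)/api/server/v1/userstores(.*)" secured="true" http-method="GET">
    <Scopes>internal_userstore_view</Scopes>
  </Resource>
  <Resource context="(.*)/api/server/v1/userstores/test-connection" secured="true" http-method="POST">
    <Scopes>internal_userstore_view</Scopes>
  </Resource>
</ResourceAccessControl>"""


def parse_rules(xml_text):
    """Return (context, compiled regex, methods, scopes) in document order."""
    rules = []
    for res in ET.fromstring(xml_text).findall("Resource"):
        ctx = res.get("context")
        methods = {m.strip().upper() for m in res.get("http-method").split(",")}
        scopes = [s.strip() for s in res.findtext("Scopes").split(",")]
        rules.append((ctx, re.compile(ctx), methods, scopes))
    return rules


def required_scopes(rules, method, path):
    """The first rule matching both method and context decides the scopes."""
    for _ctx, pattern, methods, scopes in rules:
        if method.upper() in methods and pattern.fullmatch(path):
            return scopes
    return None


def shadowed_rules(rules):
    """Lint (assumed heuristic): contexts an earlier rule with a shared method already covers."""
    found = []
    for i, (ctx, _p, methods, _s) in enumerate(rules):
        probe = ctx.replace("(.*)", "x")  # fill wildcards to get a sample path
        if any(methods & m and e.fullmatch(probe) for _, e, m, _ in rules[:i]):
            found.append(ctx)
    return found


def specific_first(rules):
    """The thread's fix, generalised: stable-sort so contexts with fewer wildcards come first."""
    return sorted(rules, key=lambda r: r[0].count("(.*)"))
```

Running `shadowed_rules` over the reported order flags the test-connection entry as unreachable for POST, and after `specific_first` the same request resolves to internal_userstore_view.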
DMHP commented 9 months ago

https://github.com/wso2/carbon-identity-framework/pull/5471/files