403 when creating a metadata schema draft using the API #572

Open
kburger opened this issue Sep 30, 2024 · 7 comments

@kburger
Contributor

kburger commented Sep 30, 2024

What is your question?

When POSTing a metadata schema using the /metadata-schemas I get a 403 Access is denied error. I've provided a Bearer token in the Authorization header (for the admin user), and the body is exactly the same as the client produces. The log output is not showing anything beyond the 403 error either. How can I best proceed from here?

@kburger kburger added the bugfix label Sep 30, 2024
@dennisvang
Contributor

dennisvang commented Oct 29, 2024

Reproduced on develop branch on localhost (with default dev db):

...
2024-10-29 14:56:10,012 25292 [http-nio-8080-exec-1] INFO  org.springframework.web.servlet.DispatcherServlet - Completed initialization in 2 ms
2024-10-29 14:56:10,036 25316 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.FilterChainProxy - Securing POST /metadata-schemas
2024-10-29 14:56:10,052 25332 [http-nio-8080-exec-1] INFO  org.fairdatapoint.api.filter.LoggingFilter - http://localhost:8080/metadata-schemas
2024-10-29 14:56:10,116 25396 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.FilterChainProxy - Secured POST /metadata-schemas
2024-10-29 14:56:10,224 25504 [http-nio-8080-exec-1] DEBUG org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor - Failed to authorize ReflectiveMethodInvocation: public org.springframework.http.ResponseEntity org.fairdatapoint.api.controller.schema.MetadataSchemaController.createSchemaDraft(org.fairdatapoint.api.dto.schema.MetadataSchemaChangeDTO); target is of class [org.fairdatapoint.api.controller.schema.MetadataSchemaController] with attributes [[authorize: 'hasRole('ADMIN')', filter: 'null', filterTarget: 'null']]
2024-10-29 14:56:10,226 25506 [http-nio-8080-exec-1] ERROR org.fairdatapoint.api.controller.exception.ExceptionControllerAdvice - Access is denied

So we're authenticated, but not authorized.

More detail:

...
2024-10-29 15:40:37,089 37848 [http-nio-8080-exec-1] TRACE org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor - Did not re-authenticate UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=7e64818d-6276-46fb-8bb1-732e6e09f7e9, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, CredentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_USER]], Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[ROLE_USER]] before authorizing
2024-10-29 15:40:37,090 37849 [http-nio-8080-exec-1] TRACE org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor - Authorizing ReflectiveMethodInvocation: public org.springframework.http.ResponseEntity org.fairdatapoint.api.controller.schema.MetadataSchemaController.createSchemaDraft(org.fairdatapoint.api.dto.schema.MetadataSchemaChangeDTO); target is of class [org.fairdatapoint.api.controller.schema.MetadataSchemaController] with attributes [[authorize: 'hasRole('ADMIN')', filter: 'null', filterTarget: 'null']]
2024-10-29 15:40:37,094 37853 [http-nio-8080-exec-1] TRACE org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor - Failed to authorize ReflectiveMethodInvocation: public org.springframework.http.ResponseEntity org.fairdatapoint.api.controller.schema.MetadataSchemaController.createSchemaDraft(org.fairdatapoint.api.dto.schema.MetadataSchemaChangeDTO); target is of class [org.fairdatapoint.api.controller.schema.MetadataSchemaController] with attributes [[authorize: 'hasRole('ADMIN')', filter: 'null', filterTarget: 'null']] using AffirmativeBased 
...

Note the Granted Authorities=[ROLE_USER].
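To make the "authenticated but not authorized" reading of these TRACE lines mechanical, here is an added diagnostic (not part of the FAIRDataPoint project) that parses constructed lines in the same shape as the log above, extracts `Granted Authorities=[...]` and the `hasRole(...)` attribute, and applies Spring Security's default `ROLE_` prefix rule to decide whether the check could have passed. The abbreviated sample log and the helper names are my own assumptions.

```python
import re
from dataclasses import dataclass

# Prefix Spring Security adds when evaluating hasRole('ADMIN') -> authority "ROLE_ADMIN".
ROLE_PREFIX = "ROLE_"

# Constructed, abbreviated lines in the shape of the MethodSecurityInterceptor TRACE output
# quoted in this issue (not a real log; class names and the invocation are shortened).
SAMPLE_LOG = """\
TRACE MethodSecurityInterceptor - Did not re-authenticate UsernamePasswordAuthenticationToken [Principal=User [Username=7e64818d-6276-46fb-8bb1-732e6e09f7e9, Granted Authorities=[ROLE_USER]], Authenticated=true, Granted Authorities=[ROLE_USER]] before authorizing
TRACE MethodSecurityInterceptor - Failed to authorize ReflectiveMethodInvocation: createSchemaDraft(...); with attributes [[authorize: 'hasRole('ADMIN')', filter: 'null', filterTarget: 'null']] using AffirmativeBased
"""

@dataclass
class AuthzDiagnosis:
    authenticated: bool
    granted: list
    required: list

    @property
    def authorized(self) -> bool:
        # hasRole / hasAnyRole pass when any required authority is among the granted ones.
        return any(r in self.granted for r in self.required)

def required_authorities(expr: str) -> list:
    """Translate hasRole('X') / hasAnyRole('X','Y') into the authority strings Spring compares."""
    roles = re.findall(r"'([^']+)'", expr)
    return [r if r.startswith(ROLE_PREFIX) else ROLE_PREFIX + r for r in roles]

def diagnose(log_text: str) -> AuthzDiagnosis:
    """Extract authentication state, granted authorities and the endpoint's requirement."""
    auth = re.findall(r"Authenticated=(true|false)", log_text)
    granted_groups = re.findall(r"Granted Authorities=\[([^\]]*)\]", log_text)
    exprs = re.findall(r"authorize: '(has(?:Any)?Role\([^)]*\))'", log_text)
    granted = [a.strip() for a in granted_groups[-1].split(",") if a.strip()] if granted_groups else []
    required = [r for e in exprs for r in required_authorities(e)]
    return AuthzDiagnosis(authenticated=bool(auth) and auth[-1] == "true",
                          granted=granted, required=required)

def explain(diag: AuthzDiagnosis) -> str:
    """One-line verdict distinguishing a missing login from a missing role."""
    if not diag.authenticated:
        return "401-class problem: request was not authenticated"
    if diag.authorized:
        return "authorized"
    return f"403: authenticated with {diag.granted} but endpoint requires one of {diag.required}"

if __name__ == "__main__":
    print(explain(diagnose(SAMPLE_LOG)))
```

Feeding the real TRACE output through `diagnose` gives the same verdict as reading it by hand: the token is valid, but the principal only carries ROLE_USER where ROLE_ADMIN is required.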

@dennisvang
Contributor

dennisvang commented Oct 29, 2024

POST /metadata-schemas requires the ADMIN role, but GET /users/current returns

{
  "uuid": "7e64818d-6276-46fb-8bb1-732e6e09f7e9",
  "firstName": "Albert",
  "lastName": "Einstein",
  "email": "albert.einstein@example.com",
  "role": "USER"
}

Note the "role": "USER".

This holds for both Albert Einstein and Nikola Tesla, even though the readme says Albert is ADMIN:

FAIRDataPoint/README.md

Lines 106 to 110 in 1e33bfd

- **ADMIN:**
- Username: `albert.einstein@example.com`
- Password: `password`
- **USER:**
- Username: `nikola.tesla@example.com`

The dev db migrations show there is a new admin in town:

INSERT INTO public.user_account (uuid, first_name, last_name, email, password_hash, user_role, created_at, updated_at)
VALUES ('95589e50-d261-492b-8852-9324e9a66a42', 'Admin', 'von Universe', 'admin@example.com', '$2a$10$L.0OZ8QjV3yLhoCDvU04gu.WP1wGQih41MsBdvtQOshJJntaugBxe', 'ADMIN', NOW(), NOW());
INSERT INTO public.user_account (uuid, first_name, last_name, email, password_hash, user_role, created_at, updated_at)
VALUES ('7e64818d-6276-46fb-8bb1-732e6e09f7e9', 'Albert', 'Einstein', 'albert.einstein@example.com', '$2a$10$hZF1abbZ48Tf.3RndC9W6OlDt6gnBoD/2HbzJayTs6be7d.5DbpnW', 'USER', NOW(), NOW());
INSERT INTO public.user_account (uuid, first_name, last_name, email, password_hash, user_role, created_at, updated_at)
VALUES ('b5b92c69-5ed9-4054-954d-0121c29b6800', 'Nikola', 'Tesla', 'nikola.tesla@example.com', '$2a$10$tMbZUZg9AbYL514R.hZ0tuzvfZJR5NQhSVeJPTQhNwPf6gv/cvrna', 'USER', NOW(), NOW());

Using a token for admin@example.com, POST /metadata-schemas works as expected (using develop branch on localhost with the default dev db).

@dennisvang
Contributor

dennisvang commented Oct 29, 2024

@kburger were you also using the local dev db with default users, or were you using a custom db with real users?

@dennisvang
Contributor

@MarekSuchanek I can try to fix the inconsistency between migration and readme, but how do you wish to proceed?

  • either add a db migration to reinstate Einstein as admin
  • or update the readme to reflect Einstein's demotion to normal user, in favor of the new admin user

@kburger
Contributor Author

kburger commented Nov 4, 2024

> @kburger were you also using the local dev db with default users, or were you using a custom db with real users?

Default users, but also a confirmed ADMIN user on a 'real' FDP.

@dennisvang
Contributor

> [...] but also a confirmed ADMIN user on a 'real' FDP.

Hi @kburger, does the "real" FDP run the develop image or one of the v1.17.x images?
(assuming you are running one of the Docker images)

@kburger
Contributor Author

kburger commented Nov 4, 2024

They're all running tagged docker images, mostly the 1.16.2 version to work around the bugs in 1.17.
