
Comments (6)

cdanger avatar cdanger commented on June 14, 2024

Hello, as far as I understand, if the "HTTP/1.1 400 Bad Request" in your capture is the response from AZF, then the request that is causing it should be visible just before. Unfortunately, I cannot find it here. Is it anywhere in your packet capture so I can see what's wrong with it that is causing the error 400 response from AZF?
Thanks.

from fiware.

AnotherCodeArtist avatar AnotherCodeArtist commented on June 14, 2024

Hi @cdanger! I'll provide you with the capture result on Monday. To me it's just some binary content sent to the authzforce port, so I doubt that would be helpful. It's definitely no valid request, so I totally agree with AZF's response but also don't know what triggers this response. Anyway, we will see soon.
BTW: Is it possible for you to set up a working security installation based on the currently available docker-images/Dockerfiles or master branches?

from fiware.

cdanger avatar cdanger commented on June 14, 2024

Hello, I found the time to set up an IdM-PEP-AZF infrastructure with the latest Docker releases at last, and indeed, I faced a couple of issues in the PEP proxy and one in the IdM. I do not own these components, so I did what I could to fix things quickly. For long-term fixes, I reported specific issues on their respective GitHub repositories and created pull requests, so we'll have to wait for the next releases. In the meantime, I can tell you the quick fixes I did.

First, I assume you still have an AZF Docker container up and running, probably version 5.4.0b, which was the latest at the time you created the issue. You may upgrade to 5.4.1, which I released more recently. Anyway, this is just for your info, and will not fix the issue here.

As for the IdM, especially the dashboard, you have to fix issues:

  • 72: you can check my pull request to know how to fix it; basically fixing a typo in file openstack_dashboard/templates/access_control/policy.xacml.
  • 71: this one I already told you about. I created a pull request as well to get it fixed.

Then restart the IdM container after fixing the files.

As for the PEP, you have to fix issues:

  • 29: until 2 days ago, the version of the pep proxy inside the image tagged 5.3.1 was not actually 5.3.1, but 5.2.1. This has been fixed a day ago. Therefore you have to get rid of the Docker image fiware/pep-proxy:5.3.1 in your local repository: docker stop and docker rm any container using image fiware/pep-proxy:5.3.1, then docker rmi fiware/pep-proxy:5.3.1. Then docker run to get back the new image and run the container with your custom config.js, and also a custom log_config.json in DEBUG level everywhere to make troubleshooting easier at the first stage of testing; for example:
docker run -d --name pep-proxy -v /home/toto/fiware-pep-proxy/config.js:/opt/fiware-pep-proxy/config.js -v /home/toto/fiware-pep-proxy/log_config.json:/opt/fiware-pep-proxy/log_config.json -p 80:80 fiware/pep-proxy:5.3.1

My config.js looks like this:

var config = {};

config.pep_port = 80;

// Set this var to undefined if you don't want the server to listen on HTTPS
config.https = {
    enabled: false,
    cert_file: 'cert/cert.crt',
    key_file: 'cert/key.key',
    port: 443
};

config.account_host = 'http://idm:8000';

config.keystone_host = 'idm';
config.keystone_port = 5000;

config.app_host = 'www.google.es';
config.app_port = '80';

// Use true if the app server listens in https
config.app_ssl = false;

// Credentials obtained when registering PEP Proxy in Account Portal
// Of course these are not the real ones I am using but just for example
config.username = 'pep_proxy_XXXXXXXX';
config.password = 'XXXXXXXXXXXXXX';

// in seconds
config.chache_time = 300;

// if enabled PEP checks permissions with AuthZForce GE.
// only compatible with oauth2 tokens engine
//
// you can use custom policy checks by including programmatic scripts
// in policies folder. A script template is included there
config.azf = {
    enabled: true,
    protocol: 'http',
    host: 'azf',
    port: 8080,
    custom_policy: undefined // use undefined to default policy checks (HTTP verb + path).
};

// list of paths that will not check authentication/authorization
// example: ['/public/*', '/static/css/']
config.public_paths = [];

// options: oauth2/keystone
config.tokens_engine = 'oauth2';

config.magic_key = undefined;

module.exports = config;

Here I am using hostnames for the IdM and AZF hosts but you can use IP addresses of course. What is important is config.azf.protocol which must be set to http. I assume you are using a default setup of AZF with SSL disabled and listening to port 8080 (depends on the docker run command you used to run the AZF container). We want to make sure everything works with SSL disabled first, before we begin to tackle the SSL issues.

My log_config.json:

{
  "appenders": [
    { 
      "type": "console",
      "layout": {
        "type": "pattern",
        "pattern": "%d  - %p: %c - %m",
        "replaceConsole": true
      } 
    }
  ],
  "levels": {
    "Server": "DEBUG",
    "Root": "DEBUG",
    "HTTP-Client": "DEBUG",
    "AZF-Client": "DEBUG",
    "IDM-Client": "DEBUG",
    "Test": "DEBUG"
  }
}
  • 31 and 32. I created a pull request to fix both. In order to apply this fix to your Docker container, you can download the fixed version of the lib/azf.js file from my forked repository, then copy it to the container, then connect to the container's shell (assuming your pep-proxy container's name is pep-proxy):
$ docker cp /home/toto/fiware-pep-proxy/lib/azf.js pep-proxy:/opt/fiware-pep-proxy/lib/azf.js
$ docker exec -t -i pep-proxy bash

In the container's shell, install the Node.js package xml2js (this requires Internet connection over https, so make sure the proxy is well configured with npm config set https-proxy ... if you have one):

$ npm install xml2js

Exit the shell/container, restart the container and check that it starts OK with docker logs -f pep-proxy.

from fiware.
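The config.js above is where most of the trouble in this thread comes from (protocol, engine, ports). As an added example, not code from the fiware-pep-proxy project or from anyone in this thread, here is a small lint pass over a config object of that shape; the finding texts and the sampleConfig are constructed here, and the magic_key check reflects the PEP proxy's documented behaviour that a request carrying that value skips token validation.

```javascript
// Added example: lint a PEP proxy config object shaped like the thread's config.js.
// Returns a list of findings; an empty list means nothing suspicious was found.
function lintPepConfig(config) {
  const findings = [];
  const azf = config.azf || {};

  if (azf.enabled) {
    // The config template states AZF checks only work with the oauth2 engine.
    if (config.tokens_engine !== 'oauth2') {
      findings.push('azf.enabled requires tokens_engine = "oauth2"');
    }
    // Default AZF Docker setup is plain http on 8080; anything else must be deliberate.
    if (azf.protocol !== 'http' && azf.protocol !== 'https') {
      findings.push('azf.protocol must be "http" or "https", got ' + JSON.stringify(azf.protocol));
    }
    if (!Number.isInteger(azf.port) || azf.port < 1 || azf.port > 65535) {
      findings.push('azf.port must be an integer TCP port');
    }
    if (!azf.host) findings.push('azf.host is empty');
  }

  // magic_key lets a caller skip token validation; keep it undefined outside local testing.
  if (config.magic_key !== undefined) {
    findings.push('magic_key is set: any request presenting it bypasses authentication');
  }

  // Placeholder credentials left over from the template never authenticate against the IdM.
  if (/^X+$/.test(config.password || '') || /XXXX/.test(config.username || '')) {
    findings.push('username/password still contain template placeholders');
  }

  // A catch-all entry in public_paths would expose every route without a token.
  for (const p of config.public_paths || []) {
    if (p === '*' || p === '/' || p === '/*') {
      findings.push('public_paths entry ' + JSON.stringify(p) + ' disables protection for all paths');
    }
  }

  // Not an error, but worth surfacing: tokens travel in clear text on both hops.
  if (config.https && config.https.enabled === false && config.app_ssl === false) {
    findings.push('info: PEP and backend both in clear text; acceptable only while troubleshooting');
  }
  return findings;
}

// Constructed sample mirroring the thread's config.js (hostnames idm/azf, oauth2, http).
const sampleConfig = {
  pep_port: 80, https: { enabled: false, port: 443 }, app_ssl: false,
  username: 'pep_proxy_XXXXXXXX', password: 'XXXXXXXXXXXXXX', chache_time: 300,
  azf: { enabled: true, protocol: 'http', host: 'azf', port: 8080 },
  public_paths: [], tokens_engine: 'oauth2', magic_key: undefined,
};
```

Running lintPepConfig(sampleConfig) reports only the placeholder credentials and the clear-text note, which is the expected state for the first, SSL-disabled round of testing described above.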

AnotherCodeArtist avatar AnotherCodeArtist commented on June 14, 2024

Thanks a lot @cdanger! I'm currently on vacations and will give your fixes a try once I'm back in office (about two weeks from now) and get some time for it.

from fiware.

cdanger avatar cdanger commented on June 14, 2024

Now the fixes are part of the new releases, so you should upgrade to KeyRock v5.4.0, PEP Proxy v5.4 or later, AZF v5.4.1 or later.

from fiware.

cdanger avatar cdanger commented on June 14, 2024

I am now closing this issue since there has been no news from the OP for quite some time. You can re-open when you happen to reproduce the issue with new software versions.

from fiware.
