
ocmproviderauthorizer: do not match providers full hostname against the 'domain' field #3322

Open
SamuAlfageme opened this issue Oct 6, 2022 · 2 comments
Labels: bug, OCM

Comments

SamuAlfageme (Contributor):
Up until now, when accepting an OCM invitation, we match the users' IDP:

>> ocm-find-accepted-users
+------------+---------+----------------+-----------------------+
| OPAQUEID   | IDP     | MAIL           | DISPLAYNAME           |
+------------+---------+----------------+-----------------------+
| samuel9876 | cern.ch | samuel@cern.ch | Samuel Alfageme Sainz |
+------------+---------+----------------+-----------------------+

... with the domain from the ocm providers in Mentix:

{
	"name": "CERN",
	"full_name": "CERN",
	"description": "CERN ScienceMesh",
	"organization": "CERN",
	"domain": "cern.ch",
	"homepage": "https://home.cern/",
	"email": "cernbox-service-ops@cern.ch",
	"services": [
		...
	]
}

However, while transitioning to production environments, these fields will be filled with actual IDP URLs, e.g.:

reva whoami
id:<idp:"https://auth.cern.ch/auth/realms/cern" opaque_id:"cboxbot" type:USER_TYPE_PRIMARY > username:"cboxbot" ...>

This will result in an error, as https://auth.cern.ch/auth/realms/cern does not match cern.ch from the example ocm-providers.json/mentix:

2022-10-05 15:17:06.716 INF src/github/cs3org/reva/internal/http/interceptors/providerauthorizer/providerauthorizer.go:83 > skipping provider authorizer check for: /ocm/shares pid=1 pkg=rhttp traceid=2f02001fb497925228a9e579b7b2bd9d
2022-10-05 15:17:06.716 DBG src/github/cs3org/reva/pkg/rhttp/rhttp.go:304 > http routing: url=ocm pid=1 pkg=rhttp
2022-10-05 15:17:06.716 DBG src/github/cs3org/reva/internal/http/services/ocmd/ocmd.go:113 > http routing head=shares pid=1 pkg=rhttp tail=/ traceid=2f02001fb497925228a9e579b7b2bd9d
2022-10-05 15:17:06.72 ERR src/github/cs3org/reva/internal/grpc/services/ocmproviderauthorizer/ocmproviderauthorizer.go:125 > error verifying mesh provider error="error: not found: https://auth.cern.ch/auth/realms/cern" pid=1 pkg=rgrpc traceid=e251ed3c59c6a6ed1bb2d1765343e9bf
2022-10-05 15:17:06.721 ERR src/github/cs3org/reva/internal/http/services/ocmd/reqres.go:62 > provider not authorized error="error verifying mesh provider" pid=1 pkg=rhttp traceid=2f02001fb497925228a9e579b7b2bd9d
2022-10-05 15:17:06.721 WRN src/github/cs3org/reva/internal/http/interceptors/log/log.go:112 > http end="05/Oct/2022:15:17:06 +0000" host=10.100.54.0 method=POST pid=1 pkg=rhttp proto=HTTP/1.1 size=71 start="05/Oct/2022:15:17:06 +0000" status=401 time_ns=6280387 traceid=2f02001fb497925228a9e579b7b2bd9d uri=/ocm/shares url=/ocm/shares

We'll also need to consider the cases where a single IDP is used in multiple institutions, like e.g. eduGAIN, as all the users will share the same IDP URL in their IDs.
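To make the mismatch concrete, here is an added, self-contained Go example (not Reva's code, and not the fix the issue proposes) that parses the hostname out of an IdP value and checks whether it is the provider's `domain` or a subdomain of it on a dot boundary. The `Provider` struct, `FindProvider`, `idpHost` and `hostMatchesDomain` are assumed names constructed for this illustration; the provider list and IdP values are taken from the issue text. The eduGAIN case is deliberately left unresolved: a shared IdP host cannot be mapped to one institution by hostname comparison, so it still comes back as "not found" here.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Provider is a constructed stand-in for one entry of the Mentix /
// ocm-providers.json list; only the fields used here are kept.
type Provider struct {
	Name   string
	Domain string
}

// idpHost extracts the hostname from a user's IdP value. The value may be a
// bare domain ("cern.ch") or a full URL ("https://auth.cern.ch/auth/realms/cern").
func idpHost(idp string) (string, error) {
	if !strings.Contains(idp, "://") {
		return strings.ToLower(strings.TrimSpace(idp)), nil
	}
	u, err := url.Parse(idp)
	if err != nil {
		return "", err
	}
	if u.Hostname() == "" {
		return "", fmt.Errorf("no hostname in idp %q", idp)
	}
	return strings.ToLower(u.Hostname()), nil
}

// hostMatchesDomain reports whether host equals domain or is a subdomain of it.
// The "." boundary prevents "evilcern.ch" from matching "cern.ch".
func hostMatchesDomain(host, domain string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	domain = strings.ToLower(strings.TrimSuffix(domain, "."))
	return host == domain || strings.HasSuffix(host, "."+domain)
}

// FindProvider returns the first provider whose domain covers the user's IdP
// host, or an error when nothing matches. A shared IdP host (eduGAIN-style)
// also ends up here: hostname comparison alone cannot decide the institution,
// so that case needs an explicit IdP-to-provider mapping instead.
func FindProvider(providers []Provider, idp string) (*Provider, error) {
	host, err := idpHost(idp)
	if err != nil {
		return nil, err
	}
	for i := range providers {
		if hostMatchesDomain(host, providers[i].Domain) {
			return &providers[i], nil
		}
	}
	return nil, fmt.Errorf("not found: %s", idp)
}

func main() {
	// Constructed provider list mirroring the Mentix entry from the issue.
	providers := []Provider{{Name: "CERN", Domain: "cern.ch"}}
	for _, idp := range []string{
		"cern.ch",
		"https://auth.cern.ch/auth/realms/cern",
		"https://evilcern.ch/realms/x", // constructed look-alike host
	} {
		p, err := FindProvider(providers, idp)
		if err != nil {
			fmt.Println(idp, "->", err)
			continue
		}
		fmt.Println(idp, "->", p.Name)
	}
}
```

The first two inputs resolve to CERN (bare domain and full IdP URL), while the look-alike host is rejected because the suffix check requires a dot boundary; a plain `strings.HasSuffix(host, domain)` would have accepted it.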

mirekys (Member) commented Oct 6, 2022:

This might be related: pondersource/oc-sciencemesh#19

redblom (Contributor) commented Dec 7, 2022:

See also #3113
