User endpoint returns 401 #1825

Closed
ishank011 opened this issue Mar 19, 2021 · 10 comments · Fixed by #1910
Labels
OCIS-Fastlane Planned outside of the sprint Priority:p2-high Escalation, on top of current planning, release blocker Type:Bug Type:Regression

Comments

@ishank011
Copy link
Contributor

ishank011 commented Mar 19, 2021

Since #1762, tokens are not set in the context.

Using the cs3 backend with a Keycloak IDP. After redirection from the IDP, GetUserByClaim returns correctly, but when the endpoint /ocs/v1.php/cloud/user is called, it returns a 401. The corresponding logs:

ocis: {"level":"debug","service":"storage","pkg":"rgrpc","traceid":"014aacdf53ae15b2e6ac1781d343702e","user-agent":"grpc-go/1.29.1","from":"tcp://127.0.0.1:44446","uri":"/cs3.gateway.v1beta1.GatewayAPI/GetUserByClaim","start":"19/Mar/2021:12:13:28 +0100","end":"19/Mar/2021:12:13:28 +0100","time_ns":151535872,"code":"OK","time":"2021-03-19T12:13:28+01:00","message":"unary"}
ocis: {"level":"debug","service":"storage","pkg":"rgrpc","traceid":"0e1c67b2a0d0b3d7c180279c5faf9d25","method":"/cs3.gateway.v1beta1.GatewayAPI/CreateHome","time":"2021-03-19T12:13:28+01:00","message":"skipping auth"}
ocis: {"level":"debug","service":"storage","pkg":"rgrpc","traceid":"0e1c67b2a0d0b3d7c180279c5faf9d25","user-agent":"grpc-go/1.29.1","from":"tcp://[::1]:57020","uri":"/cs3.storage.registry.v1beta1.RegistryAPI/GetStorageProvider","start":"19/Mar/2021:12:13:28 +0100","end":"19/Mar/2021:12:13:28 +0100","time_ns":217328,"code":"OK","time":"2021-03-19T12:13:28+01:00","message":"unary"}
ocis: {"level":"debug","service":"storage","pkg":"rgrpc","traceid":"0e1c67b2a0d0b3d7c180279c5faf9d25","user-agent":"grpc-go/1.29.1","from":"tcp://127.0.0.1:44446","uri":"/cs3.gateway.v1beta1.GatewayAPI/CreateHome","start":"19/Mar/2021:12:13:28 +0100","end":"19/Mar/2021:12:13:28 +0100","time_ns":95253417,"code":"OK","time":"2021-03-19T12:13:28+01:00","message":"unary"}
ocis: {"level":"debug","service":"proxy","policy":"ocis","prefix":"/ocs/v[12].php/cloud/(users?|groups)","path":"/ocs/v1.php/cloud/user","routeType":"regex","time":"2021-03-19T12:13:28+01:00","message":"director found"}
ocis: {"level":"info","service":"proxy","method":"GET","path":"GET","from":"194.12.136.109:53360","time":"2021-03-19T12:13:28+01:00","message":"access-log"}
ocis: {"level":"debug","service":"ocs","request":"422865b7-c2d8-40b2-bdcf-2a74233819d1","proto":"HTTP/1.1","method":"GET","status":401,"path":"/ocs/v1.php/cloud/user","duration":0.363791,"bytes":144,"time":"2021-03-19T12:13:28+01:00"}

cc @refs @butonic

@ishank011
Copy link
Contributor Author

@refs when we log in using the CS3 backend, the roles are empty.

roleIDs, err := loadRolesIDs(ctx, user.Id.OpaqueId, c.settingsRoleService)
if err != nil {
	c.logger.Error().Err(err).Msg("Could not load roles")
}
if len(roleIDs) == 0 {
	return user, nil
}

And the /ocs/v1.php/cloud/user endpoint requires these roles to be set:

r.Route("/user", func(r chi.Router) {
	r.With(requireSelfOrAdmin).Get("/", svc.GetSelf)
	r.Get("/signing-key", svc.GetSigningKey)
})

So this fails here:

// get roles from context
roleIDs, ok := roles.ReadRoleIDsFromContext(r.Context())
if !ok {
	mustNotFail(render.Render(w, r, response.ErrRender(data.MetaUnauthorized.StatusCode, "Unauthorized")))
	return
}

Interestingly, it used to work before #1762 even though the roles list was still empty. Can you please take a look at what changed?
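The three snippets quoted above form one chain: the proxy backend attaches role IDs to the request context only when the list is non-empty, and the OCS guard answers 401 whenever the context carries no role IDs at all. The following is an added, self-contained example (not code from ocis or reva) that reproduces that chain with stand-in names: `roleKey`, `fakeRoleService`, `withRoleIDs`, `readRoleIDsFromContext`, `requireRoles` and `statusForUser` are hypothetical replacements for the ocis-pkg/roles helpers and the `requireSelfOrAdmin` middleware, and the user-to-role table is constructed sample data. Running it shows that a user whose role lookup returns an empty list is indistinguishable, at the handler, from a user whose roles were never loaded: both get 401.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// roleKey is a hypothetical context key standing in for the one ocis-pkg/roles uses.
type roleKey struct{}

// fakeRoleService stands in for the settings role service. Constructed sample data:
// "einstein" has a role assigned, "marie" exists but has an empty role list.
var fakeRoleService = map[string][]string{
	"einstein": {"role-admin"},
	"marie":    {},
}

// loadRolesIDs mirrors the backend lookup: an unknown user is an error, a known
// user returns whatever list the role service holds (possibly empty).
func loadRolesIDs(userID string) ([]string, error) {
	ids, ok := fakeRoleService[userID]
	if !ok {
		return nil, fmt.Errorf("no such user: %s", userID)
	}
	return ids, nil
}

// withRoleIDs follows the pattern quoted from the proxy cs3 backend: on error or
// on an empty list the context is returned untouched, so the key is never set.
func withRoleIDs(ctx context.Context, userID string) context.Context {
	roleIDs, err := loadRolesIDs(userID)
	if err != nil {
		return ctx // logged and ignored in the original; the user is still returned
	}
	if len(roleIDs) == 0 {
		return ctx
	}
	return context.WithValue(ctx, roleKey{}, roleIDs)
}

// readRoleIDsFromContext reports ok=false when the key was never set.
func readRoleIDsFromContext(ctx context.Context) ([]string, bool) {
	ids, ok := ctx.Value(roleKey{}).([]string)
	return ids, ok
}

// requireRoles is the requireSelfOrAdmin-style guard: no role IDs in the context
// means 401, regardless of whether the user was authenticated upstream.
func requireRoles(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, ok := readRoleIDsFromContext(r.Context()); !ok {
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// getSelf stands in for the /ocs/v1.php/cloud/user handler.
func getSelf(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
	fmt.Fprint(w, "ok")
}

// statusForUser runs one GET through proxy-style context enrichment and the OCS
// guard, returning the HTTP status the client would see.
func statusForUser(userID string) int {
	h := requireRoles(http.HandlerFunc(getSelf))
	req := httptest.NewRequest(http.MethodGet, "/ocs/v1.php/cloud/user", nil)
	req = req.WithContext(withRoleIDs(req.Context(), userID))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, u := range []string{"einstein", "marie", "unknown"} {
		fmt.Printf("%-9s -> %d\n", u, statusForUser(u))
	}
}
```

A unit test against `statusForUser` is the quickest way to pin this behaviour down when bisecting: the "marie" case is exactly the CS3-backend situation described in this issue, where the user is resolved but the role list comes back empty, and it should fail the moment the guard starts being invoked.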

@ishank011
Copy link
Contributor Author

Apparently, previously the RequireSelfOrAdmin method was never actually called.

@refs
Copy link
Member

refs commented Apr 1, 2021

Hm, hmmmmm. There was only one change that comes to mind, but it was not in #1762 but in this one: #1696.

> Since #1762, tokens are not set in the context.

I'd need to bisect there.

@refs
Copy link
Member

refs commented Apr 1, 2021

> Apparently, previously the RequireSelfOrAdmin method was never actually called

Prior to #1762? I see the last changes to the ocs/service.go file were on 26.10.2020 🤔. Needs deeper investigation, I'd say.

@micbar
Copy link
Contributor

micbar commented Apr 7, 2021

This is currently blocking the update to the latest version for CERN.

@settings settings bot removed the p2-high label Apr 7, 2021
@micbar micbar added the Priority:p2-high Escalation, on top of current planning, release blocker label Apr 8, 2021
@exalate-issue-sync exalate-issue-sync bot added p2-high OCIS-Fastlane Planned outside of the sprint labels Apr 8, 2021
@refs
Copy link
Member

refs commented Apr 8, 2021

@ishank011 I started digging into this. I set up a local deployment following this guide, with the only addition being

### Users Backend
# Set user backend to CS3
PROXY_ACCOUNT_BACKEND_TYPE="cs3"

to the .env in deployments/examples/ocis_keycloak, and I managed to log in. I'm sure I'm missing something, but in the meantime, could you share your config details? Perhaps we can also jump on a Zoom call to speed this up :)

@ishank011
Copy link
Contributor Author

Hi @refs. Thanks for looking into it!

The problem arises when reva is not able to get a list of roles for the user. Can you log roleIDs here: https://github.com/owncloud/ocis/blob/master/proxy/pkg/user/backend/cs3.go#L54? If it's not empty, try setting it to empty and see if it works.

And sure, please let me know when you're free so we can have a call.

@refs
Copy link
Member

refs commented Apr 8, 2021

Correction to my own comment! That config didn't make it into the container; instead I modified the docker-compose.yml with PROXY_ACCOUNT_BACKEND_TYPE: "cs3" for the ocis container and was able to reproduce it.

@refs
Copy link
Member

refs commented Apr 8, 2021

With the error being:

{"level":"error","service":"proxy","error":"could not get user by claim mail with value admin@example.org : %!w(<nil>) ","time":"2021-04-08T09:28:26.2783404Z","message":"Could not get user by claim"}

@ishank011
Copy link
Contributor Author

If you're using the json driver for the userprovider service in reva, you can add the admin user to the file.
