API returns 403 in Umbrella Setup #160

Open
ipa-big opened this issue Jul 19, 2024 · 0 comments

Comments


ipa-big commented Jul 19, 2024

Setup

I am using a modified umbrella chart to set up the portal, IdPs, discovery finder (chart version: 0.3.1 - also tried 0.2.2) and so on. The chart looks like this:

---
apiVersion: v2
name: umbrella
sources:
  - https://github.com/eclipse-tractusx/tractus-x-umbrella
type: application
version: 1.0.0

dependencies:
  # portal
  - condition: portal.enabled
    name: portal
    repository: file:///tmp/tractus-x-portal/charts/portal
    version: 2.1.0-RC1
  # cx-iam
  - condition: centralidp.enabled
    name: centralidp
    repository: https://eclipse-tractusx.github.io/charts/dev
    version: 3.0.0
  - condition: sharedidp.enabled
    name: sharedidp
    repository: https://eclipse-tractusx.github.io/charts/dev
    version: 3.0.0
  # discovery-finder for Digital Twin matters
  - condition: discoveryfinder.enabled
    name: discoveryfinder
    repository: https://eclipse-tractusx.github.io/charts/dev
    version: 0.3.1
  # bpn-discovery for Digital Twin matters
  - condition: bpndiscovery.enabled
    name: bpndiscovery
    repository: https://eclipse-tractusx.github.io/charts/dev
    version: 0.2.2
  # sd-factory
  - condition: selfdescription.enabled
    name: sdfactory
    alias: selfdescription
    repository: https://eclipse-tractusx.github.io/charts/dev
    version: 2.1.19
  # miw
  - name: managed-identity-wallet
    repository: https://eclipse-tractusx.github.io/charts/dev
    version: 0.4.0
    condition: managed-identity-wallet.enabled
  # semantic-hub
  - condition: semantic-hub.enabled
    name: semantic-hub
    repository: https://eclipse-tractusx.github.io/charts/dev
    version: 0.2.2
  - name: bpdm
    condition: bpdm.enabled
    repository: https://eclipse-tractusx.github.io/charts/dev
    version: 5.0.2
  # TX Data Consumer 1
  - name: tx-data-provider
    alias: dataconsumerOne
    version: 0.0.5
    repository: https://eclipse-tractusx.github.io/charts/dev
    condition: dataconsumerOne.enabled
  # TX Data Providers
  - name: tx-data-provider
    version: 0.0.5
    repository: https://eclipse-tractusx.github.io/charts/dev
    condition: tx-data-provider.enabled
  # TX Data Consumer 2
  - name: tx-data-provider
    alias: dataconsumerTwo
    version: 0.0.5
    repository: https://eclipse-tractusx.github.io/charts/dev
    condition: dataconsumerTwo.enabled
  # pgadmin4 as helper tool for easy database access
  - condition: pgadmin4.enabled
    name: pgadmin4
    repository: https://helm.runix.net
    version: 1.25.x

... and the part of the values file about the discovery finder looks like this:

discoveryfinder:
  enabled: true
  enablePostgres: true
  discoveryfinder:
    authentication: true
    livenessProbe:
      initialDelaySeconds: 200
    readinessProbe:
      initialDelaySeconds: 200
    host: semantics.tx.test
    properties:
      discoveryfinder:
        initialEndpoints:
          - type: bpn
            endpointAddress: http://portal-backend.tx.test/api/administration/Connectors/discovery
            description: Service to discover connector endpoints based on bpns
            documentation: http://portal-backend.tx.test/api/administration/swagger/index.html
    idp:
      issuerUri: "http://centralidp.tx.test/auth/realms/CX-Central"
      publicClientId: "Cl21-CX-DF"
    dataSource:
      url: "jdbc:postgresql://{{ .Release.Name }}-discoveryfinder-postgresql:5432/discoveryfinder"
    # -- docs: http://semantics.tx.test/discoveryfinder/swagger-ui/index.html
    ingress:
      enabled: true
      tls: false
      urlPrefix: "/discoveryfinder"
      className: "nginx"
      annotations:
        cert-manager.io/cluster-issuer: "my-ca-issuer"
        nginx.ingress.kubernetes.io/rewrite-target: "/$2"
        nginx.ingress.kubernetes.io/use-regex: "true"
        nginx.ingress.kubernetes.io/enable-cors: "true"
        nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
        nginx.ingress.kubernetes.io/x-forwarded-prefix: "/discoveryfinder"
  postgresql:
    nameOverride: "discoveryfinder-postgresql"
    primary:
      persistence:
        enabled: false
        size: 8Gi
    auth:
      password: "dbpassworddiscoveryfinder"
      postgresPassword: "dbpassworddiscoveryfinder"

Current Behaviour

When I try to access endpoints of the API (e.g. POST http://semantics.tx.test/discoveryfinder/administration/connectors/discovery/search), I always receive a response with status code 403 and the message "The request requires higher privileges than provided by the access token."

Desired Behaviour

I want to create and list endpoints via the API of the discovery finder with HTTP calls.

To Reproduce

According to the enum in JwtRoles.java:

public enum JwtRoles {

   VIEW( "view_discovery_endpoint" ),
   ADD( "add_discovery_endpoint" ),
   DELETE( "delete_discovery_endpoint" );
   ...
}

It requires specific roles to consume the API. Therefore, I added the roles manually to the CX-Operator user of the umbrella setup:

(screenshot of the roles added to the CX-Operator user)

Then I requested a JWT token from the central IdP of the umbrella setup. The JWT token contains:

{
...
  "iss": "http://centralidp.tx.test/auth/realms/CX-Central",
  "aud": [
    "Cl1-CX-Registration",
    "Cl2-CX-Portal",
    "Cl21-CX-DF",
    "Cl16-CX-BPDMGate",
    "Cl7-CX-BPDM",
    "Cl5-CX-Custodian",
    "technical_roles_management",
    "Cl24-CX-SSI-CredentialIssuer",
    "Cl3-CX-Semantic",
    "Cl23-CX-Policy-Hub",
    "account"
  ],
  "azp": "Cl2-CX-Portal",
  "resource_access": {
    "Cl21-CX-DF": {
      "roles": [
        "view_discovery_endpoint",
        "add_discovery_endpoint",
        "delete_discovery_endpoint"
      ]
    }, ...
  },
  "scope": "catena profile email",
...

Finally, I send an HTTP request as follows:

POST http://semantics.tx.test/discoveryfinder/administration/connectors/discovery/search
Authorization: Bearer {{kc-access-token}}
Content-Type: application/json

{}

The response is:

HTTP/1.1 403 
Date: Fri, 19 Jul 2024 17:19:35 GMT
Content-Length: 0
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
WWW-Authenticate: Bearer error="insufficient_scope", error_description="The request requires higher privileges than provided by the access token.", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, PUT, POST, DELETE, PATCH, OPTIONS
Access-Control-Allow-Headers: DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization
Access-Control-Max-Age: 1728000

<Response body is empty>

Response code: 403; Time: 62ms (62 ms); Content length: 0 bytes (0 B)

I assume that the token does not have all scopes included, because of the error message "insufficient_scope". Unfortunately, I was not able to receive a token with a scope other than "catena profile email".

Thanks for your support.
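The following is an added diagnostic example, not code from the issue above or from the discovery-finder project. It decodes an access token's payload (without verifying the signature, so it is only for inspecting a token you already hold) and compares the roles under the Keycloak-style `resource_access.<client>.roles` claim against the three roles named in the quoted JwtRoles enum, also checking that the client appears in `aud` and listing the `scope` values. The client id `Cl21-CX-DF` and the role names come from the issue; the sample claims, the HS256 signing secret and the helper names (`make_sample_token`, `decode_claims`, `client_roles`, `triage`) are constructed for this snippet.

```python
import base64
import hashlib
import hmac
import json

# Roles named in the JwtRoles enum quoted in the issue.
REQUIRED_ROLES = {
    "view_discovery_endpoint",
    "add_discovery_endpoint",
    "delete_discovery_endpoint",
}
# Client id from the values file in the issue (discoveryfinder.idp.publicClientId).
CLIENT_ID = "Cl21-CX-DF"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(claims: dict, secret: bytes = b"constructed-secret") -> str:
    """Build a constructed HS256 token for offline testing; not a token from a real IdP."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.

    This is a triage helper for a token you already possess; an authorisation
    decision must only ever be made on a token whose signature, issuer and
    expiry have been verified.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def client_roles(claims: dict, client_id: str) -> set:
    """Client roles Keycloak places under resource_access.<client>.roles."""
    return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))


def triage(claims: dict, client_id: str, required: set) -> dict:
    """Compare what the token carries against what the resource server expects."""
    roles = client_roles(claims, client_id)
    aud = claims.get("aud", [])
    if isinstance(aud, str):          # 'aud' may be a single string or a list
        aud = [aud]
    return {
        "audience_ok": client_id in aud,
        "azp": claims.get("azp"),
        "scopes": claims.get("scope", "").split(),
        "client_roles": sorted(roles),
        "missing_roles": sorted(required - roles),
        # realm roles live in a separate Keycloak claim; listed so a mapping
        # that reads realm_access instead of resource_access is easy to spot
        "realm_roles": sorted(claims.get("realm_access", {}).get("roles", [])),
    }


# Constructed claims mirroring the shape of the token quoted in the issue.
SAMPLE_CLAIMS = {
    "iss": "http://centralidp.tx.test/auth/realms/CX-Central",
    "aud": ["Cl2-CX-Portal", "Cl21-CX-DF", "account"],
    "azp": "Cl2-CX-Portal",
    "resource_access": {
        "Cl21-CX-DF": {"roles": sorted(REQUIRED_ROLES)},
        "Cl2-CX-Portal": {"roles": ["constructed_portal_role"]},
    },
    "scope": "catena profile email",
}

if __name__ == "__main__":
    token = make_sample_token(SAMPLE_CLAIMS)
    print(json.dumps(triage(decode_claims(token), CLIENT_ID, REQUIRED_ROLES), indent=2))
```

If the triage reports no missing roles and `audience_ok` is true, the token already carries what the enum names, which narrows the problem to how the resource server turns claims into authorities (for example, whether it reads `resource_access.<client>.roles`, `realm_access.roles` or the `scope` claim). The `error_description` quoted in the issue is the text Spring Security's resource-server support emits when the bearer token itself was accepted but the request's authorization rule was not satisfied, so the `insufficient_scope` wording does not by itself mean the OAuth `scope` claim is the thing being checked.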
