@RPC.allow restrictions are not applied after restart of VOLTTRON #3168

Closed
schandrika opened this issue Apr 12, 2024 · 0 comments · Fixed by #3171
@schandrika
Contributor

Describe the bug
Auth restrictions on RPC methods specified using @RPC.allow decorators are not enforced on existing agents after a restart of the VOLTTRON server. These are enforced on a newly installed agent or after an auth update using "vctl auth" commands.

To Reproduce

  1. Start VOLTTRON
  2. Install an agent, say AgentA, with an RPC exported method with an auth restriction using the @RPC.allow decorator
  3. Install a second agent, say CallerAgent, and call the auth restricted method of AgentA in the onstart method
  4. Start AgentA and CallerAgent
  5. This should cause the RPC call to fail with an error clearly mentioning that CallerAgent does not have the necessary capability to access AgentA's method
  6. Restart VOLTTRON
  7. Restart AgentA
  8. Restart CallerAgent
  9. Observe there is no auth error and CallerAgent is able to call the auth restricted method of AgentA

Expected behavior
Auth rules should be enforced for newly installed agents and existing agents
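
The invariant behind the reproduction steps, as an added example that is not part of the original issue and is not VOLTTRON code: a toy in-memory model in which restrictions are applied on install but, depending on a flag, not re-applied after a restart. `Platform`, `AgentA`, `allow`, `sync_on_start` and the capability name are hypothetical, and the model mirrors only the symptoms reported above, not VOLTTRON's implementation or the actual root cause.

```python
# Toy model, constructed for illustration; none of these names are VOLTTRON APIs.
class Unauthorized(Exception):
    pass

def allow(capability):
    """Stand-in for an @RPC.allow-style decorator: tag a method with a required capability."""
    def wrap(fn):
        fn.required = capability
        return fn
    return wrap

class AgentA:
    def __init__(self):
        self.enforced = False            # in-memory flag: restrictions currently applied?

    @allow("can_read_status")            # constructed capability name
    def restricted(self):
        return "status"

class Platform:
    def __init__(self, auth_store, sync_on_start):
        self.auth_store = auth_store     # persisted mapping: caller -> set of capabilities
        self.sync_on_start = sync_on_start
        self.agents = {}

    def install(self, name, agent):
        self.agents[name] = agent
        agent.enforced = True            # installing an agent applies its restrictions

    def restart(self):
        for agent in self.agents.values():
            agent.enforced = self.sync_on_start  # in-memory state survives only if re-applied

    def call(self, caller, target, method):
        fn = getattr(self.agents[target], method)
        required = getattr(fn, "required", None)
        granted = self.auth_store.get(caller, set())
        if self.agents[target].enforced and required and required not in granted:
            raise Unauthorized(f"{caller} lacks capability {required!r}")
        return fn()

def denied(platform):
    try:
        platform.call("CallerAgent", "AgentA", "restricted")
    except Unauthorized:
        return True
    return False

def denied_before_and_after_restart(sync_on_start):
    p = Platform(auth_store={"CallerAgent": set()}, sync_on_start=sync_on_start)
    p.install("AgentA", AgentA())
    before = denied(p)
    p.restart()
    return before, denied(p)
```

A regression test for this class of bug asserts the second element is `True` for agents that already existed before the restart, not only for freshly installed ones.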

@schandrika schandrika self-assigned this Apr 12, 2024
schandrika added a commit to schandrika/volttron that referenced this issue Apr 12, 2024
@schandrika schandrika changed the title from "RPO allow restrictions are not applied after restart of VOLTTRON" to "@RPC.allow restrictions are not applied after restart of VOLTTRON" Apr 12, 2024
craig8 pushed a commit that referenced this issue Apr 19, 2024
* Fix for security issue #3168

* handling clean up errors in test

* testing group commands in different test module

* moved group and role test to different module

* moved group and role test to different module
@craig8 craig8 mentioned this issue Apr 19, 2024
craig8 added a commit that referenced this issue May 8, 2024
* Update readthedocs requirements.txt

* Update conf.py

* Update requirements_demo.txt

Add missing pandas requirement for demo

* work around for issue #3154

* Fix for security issue #3168 (#3169)

* Fix for security issue #3168

* handling clean up errors in test

* testing group commands in different test module

* moved group and role test to different module

* moved group and role test to different module

* Added a cache for agent names since platform start

* Fixes process overload from file events

* fixed issue with variable definition.

* Remove PersistentDict from web-user.json file.

* Update admin_endpoints.py

Handle behavior of removing PersistentDict

* Update version to 9.0.1

---------

Co-authored-by: Chandrika Sivaramakrishnan <chandrika@pnnl.gov>
Co-authored-by: Chandrika <schandrika@users.noreply.github.com>
Co-authored-by: Andrew Rodgers <andrew@aceiotsolutions.com>
@craig8 craig8 mentioned this issue May 8, 2024
14 tasks
craig8 added a commit that referenced this issue May 10, 2024