Some admin tools fails with 403

[vjrj]

@jloomisVCE and me just discovered that many admin tools fails with a 403 error and some error like:

2021-10-07 16:41:09.061  WARN --- [nio-9101-exec-4] a.org.ala.ws.security.ApiKeyInterceptor  : Non-authorised IP address - X.X.X.X

See screenshot:

Adding the IP to the whitelist variable did not solve the issue. The user has the ROLE_ADMIN role and the ROLE_IMAGE_ADMIN

Tested with image-service 1.1.5.1 and 1.1.7.1.

Sounds like a bug more than a config issue? Any tip?

[vjrj]

Maybe it's an authorization error in userdetails, @jloomisVCE can you check if your image-service IP is allowed to get user details?

https://github.com/AtlasOfLivingAustralia/documentation/wiki/Secure-your-LA-infrastructure#allowlist-ip-address

[vjrj]

I ask myself, in my test environment, is allowed and still fails with 403:

[vjrj]

If helps, reindexImages works:

image-service/grails-app/controllers/au/org/ala/images/AdminController.groovy

Line 358 in b1481e3

def reindexImages() {

but scheduleArtifactGeneration and other admin tools (like scheduleKeywordRegeneration) fails with 403:

image-service/grails-app/controllers/au/org/ala/images/ImageController.groovy

Line 515 in b1481e3

@AlaSecured(value = [CASRoles.ROLE_ADMIN], anyRole = true, redirectUri = "/")

[vjrj]

Maybe the key is a collision between the api calls that require an apikey and the /admin UI calls

image-service/grails-app/controllers/au/org/ala/images/WebServiceController.groovy

Line 156 in b1481e3

@RequireApiKey

sorry for the verbosity.

PS: curl calls with an ApiKey works:

curl -X POST https://images.vtatlasoflife.org/ws/scheduleArtifactGeneration/0b2af3c3-3c8c-4e49-8014-ffa367cb266c -H "apiKey: SOME-VALID-API-KEY" 

{"success":true,"message":"Image artifact generation scheduled for image 862245"}%