
Wrong error when nonexisting user is queried on proxy_authz endpoint #561

Closed
baszoetekouw opened this issue Mar 14, 2023 · 3 comments
Labels
bug Something isn't working


baszoetekouw commented Mar 14, 2023

We have seen a number of occurrences where users tried to log in directly to a service (EduVPN in the example below) without registering at SBS first. This causes them to be registered at EduTEAMS like normal, and then EduTEAMS queries the proxy_authz endpoint with the uid that is still unknown in SRAM at that point. The flow is then interrupted and the user is shown the following message:

You are not logged into SURF Research Access Management, and therefore you don't have access to EduVPN SRAM.

Copy & paste the following information if you contact sram-support@surf.nl
Entity ID https://sram.eduvpn.nl/saml|https://sram.eduvpn.nl/saml
Issuer ID http://login.uva.nl/adfs/services/trust|http://login.uva.nl/adfs/services/trust
User ID 022xxx@sram.surf.nl|mailto:0227439fexxxx@sram.surf.nl
Timestamp Thu, 09 Mar 2023 13:18:58 GMT

Curiously enough, this error message seems to be sfo.info1. I don't understand what this has to do with SFO?

The logs show this response:

Mar 09 13:18:57 sbs-pf1 python[9156]: DEBUG [user_api] user: eduteams, proxy_authz called with {'user_id': '022xxx@sram.surf.nl', 'service_id': 'https://sram.eduvpn.nl/saml', 'issuer_id': 'http://login.uva.nl/adfs/services/trust', 'uid': '1234', 'homeorganization': 'uva.nl'}
Mar 09 13:18:57 sbs-pf1 python[9156]: ERROR [user_api] user: eduteams, Returning unauthorized for user 022xxx@sram.surf.nl and service_entity_id https://sram.eduvpn.nl/saml as the user is unknown
Mar 09 13:18:57 sbs-pf1 python[9156]: INFO  [base] user: eduteams, Path /api/users/proxy_authz POST {"user_id": "022xxx@sram.surf.nl", "service_id": "https://sram.eduvpn.nl/saml", "issuer_id": "http://login.uva.nl/adfs/services/trust", "uid": "1234", "homeorganization": "uva.nl"}

It seems that the client page ServiceDenied.jsx does not handle status=USER_UNKNOWN correctly. Strangely enough, this page only seems to output SFO errors, even though the proxy_auth endpoint handles a number of different errors.

We should instead give the same message that we show to people who are not a member of the correct CO.

@FlorisFokkinga FlorisFokkinga added the bug Something isn't working label Mar 17, 2023

oharsta commented Mar 18, 2023

@baszoetekouw
The proxy_authz endpoint in user_saml.py has the following constants to signal the client app which error message to show:

USER_UNKNOWN = 1
USER_IS_SUSPENDED = 2
SERVICE_UNKNOWN = 3
SERVICE_NOT_CONNECTED = 4
COLLABORATION_NOT_ACTIVE = 5

These error codes correspond with the following messages from the locales:

info1: "You are not logged into SURF Research Access Management, and therefore you don't have access to <i>{{name}}</i>.",
info2: "<p>You are not logged into SURF Research Access Management as your profile is suspended, and therefore you don't have access to <i>{{name}}</i>.<p>Contact your admin(s) to enable access to this service.</p>",
info3: "You are logged into SURF Research Access Management, but the service <i>{{name}}</i> is unknown.",
info4: "<p>You are logged into SURF Research Access Management, but none of the collaborations you are member of grant you access to <i>{{name}}</i>.</p><p>Contact your admin(s) to enable access to this service.</p>",
info5: "<p>You are logged into SURF Research Access Management, but you don't have access to <i>{{name}}</i>. The collaboration which is connected to service <i>{{name}}</i> is not active.</p><p>Contact your admin(s) to enable access to this service.</p>",

If the user is not a member of the correct CO, then info4 is displayed. I don't think we should display that message if the user is unknown, as this is not the case. However, it is very trivial to change this.
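To make the status-to-message mapping discussed above concrete, here is an added, self-contained model (not SBS code) of the decision order a proxy_authz-style endpoint would follow and the locale key the client should render for each non-zero status; the `Directory` structure, the `AUTHORIZED = 0` success value and all sample users and collaborations are constructed assumptions.

```python
from dataclasses import dataclass

# Status codes as listed in the issue for the proxy_authz endpoint.
USER_UNKNOWN = 1
USER_IS_SUSPENDED = 2
SERVICE_UNKNOWN = 3
SERVICE_NOT_CONNECTED = 4
COLLABORATION_NOT_ACTIVE = 5
AUTHORIZED = 0  # assumed success value; not taken from the page


@dataclass
class Directory:
    """Constructed in-memory stand-in for the SBS database (hypothetical)."""
    users: dict           # uid -> {"suspended": bool, "collaborations": set}
    services: dict        # service entity id -> set of connected collaboration ids
    collaborations: dict  # collaboration id -> {"active": bool}


def proxy_authz(directory, user_id, service_entity_id):
    """Evaluate checks in the order the status codes imply; hypothetical logic."""
    user = directory.users.get(user_id)
    if user is None:                      # the case from the issue: uid not yet in SRAM
        return USER_UNKNOWN
    if user["suspended"]:
        return USER_IS_SUSPENDED
    connected = directory.services.get(service_entity_id)
    if connected is None:
        return SERVICE_UNKNOWN
    shared = user["collaborations"] & connected
    if not shared:                        # member of no CO that grants this service
        return SERVICE_NOT_CONNECTED
    if not any(directory.collaborations[c]["active"] for c in shared):
        return COLLABORATION_NOT_ACTIVE
    return AUTHORIZED


def denial_message_key(status):
    """Locale key the client should render for a denial (None when authorized)."""
    return None if status == AUTHORIZED else f"info{status}"


# Constructed sample data; user ids and service id mirror the issue's log lines.
SAMPLE = Directory(
    users={
        "known@sram.surf.nl": {"suspended": False, "collaborations": {"co1"}},
        "suspended@sram.surf.nl": {"suspended": True, "collaborations": {"co1"}},
        "co2only@sram.surf.nl": {"suspended": False, "collaborations": {"co2"}},
    },
    services={"https://sram.eduvpn.nl/saml": {"co1", "co2"}},
    collaborations={"co1": {"active": True}, "co2": {"active": False}},
)
```

Running the unknown uid from the issue's log against `SAMPLE` yields status 1, so the client lands on info1 rather than the info4 text shown to non-members.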

baszoetekouw (Member, Author) commented:

Adjusting info1 should suffice here.

@FlorisFokkinga FlorisFokkinga removed their assignment Mar 30, 2023
@baszoetekouw baszoetekouw self-assigned this Apr 3, 2023
@baszoetekouw baszoetekouw added this to the v22 milestone Apr 3, 2023
baszoetekouw (Member, Author) commented:

Message is clearer now:

[Screenshot 2023-04-12 at 11 49 48]
