Problem in interaction between idm,pep and authzforce

[AnotherCodeArtist]

There's apparently a problem in the interaction between idm, authzforce and probably pep.
Since I cannot tell which component is the actual trouble maker, I've filed an issue at the IdM project as well. So please see this issue for a detailed description. I cannot see any rules in the PAP that correspond to the roles I have defined in IdM, although the IdM creates a valid domain.

As mentioned in the other issue, authentication between my client app and the IdM works perfectly fine. But whenever PEP tries to perform the authorization, things go terribly wrong.

Here's again the log from PEP:

2016-08-18 11:32:30.971  - INFO: IDM-Client - Checking token with IDM...
2016-08-18 11:32:31.001  - INFO: AZF-Client - Checking auth with AZF...
2016-08-18 11:32:31.002  - INFO: AZF-Client - Checking authorization to roles [ 'provider', '4db71b9d39d340f387585ed832c28c78' ] to do  GET  on  v2/entities and app  6806127773ae47fdb777886585358543
2016-08-18 11:32:31.002  - INFO: AZF-Client - Checking auth with AZF...
2016-08-18 11:32:31.006  - ERROR: Server - Caught exception: Error: There are errors in your xml file: syntax error

Wireshark revealed the following:

PEP first checks the token with the IdM

Frame 43: 142 bytes on wire (1136 bits), 142 bytes captured (1136 bits) on interface 0
Ethernet II, Src: AsustekC_86:b6:ea (d8:50:e6:86:b6:ea), Dst: Apple_1f:46:33 (c8:2a:14:1f:46:33)
Internet Protocol Version 4, Src: 10.12.200.84, Dst: 10.12.200.247
Transmission Control Protocol, Src Port: 41769 (41769), Dst Port: 8000 (8000), Seq: 1449, Ack: 1, Len: 76
    Source Port: 41769
    Destination Port: 8000
    [Stream index: 2]
    [TCP Segment Len: 76]
    Sequence number: 1449    (relative sequence number)
    [Next sequence number: 1525    (relative sequence number)]
    Acknowledgment number: 1    (relative ack number)
    Header Length: 32 bytes
    Flags: 0x018 (PSH, ACK)
    Window size value: 1369
    [Calculated window size: 87616]
    [Window size scaling factor: 64]
    Checksum: 0x98a7 [validation disabled]
    Urgent pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
    [SEQ/ACK analysis]
    TCP segment data (76 bytes)
[2 Reassembled TCP Segments (1524 bytes): #42(1448), #43(76)]
Hypertext Transfer Protocol
    GET /user?access_token=lH15kS8pSCV1wGFf57lp1zYMAsBTuw HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET /user?access_token=lH15kS8pSCV1wGFf57lp1zYMAsBTuw HTTP/1.1\r\n]
        Request Method: GET
        Request URI: /user?access_token=lH15kS8pSCV1wGFf57lp1zYMAsBTuw
        Request Version: HTTP/1.1
    Host: 10.12.200.247:8000\r\n
    Connection: keep-alive\r\n
    User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; Nexus 7 Build/MOB30P; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\r\n
    Accept: */*\r\n
    Accept-Encoding: gzip, deflate\r\n
    Accept-Language: en-US\r\n
     [truncated]Cookie: csrftoken=nfAqXttUUjNygfpWdWUBD7DrbANdRstQ; sessionid=".eJyFU8tu3DYUdcdjjyPHdmK3zbOp0yau3MeYpKhXVkWbVQp4kZaINsaAL1lyZqS5I8qoFwKSTYD-Q3-jX9Af6bZ_EUojt4OiQKCFyHvPuee--GbQwEcu262LSpZzrSamfK0LdigUFUJpFCqCaRr4QqBQIyEI9rXSCrF
    X-Requested-With: com.ionicframework.myfiwareclient357647\r\n
    \r\n
    [Full request URI: http://10.12.200.247:8000/user?access_token=lH15kS8pSCV1wGFf57lp1zYMAsBTuw]
    [HTTP request 1/1]

Then the Idm provides the necessary information about the AFZ domain:

HTTP/1.0 200 OK
Date: Thu, 18 Aug 2016 11:32:19 GMT
Server: WSGIServer/0.1 Python/2.7.6
Vary: Accept-Language, Cookie
X-Frame-Options: SAMEORIGIN
Content-Type: application/json
Content-Language: en
Set-Cookie:  sessionid=".eJyFU8tu3DYUdcdjjyPHdmK3zbOp0yau3MeYpKhXVkWbVQp4kZaINsaAL1lyZqS5I8qoFwKSTYD-Q3-jX9Af6bZ_EUojt4OiQKCFyHvPuee--GbQwEcu262LSpZzrSamfK0LdigUFUJpFCqCaRr4QqBQIyEI9rXSCrFRXenFJFfJaG1t7aLMClVqGLDthT7Py2JS8Jk-ZTsTXpts0kOzAdvr3bpQ8zIvTHLfsjNj5s9OTjAJx8h--Jnne354cumdwDrbs9zLXOpqsqQmm5bx85znBYEh218REFza1BU7snUUlbG3zjnu7eOf9FVlykL_0ON2prwyEy5Nfpmbqxd__v7HK7bRlS__E6EN7_zSehzYOH4Lmw2MXLapyplNA7YauOGyQa7AOWXDtnDYPq3Zbp_4j9zwaXkON89gp4FdN7lhC7iuvzqDPbeBW26ybq31Ygq3s_UOYZ16kXKpYT_Zur4XfNrVv2wFHGTDDts31Wbw8Up7kkFLU_BJcmgPGPu-FwYi8r2Aklhy6hNClY-8iFKJeN3Ap252-wMDyfaTDQvgapYX2cGKWLaqnC0lqeIhkgRFAeEUqUikfojaJEgYEx4IK3mnlbz3f5I-QqhXbAPPazHN5Ycl7WqGItXaDxXlSkYxkphEXNoiI-GRWidDCzNXc73sqtKFsdO_pqdxEFKCYs82KUUxj1KayhB5KVECyyW5m_Ddjv66X6mas41FOdUV3DuD-w08cPuAoUSppwIUehGmOhUiCFI_DrEkMfalr7O7__bTBtntFnm5V-04H3avS-mU11MDn7Fbq_4uj0cd4nmP-JyN9K_zfGETOZSKG23ymXb-OcBj5oz-2tq_-dBZ__s3mVdlFCA87v8OM9KBL45fwpfvXsITNpovygstDTxt4MjNnGS7a9hscm3_Ktvu1tbawK3ZsE0Ojhv42oKzgXW2hAv1vdGVGctyVneP5Bt2iGIU45TjgGNBhd3AIOICpxGNcEQJxfAt2zS64IWB77KjWtTj9wRqWnM:1baLYZ:YyDjkSAR3VR82PFrrTF29kTd5zE"; httponly; Path=/

{"organizations": [], "displayName": "johndoe", "roles": [{"name": "Provider", "id": "provider"}, {"name": "Restaurant-Viewer", "id": "4db71b9d39d340f387585ed832c28c78"}], "app_id": "6806127773ae47fdb777886585358543",
 "email": "jd@test.com", "id": "johndoe", "app_azf_domain": "-XUmQmUdEeatWgJCrBEABg"}

After this I cannot make out a valid http request sent from PEP to AFZ, nevertheless the following response pops up:

Frame 67: 200 bytes on wire (1600 bits), 200 bytes captured (1600 bits) on interface 9
Null/Loopback
Internet Protocol Version 4, Src: 10.12.200.247, Dst: 10.12.200.247
Transmission Control Protocol, Src Port: 8282 (8282), Dst Port: 62035 (62035), Seq: 1, Ack: 329, Len: 144
    Source Port: 8282
    Destination Port: 62035
    [Stream index: 3]
    [TCP Segment Len: 144]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 145    (relative sequence number)]
    Acknowledgment number: 329    (relative ack number)
    Header Length: 32 bytes
    Flags: 0x018 (PSH, ACK)
    Window size value: 12749
    [Calculated window size: 407968]
    [Window size scaling factor: 32]
    Checksum: 0xa6bd [validation disabled]
    Urgent pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
    [SEQ/ACK analysis]
Hypertext Transfer Protocol
    HTTP/1.1 400 Bad Request\r\n
        [Expert Info (Chat/Sequence): HTTP/1.1 400 Bad Request\r\n]
        Request Version: HTTP/1.1
        Status Code: 400
        Response Phrase: Bad Request
    Server: Apache-Coyote/1.1\r\n
    Transfer-Encoding: chunked\r\n
    Date: Thu, 18 Aug 2016 11:32:31 GMT\r\n
    Connection: close\r\n
    \r\n
    [HTTP response 1/1]
    HTTP chunked response
        End of chunked encoding
            Chunk size: 0 octets
        \r\n

So maybe there's something wrong with the request sent from PEP. Nevertheless, could you please check whether the XML stored in AFZ looks ok (ging/fiware-idm#70)?

The permissions for role "Restaurant-Viewer" should be "GET" , "/v2/entities".

[cdanger]

Hello, as far as I understand, if the "HTTP/1.1 400 Bad Request" in your capture is the response from AZF, then the request that is causing it should be visible just before. Unfortunately, I cannot find it here. Is it anywhere in your packet capture so I can see what's wrong with it that is causing the error 400 response from AZF?
Thanks.

[AnotherCodeArtist]

Hi @cdanger! I'll provide you with the capture result on Monday. To me it's just some binary content sent to the authzforce port, so I doubt that would be helpful. It's definitely no valid request so I totally agree with AZF's response but also don't know what triggers this response. Anyway, we will see soon.
BTW: Is it possible for you to setup a working security installation based on the currently available docker-images/Dockerfiles or master branches?

[cdanger]

Hello, I found the time to setup a IdM-PEP-AZF infrastructure with latest Docker releases at last, and indeed, I faced a couple of issues in the PEP proxy and one in the IdM. I do not own these components, so I did what I could to fix things quickly. For long-term fixes, I reported specific issues on their respective github repositories and created pull requests, so we'll have to wait for the next releases. In the meantime, I can tell you the quick fixes I did.

First, I assume you still have an AZF Docker container up and running, probably the version 5.4.0b which was the latest at the time you created the issue. You may upgrade to 5.4.1 which I released more recently. Anyway, this is just for your info, and will not fix the issue here.

As for the IdM, especially the dashboard, you have to fix issues:

• 72: you can check my pull request to know how to fix it; basically fixing a typo in file openstack_dashboard/templates/access_control/policy.xacml.
• 71: this one I already told you about. I created a pull request as well to get it fixed.

Then restart the IdM container after fixing the files.

As for the PEP, you have to fix issues:

• 29: until 2 days ago, the version of the pep proxy inside the image tagged 5.3.1 was not 5.3.1 actually, but 5.2.1. This has been fixed a day ago. Therefore you have to get rid of the Docker image fiware/pep-proxy:5.3.1 in your local repository: docker stop and docker rm any container using image fiware/pep-proxy:5.3.1 , then docker rmi fiware/pep-proxy:5.3.1. Then docker run to get back the new image and run the container with your custom config.js, and also a custom log_config.json in DEBUG level everywhere to make troubleshooting easier at the first stage of testing; for example:

docker run -d --name pep-proxy -v /home/toto/fiware-pep-proxy/config.js:/opt/fiware-pep-proxy/config.js -v /home/toto/fiware-pep-proxy/log_config.json:/opt/fiware-pep-proxy/log_config.json -p 80:80 fiware/pep-proxy:5.3.1

My config.js looks like this:

 var config = {};

config.pep_port = 80;

// Set this var to undefined if you don't want the server to listen on HTTPS
config.https = {
    enabled: false,
    cert_file: 'cert/cert.crt',
    key_file: 'cert/key.key',
    port: 443
};

 config.account_host = 'http://idm:8000';

 config.keystone_host = 'idm';
 config.keystone_port = 5000;

 config.app_host = 'www.google.es';
 config.app_port = '80';

// Use true if the app server listens in https
config.app_ssl = false;

// Credentials obtained when registering PEP Proxy in Account Portal
// Of course these are not the real ones I am using but just for example
 config.username = 'pep_proxy_XXXXXXXX';
 config.password = 'XXXXXXXXXXXXXX';

// in seconds
config.chache_time = 300;

// if enabled PEP checks permissions with AuthZForce GE. 
// only compatible with oauth2 tokens engine
//
// you can use custom policy checks by including programatic scripts 
// in policies folder. An script template is included there
config.azf = {
    enabled: true,
    protocol: 'http',
    host: 'azf',
    port: 8080,
    custom_policy: undefined // use undefined to default policy checks (HTTP verb + path).
};

// list of paths that will not check authentication/authorization
// example: ['/public/*', '/static/css/']
config.public_paths = [];

// options: oauth2/keystone
config.tokens_engine = 'oauth2';

config.magic_key = undefined;

module.exports = config;

Here I am using hostnames for the IdM and AZF hosts but you can use IP addresses of course. What is important is config.azf.protocol which must be set to http. I assume you are using a default setup of AZF with SSL disabled and listening to port 8080 (depends on the docker run command you used to run the AZF container). We want to make sure everything works with SSL disabled first, before we begin to tackle the SSL issues.

My log_config.json:

{
  "appenders": [
    { 
      "type": "console",
      "layout": {
        "type": "pattern",
        "pattern": "%d  - %p: %c - %m",
        "replaceConsole": true
      } 
    }
  ],
  "levels": {
    "Server": "DEBUG",
    "Root": "DEBUG",
    "HTTP-Client": "DEBUG",
    "AZF-Client": "DEBUG",
    "IDM-Client": "DEBUG",
    "Test": "DEBUG"
  }
}

• 31 and 32. I created a pull request to fix both. In order to apply this fix to your Docker container, you can download the fixed version of lib/azf.js file from my forked repository. then copy it to the container, then connect to the container's shell (assuming your pep-proxy container's name is pep-proxy):

$ docker cp /home/toto/fiware-pep-proxy/lib/azf.js pep-proxy:/opt/fiware-pep-proxy/lib/azf.js
$ docker exec -t -i pep-proxy

In the container's shell, install the Node.js package xml2js (this requires Internet connection over https, so make sure the proxy is well configured with npm config set https-proxy ... if you have one):

$ npm install xml2js

Exit the shell/container, restart the container and check that it starts OK with docker logs -f pep-proxy.

[AnotherCodeArtist]

Thanks a lot @cdanger! I'm currently on vacations and will give your fixes a try once I'm back in office (about two weeks from now) and get some time for it.

[cdanger]

Now the fixes are parts of the new releases so you should upgrade to KeyRock v5.4.0, PEP Proxy v5.4 or later, AZF v5.4.1 or later.

[cdanger]

I am now closing this issue since no news from the OP for quite some time. You can re-open when you happen to reproduce the issue with new software versions.