[management-api] allowed to set unknown group to an api #354

Closed
vdelattre opened this Issue Dec 1, 2016 · 12 comments

vdelattre commented Dec 1, 2016

I tried to create an API with the POST API.

body

{
  "name": "products",
  "version": "v1",
  "description": "api igr product",
  "contextPath": "/v2/products",
  "endpoint": "http://128.239.252.99:8080/v2/products"
}

response: 404

{
  "message": "Group [IGR Owners] can not be found.",
  "http_status": 404
}

But now, in the UI, on the API tab, I have a red popup error: Group [IGR Owners] can not be found

and in the GET list API, I have the message:

{
  "message": "Group [IGR Owners] can not be found.",
  "http_status": 404
}

How can I manage to delete this wrong API?

brasseld changed the title from "Portal - Blocked with message of groups unkown" to "[portal] Blocked with an error message of type 'unknown group'" Dec 1, 2016

brasseld added the "type: bug" label Dec 1, 2016

Member

NicolasGeraud commented Dec 1, 2016

What is the role of the user you use when you POST your API?
Is he a member of the IGR Owners group?

vdelattre commented Dec 1, 2016

Member

brasseld commented Dec 1, 2016

You must be authenticated to create an API.

If I run this curl command:

curl -vvv -H "Content-Type: application/json" -X POST -d '{"name": "products","version": "v1","description": "api igr product","contextPath": "/v2/products","endpoint": "http://128.239.252.99:8080/v2/products"}' http://localhost:8083/management/apis

I get an (expected) 401 status code:

> POST /management/apis HTTP/1.1
> Host: localhost:8083
> User-Agent: curl/7.43.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 152
>
* upload completely sent off: 152 out of 152 bytes
< HTTP/1.1 401 Full authentication is required to access this resource
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Headers: Cache-Control, Pragma, Origin, Authorization, Content-Type, X-Requested-With
< Access-Control-Allow-Methods: POST, PUT, GET, OPTIONS, DELETE, X-XSRF-TOKEN
< Access-Control-Max-Age: 1209600
< WWW-Authenticate: Basic realm="Gravitee.io Management API"
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Pragma: no-cache
< X-Frame-Options: DENY
< Cache-Control: must-revalidate,no-cache,no-store
< Content-Type: text/html;charset=iso-8859-1
< Content-Length: 0

So you have to pass authentication to create an API.

Member

NicolasGeraud commented Dec 2, 2016

Are you using Postman?

vdelattre commented Dec 5, 2016

I confirm.
I used Postman and I didn't send authentication.

Member

brasseld commented Dec 5, 2016

OK, so Postman is transparently using cookies from your browser; that's the reason why you did not need to set authorization headers.

So, it did not solve the issue anymore.

Can you provide us with a complete scenario to reproduce the issue, if you're able to?

Member

NicolasGeraud commented Dec 5, 2016

Could you provide a dump of your data?

Or at least the API, users, groups, memberships.

vdelattre commented Dec 6, 2016

OK, I deleted the Docker volume to start from scratch.
With Postman, I call the API with no authentication:

  1. get http://192.168.175.43:8083/management/apis
    return 200, no result

  2. in UI, create group api named IGR owners

  3. post http://192.168.175.43:8083/management/apis
    header basic auth:
    admin/xxxx
    body:
    {
    "name": "products",
    "version": "v1",
    "description": "api igr product",
    "contextPath": "/v2/products",
    "group": "IGR Owners",
    "endpoint": "http://128.239.252.99:8080/v2/products"
    }

    return 404
    {
    "message": "Group [IGR Owners] can not be found.",
    "http_status": 404
    }

  4. get http://192.168.175.43:8083/management/apis
    error 404
    {
    "message": "Group [IGR Owners] can not be found.",
    "http_status": 404
    }

  5. same as num 4

=> I think the error is in the group name or id, but nowhere do I see the id of the group api

Member

brasseld commented Dec 6, 2016

Hi @vdelattre,

You're right, the issue is about group reference because you have to specify the group ID and not the group name. That's the reason why you got this error.

For your information, you can retrieve the ID of your group by calling this service:
http://192.168.175.43:8083/management/configuration/groups/

And use the id in place of the group name.

brasseld added this to the 1.2.0 milestone Dec 6, 2016

Member

brasseld commented Dec 6, 2016

In any case, this issue is still valid because you should not be able to create an API with an invalid group reference.
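
Added example (not part of the thread and not Gravitee's code): a minimal in-memory model of the failure reported here, where an API definition is stored before its group reference is resolved, next to a create path that validates the reference first. All class and method names are hypothetical, and the store-then-resolve ordering is an assumption inferred from the reported behaviour.

```python
import uuid

# Request body from the thread: "group" carries the group *name*, not its ID.
PAYLOAD = {"name": "products", "version": "v1",
           "contextPath": "/v2/products", "group": "IGR Owners"}


class GroupNotFound(Exception):
    """Stands in for the 404 'Group [...] can not be found.' response."""


class ManagementStore:
    """Hypothetical in-memory model; not Gravitee's implementation."""

    def __init__(self):
        self.groups = {}  # group ID -> group name
        self.apis = {}    # API ID -> stored definition

    def create_group(self, name):
        group_id = uuid.uuid4().hex
        self.groups[group_id] = name
        return group_id

    def _resolve(self, api):
        # Building a response resolves the group reference by ID.
        ref = api.get("group")
        if ref is not None and ref not in self.groups:
            raise GroupNotFound(f"Group [{ref}] can not be found.")
        return {**api, "group": self.groups.get(ref)}

    def _store(self, definition):
        api_id = uuid.uuid4().hex
        self.apis[api_id] = {**definition, "id": api_id}
        return self.apis[api_id]

    def create_api_unchecked(self, definition):
        # Assumed ordering behind the report: write first, resolve afterwards.
        # The caller gets a 404, but the dangling record is already stored.
        return self._resolve(self._store(definition))

    def create_api_checked(self, definition):
        # Validate the reference before anything is written.
        self._resolve(definition)
        return self._resolve(self._store(definition))

    def list_apis(self):
        # A single dangling reference fails the listing for every caller.
        return [self._resolve(api) for api in self.apis.values()]
```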

vdelattre commented Dec 6, 2016

For information, your swagger.json doesn't show configuration/groups

Member

brasseld commented Dec 6, 2016

Right, I'm creating another issue to update the Swagger descriptor: #357

brasseld modified the milestones: 1.3.0, 1.2.0 Jan 10, 2017

NicolasGeraud changed the title from "[portal] Blocked with an error message of type 'unknown group'" to "[management-api] allowed to set unknown group to an api" Apr 27, 2017

brasseld added a commit to gravitee-io/gravitee-management-rest-api that referenced this issue May 11, 2017

brasseld self-assigned this May 11, 2017

brasseld modified the milestones: 1.6.0, 1.3.0 May 11, 2017

NicolasGeraud added a commit to gravitee-io/gravitee-management-rest-api that referenced this issue May 13, 2017
