
Users cannot enroll RADIUS tokens in the WebUI if a policy with scope=user is defined #1749

Closed
fredreichbier opened this issue Jul 16, 2019 · 2 comments

Comments

@fredreichbier
Member

commented Jul 16, 2019

Steps to reproduce:

  • Define a policy with scope=user and action=enrollRADIUS
  • Log in as a user, click "Enroll token", select RADIUS token
  • We get an error "User actions are defined, but the action radiusserver_read is not allowed!"
  • Even if RADIUS servers are defined, the dropdown list "RADIUS server configuration" presents no choices
  • Hence, we cannot select a RADIUS server, and submitting the form says "ERR905: Missing parameter: 'radius.server'"

This is because the WebUI requests GET /radiusserver/ when the user tries to enroll a RADIUS token. As a side effect of #1495, this endpoint is not allowed for users by default anymore: We would need a policy with scope user and action radiusserver_read to allow users to retrieve the list of RADIUS servers.

However, such a policy cannot be created via the WebUI.

I guess the right way to fix this would be to add a radiusserver_read action to the user scope. Maybe we should also automatically create it in the migration script, like we did for admin policies in #1721.

@fredreichbier

Member Author

commented Jul 17, 2019

The following Flask blueprints are accessible with an access token with role "user":

@token_blueprint.before_request
@audit_blueprint.before_request
@user_blueprint.before_request
@caconnector_blueprint.before_request
@system_blueprint.before_request
@radiusserver_blueprint.before_request
@privacyideaserver_blueprint.before_request

Admin *_read policies exist for /radiusserver/, /caconnector/ and /privacyideaserver/.

  • For /caconnector, the policy action is not actually enforced because the decorator is commented out:
    #@prepolicy(check_base_action, request, ACTION.CACONNECTORREAD)

    This was done in 1c33272, I guess as a hotfix?
  • I'm unsure why the /privacyideaserver/ blueprint is accessible for users anyway, because REMOTE tokens cannot be enrolled by users anyway (according to their tokenclass info)
  • We should add scope=user policy actions at least for /caconnector/ and /radiusserver/.
@cornelinux

Member

commented Aug 13, 2019

Do not do this in PR #1765
We should use an extra endpoint like radiusserver_list_names_for_other_purposes or as abbreviation: rlnfop.

This way we can avoid that the admin has to define two policies.
If the user has a policy "enrollRADIUS" he will also be allowed to read the list (only the names) of radius server definitions.
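The two approaches discussed in this thread, as an added illustration that is not privacyIDEA's own code: a minimal, dependency-free model of scope-based policy checking. `check_base_action` reproduces the behaviour behind the error message from the first comment (once any policy exists in the caller's scope, the requested action must be explicitly allowed), `get_radiusserver` stands in for `GET /radiusserver/` and needs `radiusserver_read`, while `get_system_names_radius` stands in for a names-only endpoint in the spirit of `/system/names/radius` that a user holding only `enrollRADIUS` may call. The `Policy` class, the `try_endpoint` helper, the sample server definitions and the exact allow semantics are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Assumed shape: a named policy granting a set of actions in one scope."""
    name: str
    scope: str          # "admin" or "user"
    actions: frozenset  # e.g. {"enrollRADIUS", "radiusserver_read"}


class PolicyError(Exception):
    """Raised when a policy check denies the requested action."""


# Constructed sample RADIUS server definitions. The shared secret is exactly
# the kind of value a user-facing endpoint must never return.
RADIUS_SERVERS = {
    "corp-radius": {"server": "radius.example.internal", "port": 1812, "secret": "s3cr3t"},
    "lab-radius": {"server": "10.0.0.5", "port": 1812, "secret": "labsecret"},
}


def check_base_action(role, action, policies):
    """Simplified model of the check described in the issue.

    If no policy exists in the caller's scope, everything is allowed.
    If at least one policy exists, the action must be granted by one of them,
    otherwise the request is rejected with the message seen in the WebUI.
    """
    scoped = [p for p in policies if p.scope == role]
    if not scoped:
        return True
    if any(action in p.actions for p in scoped):
        return True
    raise PolicyError(
        f"{role.capitalize()} actions are defined, but the action {action} is not allowed!"
    )


def get_radiusserver(role, policies):
    """Stand-in for GET /radiusserver/: returns full configuration, so it is
    gated on radiusserver_read, which a user-scope policy cannot grant."""
    check_base_action(role, "radiusserver_read", policies)
    return RADIUS_SERVERS


def get_system_names_radius(role, policies):
    """Stand-in for a names-only endpoint: being allowed to enroll a RADIUS
    token is sufficient, and only the names leave the server."""
    check_base_action(role, "enrollRADIUS", policies)
    return sorted(RADIUS_SERVERS)


def try_endpoint(handler, role, policies):
    """Run a handler and report (allowed, payload-or-error-message)."""
    try:
        return True, handler(role, policies)
    except PolicyError as exc:
        return False, str(exc)


if __name__ == "__main__":
    user_enroll_only = [Policy("users-may-enroll-radius", "user", frozenset({"enrollRADIUS"}))]
    # Reproduces the failure from the issue: the WebUI's GET /radiusserver/ is denied.
    print(try_endpoint(get_radiusserver, "user", user_enroll_only))
    # The names-only endpoint works with the same single policy and leaks no secret.
    print(try_endpoint(get_system_names_radius, "user", user_enroll_only))
```

With one `scope=user` policy granting only `enrollRADIUS`, the first call is denied with the message quoted in the issue and the second returns just `["corp-radius", "lab-radius"]`, which is the single-policy outcome the later comment asks for; the full-configuration endpoint stays reserved for callers whose scope actually allows `radiusserver_read`.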

fredreichbier added a commit that referenced this issue Aug 14, 2019

Add /system/names/{caconnector,radius} endpoints
These endpoints can be accessed by users and admins to retrieve the
names of defined RADIUS servers and information about the defined CA
connectors (but not the sensitive configuration).

Fixes #1749