This repository has been archived by the owner on Mar 14, 2019. It is now read-only.

Unauthorized users are allowed #82

Open
dcalvoalonso opened this issue May 9, 2017 · 1 comment

@dcalvoalonso

Hi,

I am trying to use the FIWARE security Generic Enablers: PEP Proxy, IdM KeyRock and AuthZForce. Specifically, I am using the instances available to trial users at the URL https://account.lab.fiware.org.

My problem is related to level 1 of authorization. I have configured PEP Proxy to check permissions using AuthZForce, as you can see below:

config.azf = {
    enabled: true,
    protocol: 'https',
    host: 'auth.lab.fiware.org',
    port: 6019,
    custom_policy: undefined // use undefined to default policy checks (HTTP verb + path).
};

My application has only one authorized user. When I send requests to PEP Proxy with the authorized user's token, everything goes fine:

2017-05-09 08:56:29.958  - INFO: AZF-Client - Checking authorization to roles [ '106' ] to do  GET  on   and app  43bb03d87eb742918aaef19fcd41a002
2017-05-09 08:56:29.963  - INFO: AZF-Client - Checking auth with AZF...
2017-05-09 08:56:30.388  - INFO: Root - Access-token OK. Redirecting to app...

Nevertheless, if I use a token for an unauthorized user, the result is the same:

2017-05-09 08:58:09.501  - INFO: AZF-Client - Checking authorization to roles [] to do  GET  on   and app  43bb03d87eb742918aaef19fcd41a002
2017-05-09 08:58:09.502  - INFO: AZF-Client - Checking auth with AZF...
2017-05-09 08:58:09.876  - INFO: Root - Access-token OK. Redirecting to app...

As you can see in the output of PEP Proxy, the user does not have a role in the app, but the request is approved.

dcalvoalonso commented Sep 1, 2017

Is there any news on this? I have made another attempt and I have exactly the same problem.

Please find below the output of PEP Proxy at DEBUG level:

2017-09-01 07:15:34.654  - INFO: AZF-Client - Checking authorization to roles [] to do  GET  on  api/VehicleOwner and app  43bb03d87eb742918aaef19fcd41a002
2017-09-01 07:15:34.655  - DEBUG: AZF-Client - XML:  <?xml version="1.0" encoding="UTF-8" standalone="yes"?><Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false"><Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"></Attributes><Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">43bb03d87eb742918aaef19fcd41a002</AttributeValue></Attribute><Attribute AttributeId="urn:thales:xacml:2.0:resource:sub-resource-id" IncludeInResult="false"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">api/VehicleOwner</AttributeValue></Attribute></Attributes><Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue></Attribute></Attributes><Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"></Attributes></Request>
2017-09-01 07:15:34.655  - INFO: AZF-Client - Checking auth with AZF...
2017-09-01 07:15:34.656  - DEBUG: HTTP-Client - Sending  POST  to: https://auth.lab.fiware.org:6019/authzforce-ce/domains/PbrqJjFvEeeI7FJUADLrRg/pdp
2017-09-01 07:15:34.657  - DEBUG: HTTP-Client -  Headers:  { 'X-Auth-Token': 'XlSXY5qUZhKpCJalLM8GhpFpmvhxxt',
  Accept: 'application/xml',
  'Content-Type': 'application/xml' }
2017-09-01 07:15:34.657  - DEBUG: HTTP-Client -  Body:  <?xml version="1.0" encoding="UTF-8" standalone="yes"?><Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false"><Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"></Attributes><Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">43bb03d87eb742918aaef19fcd41a002</AttributeValue></Attribute><Attribute AttributeId="urn:thales:xacml:2.0:resource:sub-resource-id" IncludeInResult="false"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">api/VehicleOwner</AttributeValue></Attribute></Attributes><Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue></Attribute></Attributes><Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"></Attributes></Request>
2017-09-01 07:15:34.941  - DEBUG: AZF-Client - AZF response status:  200
2017-09-01 07:15:34.941  - DEBUG: AZF-Client - AZF response:  <?xml version="1.0" encoding="UTF-8" standalone="yes"?><ns5:Response xmlns:ns2="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:ns3="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6" xmlns:ns4="http://authzforce.github.io/core/xmlns/pdp/3.6" xmlns:ns5="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns6="http://www.w3.org/2005/Atom"><ns5:Result><ns5:Decision>Permit</ns5:Decision></ns5:Result></ns5:Response>
2017-09-01 07:15:34.961  - DEBUG: AZF-Client - AZF response parsing result (JSON):  { Response: 
   { '$': 
      { 'xmlns:ns2': 'http://authzforce.github.io/rest-api-model/xmlns/authz/5',
        'xmlns:ns3': 'http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6',
        'xmlns:ns4': 'http://authzforce.github.io/core/xmlns/pdp/3.6',
        'xmlns:ns5': 'urn:oasis:names:tc:xacml:3.0:core:schema:wd-17',
        'xmlns:ns6': 'http://www.w3.org/2005/Atom' },
     Result: [ [Object] ] } }
2017-09-01 07:15:34.963  - DEBUG: AZF-Client - AZF response parsing error ('null' means no error):  null
2017-09-01 07:15:34.966  - DEBUG: AZF-Client - Decision:  Permit
2017-09-01 07:15:34.967  - INFO: Root - Access-token OK. Redirecting to app...
2017-09-01 07:15:34.976  - DEBUG: HTTP-Client - Sending  GET  to: https://automat-marketplace.atosresearch.eu:1337/api/VehicleOwner
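An added example (mine, not code from the PEP Proxy project or from the issue author) of how the authorization step in the DEBUG log above can be written fail-closed: build the XACML request with the subject's roles, send it to the PDP, and treat anything but an explicit Permit, including an unparseable or failed response, as a denial. It assumes roles are carried as the standard XACML 2.0 subject role attribute (the logged request has an empty access-subject category, so no attribute id for roles appears on this page), replaces the real AuthZForce endpoint with a constructed stub so it runs offline, and makes one design choice that is mine, not the project's: a subject with no role in the app is refused before the PDP is asked at all.

```javascript
// Added example, not code from Wilma/PEP Proxy: a fail-closed version of the
// decision step shown in the DEBUG log (build XACML request, POST to the PDP,
// read the Decision). Node built-ins only; the PDP is passed in as a function.
const XACML_NS = 'urn:oasis:names:tc:xacml:3.0:core:schema:wd-17';
const XS_STRING = 'http://www.w3.org/2001/XMLSchema#string';
// Assumption: roles are sent as the standard XACML 2.0 subject role attribute.
const ROLE_ATTR = 'urn:oasis:names:tc:xacml:2.0:subject:role';
const SUBRES_ATTR = 'urn:thales:xacml:2.0:resource:sub-resource-id'; // as in the log

// Escape attribute values before they go into the XML body.
function esc(s) {
  return String(s).replace(/[<>&"']/g, (c) => ({
    '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;', "'": '&apos;',
  })[c]);
}

function attribute(id, value) {
  return `<Attribute AttributeId="${id}" IncludeInResult="false">` +
    `<AttributeValue DataType="${XS_STRING}">${esc(value)}</AttributeValue></Attribute>`;
}

function category(name, attrs) {
  return `<Attributes Category="${name}">${attrs.join('')}</Attributes>`;
}

// Same shape as the request in the log, except that the access-subject
// category carries one role attribute per role instead of being empty.
function buildRequest({ roles, appId, resource, action }) {
  return '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>' +
    `<Request xmlns="${XACML_NS}" CombinedDecision="false" ReturnPolicyIdList="false">` +
    category('urn:oasis:names:tc:xacml:1.0:subject-category:access-subject',
      roles.map((r) => attribute(ROLE_ATTR, r))) +
    category('urn:oasis:names:tc:xacml:3.0:attribute-category:resource', [
      attribute('urn:oasis:names:tc:xacml:1.0:resource:resource-id', appId),
      attribute(SUBRES_ATTR, resource),
    ]) +
    category('urn:oasis:names:tc:xacml:3.0:attribute-category:action',
      [attribute('urn:oasis:names:tc:xacml:1.0:action:action-id', action)]) +
    category('urn:oasis:names:tc:xacml:3.0:attribute-category:environment', []) +
    '</Request>';
}

// The PDP answers with a namespace-prefixed <ns5:Decision>; the prefix is
// arbitrary, so any prefix is accepted. Node has no built-in XML parser, so
// this only accepts exactly one well-formed Decision element; anything else
// (none, several, unexpected value) yields null and is treated as a denial.
function parseDecision(xml) {
  const re = /<(?:[\w.-]+:)?Decision>\s*(Permit|Deny|NotApplicable|Indeterminate)\s*<\/(?:[\w.-]+:)?Decision>/g;
  const found = [...xml.matchAll(re)];
  return found.length === 1 ? found[0][1] : null;
}

// Fail closed: allow only on an explicit Permit. Design choice (mine): a
// subject with no role in the app is refused without consulting the PDP,
// since the log shows such requests going out with an empty subject category.
function authorize(ctx, pdp) {
  if (!Array.isArray(ctx.roles) || ctx.roles.length === 0) {
    return { allowed: false, reason: 'subject has no role in app' };
  }
  let response;
  try {
    response = pdp(buildRequest(ctx));
  } catch (err) {
    return { allowed: false, reason: `pdp unreachable: ${err.message}` };
  }
  const decision = parseDecision(response);
  if (decision === null) return { allowed: false, reason: 'unparseable PDP response' };
  return { allowed: decision === 'Permit', reason: decision };
}

// Constructed stand-in for the AuthZForce PDP: Permit when role 106 is in the
// request, Deny otherwise. Response shape copied from the logged Permit.
function stubPdp(requestXml) {
  const decision = requestXml.includes('>106</AttributeValue>') ? 'Permit' : 'Deny';
  return '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>' +
    `<ns5:Response xmlns:ns5="${XACML_NS}"><ns5:Result>` +
    `<ns5:Decision>${decision}</ns5:Decision></ns5:Result></ns5:Response>`;
}

// The Permit response exactly as it appears in the log above.
const LOGGED_RESPONSE = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?><ns5:Response xmlns:ns2="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:ns3="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6" xmlns:ns4="http://authzforce.github.io/core/xmlns/pdp/3.6" xmlns:ns5="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns6="http://www.w3.org/2005/Atom"><ns5:Result><ns5:Decision>Permit</ns5:Decision></ns5:Result></ns5:Response>';

const APP = '43bb03d87eb742918aaef19fcd41a002';
const base = { appId: APP, resource: 'api/VehicleOwner', action: 'GET' };

console.log(parseDecision(LOGGED_RESPONSE));                  // Permit
console.log(authorize({ ...base, roles: ['106'] }, stubPdp)); // allowed: true, reason: 'Permit'
console.log(authorize({ ...base, roles: [] }, stubPdp));      // allowed: false, PDP never called
console.log(authorize({ ...base, roles: ['7'] }, stubPdp));   // allowed: false, reason: 'Deny'
console.log(authorize({ ...base, roles: ['106'] }, () => '<html>502</html>')); // allowed: false
```

Run with `node`. Swapping `stubPdp` for a function that POSTs the XML to the real `/domains/<id>/pdp` URL with the `X-Auth-Token`, `Accept: application/xml` and `Content-Type: application/xml` headers from the log keeps the rest unchanged; the point of the example is that the only path to `allowed: true` is an explicit Permit from the PDP for a subject that actually carries roles.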
