[Geoserver-devel] [JIRA] (GEOS-10418) Bad request sent to GeoFence when matching for groups

Emanuele Tajariol created an issue

GeoServer / Bug GEOS-10418

Bad request sent to GeoFence when matching for groups

Issue Type:

Bug

Assignee:

Unassigned

Components:

GeoFence

Created:

14/Mar/22 7:02 PM

Priority:

Medium

Reporter:

Emanuele Tajariol

When the option “Use GeoServer roles to get authorizations” is enabled, the AccessManager should send GeoFence a request that specifies the role and requires that no user be set on the matching rules.

The method selecting role and user in the Rule is this one: https://github.com/geoserver/geoserver/blob/84557570531bda5d9ce03703bba379fb2a4b1cfa/src/extension/geofence/src/main/java/org/geoserver/geofence/GeofenceAccessManager.java#L569-L594

When the block

        if (config.isUseRolesToFilter() && config.getRoles().size() > 0) {

            String role = "UNKNOWN";
            for (GrantedAuthority authority : user.getAuthorities()) {
                if (config.getRoles().contains(authority.getAuthority())) {
                    role = authority.getAuthority();
                }
            }
            LOGGER.log(Level.FINE, "Setting role for filter: {0}", new Object[] {role});
            ruleFilter.setRole(role);
        }

is executed, the user in the rule filter should also be set:

        ruleFilter.setUser(RuleFilter.SpecialFilterType.DEFAULT);

otherwise the default value ANY remains as the user filter in the request, and the GeoFence rule engine will also match rules bound to other users.

In this log for instance:

DEBUG [services.RuleReaderServiceImpl] - Filter RuleFilter[user:ANY role:"UNKNOWN"+ inst:name+:default-gs ip:"xxx.xxx.xxx.xxx"+ serv:"WMS"+ req:"GETMAP"+ ws:"geonode"+ layer:"xxx_mapping_pipelineplanned"+] is matching the following Rules:
DEBUG [services.RuleReaderServiceImpl] -     Role:UNKNOWN
DEBUG [services.RuleReaderServiceImpl] -     Role:UNKNOWN ---> Rule[id:5518 pri:2972 user:admin ws:geonode l:xxx_mapping_pipelineplanned acc:ALLOW]
DEBUG [services.RuleReaderServiceImpl] -     Role:UNKNOWN ---> Rule[id:5519 pri:2973 user:admin srv:WMS ws:geonode l:xxx_mapping_pipelineplanned acc:ALLOW]
DEBUG [services.RuleReaderServiceImpl] - Filter RuleFilter[user:ANY role:"UNKNOWN"+ inst:name+:default-gs ip:"xxx.xxx.xxx.xxx"+ serv:"WMS"+ req:"GETMAP"+ ws:"geonode"+ layer:"xxx_mapping_pipelineplanned"+] on role UNKNOWN has access AccessInfoInternal[grant:ALLOW]
INFO [services.RuleReaderServiceImpl] - Returning AccessInfo[grant:ALLOW admin:false] for RuleFilter[user:ANY role:"UNKNOWN"+ inst:name+:default-gs ip:"xxx.xxx.xxx.xxx"+ serv:"WMS"+ req:"GETMAP"+ ws:"geonode"+ layer:"xxx_mapping_pipelineplanned"+]

we are requesting all the rules for role “UNKNOWN”. When matching by group, we should not match rules explicitly bound to specific users. In fact, you can see that a Rule for user “admin” matches, and it should not.
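To illustrate the over-matching described above, here is an added Python model of how the user and role fields of a rule filter select rules (a simplified model constructed for this ticket, not GeoFence's own code; the Rule, FieldFilter and decide names, and the low-priority catch-all rule, are assumptions). It uses the two admin rules from the log and shows that a user filter of ANY lets them through, while DEFAULT matches only rules with no user set.

```python
from dataclasses import dataclass
from typing import List, Optional

# Filter kinds for one RuleFilter field (simplified model of GeoFence's
# SpecialFilterType; constructed for this example, not GeoFence code).
ANY = "ANY"          # match rules whatever the field holds
DEFAULT = "DEFAULT"  # match only rules where the field is unset


@dataclass(frozen=True)
class Rule:
    id: int
    priority: int            # lower value wins, as in the log output
    user: Optional[str]
    role: Optional[str]
    access: str


@dataclass(frozen=True)
class FieldFilter:
    kind: str                     # ANY, DEFAULT or "NAME"
    name: Optional[str] = None    # value for a NAME filter
    include_default: bool = True  # the trailing "+" in the log: unset also matches

    def matches(self, value: Optional[str]) -> bool:
        if self.kind == ANY:
            return True
        if self.kind == DEFAULT:
            return value is None
        return value == self.name or (self.include_default and value is None)


def matching_rules(rules: List[Rule], user_f: FieldFilter, role_f: FieldFilter) -> List[Rule]:
    hits = [r for r in rules if user_f.matches(r.user) and role_f.matches(r.role)]
    return sorted(hits, key=lambda r: r.priority)


# Constructed rule set mirroring the log: two rules bound to user "admin"
# plus an assumed low-priority catch-all that denies everything else.
RULES = [
    Rule(5518, 2972, "admin", None, "ALLOW"),
    Rule(5519, 2973, "admin", None, "ALLOW"),
    Rule(9999, 99999, None, None, "DENY"),
]


def decide(user_kind: str, role: str = "UNKNOWN") -> tuple:
    """Return (matched rule ids, grant of the top-priority rule) for a user filter."""
    hits = matching_rules(RULES, FieldFilter(user_kind), FieldFilter("NAME", role))
    return [r.id for r in hits], hits[0].access


if __name__ == "__main__":
    print("user:ANY     ->", decide(ANY))      # admin's rules leak in: ALLOW
    print("user:DEFAULT ->", decide(DEFAULT))  # only the catch-all: DENY
```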



This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100197-sha1:81e20ed)
