This repository has been archived by the owner on Feb 14, 2020. It is now read-only.

Switching to a different authsource breaks the push API #625

Open
pmeulen opened this issue Aug 30, 2017 · 4 comments

Comments

@pmeulen
Contributor

pmeulen commented Aug 30, 2017

The push API is used to push a configuration to OpenConext-engineblock.

When using the push API (i.e. the POST to /janus/app.php/api/remotes/test/pushes.json), you get an error in the janus log:

app.WARNING: Ssp Firewall: failed:Authsource 'default-sp' is invalid [] []
request.ERROR: Uncaught PHP Exception Symfony\Component\HttpKernel\Exception\HttpException: "You are not authenticated" at /opt/openconext/OpenConext-serviceregistry-1.23.1/simplesamlphp-1.14.14/modules/janus/vendor/friendsofsymfony/rest-bundle/FOS/RestBundle/EventListener/AccessDeniedListener.php line 77 {"exception":"[object] (Symfony\\Component\\HttpKernel\\Exception\\HttpException(code: 0): You are not authenticated at /opt/openconext/OpenConext-serviceregistry-1.23.1/simplesamlphp-1.14.14/modules/janus/vendor/friendsofsymfony/rest-bundle/FOS/RestBundle/EventListener/AccessDeniedListener.php:77, Symfony\\Component\\Security\\Core\\Exception\\AuthenticationCredentialsNotFoundException(code: 0): A Token was not found in the SecurityContext. at /opt/openconext/OpenConext-serviceregistry-1.23.1/simplesamlphp-1.14.14/modules/janus/vendor/symfony/symfony/src/Symfony/Component/Security/Http/Firewall/AccessListener.php:53)"} []

The problem is that in https://github.com/janus-ssp/janus/blob/develop/src/Janus/ServiceRegistry/Security/Authentication/Provider/SspProvider.php authenticationType and userIdAttributeName are not set to the correct values. They should have been set to the values from modules/janus/app/config/config_janus_core.yml, which contains:

janus_service_registry_core:
    admin:
        name: SURFconext
        email: [email protected]
#    auth: default-sp
#    useridattr: NameID
    auth: login-admin
    useridattr: user
    user:
        autocreate: true
...

When hard-coding the correct values in src/Janus/ServiceRegistry/Security/Authentication/Provider/SspProvider.php, push works as expected. E.g.:

public function authenticate(TokenInterface $token)
{
    /** @var string $authenticationType */
    $authenticationType = $this->config->getValue('auth', 'login-admin');
    // Test-only override: force the value that config_janus_core.yml specifies
    $authenticationType = 'login-admin';

    if (php_sapi_name() === 'cli') {
        return $this->getTokenForUsername($authenticationType);
    }

    $as = new \SimpleSAML_Auth_Simple($authenticationType);
    if (!$as->isAuthenticated()) {
        throw new AuthenticationException("Authsource '$authenticationType' is invalid");
    }

    /** @var string $userIdAttributeName */
    $userIdAttributeName = $this->config->getValue('useridattr', 'eduPersonPrincipalName');
    // Test-only override: force the value that config_janus_core.yml specifies
    $userIdAttributeName = 'user';

    // Check if userid exists
    $attributes = $as->getAttributes();
    if (!isset($attributes[$userIdAttributeName])) {
        throw new AuthenticationException("Attribute '$userIdAttributeName' with User ID is missing.");
    }

    return $this->getTokenForUsername($attributes[$userIdAttributeName][0]);
}
@tvdijen
Contributor

tvdijen commented Aug 30, 2017

Actually, I can't reproduce this ...
But to be fair, I've never had this push-mechanism working... Always:
[30/Aug/2017:22:59:15 +0200] "POST /janus/app.php/api/remotes/prod/pushes.json?csrf-token=xyz HTTP/1.1" 500
Without any further explanation in the logs...

@pmeulen
Contributor Author

pmeulen commented Aug 31, 2017

@tvdijen If you couldn't get PUSH to work in the first place, the HTTP 500 you see is likely unrelated. Nothing in the php error (or apache error) logs either?

@tvdijen
Contributor

tvdijen commented Aug 31, 2017

Not a thing...

@tvdijen
Contributor

tvdijen commented Aug 31, 2017

I just got it working ... Still can't reproduce your issue.

I either use ...
auth: admin
useridattr: user

... for admin login or ...
auth: default-sp
useridattr: urn:mace:dir:attribute-def:uid

... when using ServiceRegistry as an SP. Both work fine...
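The following preflight check is an added example, not code from the janus-ssp/janus project or from either commenter. It models the lookup that the SspProvider::authenticate() snippet in the first comment performs (the `auth` authsource and `useridattr` attribute name from config_janus_core.yml, with the provider's fallbacks 'login-admin' and 'eduPersonPrincipalName'), and it checks the two things that go wrong in this thread: the configured authsource must actually exist in SimpleSAMLphp's authsources.php, otherwise the Ssp firewall logs "Authsource '<name>' is invalid" and the push gets "You are not authenticated"; and the `useridattr` must match the kind of authsource, which is the pairing tvdijen reports as working (admin login with `user`, an SP authsource with a SAML attribute name). The YAML fragment is the one posted in the issue; the set of defined authsources, the pairing rule and the minimal line parser (used so the script runs without PyYAML) are assumptions made for the example.

```python
"""Preflight check for the Janus push-API authentication settings.

Added example, not code from janus-ssp/janus.  It reproduces the
configuration resolution of SspProvider::authenticate() and flags the
mismatches discussed in issue #625 before a push is attempted.
"""
import re

# Constructed: the config_janus_core.yml fragment from the issue.  The
# commented-out SP lines must not take effect, exactly as in a YAML loader.
CORE_CONFIG_YML = """\
janus_service_registry_core:
    admin:
        name: SURFconext
        email: [email protected]
#    auth: default-sp
#    useridattr: NameID
    auth: login-admin
    useridattr: user
    user:
        autocreate: true
"""

# Constructed (assumption): authsource names this SimpleSAMLphp install
# defines in config/authsources.php.  'default-sp' is deliberately absent,
# which is the situation behind "Authsource 'default-sp' is invalid".
DEFINED_AUTHSOURCES = {"admin", "login-admin"}

# Fallbacks the provider uses when a key is missing (from the snippet).
FALLBACK_AUTH = "login-admin"
FALLBACK_USERIDATTR = "eduPersonPrincipalName"

# Assumption: these authsources are the local admin login, whose user id is
# exposed under the attribute 'user'; anything else is treated as an SP.
ADMIN_AUTHSOURCES = {"admin", "login-admin"}

_KV = re.compile(r"^(\s*)([A-Za-z_][\w-]*):\s*(.*?)\s*$")


def parse_core_config(text):
    """Return the scalar keys one level under janus_service_registry_core.

    Lines starting with '#' are ignored; nested maps (admin:, user:) are
    skipped.  A later duplicate key overrides an earlier one, as in YAML.
    """
    section, in_section, section_indent = {}, False, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = _KV.match(raw)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        if indent == 0:
            in_section, section_indent = (key == "janus_service_registry_core"), None
            continue
        if not in_section:
            continue
        if section_indent is None:
            section_indent = indent
        if indent == section_indent and value != "":
            section[key] = value
    return section


def resolve_auth_settings(config):
    """Mirror the provider's getValue() calls with their defaults."""
    return config.get("auth", FALLBACK_AUTH), config.get("useridattr", FALLBACK_USERIDATTR)


def check_push_auth(config_text=CORE_CONFIG_YML, defined=DEFINED_AUTHSOURCES):
    """Return (ok, auth, useridattr, messages) for the effective push settings."""
    auth, useridattr = resolve_auth_settings(parse_core_config(config_text))
    messages = []
    if auth not in defined:
        messages.append(f"Authsource '{auth}' is invalid: not defined in "
                        f"authsources.php (defined: {sorted(defined)})")
    if auth in ADMIN_AUTHSOURCES and useridattr != "user":
        messages.append(f"useridattr '{useridattr}' does not match admin login "
                        f"(expected 'user')")
    if auth not in ADMIN_AUTHSOURCES and useridattr == "user":
        messages.append(f"useridattr 'user' is the admin-login attribute; SP "
                        f"authsource '{auth}' needs a SAML attribute name")
    return (not messages, auth, useridattr, messages)


if __name__ == "__main__":
    ok, auth, attr, msgs = check_push_auth()
    print(f"auth={auth} useridattr={attr} ok={ok}")
    for msg in msgs:
        print(" -", msg)
```

Run it against the real config_janus_core.yml and the keys of authsources.php before calling the pushes.json endpoint; a failing check means the push will be rejected at the Ssp firewall rather than at the push itself, which is the symptom reported above.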
