You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
If I'm logged in as an elevated user, I can get a resource, but not the transformed resource; eg:
http --headers get http://localhost/fcrepo/rest/expert/51d37fccfdb86059c507a75b46cb0f66 Authorization:"Bearer $jwt"| grep ^HTTP
#HTTP/1.1 200 OK
But
http --headers get http://localhost/fcrepo/rest/expert/51d37fccfdb86059c507a75b46cb0f66/svc:node Authorization:"Bearer $jwt"| grep ^HTT
#HTTP/1.1 500 Internal Server Error
The response is:
{
"details": {
"message": "403 <!doctype html><html lang=\"en\"><head><title>HTTP Status 403 – Forbidden</title><style type=\"text/css\">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 403 – Forbidden</h1><hr class=\"line\" /><p><b>Type</b> Status Report</p><p><b>Description</b> The server understood the request but refuses to authorize it.</p><hr class=\"line\" /><h3>Apache Tomcat/9.0.65</h3></body></html>",
"stack": "Error: 403 <!doctype html><html lang=\"en\"><head><title>HTTP Status 403 – Forbidden</title><style type=\"text/css\">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 403 – Forbidden</h1><hr class=\"line\" /><p><b>Type</b> Status Report</p><p><b>Description</b> The server understood the request but refuses to authorize it.</p><hr class=\"line\" /><h3>Apache Tomcat/9.0.65</h3></body></html>\n at TransformService.exec (/fin/services/gateway/models/transform.js:659:15)\n at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n at async parsed (/fin/services/gateway/models/service-proxy/transform-service.js:24:23)"
},
"error": true,
"message": "Unable to render from transform service node"
}
Where I don't see the original request's either directAccess or jwt token being propogated.
Default Model
The model code for dbsync has similar problems. However, there may be an additional problem in the model as well. Here, I don't see how dbsync propagates a (What I would guess to be a direct access as discovery) request to the transform service.
From @jrmerz
How about this, we allow admins to override their roles with a header. so if the JWT token is authenticated and has role admin AND there is a fin-principal header, (ex: fin-principal: foo, bar ) then the request to fcrepo will ONLY have the supplied principles. This would allow admins in impersonate users for testing as well.
@jrmerz I have been testing sandbox, and this is still not working. In short, dbsync calls transform services, and these services are calling the underlying fcrepo setup as public.
Dbsync calls a transform service, so it goes to the middleware, to the transformService
to the renderTransform which execs the transform.
But here, we are calling a simple api.get(options) to fetch the fcrepo data.
I'm not sure how you think best to solve this. I can see that for (some) middleware, all the way back in the proxy, it makes sense to call the normal proxyRequest, get the container, and then call the transform. Alternatively, you could propogate the original request to that api.get request, the issue there is that request has already been run through the gateway, so I'm not sure if at that point you want to make a direct request, or just start the whole process over, and if the latter, do you just forward the fin-principal and Authorization, or a larger header set?
Direct transform service request
If I'm logged in as an elevated user, I can get a resource, but not the transformed resource; eg:
But
The response is:
This Error is thrown here:
fin/services/fin/gateway/models/transform.js
Line 657 in 8e73bfa
Where I don't see the original request's either directAccess or jwt token being propogated.
Default Model
The model code for dbsync has similar problems. However, there may be an additional problem in the model as well. Here, I don't see how dbsync propagates a (What I would guess to be a direct access as discovery) request to the transform service.
fin/services/fin/dbsync/lib/model.js
Line 512 in 8e73bfa
The text was updated successfully, but these errors were encountered: