
Query should handle 401 unauthorized exceptions from Katsu gracefully #56

Merged
merged 1 commit into from
Oct 21, 2024

Conversation

OrdiNeu
Collaborator

@OrdiNeu OrdiNeu commented Oct 21, 2024

Jira link

DIG-1822

Description

While federating servers, Daisie found that if you pass a token that has no authz for anything to the query service, it will pass that on to Katsu, and then Katsu will return a 401 Unauthorized. It should return an empty result instead.

To test

  1. Build this branch
  2. Go to Keycloak http://candig.docker.internal:8080/auth/admin/master/console/
  3. Sign in with your admin username/password
  4. Switch realms at the left to candig
  5. Users->Add User. Fill in username testtest, email test@test.ca
  6. Go to the Credentials tab at the top, create new, password testtest
  7. Try to sign in at http://candig.docker.internal:5080/ where it'll prompt you to give it a first/last name.
  8. Grab a token for this user in the usual manner:

     CURL_OUTPUT=$(curl -s --request POST \
       --url 'http://candig.docker.internal:8080/auth/realms/candig/protocol/openid-connect/token' \
       --header 'Content-Type: application/x-www-form-urlencoded' \
       --data grant_type=password \
       --data client_id=local_candig \
       --data client_secret=$CANDIG_CLIENT_SECRET \
       --data username=testtest \
       --data password=testtest \
       --data scope=openid
     )
     # extract the access token from the JSON response so $TOKEN is set for the next step
     TOKEN=$(echo "$CURL_OUTPUT" | jq -r '.access_token')

  9. curl candig.docker.internal:5080/query/query -H "Authorization: Bearer $TOKEN"
  10. This should now return an empty response instead of an error.

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
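The two halves of the test plan above, as an added example that is not the query service's own code: a password-grant token request against the Keycloak endpoint named in step 8, and a query helper that treats a 401 from Katsu as "no datasets visible to this token" and returns an empty result rather than surfacing the error, while still raising on any other non-2xx status. The Katsu URL, the empty-result shape and the `FakeTransport` stand-in for Keycloak/Katsu are assumptions so the module runs offline; only `urllib_transport` talks to a real network.

```python
"""Added example, not code from the candigv2 query service.

Shows (a) the Keycloak password grant from step 8 of the PR's test plan and
(b) a query call that maps an upstream 401 from Katsu to an empty result.
The HTTP transport is injectable; FakeTransport is a constructed stand-in
so everything here runs offline.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# A transport takes (method, url, headers, body) and returns (status, body bytes).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]

# URLs from the PR description; KATSU_URL is a hypothetical placeholder.
KEYCLOAK_TOKEN_URL = "http://candig.docker.internal:8080/auth/realms/candig/protocol/openid-connect/token"
KATSU_URL = "http://katsu.placeholder.internal/api/query"  # assumption
# Assumed shape of the "empty response" the PR says the query service should return.
EMPTY_RESULT = {"results": [], "count": 0}


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real transport: urllib raises on 4xx/5xx, so fold those into (status, body)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def fetch_access_token(username: str, password: str, client_secret: str,
                       transport: Transport = urllib_transport) -> str:
    """Password grant against Keycloak, mirroring the curl in step 8."""
    form = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": "local_candig",
        "client_secret": client_secret,
        "username": username,
        "password": password,
        "scope": "openid",
    }).encode()
    status, body = transport("POST", KEYCLOAK_TOKEN_URL,
                             {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200:
        raise RuntimeError(f"token endpoint returned HTTP {status}")
    return json.loads(body)["access_token"]


def query_katsu(bearer_token: str, transport: Transport = urllib_transport) -> dict:
    """Forward the caller's token to Katsu.

    A 401 means the token carries no authorization for any dataset; the
    caller should see an empty result, not an error. Any other non-200
    status is still an error and is raised so it is not silently hidden.
    """
    status, body = transport("GET", KATSU_URL, {"Authorization": f"Bearer {bearer_token}"}, None)
    if status == 401:
        return dict(EMPTY_RESULT)
    if status != 200:
        raise RuntimeError(f"katsu returned HTTP {status}")
    return json.loads(body)


class FakeTransport:
    """Constructed stand-in for Keycloak and Katsu (not real services)."""

    def __init__(self, authorized_tokens):
        self.authorized_tokens = set(authorized_tokens)

    def __call__(self, method, url, headers, body):
        if url == KEYCLOAK_TOKEN_URL:
            form = urllib.parse.parse_qs(body.decode())
            if form.get("grant_type") != ["password"]:
                return 400, b'{"error":"unsupported_grant_type"}'
            # Deterministic constructed token: "tok-<username>".
            return 200, json.dumps({"access_token": f"tok-{form['username'][0]}"}).encode()
        if url == KATSU_URL:
            auth = headers.get("Authorization", "")
            token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
            if token not in self.authorized_tokens:
                return 401, b'{"detail":"Unauthorized"}'
            return 200, json.dumps({"results": [{"id": "SAMPLE_1"}], "count": 1}).encode()
        return 404, b""


def demo() -> Tuple[dict, dict]:
    """Unprivileged 'testtest' user gets an empty result; an authorized one gets data."""
    transport = FakeTransport(authorized_tokens=["tok-admin"])
    unprivileged = fetch_access_token("testtest", "testtest", "constructed-secret", transport)
    privileged = fetch_access_token("admin", "constructed-pw", "constructed-secret", transport)
    return query_katsu(unprivileged, transport), query_katsu(privileged, transport)


if __name__ == "__main__":
    print(demo())
```

Against the real stack, drop the `transport` argument and the default `urllib_transport` performs the same exchange as the curl commands in steps 8 and 9; the 401-to-empty mapping is deliberately limited to 401 so a misconfigured or down Katsu (500, 502) still surfaces as an error rather than as "no data".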
@OrdiNeu OrdiNeu requested a review from daisieh October 21, 2024 14:37
Member

@daisieh daisieh left a comment


LGTM, works as expected
