Details
Description
I'm adding a SAML test as part of MB-62604.
The test issues a request to /pools/default/remoteClusters, which calls goxdcr_rest:proxy in ns_server and proxies the HTTP request after adding the cb-on-behalf-of/cb-on-behalf-extras headers.
The test validates that the user is correctly authorized and relies on the info contained in the cb-on-behalf headers (parsed by cbauth).
No changes are required in goxdcr because cbauth AuthWebCreds will automatically take care of it.
The test:
https://review.couchbase.org/c/ns_server/+/215213 works as expected on trinity on a local M1 build.
127.0.0.1 - @goxdcr [29/Aug/2024:18:04:53 -0700] "GET /_cbauth/checkPermission?audit=true&domain=admin&permission=cluster.admin.security.admin%21impersonate&user=%40 HTTP/1.1" 200 0 - "goxdcr-cbauth" 0
127.0.0.1 - @goxdcr [29/Aug/2024:18:04:53 -0700] "GET /_cbauth/checkPermission?audit=true&context=ui%3DFOx2C5049IScSosw1xu2gg%3D%3D&domain=external&permission=cluster.xdcr.remote_clusters%21read&user=testuser2 HTTP/1.1" 200 0 - "goxdcr-cbauth" 0
127.0.0.1 - testuser2/UI [29/Aug/2024:18:04:53 -0700] "GET /pools/default/remoteClusters HTTP/1.1" 200 3 - "python-requests/2.28.2" 0
However, the same test fails on morpheus.
Note that the cbauth and ns_server changes have been merged to morpheus and work for other services in the same test.
I checked out a clean repo of morpheus and ran make from the top level directory.
The same test fails for goxdcr:
127.0.0.1 - @goxdcr [29/Aug/2024:13:59:41 -0700] "GET /_cbauth/checkPermission?domain=admin&permission=cluster.admin.security.admin%21impersonate&user=%40 HTTP/1.1" 200 0 - "goxdcr-cbauth" 0
127.0.0.1 - @goxdcr [29/Aug/2024:13:59:41 -0700] "GET /_cbauth/checkPermission?domain=external&permission=cluster.xdcr.remote_clusters%21read&user=testuser2 HTTP/1.1" 401 0 - "goxdcr-cbauth" 0
127.0.0.1 - testuser2/UI [29/Aug/2024:13:59:41 -0700] "GET /pools/default/remoteClusters HTTP/1.1" 403 121 - "python-requests/2.28.2" 1
It is especially curious because the "audit" parameter is also missing in this run only for goxdcr but is intact for other services.
version of cbauth will send either audit=true or audit=false for any checkPermission.
This was introduced in cbauth in 7.6.2 in MB-61006.
Wireshark packet traces:
I've attached Wireshark traces which indicate cb-on-behalf-extras are transmitted from ns_server.
They are parsed differently using local builds on trinity vs morpheus.
trinity local build:
Packet 9536 is the request from UI to ns_server
9538 from ns_server to goxdcr - which contains cb-on-behalf-extras
9540 /_cbauth checks whether the user has privileges to use cb-on-behalf-of which it does
9542 indicates success
9544 checks permissions for on-behalf-of user and 9546 indicates success.
morpheus local build:
On morpheus, one can search for packets containing the cb-on-behalf-of extras in the Wireshark trace:
http.request.line == "cb-on-behalf-extras: Y29udGV4dDp1aT1POUZJamRtWEZSSStYME04c3A5eENRPT0=\r\n"
Packet 12698 contains cb-on-behalf-of extras.
Packet 12700 is the request to cbauth to check whether the user has cb-on-behalf-of privileges (it does).
Packet 12702 indicates OK.
Packet 12704 checks for permissions but doesn't include either audit/context.
Packet 12706 indicates not authorized (context is needed to successfully authorize).
In the same trace, the previous test case (using query) posts the same headers to cbauth in packets 12564, 12566 and audit, context are populated correctly.
This looks like the cbauth version being picked up is the tagged 1.12 version (as of April 5) which doesn't support either audit/context - only for goxdcr.
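Added example (not cbauth, goxdcr or ns_server code): a small Go scanner that runs over the access-log lines quoted above and flags exactly the symptoms this report diagnoses on a checkPermission call, namely a missing audit parameter (cbauth 7.6.2+ always sends audit=true|false per MB-61006), a missing context parameter on the external-domain check for the on-behalf-of user, and any non-200 response. It also decodes the cb-on-behalf-extras value from the Wireshark filter; the observed value decodes to "context:ui=...", and the key:value layout the decoder assumes is inferred from that single observation, not taken from cbauth. The log lines are constructed from the two runs in the report.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample input: the access-log lines quoted in the report for the
// trinity run (passes) and the morpheus run (fails).
var TrinityLog = []string{
	`127.0.0.1 - @goxdcr [29/Aug/2024:18:04:53 -0700] "GET /_cbauth/checkPermission?audit=true&domain=admin&permission=cluster.admin.security.admin%21impersonate&user=%40 HTTP/1.1" 200 0 - "goxdcr-cbauth" 0`,
	`127.0.0.1 - @goxdcr [29/Aug/2024:18:04:53 -0700] "GET /_cbauth/checkPermission?audit=true&context=ui%3DFOx2C5049IScSosw1xu2gg%3D%3D&domain=external&permission=cluster.xdcr.remote_clusters%21read&user=testuser2 HTTP/1.1" 200 0 - "goxdcr-cbauth" 0`,
	`127.0.0.1 - testuser2/UI [29/Aug/2024:18:04:53 -0700] "GET /pools/default/remoteClusters HTTP/1.1" 200 3 - "python-requests/2.28.2" 0`,
}

var MorpheusLog = []string{
	`127.0.0.1 - @goxdcr [29/Aug/2024:13:59:41 -0700] "GET /_cbauth/checkPermission?domain=admin&permission=cluster.admin.security.admin%21impersonate&user=%40 HTTP/1.1" 200 0 - "goxdcr-cbauth" 0`,
	`127.0.0.1 - @goxdcr [29/Aug/2024:13:59:41 -0700] "GET /_cbauth/checkPermission?domain=external&permission=cluster.xdcr.remote_clusters%21read&user=testuser2 HTTP/1.1" 401 0 - "goxdcr-cbauth" 0`,
	`127.0.0.1 - testuser2/UI [29/Aug/2024:13:59:41 -0700] "GET /pools/default/remoteClusters HTTP/1.1" 403 121 - "python-requests/2.28.2" 1`,
}

// accessLineRe matches the access-log shape used above:
//   client - user [timestamp] "METHOD path HTTP/x" status bytes - "agent" t
var accessLineRe = regexp.MustCompile(`^(\S+) - (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) `)

// CheckPermissionCall is one /_cbauth/checkPermission request as recorded in the log.
type CheckPermissionCall struct {
	User, Domain, Permission string
	HasAudit, HasContext     bool
	Status                   string
}

// ParseCheckPermission parses one access-log line. It returns (nil, nil) for
// lines that are not checkPermission calls, such as the proxied REST request.
func ParseCheckPermission(line string) (*CheckPermissionCall, error) {
	m := accessLineRe.FindStringSubmatch(line)
	if m == nil {
		return nil, fmt.Errorf("unrecognised access-log line: %q", line)
	}
	u, err := url.Parse(m[5])
	if err != nil {
		return nil, err
	}
	if u.Path != "/_cbauth/checkPermission" {
		return nil, nil
	}
	q := u.Query() // percent-decodes, e.g. %21 -> "!", %3D -> "="
	_, hasAudit := q["audit"]
	_, hasContext := q["context"]
	return &CheckPermissionCall{
		User: q.Get("user"), Domain: q.Get("domain"), Permission: q.Get("permission"),
		HasAudit: hasAudit, HasContext: hasContext, Status: m[6],
	}, nil
}

// Findings flags, for a single call, the three symptoms the report describes.
func Findings(c *CheckPermissionCall) []string {
	var out []string
	if !c.HasAudit {
		out = append(out, "audit parameter missing (cbauth older than 7.6.2?)")
	}
	if c.Domain == "external" && !c.HasContext {
		out = append(out, "context parameter missing on the on-behalf-of user check")
	}
	if c.Status != "200" {
		out = append(out, "checkPermission returned HTTP "+c.Status)
	}
	return out
}

// ScanLog applies Findings to every checkPermission line, tagging each finding
// with its 1-based line number and the permission being checked.
func ScanLog(lines []string) []string {
	var findings []string
	for i, line := range lines {
		call, err := ParseCheckPermission(line)
		if err != nil {
			findings = append(findings, fmt.Sprintf("line %d: %v", i+1, err))
			continue
		}
		if call == nil {
			continue
		}
		for _, f := range Findings(call) {
			findings = append(findings, fmt.Sprintf("line %d (%s): %s", i+1, call.Permission, f))
		}
	}
	return findings
}

// DecodeOnBehalfExtras base64-decodes a cb-on-behalf-extras value and splits it
// as "key:value". That layout is an assumption drawn from the one value in the
// Wireshark filter above, which decodes to "context:ui=...".
func DecodeOnBehalfExtras(header string) (map[string]string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(header))
	if err != nil {
		return nil, err
	}
	key, value, found := strings.Cut(string(raw), ":")
	if !found {
		return nil, fmt.Errorf("no key:value separator in %q", raw)
	}
	return map[string]string{key: value}, nil
}

func main() {
	for _, run := range []struct {
		name  string
		lines []string
	}{{"trinity", TrinityLog}, {"morpheus", MorpheusLog}} {
		findings := ScanLog(run.lines)
		fmt.Printf("%s: %d finding(s)\n", run.name, len(findings))
		for _, f := range findings {
			fmt.Println("  ", f)
		}
	}
	extras, err := DecodeOnBehalfExtras("Y29udGV4dDp1aT1POUZJamRtWEZSSStYME04c3A5eENRPT0=")
	fmt.Println(extras, err)
}
```

Run against the two quoted logs the scanner reports nothing for trinity and four findings for morpheus: the admin-domain impersonate check lacks audit, and the external-domain check lacks both audit and context and comes back 401, which is the combination the report attributes to an older cbauth being linked into goxdcr.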