
fiware-pep-proxy's People

Contributors

aalonsog, abrahamsecmotic, actions-user, apozohue10, cdanger, dependabot[bot], ducthanhtran, federicofdez, fisuda, fiware-austria, flopezag, gabicavalcante, github-actions[bot], iaoiui, jason-fox, jcague, jkmcnk, k4s14, koenkarsten, mdespland, ravaga, siedlerchr, telsaleh


fiware-pep-proxy's Issues

Testing Proxy as per readme.md gives an unexpected response

Hi All
I am facing an issue with this command: curl --header "X-Auth-Token:z2zXk...ANOXvZrmvxvSg" http://proxy_host.
I am confused about what proxy_host means here.

I tried curl --header "X-Auth-Token:<oauth2_token>" http://pep-proxy-ip:port-no and received the response "User Token not authorized".

But according to https://github.com/ging/fiware-pep-proxy, curl --header "X-Auth-Token:z2zXk...ANOXvZrmvxvSg" http://proxy_host gives the following result:

"Once authenticated, the forwarded request will include additional HTTP headers with user info:

X-Nick-Name: nickname of the user in IdM
X-Display-Name: display name of user in IdM
X-Roles: roles of the user in IdM
X-Organizations: organizations in IdM "

How can I get the above result from this command: curl --header "X-Auth-Token:z2zXk...ANOXvZrmvxvSg" http://proxy_host

pep proxy 7.5 idm Authentication problem

Hi,
When I want to use the PEP proxy Wilma, although I do everything properly in config.js, I get this error every time I start Wilma.
What is the cause of this?

My error looks like this:
"
INFO: Server - Starting PEP proxy in port 80. IdM authentication ...
2018-12-03 05:08:05.325 - ERROR: Server - Caught exception: Error: listen EACCES 0.0.0.0:80
2018-12-03 05:08:05.369 - ERROR: Server - Error in IDM communication Error: getaddrinfo ENOTFOUND http http:443
at errnoException (dns.js:50:10)
at GetAddrInfoReqWrap.onlookup [as oncomplete] (dns.js:95:26)
2018-12-03 05:08:05.369 - INFO: Server - Waiting 5 seconds before attempting again.
"
Please help.
Thanks

Image blocking

For some reason *.png and *.jpg files are unable to go through the proxy, even when they are on public paths. *.svg images work fine; I suspect that this may have something to do with content-type headers.

Wilma freeze with reply if token is invalid

PEP version: 7.0.1 (does not matter)
IDM version: 7.0.0

Sending correct token:

pep_1 | 2018-08-21 16:34:38.135 - INFO: IDM-Client - Token in cache, checking timestamp...
pep_1 | 2018-08-21 16:34:38.135 - INFO: Root - Access-token OK. Redirecting to app...

Sending incorrect token:

pep_1 | 2018-08-21 16:35:16.456 - INFO: IDM-Client - Checking token with IDM...
pep_1 | 2018-08-21 16:35:16.908 - ERROR: IDM-Client - Error validating token. Proxy not authorized in keystone. Keystone authentication ...
pep_1 | 2018-08-21 16:35:17.317 - ERROR: Server - Caught exception: SyntaxError: Unexpected token u

If the token is valid, the HTTP return code is 200.
If the token is invalid, the session freezes.

PDP says 'Permit' but User not authorized

The Decision value in AuthzForce Response is not parsed correctly, which results in user unauthorized, even if AuthzForce decision is 'Permit'. Example of debug log:

2016-10-23 22:47:53.378 - DEBUG: AZF-Client - Decision: [ 'Permit' ]
2016-10-23 22:47:53.378 - ERROR: Root - User access-token not authorized: User not authorized in AZF for the given action and resource

Config folder missing for test

Hi, as I run npm test (CI job @ travis https://travis-ci.com/fiware-qa/fiware-pep-proxy), there is the following error:

module.js:549
    throw err;
    ^

Error: Cannot find module './../config'
    at Function.Module._resolveFilename (module.js:547:15)
    at Function.Module._load (module.js:474:25)
    at Module.require (module.js:596:17)
    at require (internal/module.js:11:18)
    at Object.<anonymous> (/repo/sanity/test.js:4:14)
    at Module._compile (module.js:652:30)
    at Object.Module._extensions..js (module.js:663:10)
    at Module.load (module.js:565:32)
    at tryModuleLoad (module.js:505:12)
    at Function.Module._load (module.js:497:3)
    at Module.require (module.js:596:17)
    at require (internal/module.js:11:18)
    at /repo/node_modules/mocha/lib/mocha.js:172:27
    at Array.forEach (<anonymous>)
    at Mocha.loadFiles (/repo/node_modules/mocha/lib/mocha.js:169:14)
    at Mocha.run (/repo/node_modules/mocha/lib/mocha.js:356:31)
    at Object.<anonymous> (/repo/node_modules/mocha/bin/_mocha:366:16)
    at Module._compile (module.js:652:30)
    at Object.Module._extensions..js (module.js:663:10)
    at Module.load (module.js:565:32)
    at tryModuleLoad (module.js:505:12)
    at Function.Module._load (module.js:497:3)
    at Function.Module.runMain (module.js:693:10)
    at startup (bootstrap_node.js:188:16)
    at bootstrap_node.js:609:3
npm ERR! Test failed.  See above for more details.
root@c8e951372251:/repo#  Cannot find module './../config'

Invalid XACML Request to the PDP if the authenticated user has no role

The XACML request produced is invalid if the authenticated user has no role (empty roles array). Indeed, in this case, the subject-role Attribute element does not have any AttributeValue, and this is rejected by the PDP because it is not valid per XACML schema. The solution is just to avoid including the subject-role Attribute itself in the Request when there is not any role to put in it.

Comms with MongoDB over IPv6

Hi,

I want a ContextBroker instance to communicate with a local MongoDB over IPv6 (as part of an IPv6-only deployment test).

I have the following configuration in the same VM (Linux Centos 6.7):

  • IPv6 enabled MongoDB (in the same VM as CB. Mongo version is 2.6.11)
  • Orion Context Broker (installed with yum right today 27/5/2016 and running over IPv4 and IPv6 as the host is IPv6 capable).

The CB's config file contains:

Database configuration for orion-broker

BROKER_DATABASE_HOST= XXXX
BROKER_DATABASE_NAME=orion

Where, for XXXX, I have tried [::1], ::1 and localhost6, each one resulting in a different error:

  1. With localhost6, CB starts but the connection with Mongo is over IPv4:
    [root@test bin]# netstat -nat
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 0 0.0.0.0:1026 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:27017 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
    tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
    tcp 0 0 127.0.0.1:27017 127.0.0.1:53765 ESTABLISHED
    tcp 0 0 127.0.0.1:27017 127.0.0.1:53770 ESTABLISHED
    tcp 0 0 127.0.0.1:53764 127.0.0.1:27017 ESTABLISHED
    tcp 0 0 127.0.0.1:27017 127.0.0.1:53764 ESTABLISHED
    tcp 0 0 127.0.0.1:27017 127.0.0.1:53769 ESTABLISHED
    tcp 0 0 127.0.0.1:53762 127.0.0.1:27017 ESTABLISHED
    tcp 0 0 127.0.0.1:53768 127.0.0.1:27017 ESTABLISHED
    tcp 0 0 127.0.0.1:53761 127.0.0.1:27017 ESTABLISHED
    tcp 0 0 127.0.0.1:53767 127.0.0.1:27017 ESTABLISHED
    tcp 0 0 127.0.0.1:27017 127.0.0.1:53766 ESTABLISHED
    tcp 0 0 127.0.0.1:27017 127.0.0.1:53768 ESTABLISHED
    tcp 0 0 127.0.0.1:27017 127.0.0.1:53763 ESTABLISHED
    tcp 0 0 127.0.0.1:27017 127.0.0.1:53762 ESTABLISHED
    tcp 0 0 127.0.0.1:53770 127.0.0.1:27017 ESTABLISHED
    tcp 0 0 127.0.0.1:53769 127.0.0.1:27017 ESTABLISHED
    tcp 0 0 127.0.0.1:27017 127.0.0.1:53761 ESTABLISHED
    tcp 0 0 127.0.0.1:27017 127.0.0.1:53767 ESTABLISHED
    tcp 0 0 127.0.0.1:53765 127.0.0.1:27017 ESTABLISHED
    tcp 0 0 127.0.0.1:53766 127.0.0.1:27017 ESTABLISHED
    tcp 0 0 127.0.0.1:53763 127.0.0.1:27017 ESTABLISHED
    tcp 0 0 :::1026 :::* LISTEN
    tcp 0 0 :::27017 :::* LISTEN
    tcp 0 0 :::22 :::* LISTEN
    tcp 0 0 ::1:25 :::* LISTEN

  2. With ::1, CB won't start and you'll get in the Log files:

log directory: '/var/log/contextBroker'
terminate called after throwing an instance of 'mongo::UserException'
what(): More than one ':' detected. If this is an ipv6 address, it needs to be surrounded by '[' and ']'; ::1
log directory: '/var/log/contextBroker'

  3. With [::1], CB won't start and you'll get in the Log files:
    /var/log/contextBroker/contextBroker.log
    ::::::::::::::
    time=2016-05-27T12:56:51.157CEST | lvl=ERROR | corr=N/A | trans=N/A | srv=N/A | subsrv=N/A | from=N/A | function=mongoConnect | comp=Orion | msg=mongoConnectionPool.cpp[140]: Database Startup Error (cannot connect to mongo - doing 100 retries with a 1000 microsecond interval)

Any idea on how to make this work ?
(Note: I tried with the FIWARE node.js IoT Agent-ul and using localhost6 the connection is done over IPv6.)

Cannot import name _uuid_generate_random

Hi everyone, I've got Wilma and KeyRock on the same VM, this is my config.js

config.account_host = 'http://localhost';

config.keystone_host = 'localhost';
config.keystone_port = 5000;

config.username = 'sandro';
config.password = 'sandro';

sandro is the user I created; I gave him the admin role and then generated the token. When I launch the PEP proxy:

2018-01-28 15:07:14.280 24574 TRACE keystone.notifications   File "/home/ubuntu/keystone/.venv/local/lib/python2.7/site-packages/stevedore/extension.py", line 170, in _load_plugins
2018-01-28 15:07:14.280 24574 TRACE keystone.notifications     self._on_load_failure_callback(self, ep, err)
2018-01-28 15:07:14.280 24574 TRACE keystone.notifications   File "/home/ubuntu/keystone/.venv/local/lib/python2.7/site-packages/stevedore/driver.py", line 50, in _default_on_load_failure
2018-01-28 15:07:14.280 24574 TRACE keystone.notifications     raise err
2018-01-28 15:07:14.280 24574 TRACE keystone.notifications ImportError: cannot import name _uuid_generate_random
2018-01-28 15:07:14.280 24574 TRACE keystone.notifications 
2018-01-28 15:07:14.866 24574 WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. from 127.0.0.1
2018-01-28 15:07:14.921 24574 INFO eventlet.wsgi.server [-] 127.0.0.1 - - [28/Jan/2018 15:07:14] "POST /v3/auth/tokens HTTP/1.1" 401 328 8.502280

I still haven't configured AuthZ or put any app; I initially had google.es as the template.
Thank you for your help! :)

Problem to compare AZF response and string 'Permit'

I'm trying to make the Level 2 authorization using PEP, IdM and AZF.

I have created a REST web service that exposes one GET service 'service2/list'. I have created a permission to make a GET to the resource service2/list and a role 'developer', and associated the permission to the role 'developer'. I created a user too, and I assigned the 'developer' and 'provider' roles to my user.

I have changed the file /horizon/openstack_dashboard/local/local_settings.py to connect the keyrock with authzforce:

    ACCESS_CONTROL_URL = 'http://192.168.99.100:8080'
    ACCESS_CONTROL_MAGIC_KEY = 'undefined'

And my PEP configuration:

    config.azf = {
            enabled: true,
            protocol: 'http',
            host: '192.168.99.100',
            port: 8080,
            custom_policy: undefined // use undefined to default policy checks (HTTP verb + path).
    };

The call to the resource is intercepted by PEP, and initially it showed me an error:

    pep-proxy_1  | 2016-12-14 16:49:44.474  - INFO: IDM-Client - Checking token with IDM… 
    pep-proxy_1  | 2016-12-14 16:49:44.531  - INFO: AZF-Client - Checking auth with AZF...
    pep-proxy_1  | 2016-12-14 16:49:44.533  - INFO: AZF-Client - Checking authorization to roles [ 'c6653c957bc34b96be0e197b56bb17c1', 'provider' ] to do  GET  on  service2/list and app  9c3cb030636144abaca85ccfdd64c173
    pep-proxy_1  | 2016-12-14 16:49:44.534  - INFO: AZF-Client - Checking auth with AZF…  
    pep-proxy_1  | 2016-12-14 16:49:45.366  - ERROR: Root - User access-token not authorized:  User not authorized in AZF for the given action and resource

So I activated the debug in authzforce and I checked that everything was working. Then I looked into the pep files, and I found the file lib/azf.js:

    log.debug('Decision: ', decision);
    if (decision === 'Permit') {
        success();
    } else {
        error(401, 'User not authorized in AZF for the given action and resource');
    }

I activated the debug in pep too, and I got this:

    pep-proxy_1  | 2016-12-16 21:16:31.684  - DEBUG: AZF-Client - AZF response status:  200
    pep-proxy_1  | 2016-12-16 21:16:31.684  - DEBUG: AZF-Client - AZF response:  <?xml version="1.0" encoding="UTF-8" standalone="yes"?><Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns2="http://authzforce.github.io/core/xmlns/pdp/5.0" xmlns:ns3="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:ns4="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6" xmlns:ns5="http://www.w3.org/2005/Atom"><Result><Decision>Permit</Decision></Result></Response>
    pep-proxy_1  | 2016-12-16 21:16:31.697  - DEBUG: AZF-Client - AZF response parsing result (JSON):  { Response: 
    pep-proxy_1  |    { '$': 
    pep-proxy_1  |       { xmlns: 'urn:oasis:names:tc:xacml:3.0:core:schema:wd-17',
    pep-proxy_1  |         'xmlns:ns2': 'http://authzforce.github.io/core/xmlns/pdp/5.0',
    pep-proxy_1  |         'xmlns:ns3': 'http://authzforce.github.io/rest-api-model/xmlns/authz/5',
    pep-proxy_1  |         'xmlns:ns4': 'http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6',
    pep-proxy_1  |         'xmlns:ns5': 'http://www.w3.org/2005/Atom' },
    pep-proxy_1  |      Result: [ [Object] ] } }
    pep-proxy_1  | 2016-12-16 21:16:31.698  - DEBUG: AZF-Client - AZF response parsing error ('null' means no error):  null
    pep-proxy_1  | 2016-12-16 21:16:31.699  - DEBUG: AZF-Client - Decision:  [ 'Permit' ]
    pep-proxy_1  | 2016-12-16 21:16:31.699  - ERROR: Root - User access-token not authorized:  User not authorized in AZF for the given action and resource

As you can see, we received 'Permit' as the response. Afterwards I checked the type of decision, and I saw 'object'. In JavaScript, when === is used, the object type is different from the string type. So I changed the === to == and it worked. Another solution is to add a parser before the comparison, to convert the object variable to a string.

Link not available

In the readthedocs documentation, specifically the admin guide section, system installation, we can read the following content:

The username/password corresponds with the credentials of a registered PEP Proxy in the FIWARE Account Portal. To do so you have to first register an application. The steps can be found [here].

here makes reference to a link to the content http://fiware-idm.readthedocs.org/en/latest/user_guide.html#registering-an-application which does not exist. I think that it should be http://fiware-idm.readthedocs.io/en/latest/user_guide/#def-register-pep-and-iot

Add support for Authzforce 4.4.x

The current release of Authzforce and the one available on the catalogue is version 4.4.1, but both idm and pep-wilma only work with version 4.2.0, as there are some changes in the URLs and XML. Please consider adding support for the new Authzforce version. The main change for pep-wilma seems to be that the response XML of the PDP has changed from:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
   <Result>
       <Decision>Permit</Decision>
       <Status>
           <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok" />
       </Status>
   </Result>
</Response>

to:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns5:Response xmlns:ns2="http://authzforce.github.io/core/xmlns/pdp/3.6" xmlns:ns3="http://authzforce.github.io/rest-api-model/xmlns/authz/4" xmlns:ns4="http://www.w3.org/2005/Atom" xmlns:ns5="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns6="http://authzforce.github.io/pap-dao-file/xmlns/properties/3.6">
  <ns5:Result>
    <ns5:Decision>Permit</ns5:Decision>
  </ns5:Result>
</ns5:Response>

Also, this request is hardcoded to use https in lib/azf.js.

Thanks.

Authzforce calls hardcoded to use HTTPS.

When pep wilma sends data to Authzforce, it uses HTTPS as default (see lib/azf.js#L198). If Authzforce is not configured to listen to HTTPS requests (like the official authzforce docker image) this results in the following error, as a result of xml2json not being able to transform the response from the Authzforce server:

ERROR: Server - Caught exception: Error: There are errors in your xml file: syntax error

Maybe this should be configurable, as other Authzforce options are.

Thanks.

Docker hub version 7.0.0/latest of pep-proxy are version 5.4

Hello,
I have doubts about the docker versions of pep-proxy. For my project I wanted to use pep-proxy from docker and I had some issues with it. I went and checked the Dockerfile and this line confused me: git checkout tags/5.4. To my understanding, versions 7.0.0/latest are being built as version 5.4 (correct me if I'm wrong).
I also checked this by downloading the latest image from docker hub, running it and then going inside the container to check the code, and the code is indeed from version 5.4.
I think removing git checkout tags/5.4 from the Dockerfile should fix this issue.

Also I had another issue using the latest version of pep-proxy directly from github; I wrote about it on stack. Not sure if it is allowed to post links here; if not, you can remove it. Link of issue
My second issue seems like some exception was not handled properly, or maybe I missed something.
Thanks.

PEP and PDP configuration

Hello @aalonsog ,

we have a following setup which introduces a problem related to the integration of PEP and PDP.

Our setup consists of one virtual machine with Ubuntu 14.04 which hosts only FIWARE GEs. Hosted are:

  1. a local instance of keystone + horizon

  2. there is example oauth2 client from FIWARE

  3. a local PDP instance running on local Tomcat server where we created a new domain as well

  4. a local PEP instance which protects the google api as shown in the FIWARE video clip on YouTube

The following procedure raises an error, but only when azf is enabled in PEP configuration. In other words, basic authentication works fine, but the problem is in Level 2 authorization.

  1. the example oauth2 client from FIWARE is utilized to obtain an access token with the default idm credentials

  2. PEP is configured as follows:

config.pep_port = 80;

// Set this var to undefined if you don't want the server to listen on HTTPS
config.https = {
    enabled: false,
    cert_file: 'cert/cert.crt',
    key_file: 'cert/key.key',
    port: 443
};

config.account_host = 'http://localhost';

config.keystone_host = '127.0.0.1';
config.keystone_port = 5000;

config.app_host = 'www.google.at';
config.app_port = '80';
// Use true if the app server listens in https
config.app_ssl = false;

// Credentials obtained when registering PEP Proxy in Account Portal
config.username = 'pep_proxy_59c493d755be48e3a88ef4693d45f86f';
config.password = '8507046e86f5402690bfdb2a882a41d4';

// in seconds
config.chache_time = 300;

//config.check_permissions = true;

// if enabled PEP checks permissions with AuthZForce GE.
// only compatible with oauth2 tokens engine
//
// you can use custom policy checks by including programatic scripts
// in policies folder. An script template is included there
config.azf = {
    enabled: true,
    host: '127.0.0.1',
    port: 8080,
    path: '/authzforce-ce/domains/dLRIBstnEeWh6AAMKfwfVg/pdp',
    custom_policy: undefined // use undefined to default policy checks (HTTP verb + path).
};

// list of paths that will not check authentication/authorization
// example: ['/public/*', '/static/css/']
config.public_paths = [];

// options: oauth2/keystone
config.tokens_engine = 'oauth2';

config.magic_key = undefined;

  3. and curl is used to generate an HTTP request

curl --header "X-Auth-Token:AXFZaEMe5LHdJ0unJUK5fHShrG9jxk" http://localhost

Upon sending the request above, PEP outputs the following error in the console:

2016-02-09 16:46:48.730 - INFO: Server - Starting PEP proxy in port 80. Keystone authentication ...
2016-02-09 16:46:48.838 - INFO: Server - Success authenticating PEP proxy. Proxy Auth-token: 37dfce4ba9394a0f9826a207b1dce11b
2016-02-09 16:46:57.513 - INFO: IDM-Client - Checking token with IDM...
2016-02-09 16:46:57.550 - INFO: AZF-Client - Checking auth with AZF...
2016-02-09 16:46:57.551 - INFO: AZF-Client - Checking authorization to roles [ 'provider_role' ] to do GET on and app cdcbdf2e94524524852aea1f6b16d1c4
2016-02-09 16:46:57.569 - ERROR: Server - Caught exception: Error: There are errors in your xml file: syntax error

and tomcat running the PDP outputs only the following information:

INFO: Error parsing HTTP request header
Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.

It could be that I am missing something in the configuration, but I have been struggling with this problem for 2 days. What is unclear to me is how the PDP obtains the roles and permissions defined for a specific user in keystone. Is there a link to configure between those two?

Thank you for any help on this topic.

Regards,
Domagoj

Unable to perform Level 2: Basic Authorization

Hi,

I need some help please: I want to perform Level 2 basic authorization. So I created a new role in my application on keyrock (idm) and created two new permissions: one that has the HTTP verb GET and /test1 as resource and one that has POST as HTTP verb and /test2 as resource, but I did not yet assign these permissions to my newly created role. I created these two resources just for testing purposes. All they do is send back a text message that tells me if I could access these resources. My newly created role I assigned to one of my registered users.

Using Chrome's Advanced REST Client I sent a GET and a POST request for these resources to the pep-proxy. For both requests I got a response of 401 Unauthorized, which is fine since I did not include an X-Auth-Token in these requests yet. Then I performed the authentication with the oauth2 example-client and got back my token. I copied the token into the header field and sent the same requests to the pep-proxy again. In both cases I got back a 200 OK message and the dedicated success messages that I created. But actually this should not be the case. Instead I should get back a 401 Unauthorized message, since the role of the user I am logged in as does not have the permissions to access these resources.

Why can I still access these resources? It seems to me the only thing that is checked is if the token is valid or not. As soon as the token is valid, the user can access whatever he wants. Did I do something wrong?

I run everything as docker containers. Here is some log output for the GET request:

pep | 2016-11-25 12:44:05.300 - INFO: IDM-Client - Token in cache, checking timestamp...
pep | 2016-11-25 12:44:05.300 - INFO: IDM-Client - Token in cache expired
pep | 2016-11-25 12:44:05.300 - INFO: IDM-Client - Checking token with IDM...
keyrock | 2016-11-25 12:44:05.331 34 INFO eventlet.wsgi.server [-] 172.18.0.7 - - [25/Nov/2016 12:44:05] "GET /v3/access-tokens/nalLDoB334Z3BItu0ytcoUJOmOC3m2 HTTP/1.1" 200 394 0.026148
pep | 2016-11-25 12:44:05.332 - INFO: AZF-Client - Checking auth with AZF...
pep | 2016-11-25 12:44:05.332 - INFO: AZF-Client - Checking authorization to roles [ '5fedd57e74c94a9b993db26b145c1035' ] to do GET on test1 and app eb5fc491be0d4edd946cc6ce20a096b3
pep | 2016-11-25 12:44:05.332 - INFO: AZF-Client - Checking auth with AZF...
pep | 2016-11-25 12:44:05.345 - INFO: Root - Access-token OK. Redirecting to app...

I hope someone can help me with this.

Best regards,
Thomas

Problem in interaction between idm,pep and authzforce

I'm facing severe troubles when trying to enable Level 2 authorization using PEP, IdM and AFZ.

There seem to be several issues so it is virtually impossible to say which component is actually responsible for the problem.
That's why I have already filed issues with IdM and AFZ. So please refer to these entries for a detailed problem description. At least it looks as if PEP does not make a valid request to AFZ (basically it looks as AFZ comes up with a response without having got a valid http request).

Here's the relevant part of my PEP configuration:

config.azf = {
    enabled: true,
    host: '10.12.200.247',
    port: 8282,
    custom_policy: undefined // use undefined to default policy checks (HTTP verb + path).
};

Cannot parse XACML response from Authzforce because of arbitrary XML namespace prefixes

In lib/azf.js, XACML response (from authzforce) parsing by xml2json keeps the namespace prefixes in the generated JSON keys, which breaks the extraction of the XACML Decision. Namespace prefixes are arbitrary and may change without notice. What matters is the namespace URI they are associated with (in the 'xmlns' attribute) which is always the XACML namespace. For example, the XACML Response may have xmlns:ns4="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" and so a ns4:Decision element at some point. Then later, it may have xmlns:ns6="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" and so ns6:Decision, etc.
One solution is to use NPM package 'xml2js' which can strip namespace prefixes while converting to JSON and therefore remove any dependency on the namespace prefix.

In the long term, I would recommend replacing xml2json with 'xml2js' for all XML parsing since it handles XML complexity better (more features and flexibility).
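The three problems reported above (the `[ 'Permit' ]` array that never strictly equals `'Permit'`, the 4.4.x response that moved the XACML elements under a generated prefix, and prefixes that may change between releases) all come down to how the Decision is extracted from the PDP response. The following is an added example, not code from fiware-pep-proxy: it resolves whichever prefix is bound to the XACML 3.0 namespace URI, extracts the Decision as a string, and only authorizes on an exact single `'Permit'` (fail closed). The two sample responses are constructed to mirror the formats quoted in the issues; the namespace scan assumes declarations are not re-bound in nested scopes.

```javascript
'use strict';

// XACML 3.0 core namespace. AuthzForce 4.2 used it as the default namespace
// (<Response xmlns=...>); 4.4 and later bind it to a generated prefix
// (<ns5:Response ...>), so the prefix itself must never be hard-coded.
const XACML_NS = 'urn:oasis:names:tc:xacml:3.0:core:schema:wd-17';

// Return the prefixes bound to the XACML namespace anywhere in the document:
// 'ns5:' for xmlns:ns5="...", '' for a default xmlns="...". Simplification
// (assumption): a prefix re-bound to another URI in a nested scope is not tracked.
function xacmlPrefixes(xml) {
  const prefixes = new Set();
  const decl = /xmlns(?::([A-Za-z_][\w.-]*))?\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = decl.exec(xml)) !== null) {
    if (m[2] === XACML_NS) prefixes.add(m[1] ? m[1] + ':' : '');
  }
  return prefixes;
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Extract the text of every Decision element that is in the XACML namespace,
// whatever prefix the PDP chose. A Decision element in another namespace is
// ignored, which a plain "strip all prefixes" approach would not guarantee.
function decisionsFromXml(xml) {
  const found = [];
  for (const p of xacmlPrefixes(xml)) {
    const tag = escapeRegExp(p) + 'Decision';
    const re = new RegExp('<' + tag + '>\\s*([^<]*?)\\s*</' + tag + '>', 'g');
    let m;
    while ((m = re.exec(xml)) !== null) found.push(m[1]);
  }
  return found;
}

// xml2json hands back the Decision as an array ([ 'Permit' ]) rather than a
// string, which is why `decision === 'Permit'` in lib/azf.js never matched.
// Reduce either shape to one string; an empty or multi-valued decision is null.
function singleDecision(value) {
  const list = Array.isArray(value) ? value : [value];
  return list.length === 1 && typeof list[0] === 'string' ? list[0].trim() : null;
}

// Fail closed: only the exact string 'Permit' authorizes. 'Deny',
// 'NotApplicable', 'Indeterminate', a missing decision or several decisions
// all deny, which switching === to == (array-to-string coercion) does not ensure.
function isPermitted(value) {
  return singleDecision(value) === 'Permit';
}

// Constructed samples mirroring the two response formats quoted in the issues.
const RESPONSE_4_2 =
  '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>' +
  '<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">' +
  '<Result><Decision>Permit</Decision>' +
  '<Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>' +
  '</Result></Response>';

const RESPONSE_4_4 =
  '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>' +
  '<ns5:Response xmlns:ns2="http://authzforce.github.io/core/xmlns/pdp/3.6"' +
  ' xmlns:ns4="http://www.w3.org/2005/Atom"' +
  ' xmlns:ns5="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">' +
  '<ns5:Result><ns5:Decision>Permit</ns5:Decision></ns5:Result></ns5:Response>';

const RESPONSE_DENY = RESPONSE_4_4.replace('Permit', 'Deny');

for (const [name, xml] of [['4.2', RESPONSE_4_2], ['4.4', RESPONSE_4_4], ['deny', RESPONSE_DENY]]) {
  const decisions = decisionsFromXml(xml);
  console.log(name, decisions, isPermitted(decisions) ? 'permit' : 'deny');
}
```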

Dockerized PEP Proxy won't connect to Authzforce

If you set up a PEP proxy to use AuthZforce using docker-compose as shown:

 pep-proxy:
    image: fiware/pep-proxy
    depends_on:
      - keyrock
      - authzforce
    ports:
      - "1027:1027"
    expose:
      - "1027"
    environment:
      - PEP_PROXY_APP_HOST=orion
      - PEP_PROXY_APP_PORT=1026
      - PEP_PROXY_PORT=1027
      - PEP_PROXY_IDM_HOST=keyrock
      - PEP_PROXY_HTTPS_ENABLED=false
      - PEP_PROXY_IDM_SSL_ENABLED=false
      - PEP_PROXY_IDM_PORT=3005
      - PEP_PROXY_APP_ID=xxxxxxxxx
      - PEP_PROXY_USERNAME=yyyyyyy
      - PEP_PASSWORD=zzzzzzz
      - PEP_PROXY_PDP=authzforce
      - PEP_PROXY_AUTH_ENABLED=true
      - PEP_PROXY_MAGIC_KEY=1234
      - PEP_PROXY_AZF_PROTOCOL=http
      - PEP_PROXY_AZF_HOST=authzforce
      - PEP_PROXY_AZF_PORT=8080

Level 2 (Basic Authorization from Keyrock) is used rather than Level 3 (Advanced Authorization from Authzforce): PEP_PROXY_AUTH_ENABLED is incorrectly read as a string rather than a boolean.

Why is there a `trusted_apps` setting in pep-proxy?

When using Keyrock idm as the pdp, the pep-proxy checks that the user is logged in from pep.trusted_apps (line 114 and 214). Is there a reason to do this? Because Keyrock already has a "trusted applications" list, doesn't it already check the user permissions and app_id there?

Now I need to add new trusted apps to both lists in idm and pep-proxy. This is a problem for me because it needs a manual configuration edit and restart for pep-proxy.

Ambiguity of config.pep_port vs config.https.port

When I have

config.pep_port = 80;

// Set this var to undefined if you don't want the server to listen on HTTPS
config.https = {
    enabled: true,
    ...
    port: 443
};

is the PEP proxy supposed to listen on both ports http/80 and https/443 or just the https one? If on both ports, how do I configure to listen to https only?
The documentation should clarify that. Thanks.

Error protecting resources with invalid XML parameters

Hi!

We are using IdM, Authzforce and Wilma PEP environment to protect our app and, we are having issues protecting some resources.

For example, we are trying to protect the resource NGSI10/queryContext?limit=1000&entity_type=review, but when doing the request against Authzforce it throws the following error:

[AZF] Checking authorization to roles [ '2e11644af92047a18474e849d6747b9a' ] to do  POST  on  NGSI10/queryContext?limit=1000&entity_type=review and app  d5f5eec653a540d996b6e1f562ed7e70
Error in AZF communication  <?xml version="1.0" encoding="UTF-8" standalone="yes"?><ns2:error xmlns:ns2="http://thalesgroup.com/authz/model/3.0" xmlns:ns3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns4="http://thalesgroup.com/authzforce/pdp/model/2014/12"><message>Unexpected character '=' (code 61); expected a semi-colon after the reference for entity 'entity_type'
 at [row,col {unknown-source}]: [1,999]</message></ns2:error>

This error is caused by the character &, which is forbidden in XML. Encoding the forbidden characters in the resource parameter would solve issues like this one, as IdM already encodes this request against authzforce.
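Both this issue and the earlier "Invalid XACML Request to the PDP if the authenticated user has no role" are defects in how the PEP builds the XACML Request it sends to Authzforce. The block below is an added example, not the project's code: it escapes every attribute value so a `&` in the resource path survives, omits the subject-role Attribute entirely when the role list is empty instead of emitting a value-less element, and includes two pre-send checks. The attribute ids are the standard XACML ones except `urn:thales:xacml:2.0:resource:sub-resource-id`, which is assumed; Wilma's exact request layout is not on the page, and the sample values are the ones quoted in the log above.

```javascript
'use strict';

const XACML_NS = 'urn:oasis:names:tc:xacml:3.0:core:schema:wd-17';
const XS_STRING = 'http://www.w3.org/2001/XMLSchema#string';

// Escape the XML special characters in a text value. The raw '&' in
// "NGSI10/queryContext?limit=1000&entity_type=review" is what made the PDP
// answer "expected a semi-colon after the reference for entity 'entity_type'".
function escapeXml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function attribute(id, values) {
  const body = values
    .map((v) => `<AttributeValue DataType="${XS_STRING}">${escapeXml(v)}</AttributeValue>`)
    .join('');
  return `<Attribute AttributeId="${id}" IncludeInResult="false">${body}</Attribute>`;
}

function attributes(category, attrs) {
  return `<Attributes Category="${category}">${attrs.join('')}</Attributes>`;
}

// Build the XACML 3.0 Request for "may a subject holding `roles` perform
// `action` on `resource` of application `appId`". Standard XACML attribute
// ids plus an assumed sub-resource id (Wilma's real layout is not on the page).
function buildXacmlRequest({ roles, action, resource, appId }) {
  const subject = [];
  // An <Attribute> with zero <AttributeValue> children violates the XACML
  // schema and the PDP rejects the whole request, so when the user has no
  // role the role attribute is omitted rather than emitted empty.
  if (roles.length > 0) {
    subject.push(attribute('urn:oasis:names:tc:xacml:2.0:subject:role', roles));
  }
  return (
    '<?xml version="1.0" encoding="UTF-8"?>' +
    `<Request xmlns="${XACML_NS}" CombinedDecision="false" ReturnPolicyIdList="false">` +
    attributes('urn:oasis:names:tc:xacml:1.0:subject-category:access-subject', subject) +
    attributes('urn:oasis:names:tc:xacml:3.0:attribute-category:resource', [
      attribute('urn:oasis:names:tc:xacml:1.0:resource:resource-id', [appId]),
      attribute('urn:thales:xacml:2.0:resource:sub-resource-id', [resource]), // assumed id
    ]) +
    attributes('urn:oasis:names:tc:xacml:3.0:attribute-category:action', [
      attribute('urn:oasis:names:tc:xacml:1.0:action:action-id', [action]),
    ]) +
    '</Request>'
  );
}

// Pre-send checks a PEP can run: any '&' that does not start an entity
// reference, or any Attribute element without a value, will be rejected
// by the PDP's parser, so better to fail here with a clear message.
function hasUnescapedAmpersand(xml) {
  return /&(?!(amp|lt|gt|quot|apos|#\d+|#x[0-9a-fA-F]+);)/.test(xml);
}
function hasEmptyAttribute(xml) {
  return /<Attribute\b[^>]*>\s*<\/Attribute>/.test(xml);
}

// Constructed inputs using the values quoted in the issue's log.
const WITH_ROLE = buildXacmlRequest({
  roles: ['2e11644af92047a18474e849d6747b9a'],
  action: 'POST',
  resource: 'NGSI10/queryContext?limit=1000&entity_type=review',
  appId: 'd5f5eec653a540d996b6e1f562ed7e70',
});
// A user with no roles at all (the other issue).
const NO_ROLE = buildXacmlRequest({ roles: [], action: 'GET', resource: 'test1', appId: 'app' });

console.log(WITH_ROLE);
console.log('unescaped & present:', hasUnescapedAmpersand(WITH_ROLE));
console.log('empty Attribute present:', hasEmptyAttribute(NO_ROLE));
```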

Fiware-pep-proxy Dockerfile

Hi!

As I did in fiware-idm, I'm just pointing that we've also created an image for fiware-pep-proxy :P

We've created the fiware-pep-proxy image based on the official Node image.

Like the fiware-idm one, it's been made mainly for integration, so it requires the following:

  • docker-compose (for components integration)
  • A fiware-idm instance
  • An Authzforce instance
  • An app to protect (we've been using Orion)

We've created a template config.js with default values. With docker-compose, these variables can be modified just by passing the values in the docker-compose yml file like:

pepwilma:
    image: bitergia/pep-wilma:4.3.0
    links:
        - orion
        - idm
        - authzforce
    volumes_from:
        - idm
    environment:
        - AUTHZFORCE_HOSTNAME=authzforce
        - AUTHZFORCE_PORT=8080
        - IDM_KEYSTONE_HOSTNAME=idm
        - IDM_KEYSTONE_PORT=5000
        - APP_HOSTNAME=orion
        - APP_PORT=10026
        - [email protected]
        - PEP_PASSWORD=test
        - PEP_PORT=1026
        - [email protected]
        - IDM_USERPASS=test
        - MAGIC_KEY=daf26216c5434a0a80f392ed9165b3b4

Finally, and just to make things a bit easier, we've added a really simple script based on the 'Resource Owner Password Credentials Grant', to get a fresh Oauth2 token just by launching a command:

docker exec -i -t <pepwilma-container-name> auth-token.sh <user-email> <password>

All the information regarding the fiware-pep-proxy image is available here

Again, feel free to use it as you need.

Best!

Unable to authenticate with the new keyrock release

Hi,

When starting the server and doing the initial authentication of the pep proxy user with keyrock, it fails with the following error:

2018-04-11 14:57:25.036  - INFO: Server - Starting PEP proxy in port 1080. IdM authentication ...
2018-04-11 14:57:25.040  - DEBUG: HTTP-Client - Sending  POST  to: http://idm:4000/v3/auth/tokens
2018-04-11 14:57:25.041  - DEBUG: HTTP-Client -  Headers:  { 'Content-Type': 'application/json' }
2018-04-11 14:57:25.042  - DEBUG: HTTP-Client -  Body:  {"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"pep_proxy_8bb4f48b-4db7-452f-944b-e827c71cdac7","password":"pep_proxy_ec8dbe01-f776-463e-906a-6b2e716c5c10"}}}}}
POST /v3/auth/tokens 400 0.403 ms - 117
2018-04-11 14:57:25.056  - ERROR: Server - Error in keystone communication {"error":{"message":"Expecting to find name and password or token in body request","code":400,"title":"Bad Request"}}

It seems the new keyrock release uses a different payload than keystone and modifying the code to send the correct payload seems to fix this, but I'm not sure if this is the only place where this problem may be present.

Are you planning on updating the pep-proxy to work with the new keyrock release or is there a new version in the works (like with keyrock)?

Thanks,

Regards.

Unable to start the fiware-pep-proxy server

Hi!

I'm trying to deploy a secure environment for testing using the three security GEs (authzforce, IdM and fi-ware-pep-proxy).

With a clean installation of IdM, several organizations, applications and users are provided. I've tested to modify the roles and permissions against authzforce and the exchange of XACML's worked perfectly.

But now, trying to introduce the fi-ware-pep-proxy, I'm having issues with the authentication.

Here's the config.js file I've used:

 var config = {};

config.pep_port = 10026;

// Set this var to undefined if you don't want the server to listen on HTTPS
//config.https = {
//    enabled: false,
//    cert_file: 'cert/cert.crt',
//    key_file: 'cert/key.key',
//    port: 443
//};

// Our IdM IP
config.account_host = '172.17.0.159';

// Our Keystone Settings. In this case Keystone and Horizon are at the same host
config.keystone_host = '172.17.0.159';
config.keystone_port = 5000;

// The host of the app to protect
config.app_host = '172.17.0.96';
config.app_port = '1026';

// The username and password we've used for registering the app (just for testing)
config.username = '[email protected]';
config.password = 'test';

// in seconds
config.chache_time = 300;

// if enabled PEP checks permissions with AuthZForce GE.
// only compatible with oauth2 tokens engine
config.azf = {
    enabled: true,
    host: '172.17.0.72',
    port: 8080,
    path: '/authzforce/domains/f7727b3b-0a04-11e5-9a3a-adc96088fc92/pdp'
};

// options: oauth2/keystone
config.tokens_engine = 'oauth2';

// 'client secret' of our registed app
config.magic_key = '82df536ff47...5beb9766';

module.exports = config;

There, with this configuration file, I got the following message when running sudo node server :

Starting PEP proxy in port 10026. Keystone authentication ...
Error in keystone communication {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}

I've checked Keystone logs and also the same error is there. Checking the API examples here, I've tried to retrieve the token manually using the Default scope and it worked perfectly. Then I found that the request done for the fi-ware-pep-proxy at lib/idm.js is a Domain Scoped request.

So, at this point, I'm a bit lost. Is there any configuration I should add to my IdM? Any help would be appreciated!

"npm test" result seems wrong

I tried to execute "npm test" and got the following result.

  Sanity Checks for Wilma PEP Proxy - Identity Manager Checks
    Testing Keystone configuration
      1) should have PEP user configured
    Testing connection with Keystone
2019-01-16 22:52:32.352  - ERROR: Test - Error in keystone communication {"error":{"message":"Expecting to find X-Auth-token in requests","code":400,"title":"Bad Request"}}
      2) should have connectivity with Keystone
2019-01-16 22:52:34.360  - INFO: IDM-Client - IDM authorization configuration:
2019-01-16 22:52:34.360  - INFO: IDM-Client -  + Authzforce enabled: false
2019-01-16 22:52:34.361  - INFO: IDM-Client -  + Authorization rules allowed: HTTP Verb+Resource

both test 1 and 2 failed.

Test 1 checks that the PEP config is set properly, as in the following code:

describe('Testing Keystone configuration', function() {

                it('should have PEP user configured', function (done) {
                        if (config.pep.username !== undefined && config.pep.username !== '') {
                                if (config.password !== undefined && config.password !== '') {
                                        done();
                                }
                        }
                });
        });

solution for test 1

This code checks the "config.password" variable but should check "config.pep.password", right?

Test 2 checks communication between the PEP and Keyrock without auth.

This test sends a request to <keyrock_ip>:<keyrock_port>/v3.
However, a request sent to this endpoint must set the "x-auth-token" header.

const checkConn = function(callback, callbackError) {

        const options = {
            host: config.idm.host,
            port: config.idm.port,
            path: '/v3',
            method: 'GET'
        };
        const protocol = config.idm.ssl ? 'https' : 'http';
        proxy.sendData(protocol, options, undefined, undefined, callback, callbackError);
    };

solution for test2

To check whether Keyrock returns status code 200, the /version endpoint is suitable, right?
I confirmed the communication test passed properly.

If you agree these changes, I would create pull request.

Bug on IPv6 numeric addresses treatment

When configuring the Keyrock PEP-proxy to listen to outbound v6 queries and forward them over v6 too towards a backend component this way:

  • Server.js file: app.listen(80, "::");
  • Config.js file: config.app_host = '::1';

The PEP-proxy correctly attends the query over v6. However, when forwarding (again over v6) to the component, the service URL is not correctly provided (looks like ":" characters are misleading for that parsing process).

Traces for a ContextBroker GE as a backend component are:

400
Bad Request

service '/::1/version' not found

The problem does not happen if we configure the IPv6 component endpoint with a valid FQDN. For instance, the following one works fine in a host where /etc/hosts has the line "localhost6 ::1":

  • Server.js file: app.listen(80, "::");
  • Config.js file: config.app_host = 'localhost6';

Thanks for your support!

Fiware pep-proxy and idm communication issue

I wanted to connect the pep-proxy with the idm, so I followed the installation of the PEP from this link, https://github.com/ging/fiware-pep-proxy, by building it from source. This was the config file I was supposed to edit:


// Credentials obtained when registering PEP Proxy in app_id in Account Portal
config.pep = {
    app_id: '',
    username: '',
    password: '',
    trusted_apps : []
}

I also wanted to know how I could get both the app_id and the trusted_apps parameters, and I'm also confused about the meaning of app_id, whether it's the client id or not.

That was the first part of my issue.

When I put the client id as app_id and put the username and password of the pep proxy that I got when I registered it on the idm, I got a keystone communication error.

When I edited the idm host parameter by adding "http" at the beginning, I got no token and I get a "token undefined" message. Also, when I edited the username and password by putting those of the idm account, I get a new token every time. So I wanted to know the best way to build the fiware pep-proxy and make it communicate correctly with the idm with no problems.

Then I tried to follow the installation commands from the Dockerfile. On building the pep-proxy with these commands, I got a new config file, which is that of fiware academia:

(screenshot of the config file)

This config file is different from the first one I worked on. When I followed the steps in this video https://www.youtube.com/watch?v=dtKsjGbJ7Xc&index=10&list=PLARS-yIy9nOoBIOJS05Rpkvu1pZiNTgPT and configured the username and password by putting those of the pep-proxy, I got this error:

(screenshot of the error)

On putting "http" before the keystone parameter as follows:

config.keystone_host = 'http://cloud.lab.fiware.org';

I got this message:

(screenshot of the message)

But on putting the username and password of the idm in the configuration as shown below:

config.username = 'idm_user_mail';
config.password = 'password';

I always get a new token.

Now, I want to know the best way to get the pep-proxy and the idm to work together, as I'm still struggling to make them communicate properly. @aalonsog @flopezag @UniSurreyIoT

Update: I have followed this document, https://www.slideshare.net/mobile/daltoncezane/integrating-fiware-orion-keyrock-and-wilma, to make the communication between idm and pep proxy work, and specifically this code to generate a token from the idm, sending it using postman:

POST to "http://idm_ip:8000/oauth2/token"
Payload:
grant_type=password&username=YOUR_USERNAME&password=YOUR_PASSWORD&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET

but I can't generate a token.
This is the postman response:

<!DOCTYPE html>

<title>Error</title>
SyntaxError: Unexpected token # in JSON at position 0
   at JSON.parse (<anonymous>)
   at createStrictSyntaxError (/home/ubuntu/fiware-idm/node_modules/body-parser/lib/types/json.js:157:10)
   at parse (/home/ubuntu/fiware-idm/node_modules/body-parser/lib/types/json.js:83:15)
   at /home/ubuntu/fiware-idm/node_modules/body-parser/lib/read.js:121:18
   at invokeCallback (/home/ubuntu/fiware-idm/node_modules/raw-body/index.js:224:16)
   at done (/home/ubuntu/fiware-idm/node_modules/raw-body/index.js:213:7)
   at IncomingMessage.onEnd (/home/ubuntu/fiware-idm/node_modules/raw-body/index.js:273:7)
   at emitNone (events.js:106:13)
   at IncomingMessage.emit (events.js:208:7)
   at endReadableNT (_stream_readable.js:1064:12)
   at _combinedTickCallback (internal/process/next_tick.js:138:11)
   at process._tickCallback (internal/process/next_tick.js:180:9)

and these are the logs of the idm after sending the request:

POST /oauth2/token 400 1.679 ms - 1164
SyntaxError: Unexpected token # in JSON at position 0
    at JSON.parse (<anonymous>)
    at createStrictSyntaxError (/home/ubuntu/fiware-idm/node_modules/body-parser/lib/types/json.js:157:10)
    at parse (/home/ubuntu/fiware-idm/node_modules/body-parser/lib/types/json.js:83:15)
    at /home/ubuntu/fiware-idm/node_modules/body-parser/lib/read.js:121:18
    at invokeCallback (/home/ubuntu/fiware-idm/node_modules/raw-body/index.js:224:16)
    at done (/home/ubuntu/fiware-idm/node_modules/raw-body/index.js:213:7)
    at IncomingMessage.onEnd (/home/ubuntu/fiware-idm/node_modules/raw-body/index.js:273:7)
    at emitNone (events.js:106:13)
    at IncomingMessage.emit (events.js:208:7)
    at endReadableNT (_stream_readable.js:1064:12)
    at _combinedTickCallback (internal/process/next_tick.js:138:11)
    at process._tickCallback (internal/process/next_tick.js:180:9)

Any help on why I got this error?

child_process: customFds option is deprecated, use stdio instead.

When running npm install on a fresh installation, the xml2json dependency throws the following error:
child_process: customFds option is deprecated, use stdio instead.

After this the terminal throws quite a bit of errors, I have listed them below:

[device]:fi-ware-pep-proxy [username]$ npm install
-
> [email protected] install /Users/[username]/[company]/git/fi-ware-pep-proxy/node_modules/xml2json/node_modules/node-expat
> node-gyp rebuild

child_process: customFds option is deprecated, use stdio instead.
  CC(target) Release/obj.target/expat/deps/libexpat/lib/xmlparse.o
  CC(target) Release/obj.target/expat/deps/libexpat/lib/xmltok.o
../deps/libexpat/lib/xmltok.c:471:1: warning: missing
      field 'isName2' initializer
      [-Wmissing-field-initializers]
};
^
../deps/libexpat/lib/xmltok.c:484:1: warning: missing
      field 'isName2' initializer
      [-Wmissing-field-initializers]
};
^
../deps/libexpat/lib/xmltok.c:504:1: warning: missing
      field 'isName2' initializer
      [-Wmissing-field-initializers]
};
^
../deps/libexpat/lib/xmltok.c:517:1: warning: missing
      field 'isName2' initializer
      [-Wmissing-field-initializers]
};
^
../deps/libexpat/lib/xmltok.c:730:1: warning: missing
      field 'isName2' initializer
      [-Wmissing-field-initializers]
};
^
../deps/libexpat/lib/xmltok.c:749:1: warning: missing
      field 'isName2' initializer
      [-Wmissing-field-initializers]
};
^
../deps/libexpat/lib/xmltok.c:762:1: warning: missing
      field 'isName2' initializer
      [-Wmissing-field-initializers]
};
^
../deps/libexpat/lib/xmltok.c:775:1: warning: missing
      field 'isName2' initializer
      [-Wmissing-field-initializers]
};
^
../deps/libexpat/lib/xmltok.c:871:1: warning: missing
      field 'isName2' initializer
      [-Wmissing-field-initializers]
};
^
../deps/libexpat/lib/xmltok.c:890:1: warning: missing
      field 'isName2' initializer
      [-Wmissing-field-initializers]
};
^
10 warnings generated.
  CC(target) Release/obj.target/expat/deps/libexpat/lib/xmlrole.o
  LIBTOOL-STATIC Release/libexpat.a
  CXX(target) Release/obj.target/node_expat/node-expat.o
In file included from ../node-expat.cc:1:
../node_modules/nan/nan.h:318:13: error: no member named
      'New' in 'v8::String'
    return  _NAN_ERROR(v8::Exception::Error, errmsg);
            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../node_modules/nan/nan.h:298:50: note: expanded from
      macro '_NAN_ERROR'
  ..._NAN_ERROR(fun, errmsg) fun(v8::String::New(errmsg))
                                 ~~~~~~~~~~~~^
../node_modules/nan/nan.h:322:5: error: no member named
      'ThrowException' in namespace 'v8'
    _NAN_THROW_ERROR(v8::Exception::Error, errmsg);
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../node_modules/nan/nan.h:303:11: note: expanded from
      macro '_NAN_THROW_ERROR'
      v8::ThrowException(_NAN_ERROR(fun, errmsg))...
      ~~~~^
../node_modules/nan/nan.h:322:5: error: no member named
      'New' in 'v8::String'
    _NAN_THROW_ERROR(v8::Exception::Error, errmsg);
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../node_modules/nan/nan.h:303:26: note: expanded from
      macro '_NAN_THROW_ERROR'
      v8::ThrowException(_NAN_ERROR(fun, errmsg))...
                         ^~~~~~~~~~~~~~~~~~~~~~~
../node_modules/nan/nan.h:298:50: note: expanded from
      macro '_NAN_ERROR'
  ..._NAN_ERROR(fun, errmsg) fun(v8::String::New(errmsg))
                                 ~~~~~~~~~~~~^
../node_modules/nan/nan.h:327:9: error: no type named
      'ThrowException' in namespace 'v8'
    v8::ThrowException(error);
    ~~~~^
../node_modules/nan/nan.h:334:65: error: no member named
      'New' in 'v8::String'
  ...err = v8::Exception::Error(v8::String::New(msg));
                                ~~~~~~~~~~~~^
../node_modules/nan/nan.h:336:26: error: no member named
      'New' in 'v8::String'
    obj->Set(v8::String::New("code"), v8::Int32::...
             ~~~~~~~~~~~~^
../node_modules/nan/nan.h:336:65: error: too few
      arguments to function call, expected 2, have 1
  ...v8::Int32::New(errorNumber));
     ~~~~~~~~~~~~~~            ^
/Users/[username]/.node-gyp/0.12.0/deps/v8/include/v8.h:2012:3: note: 
      'New' declared here
  static Local New(Isolate* isolate, int...
  ^
In file included from ../node-expat.cc:1:
../node_modules/nan/nan.h:348:12: error: no member named
      'New' in 'v8::String'
    return _NAN_ERROR(v8::Exception::TypeError, errmsg);
           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../node_modules/nan/nan.h:298:50: note: expanded from
      macro '_NAN_ERROR'
  ..._NAN_ERROR(fun, errmsg) fun(v8::String::New(errmsg))
                                 ~~~~~~~~~~~~^
../node_modules/nan/nan.h:352:5: error: no member named
      'ThrowException' in namespace 'v8'
    _NAN_THROW_ERROR(v8::Exception::TypeError, errmsg);
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../node_modules/nan/nan.h:303:11: note: expanded from
      macro '_NAN_THROW_ERROR'
      v8::ThrowException(_NAN_ERROR(fun, errmsg))...
      ~~~~^
../node_modules/nan/nan.h:352:5: error: no member named
      'New' in 'v8::String'
    _NAN_THROW_ERROR(v8::Exception::TypeError, errmsg);
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../node_modules/nan/nan.h:303:26: note: expanded from
      macro '_NAN_THROW_ERROR'
      v8::ThrowException(_NAN_ERROR(fun, errmsg))...
                         ^~~~~~~~~~~~~~~~~~~~~~~
../node_modules/nan/nan.h:298:50: note: expanded from
      macro '_NAN_ERROR'
  ..._NAN_ERROR(fun, errmsg) fun(v8::String::New(errmsg))
                                 ~~~~~~~~~~~~^
../node_modules/nan/nan.h:356:12: error: no member named
      'New' in 'v8::String'
    return _NAN_ERROR(v8::Exception::RangeError, errmsg);
           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../node_modules/nan/nan.h:298:50: note: expanded from
      macro '_NAN_ERROR'
  ..._NAN_ERROR(fun, errmsg) fun(v8::String::New(errmsg))
                                 ~~~~~~~~~~~~^
../node_modules/nan/nan.h:360:5: error: no member named
      'ThrowException' in namespace 'v8'
    _NAN_THROW_ERROR(v8::Exception::RangeError, errmsg);
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../node_modules/nan/nan.h:303:11: note: expanded from
      macro '_NAN_THROW_ERROR'
      v8::ThrowException(_NAN_ERROR(fun, errmsg))...
      ~~~~^
../node_modules/nan/nan.h:360:5: error: no member named
      'New' in 'v8::String'
    _NAN_THROW_ERROR(v8::Exception::RangeError, errmsg);
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../node_modules/nan/nan.h:303:26: note: expanded from
      macro '_NAN_THROW_ERROR'
      v8::ThrowException(_NAN_ERROR(fun, errmsg))...
                         ^~~~~~~~~~~~~~~~~~~~~~~
../node_modules/nan/nan.h:298:50: note: expanded from
      macro '_NAN_ERROR'
  ..._NAN_ERROR(fun, errmsg) fun(v8::String::New(errmsg))
                                 ~~~~~~~~~~~~^
../node_modules/nan/nan.h:668:49: error: too few
      arguments to function call, single argument
      'isolate' was not specified
    v8::Local obj = v8::Object::New();
                                ~~~~~~~~~~~~~~~ ^
/Users/[username]/.node-gyp/0.12.0/deps/v8/include/v8.h:2388:3: note: 
      'New' declared here
  static Local New(Isolate* isolate);
  ^
In file included from ../node-expat.cc:1:
../node_modules/nan/nan.h:669:14: error: no member named
      'NewSymbol' in 'v8::String'; did you mean
      'IsSymbol'?
    obj->Set(NanSymbol("callback"), fn);
             ^~~~~~~~~~~~~~~~~~~~~
../node_modules/nan/nan.h:159:38: note: expanded from
      macro 'NanSymbol'
#define NanSymbol(value) v8::String::NewSymbol(value)
                         ~~~~~~~~~~~~^
/Users/[username]/.node-gyp/0.12.0/deps/v8/include/v8.h:1379:8: note: 
      'IsSymbol' declared here
  bool IsSymbol() const;
       ^
In file included from ../node-expat.cc:1:
../node_modules/nan/nan.h:669:14: error: call to
      non-static member function without an object
      argument
    obj->Set(NanSymbol("callback"), fn);
             ^~~~~~~~~~~~~~~~~~~~~
../node_modules/nan/nan.h:159:38: note: expanded from
      macro 'NanSymbol'
#define NanSymbol(value) v8::String::NewSymbol(value)
                         ~~~~~~~~~~~~^~~~~~~~~
../node_modules/nan/nan.h:675:12: error: no member named
      'Dispose' in 'v8::Persistent >'
    handle.Dispose();
    ~~~~~~ ^
../node_modules/nan/nan.h:676:12: error: no member named
      'Clear' in 'v8::Persistent >'
    handle.Clear();
    ~~~~~~ ^
../node_modules/nan/nan.h:680:46: error: no member named
      'NewSymbol' in 'v8::String'; did you mean
      'IsSymbol'?
  ...NanSymbol("callback"))
     ^~~~~~~~~~~~~~~~~~~~~
../node_modules/nan/nan.h:159:38: note: expanded from
      macro 'NanSymbol'
#define NanSymbol(value) v8::String::NewSymbol(value)
                         ~~~~~~~~~~~~^
/Users/[username]/.node-gyp/0.12.0/deps/v8/include/v8.h:1379:8: note: 
      'IsSymbol' declared here
  bool IsSymbol() const;
       ^
fatal error: too many errors emitted, stopping now
      [-ferror-limit=]
20 errors generated.
make: *** [Release/obj.target/node_expat/node-expat.o] Error 1
gyp ERR! build error 
gyp ERR! stack Error: `make` failed with exit code: 2
gyp ERR! stack     at ChildProcess.onExit (/usr/local/lib/node_modules/npm/node_modules/node-gyp/lib/build.js:267:23)
gyp ERR! stack     at ChildProcess.emit (events.js:110:17)
gyp ERR! stack     at Process.ChildProcess._handle.onexit (child_process.js:1067:12)
gyp ERR! System Darwin 14.3.0
gyp ERR! command "node" "/usr/local/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js" "rebuild"
gyp ERR! cwd /Users/[username]/[company]/git/fi-ware-pep-proxy/node_modules/xml2json/node_modules/node-expat
gyp ERR! node -v v0.12.0
gyp ERR! node-gyp -v v1.0.2
gyp ERR! not ok 
npm ERR! Darwin 14.3.0
npm ERR! argv "node" "/usr/local/bin/npm" "install"
npm ERR! node v0.12.0
npm ERR! npm  v2.5.1
npm ERR! code ELIFECYCLE

npm ERR! [email protected] install: `node-gyp rebuild`
npm ERR! Exit status 1
npm ERR! 
npm ERR! Failed at the [email protected] install script 'node-gyp rebuild'.
npm ERR! This is most likely a problem with the node-expat package,
npm ERR! not with npm itself.
npm ERR! Tell the author that this fails on your system:
npm ERR!     node-gyp rebuild
npm ERR! You can get their info via:
npm ERR!     npm owner ls node-expat
npm ERR! There is likely additional logging output above.

npm ERR! Please include the following file with any support request:
npm ERR!     /Users/[username]/[company]/git/fi-ware-pep-proxy/npm-debug.log

Here follows the npm-debug.log, for further details:

0 info it worked if it ends with ok
1 verbose cli [ 'node', '/usr/local/bin/npm', 'info' ]
2 info using [email protected]
3 info using [email protected]
4 verbose config Skipping project config: /Users/[username]/.npmrc. (matches userconfig)
5 verbose stack Error: Invalid package.json
5 verbose stack     at /usr/local/lib/node_modules/npm/lib/view.js:79:30
5 verbose stack     at /usr/local/lib/node_modules/npm/node_modules/read-package-json/read-json.js:51:40
5 verbose stack     at /usr/local/lib/node_modules/npm/node_modules/read-package-json/read-json.js:97:49
5 verbose stack     at evalmachine.:265:20
5 verbose stack     at OpenReq.Req.done (/usr/local/lib/node_modules/npm/node_modules/graceful-fs/graceful-fs.js:141:5)
5 verbose stack     at OpenReq.done (/usr/local/lib/node_modules/npm/node_modules/graceful-fs/graceful-fs.js:61:22)
5 verbose stack     at FSReqWrap.oncomplete (evalmachine.:99:15)
6 verbose cwd /Users/[username]
7 error Darwin 14.3.0
8 error argv "node" "/usr/local/bin/npm" "info"
9 error node v0.12.0
10 error npm  v2.5.1
11 error Invalid package.json
12 error If you need help, you may report this error at:
12 error     
13 verbose exit [ 1, true ]

gyp ERR! on npm install

Hello Álvaro,

I have tried to install the Pep Proxy Wilma over an Ubuntu Server 14.04 and I always get the same problem when I run the following command:

npm install

The error I get is the following one:

gyp: Call to 'node -e "reqyre('nan')"' returned exit 127. while trying to load binding.gyp.

Do you have an idea about what can be happening?

Thanks in advance.

User token not authorized

Hi,

I have deployed wilma and idm in two different servers.

Following the documentation, my application asked the IdM for a code, which is then used to get the token for PEP Proxy access. Please see below:

[Thu Sep 10 15:52:14 2015] [error] DEBUG:idm_logger:API_KEYSTONE: POST to http://127.0.0.1:5000/v3/OS-OAUTH2/access_token with body redirect_uri=http://www.google.com&grant_type=authorization_code&code=ohcIKEnZ3ZnjhpQzZqz1h8Phzff76B and headers {'Content-Type': 'application/x-www-form-urlencoded', 'Authorization': 'Basic ZTkwNjJiNGFlNTNlNDY2YmEwOGEwZGRmZDk2NGJkYzc6ZTEwNzkyMDMyODMxNDk0NGFhZGZlZTI5ZTNjYjFiNGU='}

curl -X POST -v http://127.0.0.1/oauth2/token \
  -u "e9062b4ae53e466ba08a0ddfd964bdc7:e107920328314944aadfee29e3cb1b4e" \
  -d "redirect_uri=http://www.google.com" \
  -d "grant_type=authorization_code" \
  -d "code=ohcIKEnZ3ZnjhpQzZqz1h8Phzff76B"

* Closing connection #0
{"access_token": "0xDy1ebB13V1VNJ35boJkBdjxwrmgE", "expires_in": 3600, "token_type": "Bearer", "state": "xyz", "scope": "all_info", "refresh_token": "d0tmVk5TJXeNiZuI996ipwQWKqfocl"}

And this token is used to access to PEP Proxy
curl --header "X-Auth-Token: d0tmVk5TJXeNiZuI996ipwQWKqfocl" http://localhost

But the answer is
[TOKEN] Checking token with IDM...
User access-token not authorized

This is my config.js

config.account_host = 'http://192.168.90.20';

config.keystone_host = '192.168.90.20';
config.keystone_port = 5000;

config.app_host = '92.222.171.203';
config.app_port = '80';

config.username = 'pepproxy';
config.password = 'pepproxy';
config.check_permissions = false;

// options: oauth2/keystone
config.tokens_engine = 'oauth2';

Do you have any idea about what could be wrong?

[SHOULD] run tests on CI - test suite failing

A test suite is currently failing from the public codebase for this GE, and the tests should be run on CI. The standard testing framework is failing because it is attempting to connect to an external service (Keystone). The IDM at that endpoint does not support the current Keyrock /version endpoint which is being used as a heartbeat, hence the test does not run successfully.

The Unit tests should be self-contained and runnable without reference to an external service

Related: PR #78 , Issue: #74 , #50

Running tests on CI is a TSC SHOULD requirement

Moving from Docker Hub image tag 7.0.2 to 7.4.0 or later with Docker Compose causes "TypeError: Cannot read property 'secret' of undefined"

I am running a FIWARE system using Docker Compose which includes Orion, Keyrock, and Wilma. I use Wilma as a proxy in front of Orion, and using Keyrock as basic PDP. This system works as expected with Wilma 7.0.2 Docker Hub image, and I can request Orion entities if I have a correct access token. However, if I change the Wilma Docker Hub image used in docker-compose.yml from 7.0.2 to 7.4.0 or any later, this causes an error:

fiware-orion-proxy | TypeError: Cannot read property 'secret' of undefined
fiware-orion-proxy |     at pep (/opt/fiware-pep-proxy/controllers/root.js:58:28)
fiware-orion-proxy |     at Layer.handle [as handle_request] (/opt/fiware-pep-proxy/node_modules/express/lib/router/layer.js:95:5)
fiware-orion-proxy |     at next (/opt/fiware-pep-proxy/node_modules/express/lib/router/route.js:137:13)
fiware-orion-proxy |     at next (/opt/fiware-pep-proxy/node_modules/express/lib/router/route.js:131:14)
fiware-orion-proxy |     at next (/opt/fiware-pep-proxy/node_modules/express/lib/router/route.js:131:14)
fiware-orion-proxy |     at next (/opt/fiware-pep-proxy/node_modules/express/lib/router/route.js:131:14)
fiware-orion-proxy |     at next (/opt/fiware-pep-proxy/node_modules/express/lib/router/route.js:131:14)
fiware-orion-proxy |     at next (/opt/fiware-pep-proxy/node_modules/express/lib/router/route.js:131:14)
fiware-orion-proxy |     at next (/opt/fiware-pep-proxy/node_modules/express/lib/router/route.js:131:14)
fiware-orion-proxy |     at Route.dispatch (/opt/fiware-pep-proxy/node_modules/express/lib/router/route.js:112:3)

Problem seems to be connected to these lines in /controllers/root.js

 if (config.pep.token.secret) {
        jsonwebtoken.verify(authToken, config.pep.token.secret, function(
          err,
          userInfo
        ) {
...

Any help on getting to use the newer versions of Wilma running would be greatly appreciated!

Keystone's token validation endpoint used by PEP Proxy

I just installed PEP Proxy and I am trying to validate an access token through it.

PEP Proxy is running on my VM (192.168.112.130) on port 2000, as I configured it that way.

After I authenticate manually with Keystone, I take the subject token it returns and with it I make a GET request on:

http://192.168.112.130:2000

putting in as a header with name "X-Auth-Token", as described on the project's home page.

On the Keystone's console, where I can see all requests coming into Keystone, I see one to:

v3/access-token/{access-token}

which comes from PEP Proxy's attempt to validate my token.

The result PEP Proxy returns is:

User token not authorized

even though the token is indeed valid.

On Keystone's API specs, the /v3/auth/tokens is the endpoint specified to handle token validation instead of the one that PEP Proxy seems to be using, for which I didn't manage to find documentation somewhere.

Can you please give me some help with it?

Forgive me if I am missing some detail which might be the problem.

[SHOULD] Repo description, topics and URL link

Please click the edit button at the head of the repo and amend the description link and topics as shown (or similar):

Description:

Support for proxy functions within OAuth2-based authentication schemas. Also implements PEP functions within an XACML-based access control schema.

Link

https://fiware-pep-proxy.rtfd.io/

Topics

fiware, access-control, pep, pep-proxy

  • SHOULD requirement from the TSC.

The Dockerfile for release 5.2 installs master version.

The Dockerfile used for the release 5.2 image does not install the 5.2 release but uses master:

# Download latest version of the code and install npm dependencies
RUN git clone https://github.com/ging/fiware-pep-proxy.git && \
    cd fiware-pep-proxy && \
    npm install

Adding:

git checkout 5.2 && \

right after the clone should be enough.

[MUST] Respond to stale PRs in a holding state

Based on the reformulated definition of stale PRs, there are outstanding PRs over 3 months old which do not include a comment as to why they have not been merged or rejected.

Please update or close the PRs and close this issue once completed.

  • MUST requirement from TSC.

Use toBoolean with PEP_PROXY_ORG_ENABLED

enabled: process.env.PEP_PROXY_ORG_ENABLED || false,

I had some trouble with not being able to disable the organization header checking by setting the environment variable PEP_PROXY_ORG_ENABLED to false. But when I changed the config.js by changing config.organizations to:

config.organizations = {
  enabled: toBoolean(process.env.PEP_PROXY_ORG_ENABLED, false),
  header: process.env.PEP_PROXY_ORG_HEADER || 'fiware-service'
}

everything worked. It seems that using the toBoolean function was needed.

[SHOULD] run lint on CI

.travis is missing a before_script check to ensure the files are linted - i.e. npm run lint

Related PR - #78

  • Adding a lint check is a SHOULD requirement from the TSC

NPM install exits with code 1

When running npm install with the latest version of node (6.3.1) it crashes, with quite an extensive log (have a look in the attachments).

dump.txt

This crash seems to occur due to an old dependency.
