mod-codex-mux / MODCXMUX-55

Endpoints w/o required permissions


Details

    • eHoldings Sprint 76
    • 2
    • Spitfire

    Description

      Overview

      The codex and codex-packages interfaces don't have required permissions for any of their endpoints. This means you can technically call these w/o logging in first.

        "provides" : [ {
          "id" : "codex",
          "version" : "3.3",
          "handlers" : [ {
            "methods" : [ "GET" ],
            "pathPattern" : "/codex-instances"
          }, {
            "methods" : [ "GET" ],
            "pathPattern" : "/codex-instances/{id}"
          }, {
            "methods" : [ "GET" ],
            "pathPattern" : "/codex-instances-sources"
          } ]
        }, {
          "id" : "codex-packages",
          "version" : "1.0",
          "handlers" : [ {
            "methods" : [ "GET" ],
            "pathPattern" : "/codex-packages"
          }, {
            "methods" : [ "GET" ],
            "pathPattern" : "/codex-packages/{id}"
          }, {
            "methods" : [ "GET" ],
            "pathPattern" : "/codex-packages-sources"
          } ]
        } ]
      

      I think we probably want to protect these with requiredPermissions and also add those same required permissions to the other modules that implement these interfaces (e.g. mod-codex-ekb, mod-codex-inventory).

      See MODCDEKB-98 and MODCXINV-41
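      As an added example (not code from this issue or from mod-codex-mux), a small audit that parses a ModuleDescriptor, lists every handler whose permissionsRequired is absent or empty, and produces a hardened copy. The permission names it generates follow a hypothetical naming convention and are placeholders for the real FOLIO permission names; the sample descriptor is the "provides" block quoted above, wrapped into a complete JSON object.

```python
import json

# Constructed sample: the "provides" block quoted in the issue, made into a
# complete JSON object so json.loads() can parse it.
SAMPLE_DESCRIPTOR = json.loads("""
{ "provides": [ {
    "id": "codex", "version": "3.3",
    "handlers": [
      { "methods": ["GET"], "pathPattern": "/codex-instances" },
      { "methods": ["GET"], "pathPattern": "/codex-instances/{id}" },
      { "methods": ["GET"], "pathPattern": "/codex-instances-sources" } ]
  }, {
    "id": "codex-packages", "version": "1.0",
    "handlers": [
      { "methods": ["GET"], "pathPattern": "/codex-packages" },
      { "methods": ["GET"], "pathPattern": "/codex-packages/{id}" },
      { "methods": ["GET"], "pathPattern": "/codex-packages-sources" } ]
  } ] }
""")

def unprotected_handlers(descriptor):
    """(interface, method, pathPattern) for each handler whose permissionsRequired
    is absent or empty: mod-authtoken has nothing to check, so a request with no
    X-Okapi-Token is passed through (the 202 / x-okapi-permissions: [] above)."""
    found = []
    for iface in descriptor.get("provides", []):
        for h in iface.get("handlers", []):
            if not h.get("permissionsRequired"):
                for m in h.get("methods", []):
                    found.append((iface["id"], m, h["pathPattern"]))
    return found

def suggested_permission(iface_id, method, path):
    """Hypothetical naming used only here: '<interface>.item.<verb>' for paths
    with an {id} parameter, '<interface>.collection.<verb>' otherwise. Real
    FOLIO permission names come from the interface's RAML, not this function."""
    kind = "item" if "{" in path else "collection"
    return f"{iface_id}.{kind}.{method.lower()}"

def harden(descriptor):
    """Deep-copy the descriptor and give every open handler a permissionsRequired
    list, so Okapi/mod-authtoken rejects callers that lack the permission."""
    fixed = json.loads(json.dumps(descriptor))
    for iface in fixed.get("provides", []):
        for h in iface.get("handlers", []):
            if not h.get("permissionsRequired"):
                h["permissionsRequired"] = [
                    suggested_permission(iface["id"], m, h["pathPattern"])
                    for m in h.get("methods", [])]
    return fixed
```

      Run unprotected_handlers() against the real ModuleDescriptor of each module implementing these interfaces (mod-codex-ekb, mod-codex-inventory) to confirm the same gap before and after the fix.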

      Reproducer

      $ curl $OKAPI/codex-packages-sources -v -H "X-Okapi-Tenant: diku" -w '\n'
      *   Trying 52.72.80.49...
      * Connected to folio-testing-okapi.aws.indexdata.com (52.72.80.49) port 443 (#0)
      * found 148 certificates in /etc/ssl/certs/ca-certificates.crt
      * found 597 certificates in /etc/ssl/certs
      * ALPN, offering http/1.1
      * SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
      * 	 server certificate verification OK
      * 	 server certificate status verification SKIPPED
      * 	 common name: *.aws.indexdata.com (matched)
      * 	 server certificate expiration date OK
      * 	 server certificate activation date OK
      * 	 certificate public key: RSA
      * 	 certificate version: #3
      * 	 subject: CN=*.aws.indexdata.com
      * 	 start date: Thu, 23 May 2019 00:00:00 GMT
      * 	 expire date: Tue, 23 Jun 2020 12:00:00 GMT
      * 	 issuer: C=US,O=Amazon,OU=Server CA 1B,CN=Amazon
      * 	 compression: NULL
      * ALPN, server accepted to use http/1.1
      > GET /codex-packages-sources HTTP/1.1
      > Host: folio-testing-okapi.aws.indexdata.com
      > User-Agent: curl/7.47.0
      > Accept: */*
      > X-Okapi-Tenant: diku
      > 
      < HTTP/1.1 200 OK
      < Date: Fri, 27 Sep 2019 17:52:51 GMT
      < Content-Type: application/json
      < Transfer-Encoding: chunked
      < Connection: keep-alive
      < X-Okapi-Trace: GET mod-authtoken-2.4.0-SNAPSHOT.57 http://10.36.1.54:9132/codex-packages-sources : 202 2949us
      < x-forwarded-for: 140.234.253.9
      < x-forwarded-proto: https
      < x-forwarded-port: 443
      < host: folio-testing-okapi.aws.indexdata.com
      < x-amzn-trace-id: Root=1-5d8e4c73-ba1f95da463b1a94b4797aea
      < user-agent: curl/7.47.0
      < accept: */*
      < x-okapi-tenant: diku
      < x-okapi-request-id: 659345/codex-packages-sources
      < x-okapi-url: http://10.36.1.54:9130
      < x-okapi-request-ip: 10.36.1.246
      < x-okapi-request-timestamp: 1569606771596
      < x-okapi-request-method: GET
      < x-okapi-permissions: []
      < x-okapi-match-path-pattern: /codex-packages-sources
      < X-Okapi-Trace: GET mod-codex-mux-2.7.0-SNAPSHOT.84 http://10.36.1.54:9156/codex-packages-sources : 200 27262us
      < 
      {
        "sources" : [ {
          "id" : "kb",
          "name" : "mod-codex-ekb-1.5.0"
        } ]
      * Connection #0 to host folio-testing-okapi.aws.indexdata.com left intact
      }
      

      Please ensure that the module is fully tested after these permissions are added.

              People

                andrii.paias Andrii Paias
                cmcnally Craig McNally