REST API - 401, role problems

Hello :slight_smile:
So the last nightly build corrected the HTTPS problem I had … but there seems to be a problem with the roles now.

Here is a simple test:

    $Test = New-UDEndpoint -Url "/test" -Method GET -Endpoint {
        "a"
    } -AuthorizedRole "Admin"

    $AuthMethod = New-UDAuthenticationMethod -Endpoint {
      param([PSCredential]$Credential)
      $role = @('Admin')
      $token = Grant-UDJsonWebToken -Identity $Credential.UserName -Role $role
      New-UDAuthenticationResult -Success -UserName $Credential.UserName -Token $token -Role $role
    }

    Start-UDRestApi -Port 10001 -Endpoint @(
      $Test
    ) -AuthenticationMethod $AuthMethod

I can get a token, but then if I test my test route I get a 401 unauthorized return:

    PS C:\Temp> 10:29:49 [Info] Microsoft.AspNetCore.Hosting.Internal.WebHost Request starting HTTP/1.1 GET http://localhost:10001/api/test
    10:29:49 [Info] Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker Route matched with {action = "GetEndpoint", controller = "Component"}. Executing action UniversalDashboard.Controllers.ComponentController.GetEndpoint (UniversalDashboard)
    10:29:49 [Debug] AuthorizationHandler Configuring authorization for session:47df1c52-e18b-48bb-b3cd-f5f04a78045d
    10:29:49 [Debug] AuthorizationHandler No valid authorization policies for session.
    10:29:49 [Debug] AuthorizationHandler No valid roles for session.
    10:29:49 [Info] Microsoft.AspNetCore.Authorization.DefaultAuthorizationService Authorization failed.
    10:29:49 [Info] Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'.
    10:29:49 [Info] Microsoft.AspNetCore.Mvc.ChallengeResult Executing ChallengeResult with authentication schemes (Cookies).
    10:29:49 [Info] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler AuthenticationScheme: Cookies was challenged.
    10:29:49 [Info] Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker Executed action UniversalDashboard.Controllers.ComponentController.GetEndpoint (UniversalDashboard) in 2.2556ms
    10:29:49 [Info] Microsoft.AspNetCore.Session.DistributedSession Session started; Key:6e36d955-940b-52c4-ed87-4c8e5eebe214, Id:c77fcfa3-df02-b237-e714-1adc06b6674b
    10:29:49 [Info] Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker Route matched with {action = "GetEndpoint", controller = "Component"}. Executing action UniversalDashboard.Controllers.ComponentController.GetEndpoint (UniversalDashboard)
    10:29:49 [Debug] AuthorizationHandler Configuring authorization for session:2c18bc5a-379d-4985-85e7-78ed571338af
    10:29:49 [Debug] AuthorizationHandler No valid authorization policies for session.
    10:29:49 [Debug] AuthorizationHandler No valid roles for session.
    10:29:49 [Info] Microsoft.AspNetCore.Authorization.DefaultAuthorizationService Authorization failed.
    10:29:49 [Info] Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'.
    10:29:49 [Info] Microsoft.AspNetCore.Mvc.ChallengeResult Executing ChallengeResult with authentication schemes (Cookies).
    10:29:49 [Info] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler AuthenticationScheme: Cookies was challenged.
    10:29:49 [Info] Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker Executed action UniversalDashboard.Controllers.ComponentController.GetEndpoint (UniversalDashboard) in 2.393ms
    10:29:49 [Info] Microsoft.AspNetCore.Session.DistributedSession Session started; Key:4ec60dfb-f1e2-77ed-bd8f-af5f8494d9c9, Id:f3c42067-29ef-53f9-2747-5e33b2e1f6a6
    10:29:49 [Info] Microsoft.AspNetCore.Hosting.Internal.WebHost Request finished in 15.4597ms 401

I’m using this release: https://github.com/ironmansoftware/universal-dashboard-enterprise/releases/tag/nightly.20191211.1

Am I doing something wrong???

I tried the new nightly but the problem is still present; I now have an error 500 instead of a 401 … :frowning:

I enabled logging, and when I do a Start-UDRestApi I have the following warning:

    23:22:56 [Info] StartDashboardCommand  -  - False
    23:22:57 [Debug] CustomAssemblyLoadContext Pointer Size:8
    23:22:57 [Debug] CustomAssemblyLoadContext Loading files in native directory: C:\temp\universaldashboard\net472\runtimes\win-x64\native
    23:22:57 [Warn] CustomAssemblyLoadContext Native file path does not exist. Universal Dashboard may not work. C:\temp\universaldashboard\net472\runtimes\win-x64\native
    23:22:57 [Debug] EndpointService Register() 7618430e-b194-4e45-b362-c1c0648e1bd3 /test
    23:22:57 [Debug] EndpointService Register() login

I’m not sure that the warning is related - CustomAssemblyLoadContext Native file path does not exist

Fixed in the latest version

The nightly was failing. I fixed the issue with it and you shouldn’t get the 500 error any more.

Yes, the error is fixed, even if the warning is still present when you start the server.
Roles seem broken too, as described in my initial post: I got a 401 unauthorized, even if the token contains the right role.

Ok. I will file a bug and look to get that fixed.

Thanks

In this type of case, do you prefer an issue on your GitHub directly?

Yeah. In the case of a bug like this feel free to open an issue on GitHub. I’ve already filed one for this case but feel free to do so in the future.

I’ve fixed an issue with REST API roles and it will be in tonight’s build. Please give that a shot and let me know if it works for you.

The fix does not appear in the last nightly of UD Enterprise.
You did put a milestone on this issue, so I can wait for the 2.8.1 :slight_smile:

This was in last night’s build…

These are the tests that have been added to check for role access. Am I missing a test case?

    Context "authenticated endpoint" {
        $AdminEndpoint = New-UDEndpoint -Url "admin" -Method "GET" -endpoint {
            "Admin"
        } -AuthorizedRole "Admin"

        $UserEndpoint = New-UDEndpoint -Url "notAdmin" -Method "GET" -endpoint {
            "User"
        } -AuthorizedRole @("Admin", "User")

        $Server = Start-UDRestApi -Port 10001 -Endpoint @($AdminEndpoint, $UserEndpoint) -AuthenticationMethod (
            New-UDAuthenticationMethod -Issuer "Adam"
        )

        It "should return admin to admin" {
            $Token = Grant-UDJsonWebToken -UserName "adam" -Role "Admin" -Issuer "Adam"
            Invoke-RestMethod http://localhost:10001/api/admin -Headers @{ Authorization = "Bearer $Token" } -ContentType "application/json" | should be "Admin"
        }

        It "should not return admin to user" {
            $Token = Grant-UDJsonWebToken -UserName "adam" -Role "User" -Issuer "Adam"

            # Assert on the throw itself. A failing assertion placed inside try with an
            # empty catch is swallowed, so the test would pass even if access were granted.
            { Invoke-RestMethod http://localhost:10001/api/admin -Headers @{ Authorization = "Bearer $Token" } -ContentType "application/json" } | should throw
        }

        It "should return user to user" {
            $Token = Grant-UDJsonWebToken -UserName "adam" -Role "User" -Issuer "Adam"
            Invoke-RestMethod http://localhost:10001/api/notAdmin -Headers @{ Authorization = "Bearer $Token" } -ContentType "application/json" | should be "User"
        }

        It "should return user  to admin" {
            $Token = Grant-UDJsonWebToken -UserName "adam" -Role "Admin" -Issuer "Adam"
            Invoke-RestMethod http://localhost:10001/api/notAdmin -Headers @{ Authorization = "Bearer $Token" } -ContentType "application/json" | should be "User"
        }

        $Server| Stop-UDDashboard
        Stop-UDRestApi $Server
    }

You are right, it’s working … the only difference I see is that the grant-udtoken is invoked inside the authmethod in my case :confused: and it’s still not working …

Ok. Adding a test case for that to see if I can reproduce locally.

This is working for me in the latest:

        $AdminEndpoint = New-UDEndpoint -Url "admin" -Method "GET" -endpoint {
            "Admin"
        } -AuthorizedRole "Admin"

        $UserEndpoint = New-UDEndpoint -Url "notAdmin" -Method "GET" -endpoint {
            "User"
        } -AuthorizedRole @("Admin", "User")

        $Server = Start-UDRestApi -Port 10001 -Endpoint @($AdminEndpoint, $UserEndpoint) -AuthenticationMethod @(
            New-UDAuthenticationMethod -Issuer "Adam"
            New-UDAuthenticationMethod -Endpoint {
                param([PSCredential]$Credential)
                $role = @('Admin')
                $token = Grant-UDJsonWebToken -Identity $Credential.UserName -Role $role -Issuer 'Adam'
                New-UDAuthenticationResult -Success -UserName $Credential.UserName -Token $token -Role $role
              }
        )

        $Token = (Invoke-RestMethod http://localhost:10001/api/login -Method POST -Body @{ UserName = "Admin"; Password = "Test" }).Token
        Invoke-RestMethod http://localhost:10001/api/admin -Headers @{ Authorization = "Bearer $Token" } -ContentType "application/json" | should be "Admin"

I think the trick is that I specified 2 auth methods. One is for the auth creds and then one is for the JWT.

If I remove the first AuthMethod, I get 401s for a bunch of my tests.

OK, so do I need to specify 2 auth methods? Or is this a bug?? :slight_smile:

After some thought, I’m going to call this expected behavior but it needs to be documented.

The reason is that you need a way to configure the JWT options like Issuer and SigningKey. That’s why we need the additional authentication method.

I’ll file an issue to get something documented for this.
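
A troubleshooting aid for the "token contains the right role but I still get a 401" case in this thread, as an added example that is not part of the original posts or of Universal Dashboard's own code: it decodes a JWT payload offline so the issuer and role claims can be compared with the `-Issuer` value the API is configured with. The function names, the sample token and the `role` claim name are assumptions made for illustration.

```powershell
function ConvertTo-Base64Url([string]$Text) {
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text))
    $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url([string]$Text) {
    # JWT segments are base64url with the '=' padding stripped; restore it first.
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        1 { throw 'Invalid base64url segment length.' }
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Test-JwtClaims {
    # Decodes only; the signature is NOT verified, so never use this to authorize a request.
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$ExpectedIssuer,
        [Parameter(Mandatory)][string]$RequiredRole,
        [string]$RoleClaim = 'role'   # assumption: the claim name depends on the issuer
    )
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Expected three dot-separated JWT segments.' }
    $payload = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $roles   = @($payload.$RoleClaim)
    $expired = $false
    if ($null -ne $payload.exp) {
        $expired = [DateTimeOffset]::FromUnixTimeSeconds([long]$payload.exp) -lt [DateTimeOffset]::UtcNow
    }
    [pscustomobject]@{
        Issuer      = $payload.iss
        IssuerMatch = ($payload.iss -ceq $ExpectedIssuer)
        Roles       = $roles
        HasRole     = ($roles -contains $RequiredRole)
        Expired     = $expired
    }
}

# Constructed sample token: right role, but not the issuer the API is configured for.
$sample = @(
    ConvertTo-Base64Url '{"alg":"HS256","typ":"JWT"}'
    ConvertTo-Base64Url '{"sub":"adam","iss":"SomeOtherIssuer","role":["Admin"],"exp":4102444800}'
    'constructed-signature'
) -join '.'
Test-JwtClaims -Token $sample -ExpectedIssuer 'Adam' -RequiredRole 'Admin'
```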

Ah … I thought I could do this with grant-udtoken directly, so I was wrong from the start xD sorry :stuck_out_tongue: