
Problem with endpoint_info permission on Back-End side #2677

Closed
ct-anaalbic opened this issue Aug 9, 2019 · 6 comments
Assignees
Labels
Bug This is a bug or an unexpected behaviour. Fix it!

Comments

@ct-anaalbic (Contributor)

Describe the bug
On the GUI side, if a user who does not have the endpoint_info permission tries to find an endpoint without the account permission, it will not work. Also, if the same user tries to edit or delete an endpoint, in every case it won't be possible. But in tests, a scenario like this passes.

To Reproduce
Steps to reproduce the behavior:

  1. Login as kapua-sys or any other user that has proper permissions
  2. Create user user1
  3. Create role role1
  4. Create endpoint endpoint1
  5. Create permission with domain endpoint_info, and add permission to the role role1
  6. Add role1 to the user user1
  7. Logout
  8. Login as user user1
  9. Try to find, edit or delete endpoint endpoint1

Expected behavior
This scenario cannot be reproduced on the GUI side (if the user has the account permission he can see the endpoint in the Settings tab, but can't add or delete an endpoint). In the Cucumber test scenarios, this is possible.

Screenshots
Screenshot1 (GUI - User has account and endpoint permissions and he can see the endpoint - deployment info, but can't add a new one, or delete and edit an existing endpoint)

Screenshot2 (Cucumber Test Scenario - find, edit and delete endpoint steps passed when the user has only the endpoint_info permission)

Version of Kapua
develop Kapua

Type of deployment
[ ] Local Vagrant deployment
[ ] Docker
[ ] Openshift (in its variants)
[ ] Others

Main component affected
[ ] Console (in case of console please report info on which browser you encountered the problem)
[ ] REST API
[ ] Message Broker
[ ] Others

Additional context
I am not sure, but is this really an issue?

@ct-anaalbic ct-anaalbic changed the title Problem with endpoint_info permission on back end side Problem with endpoint_info permission on Back-End side Aug 9, 2019
@Coduz Coduz self-assigned this Aug 28, 2019
@Coduz (Contributor)

Coduz commented Aug 30, 2019

Hi @ct-anaalbic ,

Uhmmm, it seems like a corner case. All you said is true.
But this is due to the fact that the Settings view is reserved to users with the account:view permission.

A strange thing is that user1 is able to edit and delete, since the permissions required to perform those actions are:

```java
// update
AUTHORIZATION_SERVICE.checkPermission(PERMISSION_FACTORY.newPermission(EndpointInfoDomains.ENDPOINT_INFO_DOMAIN, Actions.write, null));

// delete
AUTHORIZATION_SERVICE.checkPermission(PERMISSION_FACTORY.newPermission(EndpointInfoDomains.ENDPOINT_INFO_DOMAIN, Actions.delete, null));
```

So both require admin access, or at least a permission like endpoint_info:*:*

I can see that the permissions in the test are created with the scopeId but not the targetScopeId.
This likely means that the permissions assigned to that role are:
endpoint_info:read:*
endpoint_info:write:*
endpoint_info:delete:*

Could you please check?

Regards,

Alberto

@ct-anaalbic (Contributor, Author)

Hi @Coduz,

Yes, I will check this.

Regards,
Ana

@ct-anaalbic (Contributor, Author)

ct-anaalbic commented Sep 3, 2019

Hi @Coduz,

I checked this. If the role permissions are created with scopeId, then the permissions assigned to the role are:
endpoint_info:read:*
endpoint_info:write:*
endpoint_info:delete:*

But can the user modify or add endpoints in any case? On the GUI the user is not able to work completely with endpoints. The user can only see endpoints if he has permissions with the endpoint_info and account domains, but adding or deleting endpoints is disabled in every case. In the test scenario, all actions with endpoints have passed with only the endpoint_info permission (adding an endpoint, deleting an endpoint and so on).

Regards,

Ana

@ct-anaalbic (Contributor, Author)

I just tried to delete or edit an endpoint with a user who has endpoint_info permissions created with targetScopeId. This way, only searching for endpoints is enabled. Other actions, like editing or adding endpoints, are not allowed. Maybe this is the solution?

Regards,

Ana
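A simplified model of the domain:action:targetScopeId permission strings and the null-targetScopeId checks quoted in Alberto's Aug 30 comment, and of the scopeId-only versus targetScopeId behaviour Ana confirmed in her follow-ups. This is an added example, not Kapua's own code; it assumes Shiro-style wildcard matching (a check made with a null targetScopeId is satisfied only by a grant whose target scope is `*`), and the scope id 42 is a constructed value.

```python
"""Added example (not Kapua's code): simplified domain:action:targetScopeId
permissions. Assumption: Shiro-style wildcard matching, where a check made
with a null targetScopeId needs a grant whose target scope is '*'."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Permission:
    domain: str
    action: str                  # read, write, delete or '*'
    target_scope: Optional[str]  # scope id, '*' (any scope) or None (unspecified)

    @classmethod
    def parse(cls, text: str) -> "Permission":
        """Parse 'domain:action' or 'domain:action:targetScopeId'."""
        parts = text.split(":")
        if len(parts) not in (2, 3) or not all(parts):
            raise ValueError(f"malformed permission: {text!r}")
        return cls(parts[0], parts[1], parts[2] if len(parts) == 3 else None)

    def implies(self, required: "Permission") -> bool:
        """Does this granted permission satisfy the required one?"""
        if self.domain != required.domain:
            return False
        if self.action not in ("*", required.action):
            return False
        if required.target_scope is None:
            # checkPermission(..., null): only a wildcard target scope is enough
            return self.target_scope == "*"
        return self.target_scope in ("*", required.target_scope)


def grant(domain: str, action: str, target_scope_id: Optional[int] = None) -> Permission:
    """Create a role permission: omitting targetScopeId yields target scope '*'."""
    return Permission(domain, action, "*" if target_scope_id is None else str(target_scope_id))


def is_allowed(granted: List[Permission], required: str) -> bool:
    req = Permission.parse(required)
    return any(g.implies(req) for g in granted)


# Constructed scenario: role1 created with scopeId only (as in the Cucumber test) ...
ROLE_SCOPE_ONLY = [grant("endpoint_info", a) for a in ("read", "write", "delete")]
# ... versus the same role created with targetScopeId = 42 (constructed id)
ROLE_TARGET_SCOPED = [grant("endpoint_info", a, 42) for a in ("read", "write", "delete")]

if __name__ == "__main__":
    print(is_allowed(ROLE_SCOPE_ONLY, "endpoint_info:write"))       # True: test step passed
    print(is_allowed(ROLE_TARGET_SCOPED, "endpoint_info:write"))    # False: GUI behaviour
    print(is_allowed(ROLE_TARGET_SCOPED, "endpoint_info:read:42"))  # True: search still works
```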

@Coduz (Contributor)

Coduz commented Sep 13, 2019

Hi @ct-anaalbic ,

Sorry for the long wait.

The endpoint can only be edited by kapua-sys. This is because the host name usually must match a DNS record or a specific IP of the deployment.
So this is something that a regular user should not be able to manage.

Instead, this info must be available to all users, since it is meant to be public domain, for example to know which is the broker URL.

Regards,

Alberto

@Coduz Coduz added the Bug This is a bug or an unexpected behaviour. Fix it! label Oct 1, 2019
@ct-anaalbic (Contributor, Author)

I closed this because the issue is resolved.
