At the moment, if a user requests a secret via ASR and in a CoCoAS the request does not pass the Rego policy, the result for the user will be HTTP status "500 internal error". This error code is probably not correct, since it indicates that the fault is not a fixable issue, but a technical problem in the guts of KBS or AS. However, the service works as intended; the policy needs to be adjusted to allow the release of the secret to this particular TEE.

An appropriate response code would be `401 unauthorized`, IMO. I think KBS will already answer with this error code, but we would need to wire it through all layers of intermediate RPCs.

ASR response:

```
curl -v http://127.0.0.1:8006/cdh/resource/default/key/doesntexist
* Trying 127.0.0.1:8006...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Connected to 127.0.0.1 (127.0.0.1) port 8006 (#0)
> GET /cdh/resource/default/key/doesntexist HTTP/1.1
> Host: 127.0.0.1:8006
> User-Agent: curl/7.74.0
> Accept: */*
>
0 0 0 0 0 0 0 0 --:--:-- 0:00:04 --:--:-- 0* Mark bundle as not supporting multiuse
< HTTP/1.1 500 Internal Server Error
< content-length: 216
< date: Fri, 14 Jun 2024 09:30:14 GMT
<
{ [216 bytes data]
100 216 100 216 0 0 45 0 0:00:04 0:00:04 --:--:-- 45
* Connection #0 to host 127.0.0.1 left intact
rpc status: Status { code: INTERNAL, message: "[CDH] [ERROR]: Get Resource failed", details: [], special_fields: SpecialFields { unknown_fields: UnknownFields { fields: None }, cached_size: CachedSize { size: 0 } } }
```

KBS log: