Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

api-server-rest should not produce HTTP 500 on failed policy validation #587

Open
mkulke opened this issue Jun 14, 2024 · 0 comments
Open

Comments

@mkulke
Copy link
Contributor

mkulke commented Jun 14, 2024

At the moment, if a user requests a secret via ASR and in a CoCoAS the requests does not pass the rego police, the result for the user will be http status "500 internal error". this error code is probably not correct, since it indicates that the fault is not a fixable issue, but a technical problem in the guts of KBS or AS. However, the service works as intended, the policy needs to be adjusted to allow the release of the secret to this particular TEE.

An appropriate response code would be 401 unauthorized, IMO. I think KBS will already answer with this error code, but we would need to wire it through all layers of intermediate RPCs.

ASR response:

curl -v http://127.0.0.1:8006/cdh/resource/default/key/doesntexist
*   Trying 127.0.0.1:8006...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to 127.0.0.1 (127.0.0.1) port 8006 (#0)
> GET /cdh/resource/default/key/doesntexist HTTP/1.1
> Host: 127.0.0.1:8006
> User-Agent: curl/7.74.0
> Accept: */*
>
  0     0    0     0    0     0      0      0 --:--:--  0:00:04 --:--:--     0* Mark bundle as not supporting multiuse
< HTTP/1.1 500 Internal Server Error
< content-length: 216
< date: Fri, 14 Jun 2024 09:30:14 GMT
<
{ [216 bytes data]
100   216  100   216    0     0     45      0  0:00:04  0:00:04 --:--:--    45
* Connection #0 to host 127.0.0.1 left intact
rpc status: Status { code: INTERNAL, message: "[CDH] [ERROR]: Get Resource failed", details: [], special_fields: SpecialFields { unknown_fields: UnknownFields { fields: None }, cached_size: CachedSize { size: 0 } } }

KBS log:

[2024-06-14T08:24:41Z INFO  actix_web::middleware::logger] 10.244.1.1 "POST /kbs/v0/attest HTTP/1.1" 401 215 "-" "attestation-agent-kbs-client/0.1.0" 0.005681
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant