Internal Processing Error in TR when domain constraint does not match

Bug #1464800 reported by Stefan Paetow
Affects: Moonshot Trust-Router
Status: Triaged
Importance: Low
Assigned to: Unassigned

Bug Description

Today I made a spelling mistake when I set up a new trust router infrastructure. I misspelled the domain constraint for the downstream trust router in the infrastructure, using 'l2tr.level1.localdomain' when its actual name is 'l2tr.level2.localdomain'.

The consequence of this is that I saw an 'Internal Processing Error' during an initial TIDC request to check whether the infrastructure was set up correctly.

The log and config from the L1TR (upstream) and the config from the L2TR (downstream) trust routers are attached.

The command used on the downstream trust router was this:

tidc l2tr.level2.localdomain tr.level2.realm apc.trust.realm apc.trust.realm

Revision history for this message
Stefan Paetow (stefan-paetow) wrote :
Revision history for this message
Sam Hartman (hartmans) wrote :

The interesting output to see here would be the output from the ultimate tids.
Looking at the code, what's probably happening is that the intersected constraint set in handle_authorizations is empty for domain, so that function returns -1. It probably should print an error at that point.
In this instance we have an authorization problem. It's not clear we want to return a very helpful error to the client (or intermediate trust routers).
How reasonable would it be to return "unauthorized request" or similar in this situation? Or perhaps better "Responding TIDS declines authorization," to give someone a hint that what they really want to do is look at the tids logs.

Revision history for this message
Stefan Paetow (stefan-paetow) wrote :

Which TIDS would that be? The TIDS on the APC?

If the domain constraints are empty in a trust configuration, does it generate the same error?

Revision history for this message
Sam Hartman (hartmans) wrote : Re: [Bug 1464800] Re: Internal Processing Error in TR when domain constraint does not match

>>>>> "Stefan" == Stefan Paetow <email address hidden> writes:

    Stefan> Which TIDS would that be? The TIDS on the APC? If the
    Stefan> domain constraints are empty in a trust configuration, does
    Stefan> it generate the same error?

I'd assume the tids on the target idp realm.

If all constraints are empty you get a different behavior.
Namely, you get no authorization database entries.

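The two comments above describe the same decision from opposite ends: an intersected domain constraint set that comes out empty (the misspelled constraint), and a configuration with no constraints at all (no authorization database entries). The C below is an added example, not Trust Router code, that models that decision and maps each outcome to a distinct result so the client sees "Responding TIDS declines authorization" rather than "Internal Processing Error". Assumptions: the pattern syntax (a leading '*' matches any prefix, otherwise exact match), the treatment of "no constraints anywhere" as a decline, and all function and type names are mine, chosen for illustration; the sample constraint sets are constructed from the values in the report.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Outcome of checking a domain against the constraint sets carried along the
 * trust path. A mismatch is an authorization outcome and is reported as one;
 * only malformed input is an internal error. */
typedef enum {
    AUTHZ_GRANTED = 0,
    AUTHZ_DECLINED,        /* constraints present, none admits the domain */
    AUTHZ_NO_CONSTRAINTS,  /* no constraints at all: nothing to intersect */
    AUTHZ_INTERNAL_ERROR   /* malformed input; the only genuine bug       */
} authz_result_t;

#define MAX_PATTERNS 8

/* One hop's domain constraints. A pattern may start with '*' to match any
 * prefix, e.g. "*.level2.localdomain". Assumed rule, not the project's. */
typedef struct {
    const char *patterns[MAX_PATTERNS];
    size_t count;
} domain_constraints_t;

static int domain_matches(const char *domain, const char *pattern)
{
    if (pattern[0] == '*') {
        const char *suffix = pattern + 1;
        size_t dl = strlen(domain), sl = strlen(suffix);
        return dl >= sl && strcmp(domain + dl - sl, suffix) == 0;
    }
    return strcmp(domain, pattern) == 0;
}

/* Every hop that carries constraints must admit the domain; the intersection
 * is empty as soon as one constrained hop admits nothing. Hops with no
 * constraints impose none. If no hop constrains anything, say so separately. */
static authz_result_t authorize_domain(const char *domain,
                                       const domain_constraints_t *hops,
                                       size_t n_hops)
{
    size_t total = 0;
    if (domain == NULL || domain[0] == '\0' || (hops == NULL && n_hops > 0))
        return AUTHZ_INTERNAL_ERROR;
    for (size_t h = 0; h < n_hops; h++) {
        total += hops[h].count;
        if (hops[h].count == 0)
            continue;
        int admitted = 0;
        for (size_t p = 0; p < hops[h].count && !admitted; p++)
            admitted = domain_matches(domain, hops[h].patterns[p]);
        if (!admitted)
            return AUTHZ_DECLINED;
    }
    return total == 0 ? AUTHZ_NO_CONSTRAINTS : AUTHZ_GRANTED;
}

/* Client-facing text stays generic; the detail goes to the responder's log. */
static const char *client_message(authz_result_t r)
{
    switch (r) {
    case AUTHZ_GRANTED:        return "ok";
    case AUTHZ_DECLINED:       /* fall through */
    case AUTHZ_NO_CONSTRAINTS: return "Responding TIDS declines authorization";
    default:                   return "Internal Processing Error";
    }
}

static void log_decision(const char *domain, authz_result_t r,
                         const domain_constraints_t *hops, size_t n_hops)
{
    fprintf(stderr, "authz: domain=%s result=%d\n", domain, (int)r);
    for (size_t h = 0; h < n_hops; h++)
        for (size_t p = 0; p < hops[h].count; p++)
            fprintf(stderr, "  hop %zu constraint[%zu]=%s match=%d\n", h, p,
                    hops[h].patterns[p],
                    domain_matches(domain, hops[h].patterns[p]));
}

/* The report's misconfiguration: the upstream L1TR constrains the downstream
 * router to l2tr.level1.localdomain; its real name is l2tr.level2.localdomain. */
static authz_result_t scenario_misspelled(void)
{
    domain_constraints_t hops[2] = {
        { { "l2tr.level1.localdomain" }, 1 },  /* L1TR, misspelled constraint */
        { { NULL }, 0 }                         /* L2TR, no constraints        */
    };
    authz_result_t r = authorize_domain("l2tr.level2.localdomain", hops, 2);
    log_decision("l2tr.level2.localdomain", r, hops, 2);
    return r;
}

/* Same path with the constraint spelled correctly (wildcard form). */
static authz_result_t scenario_corrected(void)
{
    domain_constraints_t hops[2] = {
        { { "*.level2.localdomain" }, 1 }, { { NULL }, 0 }
    };
    return authorize_domain("l2tr.level2.localdomain", hops, 2);
}

/* No constraints anywhere: the "different behaviour" from the comment. */
static authz_result_t scenario_unconstrained(void)
{
    domain_constraints_t hops[2] = { { { NULL }, 0 }, { { NULL }, 0 } };
    return authorize_domain("l2tr.level2.localdomain", hops, 2);
}

int main(void)
{
    printf("misspelled:    %s\n", client_message(scenario_misspelled()));
    printf("corrected:     %s\n", client_message(scenario_corrected()));
    printf("unconstrained: %s\n", client_message(scenario_unconstrained()));
    return 0;
}
```

The per-hop loop stops at the first constrained hop that admits nothing, which is the "intersected constraint set is empty" case; the separate AUTHZ_NO_CONSTRAINTS result keeps the empty-configuration case distinguishable in the responder's log even though the client sees the same generic decline.
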
Revision history for this message
Stefan Paetow (stefan-paetow) wrote :

Yes, in that case that would be the APC then. I can re-generate that. It's easily reproduced :-)

Margaret Cullen (mrw42)
Changed in moonshot-tr:
importance: Undecided → Low
status: New → Triaged