Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] /api/v1/<user.ID>/key returns 401/403 if user hasn't key #2069

Closed
nikoIkonen opened this issue Jun 8, 2021 · 0 comments
Closed

[Bug] /api/v1/<user.ID>/key returns 401/403 if user hasn't key #2069

nikoIkonen opened this issue Jun 8, 2021 · 0 comments
Assignees
@To-om
Labels
bug TheHive4 TheHive4 related issues
Milestone
4.1.6

Comments

@nikoIkonen
Copy link

nikoIkonen commented Jun 8, 2021
edited
Loading

Request Type

Bug

Work Environment

Question Answer
OS version (server) Debian
OS version (client) Stretch
Virtualized Env. True
Dedicated RAM 6 GB
vCPU 4
TheHive version / git hash 4.1.4-1
Package Type DEB,
Database Cassandra
Index type Lucene
Attachments storage Local
Browser type & version not applicable

Problem Description

When calling API endpoint /api/v1/user//key as admin when userID does NOT have key created, will return error code 401 or 403 and not expected 404. Endpoint works correctly when api key has been generated.

Steps to Reproduce

  1. Create a new user to organization, don't create a API key.
  2. Call API to get KEY, curl -k -H 'Authorization: Bearer <adminApiKey>' https://localhost/api/v1/user/<userID>/key
  3. Get HTTP 401/403 See another issue 2070
  4. Get correct error message in thehive application.log "User hasn't key"

Complementary information

To me it seems like getKey returns failure and it is then interpreted as failure in authentication.

Excerpt from the application.log:
2021-06-08 16:20:19,452 [WARN] from org.thp.thehive.services.TOTPAuthSrv in application-akka.actor.default-dispatcher-12 [00000005|] session fails: org.thp.scalligraph.AuthorizationError: Operation not supported
2021-06-08 16:20:19,452 [WARN] from org.thp.thehive.services.TOTPAuthSrv in application-akka.actor.default-dispatcher-12 [00000005|] basic fails: org.thp.scalligraph.AuthorizationError: Operation not supported
2021-06-08 16:20:19,452 [WARN] from org.thp.thehive.services.TOTPAuthSrv in application-akka.actor.default-dispatcher-12 [00000005|] local fails: org.thp.scalligraph.AuthorizationError: Operation not supported
2021-06-08 16:20:19,452 [WARN] from org.thp.thehive.services.TOTPAuthSrv in application-akka.actor.default-dispatcher-12 [00000005|] key fails: org.thp.scalligraph.NotFoundError: User userID hasn't key
2021-06-08 16:20:19,452 [WARN] from org.thp.scalligraph.ErrorHandler in application-akka.actor.default-dispatcher-12 [00000005|] GET /api/v1/user/~16432/key returned 403
@nikoIkonen nikoIkonen added bug TheHive4 TheHive4 related issues labels Jun 8, 2021
@nikoIkonen nikoIkonen mentioned this issue Jun 8, 2021
Closed
@nikoIkonen nikoIkonen changed the title [Bug] /api/v1/<user.ID>/key returns 401/403 if key does not found [Bug] /api/v1/<user.ID>/key returns 401/403 if user hasn't key Jun 8, 2021
@nadouani nadouani added this to the 4.1.6 milestone Jun 11, 2021
To-om added a commit that referenced this issue Jun 14, 2021
@To-om
#2069 #2070 Make auth related errors more coherent
97f3bac
@To-om To-om closed this as completed Jun 14, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@To-om To-om

Labels
bug TheHive4 TheHive4 related issues
Projects
None yet
Milestone
4.1.6
Development

No branches or pull requests
3 participants
@nadouani @To-om @nikoIkonen