RPC user able to start a flow they don't have permissions to

Description

From external contributors:
https://github.com/corda/corda/issues/5861

Corda Open Source 4.3

I connect to my node using the standalone shell:

The config file looks like this:

My RPC user, which I used to log in the standalone shell, doesn't have the permission to run CreateEvolvableShokenType flow:

Running flow list, shows that flow:

And the user is able to start the flow:

Activity

ryan.fowler
March 4, 2020, 9:59 AM

This is very likely already fixed in 4.5 with the work put in. But do we want to try fixing it in the earlier versions too? It’s raised against OS 4.3 but targeted against OS 4.5. Just checking.

ryan.fowler
March 23, 2020, 11:17 AM

Bump. Do you have any opinions on where this gets fixed?

ryan.fowler
March 30, 2020, 12:45 PM

Could you shed some light on which version Niki should target?

nikolett.nagy
April 2, 2020, 4:44 PM

It is fixed in 4.5. The versions involved in this issue, where I could reproduce the same bug are 4.3 and 4.4.

nikolett.nagy
April 9, 2020, 12:41 PM

From: Rick Parker <rick.parker@r3.com>
Date: Thursday, 9 April 2020 at 13:28
To: Nikolett Nagy <nikolett.nagy@r3.com>, Matthew Nesbit <matthew.nesbit@r3.com>, Ryan Fowler <ryan.fowler@r3.com>
Subject: Re: Permission issue

Excellent. Can you comment on the JIRA (or cut and paste this email chain and add as comment).

Is there a SUP ticket linked from the CORDA ticket? If so, you can comment on that with the simple solution (remove the overall ‘InvokeRpc.startTrackedFlowDynamic’).

From: Nikolett Nagy <nikolett.nagy@r3.com>
Date: Thursday, 9 April 2020 at 12:55
To: Rick Parker <rick.parker@r3.com>, Matthew Nesbit <matthew.nesbit@r3.com>, Ryan Fowler <ryan.fowler@r3.com>
Subject: Re: Permission issue

Yes, after removing ‘InvokeRpc.startTrackedFlowDynamic’, he will be able to start specific flows which are present in the permissions.

All 3 versions behave the same way. To be more precise, 4.4 and 4.5 have the same code for the permissions; I checked that even with a merging tool.

I was only confused at the beginning because I was not using the exact same configs for 4.5, 4.4 and 4.3, and only realized it later. But after I found out about this I did the testing again and made sure that I am using the same config for all 3 versions.

From: Rick Parker <rick.parker@r3.com>
Date: Thursday, 9 April 2020 at 11:31
To: Nikolett Nagy <nikolett.nagy@r3.com>, Matthew Nesbit <matthew.nesbit@r3.com>, Ryan Fowler <ryan.fowler@r3.com>
Subject: Re: Permission issue

So the fix for the user is to remove `InvokeRpc.startTrackedFlowDynamic`? i.e. if they remove that, they can still start specific flows?

Are we saying that 4.5 is inconsistent with that behaviour now? i.e. the super / wildcard permission does not override the individuals?

From: Nikolett Nagy <nikolett.nagy@r3.com>
Date: Wednesday, 8 April 2020 at 10:43
To: Rick Parker <rick.parker@r3.com>, Matthew Nesbit <matthew.nesbit@r3.com>, Ryan Fowler <ryan.fowler@r3.com>
Subject: Permission issue

Hi,

Looking at the issue, here’s what I found yesterday:

If you explicitly have the ‘InvokeRpc.startTrackedFlowDynamic’ permission in your node.conf file, it will behave like a super permission because:

  1. For startTrackedFlowDynamic we will have a DomainPermission like this: “rpc:starttrackedflowdynamic”

  2. For every flow we are creating a Permission with Shiro. In the AuthenticatedRpcOpsProxy.guard() method, for every start flow we are passing “startTrackedFlowDynamic” as a String and Shiro’s DomainPermission class will create a Permission for us which looks like this: “rpc:starttrackedflowdynamic:net:corda:mypackage:myflow”

  3. After this, when we are checking if we have the permission to run a given flow, we are calling WildcardPermission’s implies method, which by default works like this:

     // If this permission has less parts than the other permission, everything after the number of parts contained
     // in this permission is automatically implied, so return true

“rpc:starttrackedflowdynamic” is shorter than the other one but contains the same parts, so it will always return true for every flow! It works like a cascade: if you have permission for startTrackedFlowDynamic, you will have permission for everything under it.

If you are checking the JIRA (CORDA-3577) the reporter of the issue had startTrackedFlowDynamic in his config file.

I hope this will help to understand what is happening, if you have any further questions feel free to ask.

Regards,

Niki
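
The cascade Niki describes in the email above, and the "remove the overall permission" fix discussed earlier in this comment, as an added example that is not Corda's or Shiro's own code: a Python re-implementation of the algorithm Shiro's WildcardPermission.implies() uses (parts split on ':', sub-parts on ',', '*' matches anything, case-insensitive by default), plus a modelled version of how node.conf `permissions` entries resolve to permission strings and of the guard check that runs when a flow is started. The entry-to-string mapping follows the thread's description and is an assumption, as are the flow class names and the two constructed `permissions` lists; the flow name is kept as a single part here, but the outcome is the same with the colon-separated form quoted in the email, because the granted string is shorter either way.

```python
"""Model of Apache Shiro's WildcardPermission.implies() applied to Corda RPC
permissions.  Added example; not code from Corda or Shiro."""
from __future__ import annotations

WILDCARD = "*"
PART_SEP = ":"
SUBPART_SEP = ","


class WildcardPermission:
    """Mirror of the parsing and implies() logic of
    org.apache.shiro.authz.permission.WildcardPermission."""

    def __init__(self, text: str, case_sensitive: bool = False) -> None:
        text = text.strip()
        if not text:
            raise ValueError("permission string cannot be empty")
        if not case_sensitive:
            text = text.lower()
        self.parts: list[set[str]] = []
        for part in text.split(PART_SEP):
            subparts = {s.strip() for s in part.split(SUBPART_SEP) if s.strip()}
            if not subparts:
                raise ValueError("permission string cannot contain an empty part")
            self.parts.append(subparts)

    def implies(self, other: WildcardPermission) -> bool:
        i = 0
        for other_part in other.parts:
            # Shiro: if this permission has fewer parts than the other one,
            # everything after the parts it does have is implied.  This is
            # the line that turns "rpc:starttrackedflowdynamic" into a grant
            # for every flow.
            if len(self.parts) - 1 < i:
                return True
            part = self.parts[i]
            if WILDCARD not in part and not part.issuperset(other_part):
                return False
            i += 1
        # If this permission has more parts than the other, the extra parts
        # must all be wildcards.
        return all(WILDCARD in part for part in self.parts[i:])


# Assumed mapping of node.conf `permissions` entries to Shiro strings, based on
# the thread: "InvokeRpc.<method>" becomes "rpc:<method>" (no target part) and
# "StartFlow.<class>" becomes "rpc:<start methods>:<class>".
FLOW_START_METHODS = ("startFlowDynamic", "startTrackedFlowDynamic")


def resolve_permission(entry: str) -> WildcardPermission:
    if entry == "ALL":
        return WildcardPermission(WILDCARD)
    if entry.startswith("InvokeRpc."):
        return WildcardPermission("rpc:" + entry[len("InvokeRpc."):])
    if entry.startswith("StartFlow."):
        flow_class = entry[len("StartFlow."):]
        return WildcardPermission("rpc:" + SUBPART_SEP.join(FLOW_START_METHODS) + ":" + flow_class)
    raise ValueError(f"unsupported permission entry: {entry}")


def can_start_flow(granted: list[str], flow_class: str,
                   method: str = "startTrackedFlowDynamic") -> bool:
    """Modelled guard check: build the permission for this invocation and ask
    whether any granted permission implies it."""
    requested = WildcardPermission(f"rpc:{method}:{flow_class}")
    return any(resolve_permission(e).implies(requested) for e in granted)


def flow_wide_grants(granted: list[str]) -> list[str]:
    """Audit helper: entries that would let the user start a flow class that
    does not appear anywhere in the list, i.e. effective flow wildcards."""
    probe_class = "probe.flow.that.is.not.in.the.config"  # constructed name
    return [e for e in granted
            if any(resolve_permission(e).implies(
                       WildcardPermission(f"rpc:{m}:{probe_class}"))
                   for m in FLOW_START_METHODS)]


# Constructed `permissions` lists, not the reporter's actual node.conf.
ALLOWED = "net.corda.mypackage.AllowedFlow"
OTHER = "net.corda.mypackage.OtherFlow"
BUGGY = ["StartFlow." + ALLOWED, "InvokeRpc.startTrackedFlowDynamic"]
FIXED = ["StartFlow." + ALLOWED]

if __name__ == "__main__":
    for name, grants in (("with InvokeRpc.startTrackedFlowDynamic", BUGGY),
                         ("without it", FIXED)):
        print(f"{name}: {ALLOWED} -> {can_start_flow(grants, ALLOWED)}, "
              f"{OTHER} -> {can_start_flow(grants, OTHER)}, "
              f"flow-wide grants: {flow_wide_grants(grants)}")
```

Running `flow_wide_grants` over a user's `permissions` list is the check to apply before relying on per-flow `StartFlow.` entries: any `InvokeRpc.startFlowDynamic` or `InvokeRpc.startTrackedFlowDynamic` entry it returns makes the per-flow entries redundant, exactly as the thread concludes.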

Assignee

nikolett.nagy

Reporter

David Rapacchiale

Labels

Sprint

None

Epic Link

None

Priority

High

Severity

Medium

CVSS Score

None

CVSS Vector

None

Due Date

None

Engineering Teams

Kernel

Fix versions

Affects versions

None

Ported to...

None

Story Points / Dev Days

None