PDP: unvalidated API call parameters
As discussed in recent weeks, API calls which require user input should expect the userid in uuid form (userid).
RBAC >>> (request)
POST /pdp/sessions/test-session HTTP/1.1
Host: didmos.satosa.latest.rustbucket.io
User-Agent: Go-http-client/1.1
Content-Length: 44
Authorization: Basic ZGVmYXVsdC10ZW5hbnQ6c2VjcmV0
Content-Type: application/json
X-Tenant-Id: default-tenant
Accept-Encoding: gzip
{"userid":"test-user","roles":["test-role"]}
---
RBAC <<< (response)
HTTP/1.1 200 OK
...
{"session": "test-session", "userid": "3a2560e8-f088-4b46-98df-5ad4c5362703", "roles": ["test-role"]}
- Expected: when creating a session with an invalid userid (one not in uuid form, which therefore cannot exist), an error should be returned from the API
- Actual: the API treats the userid as a username and returns a valid response
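An added example of the check the report asks for, written here for illustration and not taken from the didmos/PDP code base: the request body is parsed and the userid is accepted only when it is a UUID in canonical hyphenated form, so a username such as "test-user" is rejected with a 400 instead of being looked up. The function names, the 400 error payloads and the sample bodies are assumptions; Python's uuid.UUID() alone is too permissive for this purpose (it also accepts braces, a urn:uuid: prefix and unhyphenated hex), which is why the parsed value is compared back to the input.

```python
import json
import uuid

# Constructed sample bodies for the example; the UUID value mirrors the
# shape of the one in the report but carries no meaning of its own.
VALID_BODY = '{"userid":"3a2560e8-f088-4b46-98df-5ad4c5362703","roles":["test-role"]}'
INVALID_BODY = '{"userid":"test-user","roles":["test-role"]}'


def is_canonical_uuid(value):
    """True only for the 8-4-4-4-12 hyphenated form (case-insensitive).

    uuid.UUID() also accepts '{...}', 'urn:uuid:...' and 32 bare hex
    digits, so the canonical string of the parsed value is compared
    back to the input to reject those variants.
    """
    if not isinstance(value, str):
        return False
    try:
        parsed = uuid.UUID(value)
    except ValueError:
        return False
    return str(parsed) == value.lower()


def validate_session_request(raw_body):
    """Parse a session-creation body and return (status, payload).

    Any shape or type problem yields 400, so a username can never be
    silently accepted where a userid is expected (assumed response
    format, not the PDP's own).
    """
    try:
        body = json.loads(raw_body)
    except ValueError:
        return 400, {"error": "body is not valid JSON"}
    if not isinstance(body, dict):
        return 400, {"error": "body must be a JSON object"}

    userid = body.get("userid")
    if not is_canonical_uuid(userid):
        return 400, {"error": "userid must be a UUID in canonical form"}

    roles = body.get("roles")
    if (not isinstance(roles, list) or not roles
            or not all(isinstance(r, str) and r for r in roles)):
        return 400, {"error": "roles must be a non-empty list of strings"}

    # Normalise to lowercase so later lookups compare a single spelling.
    return 200, {"userid": str(uuid.UUID(userid)), "roles": roles}


if __name__ == "__main__":
    print(validate_session_request(INVALID_BODY))
    print(validate_session_request(VALID_BODY))
```

Validating the form of the identifier is only the first half: once the value is known to be a UUID, the service should still confirm that a user with that id exists before creating the session, rather than falling back to a username lookup.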