CNodeService API calls don't honor authoritative MN certificates
In working with Mark Reyes on calling CN.archive() and CN.setObsoletedBy() calls for the Merritt repository, he reported a NotAuthorized exception on updating system metadata fields for objects that are managed by Merritt. Using the CN certificate, I have successfully called these and other CN API calls to manipulate system metadata. Since this is more of an integration test, we don't have a unit test to ensure that MN certs are able to modify content on their system by calling the CN API.
In CNodeService, we use D1NodeService.isAdminAuthorized() to check for administrative authorization in calls like CNodeService.archive(). Within that call, we also check for MN-level node administrative authorization using isNodeAdmin(). However, isNodeAdmin() only checks to see if the cert subject is the subject of the local Member Node. It doesn't check to see if the cert subject matches the cert subject of the authoritativeMemberNode listed in the object's system metadata.
We need to add another method, something like D1NodeService.isAuthoritativeNodeAdmin(), and in calls to the CN API, check the cert subject by getting the Node entry from the NodeList in the given environment that corresponds to the authoritativeMemberNode listed in SystemMetadata, and comparing the Node Subject to the cert Subject.
This is a pretty critical bug fix since all CN calls using an MN Subject are likely going to fail. The Merritt ORE fixes are blocked by this issue.
#2 Updated by Jing Tao over 6 years ago
- Status changed from New to Resolved
Implemented the D1NodeService.isAuthoritativeNodeAdmin() method and put them into the appropriate place. The both MN and CN APIs are applied this method. I installed the fixed code on the mn-demo-9 and test the archived method. It worked.
Rober installed the fixed code on the cns in dev env. I tested the archive and setObsoletedBy method through curl. It worked well.