400 The secrets of all the users having access to the resource are required

When I try to add a user to an existing resource I get this error 400: The secrets of all the users having access to the resource are required

secrets_provided

  • Passbolt Version: 4.0.2
  • Platform and Target:
    – Operating system: Ubuntu 22.04
    – PHP: 8.1
    – Web server: nginx 1.18.0
    – Database server: mariadb 10.6.12

What you did

Tried to add a new user to a resource; the resource has already granted access for the api-user and a group

What happened

we get the error message above: 400 The secrets of all the users having access to the resource are required

What you expected to happen

the new user should get access granted

we have got 2 permissions in the database for this record:

MariaDB [passboltdb]> select * from permissions where aco_foreign_key="b68f85d7-2963-4c1c-ba60-ab969a0a0354";

+--------------------------------------+----------+--------------------------------------+-------+--------------------------------------+------+---------------------+---------------------+
| id                                   | aco      | aco_foreign_key                      | aro   | aro_foreign_key                      | type | created             | modified            |
+--------------------------------------+----------+--------------------------------------+-------+--------------------------------------+------+---------------------+---------------------+
| aa4ff85f-1cde-4015-bd32-eff9dcee7986 | Resource | b68f85d7-2963-4c1c-ba60-ab969a0a0354 | Group | e9f0ce33-7b52-4f67-b89a-d797e0c3c8ed |   15 | 2022-12-20 08:30:21 | 2022-12-20 08:30:21 |
| f99c7bff-0644-492c-8deb-a4e9cc273d4f | Resource | b68f85d7-2963-4c1c-ba60-ab969a0a0354 | User  | fd848340-9168-46e7-b9c7-492946cefe2f |   15 | 2023-02-14 14:01:30 | 2023-02-14 14:01:30 |
+--------------------------------------+----------+--------------------------------------+-------+--------------------------------------+------+---------------------+---------------------+

when I try to add one more user I get this error (expanded the source code a little bit to see which resource drops that error):

{
    "code": 400,
    "body": {
        "secrets": {
            "secrets_provided": "The secrets of all the users having access to the resource are required. recourse-id b68f85d7-2963-4c1c-ba60-ab969a0a0354 | usersIdsHavingAccess: ed7a9fde-c62b-4f36-8db1-dd7797b8595e !==  usersIdsHavingASecret: "
        }
    }
}

So it seems that there is no secret for the user with the id ed7a9fde-c62b-4f36-8db1-dd7797b8595e

When I select that user from the secrets-table I see this:

MariaDB [passboltdb]> select id, user_id, resource_id from secrets where user_id="ed7a9fde-c62b-4f36-8db1-dd7797b8595e" and resource_id="b68f85d7-2963-4c1c-ba60-ab969a0a0354";

+--------------------------------------+--------------------------------------+--------------------------------------+
| id                                   | user_id                              | resource_id                          |
+--------------------------------------+--------------------------------------+--------------------------------------+
| b63f6dfe-2485-424f-926e-740511fec842 | ed7a9fde-c62b-4f36-8db1-dd7797b8595e | b68f85d7-2963-4c1c-ba60-ab969a0a0354 |
+--------------------------------------+--------------------------------------+--------------------------------------+

In the data field there is a PGP-Message.

./bin/cake passbolt cleanup → all OK
./bin/cake passbolt datacheck → all OK
./bin/cake passbolt datacheck → all OK

any idea what I can do to get this going?

Also The secrets of all the users having access to the resource are required · Issue #484 · passbolt/passbolt_api · GitHub

What stands out to me is a user is “api user”. Can you elaborate a bit on this?

Hey @grufo,

Any manual deletion in the database?
I’ve seen similar scenarios when users tried to delete secrets directly in the database.

Did you run those queries?

I tried to create a new record with the same permissions and there is a difference in the database:

old record:
MariaDB [passboltdb]> select id, user_id, resource_id from secrets where resource_id="f4c7947a-0e18-4185-add6-e122e4a5a883";

+--------------------------------------+--------------------------------------+--------------------------------------+
| id                                   | user_id                              | resource_id                          |
+--------------------------------------+--------------------------------------+--------------------------------------+
| 9e7ef010-60a1-48bc-8ce8-05e5510530f3 | 093f2fcf-cdfc-454d-a319-77211f1cf94d | f4c7947a-0e18-4185-add6-e122e4a5a883 |
| af0cc50f-5bbf-4497-b691-b619e5684b39 | ed7a9fde-c62b-4f36-8db1-dd7797b8595e | f4c7947a-0e18-4185-add6-e122e4a5a883 |
+--------------------------------------+--------------------------------------+--------------------------------------+

new record:
MariaDB [passboltdb]> select id, user_id, resource_id from secrets where resource_id="beb4960a-8993-4d3f-9b4d-0068b9de2791";

+--------------------------------------+--------------------------------------+--------------------------------------+
| id                                   | user_id                              | resource_id                          |
+--------------------------------------+--------------------------------------+--------------------------------------+
| 691801dc-fd09-400f-afdb-a1ab01e5174a | fd848340-9168-46e7-b9c7-492946cefe2f | beb4960a-8993-4d3f-9b4d-0068b9de2791 |
| 7239ed8e-8562-4099-898a-f25ed66f8362 | cd53516e-f905-4b8e-8ebd-29ab761abad8 | beb4960a-8993-4d3f-9b4d-0068b9de2791 |
| 8464d2a1-9e2a-4ba4-bc60-9ae030c92ac5 | ed7a9fde-c62b-4f36-8db1-dd7797b8595e | beb4960a-8993-4d3f-9b4d-0068b9de2791 |
| e1a636c9-cd3f-46b3-a66b-9f8a978590d0 | 093f2fcf-cdfc-454d-a319-77211f1cf94d | beb4960a-8993-4d3f-9b4d-0068b9de2791 |
+--------------------------------------+--------------------------------------+--------------------------------------+

so there are two users missing!

we expanded the group “allgemein” after creating the records with two more users, maybe there is/was a bug and the system did not create those missing accounts when we added them to the group!?

@garrett the api user is the first user from the installation, we use that user to create entries from cli with the passbolt cli tool.

hi @max,
yes I did run those queries:

MariaDB [passboltdb]> select * from permissions p where p.aro_foreign_key IN ( select u.id from users u where u.deleted = 1 OR u.active = 0 );
Empty set (0.002 sec)

MariaDB [passboltdb]> SELECT s.resource_id, s.user_id, min(s.modified) as min_modified FROM secrets s GROUP BY s.user_id, s.resource_id HAVING count(*) > 1;
Empty set (0.010 sec)
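
The mismatch discussed in this thread, users who have access to a resource (directly or through a group) but no row in the secrets table, can be listed with a single query. This is an added example, not part of the thread or of Passbolt's code: it runs the query against a constructed SQLite miniature, the groups_users table and its columns are an assumption about the Passbolt schema, and all ids are made up.

```python
import sqlite3

# Constructed miniature of the tables queried in this thread. groups_users
# (group_id, user_id) is an assumption about the Passbolt schema.
SCHEMA = """
CREATE TABLE users (id TEXT, deleted INTEGER, active INTEGER);
CREATE TABLE groups_users (group_id TEXT, user_id TEXT);
CREATE TABLE permissions (aco TEXT, aco_foreign_key TEXT, aro TEXT, aro_foreign_key TEXT);
CREATE TABLE secrets (user_id TEXT, resource_id TEXT);
"""

# (resource, user) pairs where the user has access, directly or through a
# group, but no secrets row exists. Plain SQL with a CTE, portable to MariaDB.
MISSING_SECRETS = """
WITH access AS (
    SELECT p.aco_foreign_key AS resource_id, p.aro_foreign_key AS user_id
      FROM permissions p WHERE p.aco = 'Resource' AND p.aro = 'User'
    UNION
    SELECT p.aco_foreign_key, gu.user_id
      FROM permissions p
      JOIN groups_users gu ON gu.group_id = p.aro_foreign_key
     WHERE p.aco = 'Resource' AND p.aro = 'Group'
)
SELECT a.resource_id, a.user_id
  FROM access a
  JOIN users u ON u.id = a.user_id AND u.deleted = 0 AND u.active = 1
  LEFT JOIN secrets s ON s.resource_id = a.resource_id AND s.user_id = a.user_id
 WHERE s.user_id IS NULL
 ORDER BY a.resource_id, a.user_id
"""

def build_sample():
    """Constructed data: group 'grp' grew from 1 to 3 members after 'res-old' was shared."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, 0, 1)", [(u,) for u in ("api", "a", "b", "c")])
    conn.executemany("INSERT INTO groups_users VALUES ('grp', ?)", [(u,) for u in ("a", "b", "c")])
    perms = [(r, aro, key) for r in ("res-old", "res-new") for aro, key in (("Group", "grp"), ("User", "api"))]
    conn.executemany("INSERT INTO permissions VALUES ('Resource', ?, ?, ?)", perms)
    have = [("api", "res-old"), ("a", "res-old")] + [(u, "res-new") for u in ("api", "a", "b", "c")]
    conn.executemany("INSERT INTO secrets VALUES (?, ?)", have)
    return conn

def find_missing_secrets(conn):
    return conn.execute(MISSING_SECRETS).fetchall()

if __name__ == "__main__":
    for resource_id, user_id in find_missing_secrets(build_sample()):
        print(f"{resource_id}: no secret for user {user_id}")
```

An empty result means every active user with access has a secrets row; any row returned is a (resource, user) pair that would trip the secrets_provided check on the next share.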

Thanks @grufo this can help the devs consider what is behind this or what next to try.

Let’s post here going forward so it’s consolidated a bit.

Any idea how I can fix this problem?
Any news from the dev-team?