Develop Reference

Why does this rule not block all requests?

I have a chrome extension to block YouTube as a whole, but it's only blocking some requests. For example, all embedded videos are blocked, but when I go to https://www.youtube.com or https://www.youtube.com/watch?v=dQw4w9WgXcQ it'll block only some elements.
https://www.youtube.com as far as I can tell loads everything except for elements loaded due to user navigation--for example, the collapsed hamburger menu doesn't load when clicked.
manifest.json:
{
"manifest_version": 2,
"name": "Test",
"version": "0.0.1",
"permissions": [
"*://*.youtube.com/*",
"declarativeNetRequest"
],
"declarative_net_request": {
"rule_resources": [
{
"id": "1",
"enabled": true,
"path": "rules.json"
}
]
}
}
rules.json:
[
{
"id": 3,
"priority": 1,
"action": {
"type": "block"
},
"condition": {
"urlFilter": "youtube.com"
}
}
]

Why does URL redirect permission work in Chrome Manifest v2 but not v3?

I'm trying to redirect a URL using the Chrome declarativeWebRequest API but it does not work.
The match pattern in the "permissions" key worked with Manifest V2 but it's now throwing a Permission '*://www.youtube.com/*' is unknown or URL pattern is malformed error in V3.
manifest.json:
{
"manifest_version": 3,
"name": "Redirect Test",
"version": "0.0.1",
"permissions": [
"declarativeNetRequest",
"*://www.youtube.com/*"
],
"host_permissions": [
"*://www.youtube.com/*"
],
"declarative_net_request": {
"rule_resources": [
{
"id": "1",
"enabled": true,
"path": "rules.json"
}
]
}
}
rules.json:
[
{
"id": 1,
"priority": 1,
"action": {
"type": "redirect",
"redirect": {"url": "https://www.google.com"}
},
"condition": {
"urlFilter": "*://www.youtube.com/*",
"resourceTypes": [
"main_frame"
]
}
}
]
I'm using Chrome 88.0.4324.104

The manifest documentation for declarative net requests at the time of posting isn't exactly accurate.
This is the
Permissions key in manifest.json from the documentation:
"permissions": [
"declarativeNetRequest",
"declarativeNetRequestFeedback",
"*://example.com/*"
],
However, the site should be specified in just host_permissions instead:
"host_permissions": [
"*://example.com/*"
],
It should be noted that this explicit declaration is only necessary if action.redirect is specified like in this example:
{
"id": 1,
"priority": 3,
"action": {
"type": "redirect",
"redirect": {
"regexSubstitution": "www.youtube.com/embed/"
}
},
"condition": {
"regexFilter": "(www\\.youtube\\.com\/watch\\?v=)",
"resourceTypes": [
"main_frame"
]
}
}

Request with initiator=localhost gets intercepted by DeclarativeNetRequest even though the rule says otherwise

[
{
"id": 1,
"priority": 2,
"action": {
"type": "redirect",
"redirect": { "regexSubstitution": "http://localhost:28438/check-url?url=\\0" }
},
"condition": {
"regexFilter": "^(https?\\://)?[^\\:]+$",
"resourceTypes": [ "main_frame" ],
"excludedDomains":["localhost"]
}
},
{
"id": 2,
"priority": 1,
"action": {
"type": "redirect",
"redirect": {
"regexSubstitution": "\\1"
}
},
"condition": {
"regexFilter": "^(?:http\\://)?localhost.+pass\\?url=(.+)$",
"resourceTypes": [ "main_frame" ]
}
}
]
According to the above rule #1, every request originating from localhost should be ignored and the rest should be redirected to the local server.
I have added the rule #2 for a possibly broader view of the case; it's really redundant to post it here.
My expectation, however, is not satisfied and the request gets intercepted, resulting in an infinite loop:
In this case, I try to open the msn website and it gets intercepted by the first rule (the second rule acts OK).

Getting access denied after keycloak login. I dont have any roles in my keycloak server

I am implementing Keycloak authorization to my Node.js application. I created a realm and a client inside of it. I don't have any roles either in realm or in client. I have a route "/test" which is protected with Keycloak.
My keycloak.json looks like this:
{
"realm": "demo",
"auth-server-url": "http://localhost:8080/auth",
"ssl-required": "external",
"resource": "myapp",
"public-client": true,
"confidential-port": 0
}

Define roles (realm roles or client roles), assign the roles to your user (user which you use to perform the test), check your role scope mappings (or you can configure your client as full-scope for testing purpouse), and check that you are protecting your '/test' route with those same permissions.
E.g. you can try with keycloak-nodejs adapter (example).
Look at this configuration file (keycloak realm configuration example):
{
"realm": "nodejs-example",
"enabled": true,
"sslRequired": "external",
"registrationAllowed": true,
"privateKey": "...................",
"publicKey": ".....................",
"requiredCredentials": [ "password" ],
"users" : [
{
"username" : "user",
"enabled": true,
"email" : "sample-user#nodejs-example",
"firstName": "Sample",
"lastName": "User",
"credentials" : [
{ "type" : "password",
"value" : "password" }
],
"realmRoles": [ "user" ],
"clientRoles": {
"account": ["view-profile", "manage-account"]
}
}
],
"roles" : {
"realm" : [
{
"name": "user",
"description": "User privileges"
},
{
"name": "admin",
"description": "Administrator privileges"
}
]
},
"scopeMappings": [
{
"client": "nodejs-connect",
"roles": ["user"]
}
],
"clients": [
{
"clientId": "nodejs-connect",
"enabled": true,
"publicClient": true,
"baseUrl": "/",
"adminUrl" : "http://localhost:3000/",
"baseUrl" : "http://localhost:3000/",
"redirectUris": [
"http://localhost:3000/*"
],
"webOrigins": []
},
{
"clientId": "nodejs-apiserver",
"enabled": true,
"secret": "secret",
"redirectUris": [
"http://localhost:3000/*"
],
"webOrigins": [
"http://localhost:3000/*"
],
"serviceAccountsEnabled": true,
"authorizationServicesEnabled": true,
"authorizationSettings": {
"resources": [
{
"name": "resource",
"type": "urn:nodejs-apiserver:resources:default",
"ownerManagedAccess": false,
"uris": [
"/*"
],
"scopes": [
{
"name": "view"
},
{
"name": "write"
}
]
}
],
"policies": [
{
"name": "Default Policy",
"description": "A policy that grants access only for users within this realm",
"type": "js",
"config": {
"code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
}
},
{
"name": "Default Permission",
"description": "A permission that applies to the default resource type",
"type": "resource",
"config": {
"defaultResourceType": "urn:nodejs-apiserver:resources:default",
"applyPolicies": "[\"Default Policy\"]"
}
}
]
}
}
]
}
Explanation:
From this sample, look at how a user has roles assigned (realm roles: "user", account client roles: "account": ["view-profile", "manage-account"]):
{
...
"users" : [
{
"username" : "user",
"enabled": true,
"email" : "sample-user#nodejs-example",
"firstName": "Sample",
"lastName": "User",
"credentials" : [
{ "type" : "password",
"value" : "password" }
],
"realmRoles": [ "user" ],
"clientRoles": {
"account": ["view-profile", "manage-account"]
}
}
],
...
}
Look at how realm Roles are defined:
{
...
"roles" : {
"realm" : [
{
"name": "user",
"description": "User privileges"
},
{
"name": "admin",
"description": "Administrator privileges"
}
]
},
...
}
Look at how this sample uses a 'scope mapping' to map roles from realm to a user authenticated by a client (read more about this here role scope mapping):
{
...
"scopeMappings": [
{
"client": "nodejs-connect",
"roles": ["user"]
}
],
...
}
Look at how clients are defined. Check that 'nodejs-connect' client is public and 'nodejs-apiserver' is secret. In this sample, server is using the 'Authorization Api' to protect resources but you could protect your resources by granted roles only (if you want).
{
...
"clients": [
{
"clientId": "nodejs-connect",
"enabled": true,
"publicClient": true,
"baseUrl": "/",
"adminUrl" : "http://localhost:3000/",
"baseUrl" : "http://localhost:3000/",
"redirectUris": [
"http://localhost:3000/*"
],
"webOrigins": []
},
{
"clientId": "nodejs-apiserver",
"enabled": true,
"secret": "secret",
"redirectUris": [
"http://localhost:3000/*"
],
"webOrigins": [
"http://localhost:3000/*"
],
"serviceAccountsEnabled": true,
"authorizationServicesEnabled": true,
"authorizationSettings": {
"resources": [
{
"name": "resource",
"type": "urn:nodejs-apiserver:resources:default",
"ownerManagedAccess": false,
"uris": [
"/*"
],
"scopes": [
{
"name": "view"
},
{
"name": "write"
}
]
}
],
"policies": [
{
"name": "Default Policy",
"description": "A policy that grants access only for users within this realm",
"type": "js",
"config": {
"code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
}
},
{
"name": "Default Permission",
"description": "A permission that applies to the default resource type",
"type": "resource",
"config": {
"defaultResourceType": "urn:nodejs-apiserver:resources:default",
"applyPolicies": "[\"Default Policy\"]"
}
}
]
}
}
]
...
}
Finally, look at javascript (index.js) file to see how it uses 'keycloak-connect' (adapter) to protect and enforce access policies (usage of Authorization Api).
Tip
In development, you can get an access token and use this page to decode and see the token's content.
JWT.IO
I hope this helps.

I also had a 403 - Access Denied. What helped was stepping through the auth code of keycloak-connect. The token validation happens in the function validateToken in node_modules\keycloak-connect\middleware\auth-utils\grant-manager.js
if (!token) {
reject(new Error('invalid token (missing)'))
} else if (token.isExpired()) {
reject(new Error('invalid token (expired)'))
} else if (!token.signed) {
reject(new Error('invalid token (not signed)'))
} else if (token.content.typ !== expectedType) {
reject(new Error('invalid token (wrong type)'))
} else if (token.content.iat < this.notBefore) {
reject(new Error('invalid token (stale token)'))
} else if (token.content.iss !== this.realmUrl) {
reject(new Error('invalid token (wrong ISS)'))
}
...
For me, the problem was that I configured the url to the keycloak server without the schema (https). token.content.iss includes the schema and so it rejected because of token.content.iss !== this.realmUrl.
Unfortunately they seem to swallow those valuable Error messages without logging or returning them. I opened a question regarding this behavior.

No results match your search criteria in kibana with timestamp

I created an index in elasticsearch 6.5.1 successfully loaded the data to that index. there is one field "submitted_date" which is the timestamp. below is the mapping like of this field.
"submitted_date": { "type": "date", "format":"yyyy-MM-dd HH:mm:ss.SSS" },
then I created the index pattern. I used the Time Filter field name as "submitted_date". after that, I tried to check the data in Discover tab, but data are not showing. there is a message saying that No results match your search criteria.
NOTE that I have changed the time in time range picker in every possible way which is on top of the right corner in kibana dashboard.
data appear in Dev Tools tab with elastic queries.
ps : I inserted the data using nodejs with elasticsearch official library, did not used logstash.
I followed this article, but it did not help me.
UPDATE : sample document
{
"took" : 0,
"timed_out" : false,
"_shards" : {
"total" : 1,
"successful" : 1,
"skipped" : 0,
"failed" : 0
},
"hits" : {
"total" : 10480,
"max_score" : 1.0,
"hits" : [
{
"_index" : "test",
"_type" : "tests",
"_id" : "1214334",
"_score" : 1.0,
"_source" : {
"priority" : "4",
"submitted_date" : "2018-01-04T18:32:21.000Z",
"submitted_month" : 0,
"submitted_month_name" : "January",
"submitted_day" : 4,
"submitted_weekday" : "Tuesday",
"submitted_hour" : 18,
"submitted_year_month" : "2018-0",
"submitted_year_month_name" : "2018-January",
"date_key" : "20180104",
"year_month_key" : "201801",
"status" : "Closed"
}
}
]
}
}
Inspect request
{
"version": true,
"size": 500,
"sort": [
{
"_score": {
"order": "desc"
}
}
],
"_source": {
"excludes": []
},
"aggs": {
"2": {
"date_histogram": {
"field": "submitted_date",
"interval": "1d",
"time_zone": "Asia/Kolkata",
"min_doc_count": 1
}
}
},
"stored_fields": [
"*"
],
"script_fields": {},
"docvalue_fields": [
{
"field": "close_date",
"format": "date_time"
},
{
"field": "last_modified_date",
"format": "date_time"
},
{
"field": "last_resolved_date",
"format": "date_time"
},
{
"field": "submitted_date",
"format": "date_time"
},
{
"field": "time_to_resolve",
"format": "date_time"
}
],
"query": {
"bool": {
"must": [
{
"match_all": {}
},
{
"range": {
"submitted_date": {
"gte": 1514745000000,
"lte": 1543937620414,
"format": "epoch_millis"
}
}
}
],
"filter": [],
"should": [],
"must_not": []
}
},
"highlight": {
"pre_tags": [
"#kibana-highlighted-field#"
],
"post_tags": [
"#/kibana-highlighted-field#"
],
"fields": {
"*": {}
},
"fragment_size": 2147483647
}
}
Index pattern
function _putMapping() {
return client.indices.create({
index: process.env.ELASTICSEARCH_INDEX,
body: {
settings:{
index:{
"number_of_shards": 1,
"number_of_replicas": 5
},
"index.mapping.ignore_malformed" : true
},
mappings:{
tests:{
properties:{
"last_modified_date": { "type": "date" },
"last_resolved_date": { "type": "date" },
"time_to_resolve": { "type": "date" },
"submitted_date": { "type": "date", "format":"yyyy-MM-dd HH:mm:ss.SSS" },
"date_key": { "type": "integer" },
"priority": { "type": "long" },
"submitted_hour": { "type": "long" },
"submitted_month": { "type": "long" },
"submitted_year": { "type": "long" },
"submitted_year": { "type": "keyword" },
"submitted_year_month": { "type": "keyword" },
"submitted_year_month_name": { "type": "keyword" },
}
}
}
}
});
}

Your mYour submitted_date is coming like 2018-01-04T18:32:21.000Z but your mapping is set as yyyy-MM-dd HH:mm:ss.SSS.
You need to change it to "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'".