fix: cache items only when coming from trusted proxy#4651
Signed-off-by: ac892247 <a.chmelo@gmail.com>
…in config Signed-off-by: ac892247 <a.chmelo@gmail.com>
# Conflicts: # caching-service-package/src/main/resources/bin/start.sh # caching-service/src/test/java/org/zowe/apiml/caching/config/SecurityConfigTest.java
…lient certificate was provided Signed-off-by: ac892247 <a.chmelo@gmail.com>
| log.debug("DEBUG: isForwardingEnabled = {}", certificateValidator.isForwardingEnabled()); | ||
| log.debug("DEBUG: hasGatewayChain = {}", certificateValidator.hasGatewayChain(certsFromTls)); |
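Review bot: the two `log.debug` lines at the end of this hunk call `certificateValidator.isForwardingEnabled()` and `certificateValidator.hasGatewayChain(certsFromTls)` a second time purely to print them, after the surrounding `if` has already decided on those values. Log the outcome once, either before the condition or inside each branch, and drop the literal `DEBUG:` prefix, which only repeats the log level.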
These messages don't make sense here. They should be before the if (here it is clear what the value is), and evaluating the same code again is not needed.
| ); | ||
|
|
||
| logIgnoredCertificates(new X509Certificate[]{clientCertFromHeader.get()}, clientAuthCerts); | ||
| log.debug("DEBUG: clientAuthCerts.length = {}", clientAuthCerts.length); |
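Review bot: `log.debug("DEBUG: clientAuthCerts.length = {}", clientAuthCerts.length)` only records how many certificates survived, which does not tell an operator which ones were kept or dropped. `logIgnoredCertificates(...)` runs right above it, so put the identifying details (subject DN, serial number) there and remove the separate length line; the `DEBUG:` prefix is redundant with the log level.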
I would say for debugging an issue it would be helpful to write some information about the certificates. Not necessarily the whole key, but the serial number for example.
| caching-service: | ||
| image: ghcr.io/balhar-jakub/caching-service:${{ github.run_id }}-${{ github.run_number }} | ||
| env: | ||
| APIML_SECURITY_X509_ACCEPTFORWARDEDCERT: true |
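Review bot: `APIML_SECURITY_X509_ACCEPTFORWARDEDCERT: true` switches on acceptance of the forwarded certificate for the whole test container, so the integration tests only ever run with forwarding enabled. If the application default is already `true` the line is redundant; if it is not, document why the test image differs from the shipped default, and keep one run with forwarding disabled so the header-ignored path is exercised as well.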
This value is in application.yaml. It is not needed to set it again. Btw, I guess the URL of the cert should be detected by CS automatically.
| private static final String VALID_BASIC_AUTH = "Basic " + Base64.getEncoder().encodeToString((USER + ":" + PASSWORD).getBytes()); | ||
| private static final String INVALID_BASIC_AUTH = "Basic " + Base64.getEncoder().encodeToString((USER + ":invalidPassword").getBytes()); | ||
| private static final String X_CS_SERVICE_ID = "X-CS-Service-ID"; | ||
| private static final String X_CS_SERVICE_ID = "Client-Cert"; |
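Review bot: `X_CS_SERVICE_ID` is declared twice in this hunk, once as "X-CS-Service-ID" and once as "Client-Cert"; two fields with the same name in one class will not compile, and the duplicate hides which constant a test means. The second value is a header name, and the tests elsewhere in this PR already refer to it as `CLIENT_CERT_HEADER_NAME`, so rename the second constant to that.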
Field X_CS_SERVICE_ID is unclear.
| -Dapiml.service.ssl.trust-store="${client_truststore_location}" \ | ||
| -Dapiml.service.ssl.trust-store-password="${client_truststore_pass}" \ | ||
| -Dapiml.service.ssl.trust-store-type="${client_truststore_type}" \ | ||
| -Dapiml.security.x509.acceptForwardedCert=${ZWE_configs_apiml_security_x509_enabled:-${ZWE_components_gateway_apiml_security_x509_enabled:-true}} \ |
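Review bot: `-Dapiml.security.x509.acceptForwardedCert` is filled from `ZWE_configs_apiml_security_x509_enabled`, falling back to `ZWE_components_gateway_apiml_security_x509_enabled` and finally to `true`. Those variables describe whether x509 authentication is enabled, not whether forwarded certificates are accepted, so an operator reading the configuration cannot tell that toggling x509 also toggles trust in the `Client-Cert` header. Use a dedicated variable for this property (keeping the same fallback chain if the coupling is intended) and quote the value like the three `-Dapiml.service.ssl.trust-store*` lines above it.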
Regarding these changes, does it make sense to have certificate forwarding configurable?
pavel-jares-bcm left a comment:
Please also take a look at the Sonar issues.
| hostname: caching-service | ||
| banner: console | ||
|
|
||
| security: |
All configuration should be updated, including local config
| VPx2 | ||
| """.replaceAll("\\s+", ""); | ||
|
|
||
| @org.junit.jupiter.api.BeforeEach |
| @org.junit.jupiter.api.BeforeEach | |
| @BeforeEach |
- import org.junit.jupiter.api.BeforeEach
| enabled: true | ||
| security: | ||
| x509: | ||
| certificatesUrl: https://localhost:10010/gateway/certificates |
Shouldn't we prefer the full URL (https://localhost:10010/gateway/api/v1/certificates)? Both of them are supported, but I would say we should use the one with the API version.
This is only for the local run; in start.sh it uses the same URL as the zaas service.
| certificateValidator.hasGatewayChain(certsFromTls)) { | ||
| Optional<X509Certificate> clientCertFromHeader = getClientCertFromHeader(exchange.getRequest()); | ||
| log.debug("clientCertFromHeader.isPresent = {}", clientCertFromHeader.isPresent()); | ||
| if (clientCertFromHeader.isPresent()) { |
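Review bot: the `Client-Cert` header is only read once `certificateValidator.hasGatewayChain(certsFromTls)` has passed, which is the right order: the header must never be consulted before the TLS peer is known to be the gateway. What is missing is the negative path: when the chain check fails there is no `else`, so a forwarded certificate arriving from a non-gateway peer is dropped without any trace. Add a debug log there that names the peer certificate, so a proxy misconfiguration shows up in the logs, and note that `clientCertFromHeader.isPresent` alone says little without the forwarded certificate's subject.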
The logic was changed: when the request is signed by the Zowe certificate and there is no client cert header, certificates are not logged and no attribute is set. I would say the original implementation is better. We should process that in the else statement. It probably has no impact on the caching service, but the behaviour could be different for internal APIs. Basically, I guess it just could make debugging of an issue more complicated.
The only thing that changed is a log message; what exactly is wrong about it?
Now I get it, it's moved back to the original condition.
| void whenNoBasicAuth_thenReturnForbidden() { | ||
| given() | ||
| .header(new Header(X_CS_SERVICE_ID, "apimtst")) | ||
| .header(new Header(CLIENT_CERT_HEADER_NAME, MOCK_FORWARDED_CERT)) |
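Review bot: `whenNoBasicAuth_thenReturnForbidden` sends both `X-CS-Service-ID` and a forwarded `Client-Cert` and expects 403, which covers the case where the header alone must not authorise storage. Add the matching positive test (same headers over a connection that `hasGatewayChain` accepts) and a negative one where the header is forwarded over a non-gateway TLS connection; without both, a regression that over-trusts the header or one that stops honouring it from the gateway passes unnoticed.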
Do we have a test somewhere with clientCert and service prefix?



Description
The Caching Service allows storing items under an arbitrary value in a header if the request is authenticated with a client certificate. This change makes the validation stricter and allows items only when the request comes from a trusted proxy. It also drops support for the custom header and keeps only the standard Client-Cert header.
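The gate described above, as an added example that is not part of this PR or of the Caching Service code: the forwarded `Client-Cert` header is honoured only when the TLS peer chain contains the pinned gateway certificate, and is ignored on every other connection. The certificates are a constructed stand-in (subject only, SHA-256 "fingerprint" over that subject), and pinning the gateway by fingerprint and the `reason` strings are assumptions, not the project's API.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import Mapping, Optional, Sequence, Set, Tuple

CLIENT_CERT_HEADER = "Client-Cert"  # the standard header this change keeps

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for X509Certificate: the 'encoding' is the subject as UTF-8, not real DER."""
    subject: str

    @property
    def encoded(self) -> bytes:
        return self.subject.encode()

    def fingerprint(self) -> str:
        return hashlib.sha256(self.encoded).hexdigest()

def to_header_value(cert: Cert) -> str:
    """Forwarded form: base64 of the encoding with no whitespace, like the test fixture in this PR."""
    return base64.b64encode(cert.encoded).decode()

def has_gateway_chain(tls_chain: Sequence[Cert], trusted_gateway_fps: Set[str]) -> bool:
    """True when the TLS peer presented a certificate pinned as the gateway (the trusted proxy)."""
    return any(c.fingerprint() in trusted_gateway_fps for c in tls_chain)

def resolve_client_cert(tls_chain: Sequence[Cert], headers: Mapping[str, str],
                        trusted_gateway_fps: Set[str]) -> Tuple[Optional[Cert], str]:
    """Return (effective client certificate, reason): the header counts only behind the gateway."""
    tls_leaf = tls_chain[0] if tls_chain else None
    forwarded = headers.get(CLIENT_CERT_HEADER)
    if has_gateway_chain(tls_chain, trusted_gateway_fps):
        if forwarded is not None:
            return Cert(base64.b64decode(forwarded).decode()), "forwarded-from-gateway"
        return tls_leaf, "gateway-without-forwarded-cert"
    if forwarded is not None:
        # header from a peer that is not the gateway: ignore it (a real service logs it as ignored)
        return tls_leaf, "forwarded-cert-ignored-untrusted-peer"
    return tls_leaf, "direct-tls"

# Constructed scenario: gateway pinned by fingerprint; the same header arrives over two connections.
GATEWAY = Cert("CN=apiml-gateway")
TRUSTED = {GATEWAY.fingerprint()}
FORWARDED = to_header_value(Cert("CN=real-user"))

if __name__ == "__main__":
    print(resolve_client_cert([GATEWAY], {CLIENT_CERT_HEADER: FORWARDED}, TRUSTED))
    print(resolve_client_cert([Cert("CN=some-client")], {CLIENT_CERT_HEADER: FORWARDED}, TRUSTED))
```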