Issue 13042

Don't use request URI for signing requests with the GBIF authentication scheme

13042
Reporter: mdoering
Assignee: mdoering
Type: Improvement
Summary: Don't use request URI for signing requests with the GBIF authentication scheme
Priority: Blocker
Resolution: Fixed
Status: Closed
Created: 2013-03-20 12:11:42.246
Updated: 2013-12-06 12:06:38.673
Resolved: 2013-09-05 15:14:46.174
        
Description: Currently the gbif authentication scheme in proxied user requests, e.g. from the portal, signs the http request by looking at various http  headers of the request. In particular it includes the request uri which can be modified by varnish thereby breaking the signature.

Consider to remove the request uri from the signature? This might be a bit dangerous as the same DELETE request can then be used for various resources as the id is in the requested uri]]>
Attachment varnish.log

Author: mdoering@gbif.org
Created: 2013-03-20 12:23:45.517
Updated: 2013-03-20 12:23:45.517
        
Modified headers by varnish as in the attached logs:
b=backend, c=client
{noformat}
16 TxRequest    b POST
16 TxURL        b /occurrence-download-ws/occurrence/download/
16 TxHeader     b Content-Type: application/json
16 TxHeader     b x-gbif-date: 20 Mar 2013 11:01:07 GMT
16 TxHeader     b x-gbif-user: markus
16 TxHeader     b x-gbif-content-hash: 2124300471


15 RxRequest    c POST
15 RxURL        c /occurrence/download/
15 RxHeader     c Content-Type: application/json
15 RxHeader     c x-gbif-date: 20 Mar 2013 11:01:07 GMT
15 RxHeader     c x-gbif-user: markus
15 RxHeader     c x-gbif-content-hash: 2124300471
{noformat}
    


Author: trobertson@gbif.org
Created: 2013-08-28 08:02:11.252
Updated: 2013-08-28 08:08:39.134
        
Is the signing that you refer to happening here please?
https://code.google.com/p/gbif-common-resources/source/browse/gbif-common-ws/trunk/src/main/java/org/gbif/ws/security/GbifAppAuthService.java#177

which is subsequently calling:
https://code.google.com/p/gbif-common-resources/source/browse/gbif-common-ws/trunk/src/main/java/org/gbif/ws/security/GbifAppAuthService.java#100

If so...

Should we consider getting a bit smarter and in varnish do the likes of:
{code}
set    req.http.X-Original-Url = req.url
{code}

and then in the signing look for that custom header, and if present use it, otherwise use the observed URL?

Have we inspected all the HEADERS that the backend sees?  It could be varnish already does something like this, or perhaps there is a standard way of doing this with Varnish (or at least a common header name to use for this when things are proxying and url rewriting)

    


Author: mdoering@gbif.org
Comment: A good idea, much better than to simply remove the URL from the hash as it would allow with simple manipulations to send a validly signed request to a totally different URL. I'll see if varnish add some header already or if we can configure it to copy the original (I think thats possible)
Created: 2013-08-28 09:30:41.226
Updated: 2013-08-28 09:30:41.226


Author: mdoering@gbif.org
Created: 2013-09-05 15:14:46.206
Updated: 2013-09-05 15:14:46.206
        
works in general, but we now face POST problems with chunked encodings in varnish, see related issue.

https://code.google.com/p/gbif-common-resources/source/detail?r=1674
https://code.google.com/p/gbif-common-resources/source/detail?r=1676