Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Issue #2068 boolean flag change #2077

Merged
merged 1 commit into from
Jan 18, 2023
Merged

Conversation

johnekent
Copy link
Contributor

No description provided.

@johnekent
Copy link
Contributor Author

Updated the pre-commit as well, since flake8 location changed. That's why multiple commits.

Copy link
Contributor

@ianco ianco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This returns 401 Unauthorized is an admin api key is enabled, which is probably not what you want.

E.g aca-py as ./bin/aca-py start --endpoint 8888 --no-ledger -it http 0.0.0.0 8887 -ot http --admin 0.0.0.0 8889 --admin-api-key 666 and then in another shell curl -I http://localhost:8889/

There are a few url's that are unprotected (even when there is an api key), for example you can still curl http://localhost:8889/api/doc (as well as the status url's that Wade mentioned)

@johnekent
Copy link
Contributor Author

@ianco - This change was not initially intended to impact security behavior, but you make a good point. With allow_head = True or False, the server returns a 401 error with admin api key enabled. With the api key enabled the development proxy would not work which is currently OK, but this may have gaps in the future.
This feature only currently considers HEAD calls with admin-insecure-mode, so that the default route returns a 302 instead of a 405 with the corresponding error in the server log. In my development proxy situation, I can't configure it to use any routes other than the default.
The security risk of adding this default route to the unprotected set isn't clear to me.

Do you think it would be better to first handle the initial use case (insecure mode) now, and then consider the admin api key scenario in the future? Or, should more thought be given to adding the default route to the unprotected set (or similar)? If you provide direction on where in the code base the unprotected set is configured, I can also try to see how that works across the use case variations.

@WadeBarnes
Copy link
Contributor

I don't think it would be advisable to add the default route to the set of unprotected routes.

@johnekent, Are you able to provide more details on why your setup requires allow_head = True? Perhaps there is another way to accomplish the same thing. Would there be an issue in you're scenario if the admin api key were enabled?

@ianco
Copy link
Contributor

ianco commented Jan 16, 2023

@johnekent the list of unprotected paths is defined here: https://github.com/hyperledger/aries-cloudagent-python/blob/main/aries_cloudagent/admin/server.py#L300

These include the /api/doc endpoint (so you can connect to the swagger page and authenticate) and the status endpoints that we use for our deployments. (All of our deployments are secured by an api key, but we don't require the api key access the status endpoints.)

It's recommended to enable the api key for all deployments (other than local dev). Could your do a HEAD query against one of our existing status endpoints?

@johnekent
Copy link
Contributor Author

@WadeBarnes I am using the Coder development environment which provides a Dev URLs feature for ports (admin, endpoints, etc.) to be available as a reverse proxy - e.g. for accessing the swagger docs from a browser, or for a controller UI to connect with an agent. The majority of work will be on developing controllers, which shouldn't require admin api keys. I.e., this is for controller development, not for server administration/configuration.

@ianco the setup described above would be considered local dev, and would only be used for those purposes. The dev urls configuration can't specify any endpoints, only server and port.

If this feature can be merged, then Coder can be used for controller development. That seems like a benefit to the aries ecosystem that doesn't cause any harm and also doesn't change the current security. However, I am open to exploring alternatives.

@ianco
Copy link
Contributor

ianco commented Jan 16, 2023

OK, I'm ok with this as long as @WadeBarnes is ok with it lol

It won't cause any hard because the HEAD method can't be used if the admin api key is enabled, so it's only available in a non-secure environment.

(Btw the admin api key is definitely intended for use with controllers, it's all that's protecting aca-py's admin api from malicious use. If you deploy aca-py into a prod environment with no api key and someone gains access to the admin url they can issue themselves credentials under your identity.)

@johnekent
Copy link
Contributor Author

Thanks @ianco . I will make sure the overall development cycle for controllers includes usage of the api keys; thanks for the additional consideration.

@johnekent
Copy link
Contributor Author

@ianco and @WadeBarnes what about this addition - adding HEAD to the existing OPTIONS check. This allows both use cases while extending the existing security for method exceptions.

@WadeBarnes
Copy link
Contributor

Allowing HEAD requests to bypass security when the admin api key is enabled would falsely indicate the endpoints were available when in fact they would not respond to any other request. It also opens the door for the API to be more easily scanned when it's supposed to be secured.

Allowing HEAD under the regular security constraints would be fine. Meaning HEAD requests could be used in insecure mode, or secure mode provided the api key was also supplied in the request.

@@ -323,7 +323,7 @@ async def check_token(request: web.Request, handler):
if (
valid_key
or is_unprotected_path(request.path)
or (request.method == "OPTIONS")
or (request.method in ["OPTIONS","HEAD"])
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please revert this change.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reverted. Put it for review because it was another approach, similar to OPTIONS. Thanks for reviewing.

@johnekent johnekent requested review from ianco and WadeBarnes and removed request for ianco and WadeBarnes January 17, 2023 22:11
@WadeBarnes
Copy link
Contributor

@johnekent, Looks good to me. Could you please squash and rebase your changes into a single commit and add DCO sign-off please?

@johnekent johnekent force-pushed the main branch 2 times, most recently from 17e5033 to 1bdf726 Compare January 18, 2023 01:41
@sonarqubecloud
Copy link

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
No Duplication information No Duplication information

@johnekent
Copy link
Contributor Author

Appreciate the patience and feedback here @WadeBarnes and @ianco . Squashed back to what's ultimately the initial commit, and I believe the DCO's on that one. Will check back after the scans. Thanks.

@WadeBarnes
Copy link
Contributor

@ianco, ready for your review and approval.

@ianco ianco merged commit 5c9ce16 into openwallet-foundation:main Jan 18, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants