Univention Bugzilla – Bug 53454
Kelvin API can be used with unsigned authentication tokens
Last modified: 2021-11-19 02:44:35 CET
The Kelvin API can be used with unsigned authentication tokens. This has to be fixed.
The reason is that with the change to OPA we unfortunately did not include the verification with the secret that was implemented in the get_current_user function, which was used in protected routes before. To solve this problem we now implemented the function get_token, which can be used as a Depends in protected routes. This function verifies the token properly and raises an Exception if that fails. With that the old behavior in that regard is recovered.

Additionally we had to change the build_docker_image script. OPA changed its way of distributing binaries (https://github.com/open-policy-agent/opa/releases/tag/v0.29.4), so that we need to use the _static opa binary for our alpine docker image.

A test was also added that ensures that an arbitrary token cannot be used to authenticate against the Kelvin API.

Changes can be tested from the TestAppCenter (1.4.3).
QA: all OK, verify
- New appversion in test appcenter
- changelog & readmes, version.txt
- new test
- all tests pass on test vm

manually testing: I built a web $token with a wrong payload and ran:

curl -v -X GET "http://$host/ucsschool/kelvin/v1/classes/?school=DEMOSCHOOL" -H "accept: application/json" -H "Authorization: Bearer $token"

(also tested for users, schools & roles)

→ HTTP/1.1 401 Unauthorized

The behaviour with a correct token is:

curl -X GET "http://$host/ucsschool/kelvin/v1/classes/?school=DEMOSCHOOL" -H "accept: application/json" -H "Authorization: Bearer $token"

[{"dn":"cn=DEMOSCHOOL-Democlass,cn=klassen,cn=schueler,cn=groups,ou=DEMOSCHOOL,dc=dc-we,dc=intranet","url":"https:\/\/10.200.47.83\/ucsschool\/kelvin\/v1\/classes\/DEMOSCHOOL\/Democlass","ucsschool_roles":["school_class:school:DEMOSCHOOL"],"name":"Democlass","school":"https:\/\/10.200.47.83\/ucsschool\/kelvin\/v1\/schools\/DEMOSCHOOL","description":null,"users":["https:\/\/10.200.47.83\/ucsschool\/kelvin\/v1\/users\/demo_student"]}]

mails → OK
install via appcenter → OK
Kelvin App released in version 1.4.3. If that problem occurs again, please create/clone a new bug.
The corresponding commits were:
aca7caaf0817 | Bug #53454: Use correct OPA binary for alpine image
7b0c0a5aa77b | Bug #53454: Prevent using the API with an unsigned jwt