Bug 53454 - Kelvin API can be used with unsigned authentication tokens
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: HTTP-API (Kelvin)
UCS@school 4.4
Other Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: Ole Schwiegert
QA Contact: Tobias Wenzel
Depends on:
Blocks: 54075
Reported: 2021-06-16 09:45 CEST by Tobias Wenzel
Modified: 2021-11-19 02:44 CET (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N)
Description Tobias Wenzel univentionstaff 2021-06-16 09:45:57 CEST
The Kelvin API can be used with unsigned authentication tokens. This has to be fixed.
Comment 1 Ole Schwiegert univentionstaff 2021-06-16 15:41:26 CEST
The reason is that with the change to OPA we unfortunately did not include the verification with the secret that was implemented in the get_current_user function, which was used in protected routes before.

To solve this problem we now implemented the function get_token, which can be used as a Depends in protected routes. This function verifies the token properly and raises an Exception if that fails. With that the old behavior in that regard is recovered.

Additionally we had to change the build_docker_image script. OPA changed its way of distributing binaries (https://github.com/open-policy-agent/opa/releases/tag/v0.29.4), so that we need to use the _static opa binary for our alpine docker image.

A test was also added that ensures that an arbitrary token cannot be used to authenticate against the Kelvin API.

Changes can be tested from the TestAppCenter (1.4.3).
Comment 2 Tobias Wenzel univentionstaff 2021-06-16 16:48:20 CEST
QA: all OK, verify

- New appversion in test appcenter
- changelog & readmes, version.txt
- new test
- all tests pass on test vm

Manual testing:
I built a web token ($token) with a wrong payload and ran:

curl -v -X GET "http://$host/ucsschool/kelvin/v1/classes/?school=DEMOSCHOOL"  -H "accept: application/json" -H "Authorization: Bearer $token"
(also tested for users, schools & roles)
→ HTTP/1.1 401 Unauthorized

The behaviour with a correct token is:
curl  -X GET "http://$host/ucsschool/kelvin/v1/classes/?school=DEMOSCHOOL"  -H "accept: application/json" -H "Authorization: Bearer $token"
[{"dn":"cn=DEMOSCHOOL-Democlass,cn=klassen,cn=schueler,cn=groups,ou=DEMOSCHOOL,dc=dc-we,dc=intranet","url":"https:\/\/10.200.47.83\/ucsschool\/kelvin\/v1\/classes\/DEMOSCHOOL\/Democlass","ucsschool_roles":["school_class:school:DEMOSCHOOL"],"name":"Democlass","school":"https:\/\/10.200.47.83\/ucsschool\/kelvin\/v1\/schools\/DEMOSCHOOL","description":null,"users":["https:\/\/10.200.47.83\/ucsschool\/kelvin\/v1\/users\/demo_student"]}]


mails → OK
install via appcenter → OK
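A stdlib-only illustration, added here and not Kelvin's own code, of the verification that a get_token dependency as described in comment 1 has to perform, reproducing the two outcomes from the QA in comment 2 (401 for a token that was not signed with the server secret, 200 for a properly signed one). The HS256 secret, the claim names, and the helper names are assumptions; Kelvin's real implementation, its secret handling and its OPA policy are not on this page.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: an HS256 shared secret. The real Kelvin secret and where it is
# stored are not part of this bug report.
DEMO_SECRET = b"constructed-demo-secret-do-not-use"


class TokenError(Exception):
    """Token failed verification; a route dependency turns this into HTTP 401."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_token(payload: dict, secret: bytes) -> str:
    """Issue an HS256 JWT (only needed here to build valid test input)."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(payload)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def make_unsigned_token(payload: dict) -> str:
    """Constructed test input: the kind of token QA sent in comment 2, with
    'alg: none' and an empty signature segment. A correct verifier must reject it."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(payload) + "."


def get_token(authorization: str, secret: bytes = DEMO_SECRET, now: float = None) -> dict:
    """Verify an 'Authorization: Bearer <jwt>' header value and return its claims.

    Rejects a missing or malformed header, any alg other than the pinned HS256
    (including 'none'), a wrong or absent signature, and an expired token.
    """
    if not authorization or not authorization.startswith("Bearer "):
        raise TokenError("missing bearer token")
    parts = authorization[len("Bearer "):].strip().split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError as exc:  # binascii.Error, JSONDecodeError, UnicodeDecodeError
        raise TokenError("undecodable token") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise TokenError("malformed token")
    # Pin the algorithm on the server side. Letting header["alg"] choose the
    # verifier is exactly how an unsigned 'alg: none' token gets accepted.
    if header.get("alg") != "HS256":
        raise TokenError("unsupported alg")
    expected = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")
    exp = payload.get("exp")
    current = time.time() if now is None else now
    if exp is not None and current >= exp:
        raise TokenError("token expired")
    return payload


def authorize(authorization: str, secret: bytes = DEMO_SECRET) -> int:
    """What a protected route answers: 200 when the claims verify, else 401."""
    try:
        get_token(authorization, secret)
        return 200
    except TokenError:
        return 401


if __name__ == "__main__":
    good = sign_token({"sub": "Administrator", "exp": int(time.time()) + 300}, DEMO_SECRET)
    forged = make_unsigned_token({"sub": "Administrator"})
    wrong_secret = sign_token({"sub": "Administrator"}, b"not-the-server-secret")
    for label, header in (("signed", good), ("unsigned", forged), ("wrong secret", wrong_secret)):
        print(f"{label:>13}: HTTP {authorize('Bearer ' + header)}")
```

The point of the dependency is that the server decides the algorithm and recomputes the MAC with its own secret; the token header only tells the server what to check, never what to trust. Wiring `get_token` into a FastAPI route as `Depends(get_token)` and converting `TokenError` into a 401 response is how the protected routes recover the behaviour comment 1 describes.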
Comment 3 Ole Schwiegert univentionstaff 2021-06-16 16:49:17 CEST
Kelvin App released in version 1.4.3.

If that problem occurs again, please create/clone a new bug.
Comment 4 Florian Best univentionstaff 2021-11-19 02:44:35 CET
The corresponding commits were:

aca7caaf0817 | Bug #53454: Use correct OPA binary for alpine image
7b0c0a5aa77b | Bug #53454: Prevent using the API with an unsigned jwt