Allow authentication against the _vmdb_session cookie for UI only #543
Conversation
Looks like this is still missing the header code. Without it, when the cookie expires, the request will be done without a cookie, |
|
@himdel you're right, we're also missing the CSRF token validation ... the question is how we want to have them. I assume that GET requests to the API should be also verified against the CSRF token, but maybe i'm off the rails with this (pun intended). ping @martinpovolny |
skateman
force-pushed
the
cookie-auth
branch
3 times, most recently
from
72377e0 to
4b3da56
Compare
|
@martinpovolny I've added the CSRF token verification, it was way simpler than I thought. I assume we also want to verify the origin, but please let me know if not. cc @himdel |
|
This pull request is not mergeable. Please rebase and repush. |
|
I worked with @skateman to test these changes. The testing done was with SAML via Keycloak, External Auth and SSO (kerberos) via IPA. I believe this is a good test sampling. LGTM JoeV |
skateman
changed the title
|
@miq-bot rm_label unmergeable |
wow 😮 |
| # only the CSRF token is being sent and we want the API to know that the request was | ||
| # initiated from the UI. Otherwise the response to a such request would force the | ||
| # browser to throw an undesired HTTP basic authentication dialog. | ||
| :cookie_ui |
There was a problem hiding this comment.
What I'm reading in your comment is that the CSRF token will always exist, so why have the check for the session cookie here at all. That is, it seems this code can just be
...
elsif request.x_csrf_token
:cookie_ui
else
...There was a problem hiding this comment.
So, that being said, where do we use the SESSION_COOKIE at all after this point? Even in your tests, I don't see you setting the cookie at all.
There was a problem hiding this comment.
@Fryguy in my tests the session cookie is sent automatically, that's AFAIK default rack behavior. You'll have a session cookie in Rails after your first request to the site, even if you're not logged in. But you're right, I'll simplify this part...
| when :basic, :basic_ui, nil | ||
| when :cookie_ui | ||
| raise AuthenticationError unless valid_ui_session? | ||
| auth_user(session[:userid]) |
There was a problem hiding this comment.
I'm assuming the cookie check is in here?
There was a problem hiding this comment.
It actually happens earlier in the valid_ui_session? when validating the CSRF token as it is also part of the session.
|
I have a few questions but overall I'm ok with this approach. I would like another set of eyes though... @jrafanie ? |
Yeah, I looked at it. @skateman and I chatted and I neglected to comment here. I'm good with the changes although I'm not sure what to do about the verifying of the origin. |
|
Some comments on commit skateman@c8cfce3 spec/requests/authentication_spec.rb
|
|
Checked commit skateman@c8cfce3 with ruby 2.3.3, rubocop 0.52.1, haml-lint 0.20.0, and yamllint 1.10.0 spec/requests/authentication_spec.rb
|
|
@jrafanie I've added the origin verification, it doesn't hurt as it allows |
|
As discussed f2f: when talking with the API from a browser there should be 2 secrets:
The 1st is vulnerable to XSRF but relatively safe from XSS, the 2nd is vulnerable to XSS but relatively safe from XSRF. Then together with CSP we should be safe. (We still have to work on making the CSP policy stricter.) I have to confess that I have not read this PR in details but I believe that your solution is implemented as we discussed. 👍 |
|
@martinpovolny yes it is, now it hangs on the UI side here: ManageIQ/manageiq-ui-classic#5164 |
We're consuming the API from our UI with token authentication, which is not the best because we have to poll the API to renew the token. This made the complexity of the login code unnecessarily high and also the token renewal floods the log with useless information every X seconds.
The API and the UI workers are both using the same memcached server to store short-living information, such as sessions or tokens. As the two workers are basically the same application, they implicitly have the same session cookie and so through memcached, sharing the access to the same session. However, the API was not using this session, for now.
I'm proposing a new authentication mechanism for the UI only (replaces #542) that will test if the CSRF header is set on the API request. This header will be used from the UI only and will also prevent from opening a HTTP basic auth dialog even if the session times out. This will make #542 completely obsolete.
I've discussed this with @Fryguy already and honestly, due to the simplicity of this feature I am afraid that this is too good to be true. Anyway, we will use this PR with @himdel to work further on the UI part and make changes if something goes wrong. The behavior of the API should not be affected by this change, however, we will be able to drop a few hunderd lines of JS from the UI.
When using external authentication, the apache would force basic auth on every unauthorized API request, but there's a fix for that here: ManageIQ/manageiq-appliance#224