Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add connection-level security to frontend #5261

Merged
merged 7 commits into from
Aug 14, 2024
Merged

Add connection-level security to frontend #5261

merged 7 commits into from
Aug 14, 2024

Conversation

JamesNK
Copy link
Member

@JamesNK JamesNK commented Aug 12, 2024
edited by dotnet-policy-service bot
Loading

Description

This PR adds connection-level security to the frontend. The frontend can now only be accessed via the frontend point.

This change is required because the OTLP HTTP endpoint supports being accessed via browser, and we don't want people to be able to browser the dashboard UI via the OTLP HTTP endpoint.

Checklist

  • Is this feature complete?
    • Yes. Ready to ship.
    • No. Follow-up changes expected.
  • Are you including unit tests for the changes and scenario tests if relevant?
    • Yes
    • No
  • Did you add public API?
    • Yes
      • If yes, did you have an API Review for it?
        • Yes
        • No
      • Did you add <remarks /> and <code /> elements on your triple slash comments?
        • Yes
        • No
    • No
  • Does the change make any security assumptions or guarantees?
    • Yes
      • If yes, have you done a threat model and had a security review?
        • Yes
        • No - Will be discussed with OTLP HTTP changes
    • No
  • Does the change require an update in our Aspire docs?
    • Yes
      • Link to aspire-docs issue:
    • No
Microsoft Reviewers: Open in CodeFlow

@drewnoakes
Copy link
Member

This change is required because the OTLP HTTP endpoint supports being accessed via browser, and we don't want people to be able to browser the dashboard UI via the OTLP HTTP endpoint.

To confirm understanding, the issue before this PR was that a user can auth for OTLP HTTP then use that token to view the Dashboard?

@JamesNK
Copy link
Member Author

JamesNK commented Aug 14, 2024
edited
Loading

I'm not sure. I didn't test what happens when someone accessed the browser dashboard when there wasn't a frontend cookie.

However, it was possible to view the dashboard via the OTLP HTTP port, which we want to prevent regardless of whether you're authenticated to view the dashboard or not.

@JamesNK
Copy link
Member Author

JamesNK commented Aug 14, 2024

It would be useful if you double checked ODIC still works. The test passes, but I'm not sure if that completely verifies it is working. I believe there was a manual test you ran when that auth type was added.

drewnoakes
drewnoakes approved these changes Aug 14, 2024
View reviewed changes
Copy link
Member

@drewnoakes drewnoakes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Just some nits.

I believe there was a manual test you ran when that auth type was added.

The manual test was for certificates, and Bala's team are running that test now. The OIDC tests here look good to me.

@JamesNK @drewnoakes
Apply suggestions from code review
df93c2f 
Co-authored-by: Drew Noakes <git@drewnoakes.com>
@JamesNK JamesNK merged commit a003c23 into main Aug 14, 2024
11 checks passed
@JamesNK JamesNK deleted the jamesnk/frontend-connectionsecurity branch August 14, 2024 12:12
@github-actions github-actions bot locked and limited conversation to collaborators Sep 15, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@drewnoakes drewnoakes drewnoakes approved these changes

@tlmii tlmii Awaiting requested review from tlmii

@adamint adamint Awaiting requested review from adamint

@kvenkatrajan kvenkatrajan Awaiting requested review from kvenkatrajan

Assignees
No one assigned
Labels
area-dashboard
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@JamesNK @drewnoakes