Bug 1466129

Summary: Add generated HMAC token in header for webhook calls
Product: [Red Hat Storage] Red Hat Gluster Storage Reporter: Sahina Bose <sabose>
Component: eventsapi Assignee: Aravinda VK <avishwan>
Status: CLOSED ERRATA QA Contact: Sweta Anandpara <sanandpa>
Severity: medium Docs Contact:
Priority: medium    
Version: rhgs-3.3CC: amukherj, avishwan, rhinduja, rhs-bugs, sheggodu, srmukher
Target Milestone: ---   
Target Release: RHGS 3.4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: glusterfs-3.12.2-8 Doc Type: Bug Fix
Doc Text:
Earlier, gluster did not add an HMAC signature (hash-based message authentication code) to the events pushed to the webhook. With this update, the gluster event daemon generates an HMAC token and adds it to the Authorization header while sending the event to the webhook.
Story Points: ---
Clone Of:
: 1496363 1568820 Environment:
Last Closed: 2018-09-04 06:32:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1496363, 1501864, 1503134, 1568820    

Description Sahina Bose 2017-06-29 06:47:34 UTC
Description of problem:
Currently, there's no way to ascertain the identity/validity of webhook requests sent by gluster-eventsd. If a header were added that contains an HMAC token generated using the content and a secret key, this would ensure that the server can validate that the request is genuine before processing the event.


Version-Release number of selected component (if applicable):
3.3

How reproducible:
Always

Comment 3 Aravinda VK 2017-09-27 04:54:42 UTC
As discussed over IRC, Events API will implement JWT (JSON Web Tokens). An additional argument will be added to the webhook-add command to accept the secret which is required to generate the JWT.

    gluster-eventsapi webhook-add <url> [--token <TOKEN>] \
        [--secret <SECRET>]

For the shared secret approach, use `--secret`; for the shared token approach, use `--token`. With the `--token` argument, the token header will be added as is.

    Authorization: Bearer <TOKEN>

In case of shared secret, Gluster will generate JWT token using the secret and then add it to Authorization header.

    Authorization: Bearer <GENERATED_TOKEN>

Secret/Token can be updated using `webhook-mod` command.

The generated token will include the following payload:

    {
        "iss": "gluster",
        "exp": EXPIRY_TIME,
        "sub": EVENT_TYPE,
        "iat": EVENT_TIME
    }

Where: iss - Issuer, exp - Expiry Time, sub - Event Type used as Subject, iat - Event Time used as Issue Time
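
An added illustration of the scheme described in this comment (example code, not gluster-eventsd's own implementation): the sender builds an HS256 JWT carrying the iss/exp/sub/iat payload above and places it in the Authorization header, and the webhook receiver verifies the signature, issuer and expiry before trusting the event. Only the standard library is used, so no external JWT dependency is needed; the function names, the 60-second lifetime and the sample values in the usage are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def generate_token(secret, event_type, event_time, ttl=60):
    """Sender side: build an HS256 JWT with the iss/exp/sub/iat payload described above."""
    # HMAC needs a bytes key; a str secret (the Unicode issue noted later in this bug) is encoded here.
    key = secret.encode("utf-8") if isinstance(secret, str) else secret
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": "gluster", "exp": event_time + ttl, "sub": event_type, "iat": event_time}
    signing_input = "{}.{}".format(
        _b64url(json.dumps(header, separators=(",", ":")).encode("utf-8")),
        _b64url(json.dumps(payload, separators=(",", ":")).encode("utf-8")))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_authorization(header_value, secret, now=None):
    """Receiver side: check 'Authorization: Bearer <token>' and return the payload, or None."""
    if not header_value.startswith("Bearer "):
        return None
    parts = header_value[len("Bearer "):].split(".")
    if len(parts) != 3:
        return None
    key = secret.encode("utf-8") if isinstance(secret, str) else secret
    try:
        expected = hmac.new(key, (parts[0] + "." + parts[1]).encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):  # constant-time compare
            return None
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except (ValueError, TypeError):
        return None
    # Reject tokens not signed as expected (e.g. alg "none") or not issued by gluster.
    if header.get("alg") != "HS256" or payload.get("iss") != "gluster":
        return None
    if payload.get("exp", 0) < (time.time() if now is None else now):
        return None
    return payload

if __name__ == "__main__":  # constructed sample: a VOLUME_CREATE event at a fixed timestamp
    token = generate_token("s3cret", "VOLUME_CREATE", 1500000000)
    print(verify_authorization("Bearer " + token, "s3cret", now=1500000010))
```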

Comment 4 Aravinda VK 2017-09-27 08:01:18 UTC
Upstream patch posted https://review.gluster.org/#/c/18405

Comment 7 Aravinda VK 2017-12-28 09:54:25 UTC
Another patch was sent upstream which fixes the external library dependency issue.

https://review.gluster.org/19102

Comment 11 Aravinda VK 2018-04-17 14:24:37 UTC
Root-caused the issue: the issue is due to the secret being stored as a Unicode string. I will work on it and send a patch by tomorrow.

Comment 12 Atin Mukherjee 2018-04-20 04:55:25 UTC
Upstream patch: https://review.gluster.org/#/c/19900/

Comment 16 Srijita Mukherjee 2018-09-03 14:44:12 UTC
Updated the doc text. Kindly review and confirm.

Comment 17 errata-xmlrpc 2018-09-04 06:32:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2607

Comment 18 Red Hat Bugzilla 2023-09-14 04:00:05 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days