Bug 1496363

Summary: Add generated HMAC token in header for webhook calls
Product: [Community] GlusterFS Reporter: Aravinda VK <avishwan>
Component: eventsapiAssignee: Aravinda VK <avishwan>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: mainlineCC: rhs-bugs, sabose, sanandpa
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: glusterfs-3.13.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1466129
: 1501864 (view as bug list) Environment:
Last Closed: 2017-12-08 17:42:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1466129, 1568820    
Bug Blocks: 1501864    

Description Aravinda VK 2017-09-27 07:57:42 UTC 
+++ This bug was initially created as a clone of Bug #1466129 +++

Description of problem:
Currently, there's no way to ascertain the identity/validity of a webhook requests sent by gluster-eventsd. If a Header was added that contains an HMAC token generated using content and secret key, this would ensure that server can validate the request is genuine before processing the event.


--- Additional comment from Aravinda VK on 2017-09-27 00:54:42 EDT ---

As discussed over IRC, Events API will implement JWT(JSON Web Tokens). Additional argument will be added to webhook-add command to accept the secret which is required to generate JWT.

    gluster-eventsapi webhook-add <url> [-t <TOKEN>] \
        [--secret <SECRET>]

For shared secret approach use, `--secret` and for shared token approach use `--token`. With `-t` argument, Token header will be added as is.

    Authorization: Bearer <TOKEN>

In case of shared secret, Gluster will generate JWT token using the secret and then add it to Authorization header.

    Authorization: Bearer <GENERATED_TOKEN>

Secret/Token can be updated using `webhook-mod` command.

Generated token will include the following payload,

    {
        "iss": "gluster",
        "exp": EXPIRY_TIME,
        "sub": EVENT_TYPE,
        "iat": EVENT_TIME
    }

Where: iss - Issuer,  exp - Expiry Time, sub - Event Type used as Subject, iat - Event Time used as Issue Time
Comment 1 Worker Ant 2017-09-27 08:00:11 UTC 
REVIEW: https://review.gluster.org/18405 (eventsapi: Add JWT signing support) posted (#1) for review on master by Aravinda VK (avishwan)
Comment 2 Worker Ant 2017-10-13 11:17:43 UTC 
COMMIT: https://review.gluster.org/18405 committed in master by Aravinda VK (avishwan) 
------
commit add7116efa1f31e86f9c00c72c71872b1161370f
Author: Aravinda VK <avishwan>
Date:   Mon Sep 18 14:34:54 2017 +0530

    eventsapi: Add JWT signing support
    
    New argument added to accept secret to generate JWT token. This patch
    does not affect the backward compatibility.
    
    Usage:
    
        gluster-eventsapi webhook-add <url> [-t <TOKEN>] \
            [-s SECRET]
    
    With `--token` argument, Token header will be added as is.
    
        Authorization: Bearer <TOKEN>
    
    In case of shared secret, Gluster will generate JWT token using the
    secret and then add it to Authorization header.
    
        Authorization: Bearer <GENERATED_TOKEN>
    
    Secret/Token can be updated using `webhook-mod` command.
    
    Generated token will include the following payload,
    
        {
           "iss": "gluster",
           "exp": EXPIRY_TIME,
           "sub": EVENT_TYPE,
           "iat": EVENT_TIME
         }
    
    Where: iss - Issuer, exp - Expiry Time, sub - Event Type
           used as Subject, iat - Event Time used as Issue Time
    
    BUG: 1496363
    Change-Id: Ib6b6fab23fb212d7f5e9bbc9e1416a9e9813ab1b
    Signed-off-by: Aravinda VK <avishwan>
Comment 3 Shyamsundar 2017-12-08 17:42:08 UTC 
This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-3.13.0, please open a new bug report.

glusterfs-3.13.0 has been announced on the Gluster mailinglists [1], packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailinglist [2] and the update infrastructure for your distribution.

[1] http://lists.gluster.org/pipermail/announce/2017-December/000087.html
[2] https://www.gluster.org/pipermail/gluster-users/