Description of problem: Currently, there's no way to ascertain the identity/validity of webhook requests sent by gluster-eventsd. If a header were added that contains an HMAC token generated using the content and a secret key, this would ensure that the server can validate that the request is genuine before processing the event.
Version-Release number of selected component (if applicable): 3.3
How reproducible: Always
As discussed over IRC, the Events API will implement JWT (JSON Web Tokens). An additional argument will be added to the webhook-add command to accept the secret which is required to generate the JWT.

    gluster-eventsapi webhook-add <url> [--token <TOKEN>] \
                                        [--secret <SECRET>]

For the shared secret approach use `--secret`, and for the shared token approach use `--token`. With the `--token` argument, the token header will be added as is:

    Authorization: Bearer <TOKEN>

In case of a shared secret, Gluster will generate a JWT using the secret and then add it to the Authorization header:

    Authorization: Bearer <GENERATED_TOKEN>

The secret/token can be updated using the `webhook-mod` command. The generated token will include the following payload:

    {
        "iss": "gluster",
        "exp": EXPIRY_TIME,
        "sub": EVENT_TYPE,
        "iat": EVENT_TIME
    }

Where: iss - Issuer, exp - Expiry Time, sub - Event Type used as Subject, iat - Event Time used as Issue Time
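The shared-secret flow described above, as an added example that is not part of the Gluster code or this bug thread: a minimal HS256 JWT generator with the iss/exp/sub/iat payload, and the receiver-side check a webhook endpoint would run on the Authorization header. The event type "VOLUME_CREATE", the secret and the timestamps are constructed sample values; the secret is encoded to bytes before use, since a Unicode/str secret cannot be fed to hmac directly.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data):
    # JWT segments use unpadded base64url (RFC 7515 section 2)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def generate_event_jwt(secret, event_type, event_time, ttl=300):
    """Sender side: HS256 JWT with the payload from the comment above."""
    if isinstance(secret, str):           # a str secret must become bytes
        secret = secret.encode("utf-8")
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": "gluster", "exp": event_time + ttl,
               "sub": event_type, "iat": event_time}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(payload))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_event_jwt(secret, authorization_header, now=None):
    """Receiver side: return the payload if the Bearer JWT is valid, else None."""
    if isinstance(secret, str):
        secret = secret.encode("utf-8")
    if not authorization_header.startswith("Bearer "):
        return None
    parts = authorization_header[len("Bearer "):].split(".")
    if len(parts) != 3:
        return None
    signing_input = parts[0] + "." + parts[1]
    expected = _b64url(hmac.new(secret, signing_input.encode("ascii"),
                                hashlib.sha256).digest())
    if not hmac.compare_digest(expected, parts[2]):   # constant-time compare
        return None
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    if header.get("alg") != "HS256":                  # refuse "none"/other algs
        return None
    now = time.time() if now is None else now
    if payload.get("iss") != "gluster" or payload.get("exp", 0) < now:
        return None
    return payload
```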
Upstream patch posted https://review.gluster.org/#/c/18405
Another patch sent to Upstream which fixes the external library dependency issue. https://review.gluster.org/19102
Root caused the issue, issue is due to secret stored as Unicode string. I will work on it and send patch by tomorrow.
Upstream patch: https://review.gluster.org/#/c/19900/
Updated the doc text. Kindly review and confirm.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:2607
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days