Bug 1466129 - Add generated HMAC token in header for webhook calls
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: eventsapi
Priority: medium
Severity: medium
Target Release: RHGS 3.4.0
Assigned To: Aravinda VK
QA Contact: Sweta Anandpara
Depends On:
Blocks: 1503134 1496363 1501864 1568820
Reported: 2017-06-29 02:47 EDT by Sahina Bose
Modified: 2018-06-29 09:47 EDT

See Also:
Fixed In Version: glusterfs-3.12.2-8
Doc Type: If docs needed, set a value
Doc Text:
Problem: Gluster was not adding an HMAC signature to events pushed to a webhook.
Fix: Using the secret collected during webhook registration, the Gluster events daemon now generates an HMAC token and adds it to the Authorization header when sending an event to the webhook.
Result: If a secret is specified during webhook registration, Gluster adds an HMAC signature to every event before sending it to the webhook.
Story Points: ---
Clone Of:
Clones: 1496363 1568820
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Sahina Bose 2017-06-29 02:47:34 EDT
Description of problem:
Currently, there's no way to ascertain the identity/validity of webhook requests sent by gluster-eventsd. If a header were added that contains an HMAC token generated using the content and a secret key, this would ensure that the server can validate that the request is genuine before processing the event.

Comment 3 Aravinda VK 2017-09-27 00:54:42 EDT
As discussed over IRC, the Events API will implement JWT (JSON Web Tokens). An additional argument will be added to the webhook-add command to accept the secret that is required to generate the JWT.

    gluster-eventsapi webhook-add <url> [--token <TOKEN>] \
        [--secret <SECRET>]

For the shared-secret approach use `--secret`, and for the shared-token approach use `--token`. With the `--token` argument, the token header will be added as is.

    Authorization: Bearer <TOKEN>

In the case of a shared secret, Gluster will generate a JWT token using the secret and then add it to the Authorization header.

    Authorization: Bearer <GENERATED_TOKEN>

The secret/token can be updated using the `webhook-mod` command.

The generated token will include the following payload:

    {
        "iss": "gluster",
        "exp": EXPIRY_TIME,
        "sub": EVENT_TYPE,
        "iat": EVENT_TIME
    }

Where: iss - Issuer, exp - Expiry Time, sub - Event Type used as Subject, iat - Event Time used as Issue Time
Comment 4 Aravinda VK 2017-09-27 04:01:18 EDT
Upstream patch posted https://review.gluster.org/#/c/18405
Comment 7 Aravinda VK 2017-12-28 04:54:25 EST
Another patch sent to Upstream which fixes the external library dependency issue.

Comment 11 Aravinda VK 2018-04-17 10:24:37 EDT
Root-caused the issue: it is due to the secret being stored as a Unicode string. I will work on it and send a patch by tomorrow.
Comment 12 Atin Mukherjee 2018-04-20 00:55:25 EDT
upstream patch : https://review.gluster.org/#/c/19900/
