Bug 1466129 - Add generated HMAC token in header for webhook calls [NEEDINFO]
Summary: Add generated HMAC token in header for webhook calls
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: eventsapi
Version: rhgs-3.3
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: RHGS 3.4.0
Assignee: Aravinda VK
QA Contact: Sweta Anandpara
URL:
Whiteboard:
Depends On:
Blocks: 1496363 1501864 1503134 1568820
Reported: 2017-06-29 06:47 UTC by Sahina Bose
Modified: 2018-09-25 10:33 UTC (History)

Fixed In Version: glusterfs-3.12.2-8
Doc Type: Bug Fix
Doc Text:
Earlier, gluster did not add an HMAC signature (hash-based message authentication code) to the events pushed to the webhook. With this update, the gluster event daemon generates an HMAC token and adds it to the Authorization header when sending an event to the webhook.
Clone Of:
Clones: 1496363 1568820
Environment:
Last Closed: 2018-09-04 06:32:36 UTC
srmukher: needinfo? (avishwan)


Links
System ID: Red Hat Product Errata RHSA-2018:2607
Priority: None
Status: None
Summary: None
Last Updated: 2018-09-04 06:34:40 UTC

Description Sahina Bose 2017-06-29 06:47:34 UTC
Description of problem:
Currently, there's no way to ascertain the identity/validity of webhook requests sent by gluster-eventsd. If a header was added that contains an HMAC token generated using the content and a secret key, this would ensure that the server can validate that the request is genuine before processing the event.


Version-Release number of selected component (if applicable):
3.3

How reproducible:
Always

Comment 3 Aravinda VK 2017-09-27 04:54:42 UTC
As discussed over IRC, Events API will implement JWT (JSON Web Tokens). An additional argument will be added to the webhook-add command to accept the secret which is required to generate the JWT.

    gluster-eventsapi webhook-add <url> [--token <TOKEN>] \
        [--secret <SECRET>]

For the shared secret approach use `--secret`, and for the shared token approach use `--token`. With the `--token` argument, the token header will be added as is.

    Authorization: Bearer <TOKEN>

In case of a shared secret, Gluster will generate a JWT token using the secret and then add it to the Authorization header.

    Authorization: Bearer <GENERATED_TOKEN>

Secret/Token can be updated using the `webhook-mod` command.

The generated token will include the following payload:

    {
        "iss": "gluster",
        "exp": EXPIRY_TIME,
        "sub": EVENT_TYPE,
        "iat": EVENT_TIME
    }

Where: iss - Issuer, exp - Expiry Time, sub - Event Type used as Subject, iat - Event Time used as Issue Time
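
The token scheme described in this comment, as an added standard-library example (not gluster's own code): HS256 JWT generation with the iss/exp/sub/iat payload on the sending side, and the check a webhook receiver should perform before trusting an event. The secret, event type, timestamps and the 60 second `ttl` are constructed sample values, not taken from the patch.

```python
import base64
import hashlib
import hmac
import json
import time

def _b64url(data):
    # JWT uses unpadded base64url; the decoder re-adds the padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _secret_bytes(secret):
    # A unicode/str secret handed straight to hmac.new() breaks signing
    # (see comment 11); normalise to bytes before signing or verifying.
    return secret.encode("utf-8") if isinstance(secret, str) else secret

def generate_token(secret, event_type, event_time, ttl=60):
    # Sender side (gluster-eventsd): header.payload signed with HS256, sent
    # as "Authorization: Bearer <token>". ttl is an assumed expiry window.
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": "gluster", "exp": event_time + ttl,
               "sub": event_type, "iat": event_time}
    parts = [_b64url(json.dumps(x, separators=(",", ":")).encode("utf-8"))
             for x in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(_secret_bytes(secret), signing_input.encode("ascii"),
                   hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(secret, token, now=None):
    # Receiver side: return the payload only if the HS256 signature matches
    # (constant-time compare, algorithm pinned rather than read from the
    # token) and the token is unexpired; otherwise None.
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        sig = _b64url_decode(sig_b64)
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError):
        return None
    expected = hmac.new(_secret_bytes(secret),
                        (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if not isinstance(payload, dict) or payload.get("iss") != "gluster":
        return None
    return payload if now < payload.get("exp", 0) else None
```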

Comment 4 Aravinda VK 2017-09-27 08:01:18 UTC
Upstream patch posted https://review.gluster.org/#/c/18405

Comment 7 Aravinda VK 2017-12-28 09:54:25 UTC
Another patch sent upstream, which fixes the external library dependency issue.

https://review.gluster.org/19102

Comment 11 Aravinda VK 2018-04-17 14:24:37 UTC
Root caused the issue; it is due to the secret being stored as a Unicode string. I will work on it and send a patch by tomorrow.

Comment 12 Atin Mukherjee 2018-04-20 04:55:25 UTC
Upstream patch: https://review.gluster.org/#/c/19900/

Comment 16 Srijita Mukherjee 2018-09-03 14:44:12 UTC
Updated the doc text. Kindly review and confirm.

Comment 17 errata-xmlrpc 2018-09-04 06:32:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2607