
fix: Disable REST basic and legacy certificate auth by default #4972

Merged
merged 1 commit into from
Nov 14, 2023

Conversation

nicolatimeus
Contributor


Disables all REST authentication methods leaving only session based authentication enabled by default.

@mattdibi
Contributor

mattdibi commented Nov 14, 2023

Tested on Raspberry Pi 64bit generic profile.

Configuration out-of-the-box:

[screenshot: out-of-the-box configuration]

Trying to perform a request on the REST API results in a 401 error as expected:

curl -k -u $ESF_USER:$ESF_PASS https://$ADDRESS/services/deploy/v2/ -v
*   Trying 192.168.1.111:443...
* Connected to 192.168.1.111 (192.168.1.111) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: C=CA; ST=Ontario; L=Ottawa; O=Eclipse Foundation; OU=Kura; CN=Kura
*  start date: Nov 14 08:05:55 2023 GMT
*  expire date: Aug 10 08:05:55 2026 GMT
*  issuer: C=CA; ST=Ontario; L=Ottawa; O=Eclipse Foundation; OU=Kura; CN=Kura
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* using HTTP/1.x
* Server auth using Basic with user 'admin'
> GET /services/deploy/v2/ HTTP/1.1
> Host: 192.168.1.111
> Authorization: Basic YWRtaW46ZXVyb3RlY2g=
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Cache-Control: must-revalidate,no-cache,no-store
< Content-Type: text/html;charset=iso-8859-1
< Content-Length: 0
<
* Connection #0 to host 192.168.1.111 left intact

Using the Session V1 APIs everything works:

curl -k -X POST  -H 'Content-Type: application/json' https://$ADDRESS/services/session/v1/login/password -d '{"password": "$KURA_PASS", "username": "$KURA_USER"}' -v

*   Trying 192.168.1.111:443...
* Connected to 192.168.1.111 (192.168.1.111) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: C=CA; ST=Ontario; L=Ottawa; O=Eclipse Foundation; OU=Kura; CN=Kura
*  start date: Nov 14 08:05:55 2023 GMT
*  expire date: Aug 10 08:05:55 2026 GMT
*  issuer: C=CA; ST=Ontario; L=Ottawa; O=Eclipse Foundation; OU=Kura; CN=Kura
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* using HTTP/1.x
> POST /services/session/v1/login/password HTTP/1.1
> Host: 192.168.1.111
> User-Agent: curl/7.88.1
> Accept: */*
> Content-Type: application/json
> Content-Length: 45
>
< HTTP/1.1 200 OK
< Date: Tue, 14 Nov 2023 08:17:26 GMT
< Set-Cookie: JSESSIONID=myawesomecookie; Path=/; Secure; HttpOnly
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Content-Type: application/json
< Content-Length: 30
<
* Connection #0 to host 192.168.1.111 left intact
{"passwordChangeNeeded":false}%
curl -k -X GET -b "JSESSIONID=myawesomecookie" https://$ADDRESS/services/session/v1/xsrfToken -v

*   Trying 192.168.1.111:443...
* Connected to 192.168.1.111 (192.168.1.111) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: C=CA; ST=Ontario; L=Ottawa; O=Eclipse Foundation; OU=Kura; CN=Kura
*  start date: Nov 14 08:05:55 2023 GMT
*  expire date: Aug 10 08:05:55 2026 GMT
*  issuer: C=CA; ST=Ontario; L=Ottawa; O=Eclipse Foundation; OU=Kura; CN=Kura
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* using HTTP/1.x
> GET /services/session/v1/xsrfToken HTTP/1.1
> Host: 192.168.1.111
> User-Agent: curl/7.88.1
> Accept: */*
> Cookie: JSESSIONID=myawesomecookie
>
< HTTP/1.1 200 OK
< Date: Tue, 14 Nov 2023 08:25:00 GMT
< Content-Type: application/json
< Vary: Accept-Encoding, User-Agent
< Content-Length: 52
<
* Connection #0 to host 192.168.1.111 left intact
{"xsrfToken":"myawesometoken"}%
curl -k -X GET -H 'X-XSRF-Token: myawesometoken' -b "JSESSIONID=myawesomecookie" https://$ADDRESS/services/deploy/v2/ -v
*   Trying 192.168.1.111:443...
* Connected to 192.168.1.111 (192.168.1.111) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: C=CA; ST=Ontario; L=Ottawa; O=Eclipse Foundation; OU=Kura; CN=Kura
*  start date: Nov 14 08:05:55 2023 GMT
*  expire date: Aug 10 08:05:55 2026 GMT
*  issuer: C=CA; ST=Ontario; L=Ottawa; O=Eclipse Foundation; OU=Kura; CN=Kura
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* using HTTP/1.x
> GET /services/deploy/v2/ HTTP/1.1
> Host: 192.168.1.111
> User-Agent: curl/7.88.1
> Accept: */*
> Cookie: JSESSIONID=myawesomecookie
> X-XSRF-Token: myawesometoken
>
< HTTP/1.1 200 OK
< Date: Tue, 14 Nov 2023 08:29:38 GMT
< Content-Type: application/json
< Vary: Accept-Encoding, User-Agent
< Content-Length: 2
<
* Connection #0 to host 192.168.1.111 left intact
[]%
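The three-step session flow exercised above (password login, XSRF token fetch, authenticated API call) as a small stdlib client. This is an added example, not code from the Kura project or from this PR; the paths, cookie name, header name and JSON fields are taken from the curl session above, and the transport is injectable so the flow can be checked offline against a fake device.

```python
import json
import urllib.request
from http.cookies import SimpleCookie
from urllib.error import HTTPError

def urllib_transport(method, url, headers, body):
    """Real transport. Unlike `curl -k`, TLS verification stays on: trust the device cert instead."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.headers, resp.read()
    except HTTPError as err:  # a 401 is a normal outcome the caller inspects, not a crash
        return err.code, err.headers, err.read()

class KuraSessionClient:
    def __init__(self, base_url, transport=urllib_transport):
        # transport(method, url, headers, body) -> (status, headers, body_bytes)
        self.base_url, self.transport = base_url.rstrip("/"), transport
        self.session_id = self.xsrf_token = None

    def login(self, username, password):
        """Step 1: POST credentials as JSON; the server answers with a JSESSIONID cookie."""
        body = json.dumps({"username": username, "password": password}).encode()
        status, headers, raw = self.transport("POST", self.base_url + "/services/session/v1/login/password",
                                              {"Content-Type": "application/json"}, body)
        if status != 200:
            raise PermissionError(f"login rejected with HTTP {status}")
        cookie = SimpleCookie(headers.get("Set-Cookie", ""))
        self.session_id = cookie["JSESSIONID"].value  # KeyError if no session cookie came back
        return json.loads(raw)["passwordChangeNeeded"]

    def _headers(self):
        if self.session_id is None:
            raise RuntimeError("call login() before using the API")
        headers = {"Cookie": f"JSESSIONID={self.session_id}"}
        if self.xsrf_token is not None:
            headers["X-XSRF-Token"] = self.xsrf_token
        return headers

    def get(self, path):
        """Step 2 (once): fetch the XSRF token using the cookie. Step 3: call the API with both."""
        if self.xsrf_token is None:
            status, _, raw = self.transport("GET", self.base_url + "/services/session/v1/xsrfToken",
                                            self._headers(), None)
            if status != 200:
                raise PermissionError(f"XSRF token request rejected with HTTP {status}")
            self.xsrf_token = json.loads(raw)["xsrfToken"]
        status, _, raw = self.transport("GET", self.base_url + path, self._headers(), None)
        if status != 200:
            raise PermissionError(f"{path} rejected with HTTP {status}")
        return json.loads(raw)
```

Against a real gateway, `KuraSessionClient("https://<device>").login(user, password)` followed by `.get("/services/deploy/v2/")` reproduces the three curl calls with the default transport.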

@mattdibi
Contributor

@nicolatimeus please update the release notes mentioning this change in the description. It's a change big enough that it deserves the spotlight in the notes.

@mattdibi mattdibi merged commit 5509ed8 into eclipse-kura:develop Nov 14, 2023
2 checks passed
github-actions bot pushed a commit that referenced this pull request Nov 14, 2023
mattdibi pushed a commit that referenced this pull request Nov 14, 2023
…ort release-5.4.0] (#4976)

fix: Disable REST basic and legacy certificate auth by default (#4972)

Signed-off-by: Nicola Timeus <[email protected]>
(cherry picked from commit 5509ed8)

Co-authored-by: nicolatimeus <[email protected]>
@nicolatimeus nicolatimeus deleted the fix_disable-legacy-auth branch March 22, 2024 08:05