
Requests to /cloudfoundryapplication possibly return results for /actuator #1293

Closed
TimHess opened this issue May 10, 2024 · 5 comments · Fixed by #1393
Labels: Component/Management (Issues related to Steeltoe Management (actuators)), ReleaseLine/4.x (Identified as a feature/fix for the 4.x release line), Type/bug (Something isn't working)

Comments


TimHess commented May 10, 2024

Describe the bug

In CF context, only /health and /info are reported as being enabled

Sample response:

{
    "type": "steeltoe",
    "_links": {
        "info": {
            "href": "https://steeltoe-samples-server.apps.dhaka.cf-app.com/cloudfoundryapplication/info",
            "templated": false
        },
        "health": {
            "href": "https://steeltoe-samples-server.apps.dhaka.cf-app.com/cloudfoundryapplication/health",
            "templated": false
        },
        "self": {
            "href": "https://steeltoe-samples-server.apps.dhaka.cf-app.com/cloudfoundryapplication",
            "templated": false
        }
    }
}

Steps to reproduce

Steps to reproduce the behavior:

  1. Add Actuators to app
  2. Deploy to CF
  3. View app in apps manager

Expected behavior

All endpoints supported on Cloud Foundry should be returned/enabled automatically

Environment (please complete the following information):

  • Steeltoe Version main
  • Platform: Cloud Foundry
  • OS: Linux
  • .NET Version 8.0
@TimHess TimHess added Type/bug Something isn't working Component/Management Issues related to Steeltoe Management (actuators) ReleaseLine/4.x Identified as a feature/fix for the 4.x release line labels May 10, 2024
@TimHess TimHess added this to the 4.0.0-m1 milestone May 10, 2024

TimHess commented May 29, 2024

Probably related:

2024-05-29T13:57:16.458-05:00 [APP/PROC/WEB/0] [OUT] IDX10242: Security token: '[Security Artifact of type 'Microsoft.IdentityModel.JsonWebTokens.JsonWebToken' is hidden. For more details, see https://aka.ms/IdentityModel/SecurityArtifactLogging.]' has a valid signature.
2024-05-29T13:57:16.459-05:00 [APP/PROC/WEB/0] [OUT] IDX10239: Lifetime of the token is valid.
2024-05-29T13:57:16.459-05:00 [APP/PROC/WEB/0] [OUT] IDX10214: Audience validation failed. Audiences: 'cloud_controller, actuator, apps_manager_js'. Did not match: validationParameters.ValidAudience: 'null' or validationParameters.ValidAudiences: 'sampleapi, 4e6f8e34-f42b-440e-a042-f2b13c1d5bed'.
2024-05-29T13:57:16.459-05:00 [APP/PROC/WEB/0] [OUT] info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[1]
2024-05-29T13:57:16.459-05:00 [APP/PROC/WEB/0] [OUT] Failed to validate the token.
2024-05-29T13:57:16.459-05:00 [APP/PROC/WEB/0] [OUT] Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed. Audiences: 'cloud_controller, actuator, apps_manager_js'. Did not match: validationParameters.ValidAudience: 'null' or validationParameters.ValidAudiences: 'sampleapi, 4e6f8e34-f42b-440e-a042-f2b13c1d5bed'.
2024-05-29T13:57:16.459-05:00 [APP/PROC/WEB/0] [OUT] at Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable`1 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)
2024-05-29T13:57:16.459-05:00 [APP/PROC/WEB/0] [OUT] at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateTokenPayloadAsync(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
2024-05-29T13:57:16.459-05:00 [APP/PROC/WEB/0] [OUT] at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateJWSAsync(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
2024-05-29T13:57:16.459-05:00 [APP/PROC/WEB/0] [OUT] info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[7]
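The IDX10214 entry above records the check that failed: the token carries the audiences `cloud_controller, actuator, apps_manager_js`, while the app was configured with `sampleapi` and an app GUID. The following added example (not Steeltoe or Microsoft.IdentityModel code) parses such log lines and replays the audience comparison so the gap between the token's `aud` values and the configured list is explicit; it treats the check as an exact string match per audience, ignoring the library's optional trailing-slash handling and custom validators.

```python
import re

# Constructed from the IDX10214 entry quoted in this issue.
SAMPLE_LOG = (
    "2024-05-29T13:57:16.459-05:00 [APP/PROC/WEB/0] [OUT] IDX10214: Audience validation failed. "
    "Audiences: 'cloud_controller, actuator, apps_manager_js'. Did not match: "
    "validationParameters.ValidAudience: 'null' or validationParameters.ValidAudiences: "
    "'sampleapi, 4e6f8e34-f42b-440e-a042-f2b13c1d5bed'."
)

# Matches the three quoted lists in an IDX10214 message (token 'aud' values,
# the single ValidAudience, and the ValidAudiences list).
IDX10214_RE = re.compile(
    r"IDX10214: Audience validation failed\. Audiences: '(?P<token>[^']*)'\. Did not match: "
    r"validationParameters\.ValidAudience: '(?P<single>[^']*)' or "
    r"validationParameters\.ValidAudiences: '(?P<many>[^']*)'"
)


def _split(csv):
    # The log prints an unset ValidAudience as the literal 'null'; treat it as empty.
    return [a.strip() for a in csv.split(",") if a.strip() and a.strip() != "null"]


def parse_idx10214(line):
    """Return (token_audiences, configured_audiences) for an IDX10214 line, else None."""
    m = IDX10214_RE.search(line)
    if m is None:
        return None
    configured = _split(m["single"]) + _split(m["many"])
    return _split(m["token"]), configured


def audience_valid(token_audiences, configured):
    # At least one 'aud' value must exactly equal a configured audience (assumption:
    # plain ordinal comparison, as the default validator does without extra options).
    return any(aud in configured for aud in token_audiences)


def diagnose(line):
    """Explain why the logged audience check failed and which values would have passed."""
    parsed = parse_idx10214(line)
    if parsed is None:
        return None
    token_auds, configured = parsed
    return {
        "token_audiences": token_auds,
        "configured": configured,
        "valid": audience_valid(token_auds, configured),
        "would_accept_if_configured": [a for a in token_auds if a not in configured],
    }
```

Run `diagnose` over any IDX10214 line from the app log to see which audience the issuer put in the token versus what the app was told to accept; whether to accept that audience is a separate trust decision.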


bart-vmware commented Aug 28, 2024

While looking into this, we should take the following Sonar security hotspot into account:
[image]

The proposal is to replace the wildcard with the hostname obtained from VCAP_APPLICATION. If unavailable, Steeltoe shouldn't set the wildcard policy.

Once implemented, #959 can be closed.

@bart-vmware
Member

Once this is implemented, the test at src/Management/test/Endpoint.Test/ActuatorsHostBuilderTest.cs should be updated as described at #1386 (comment).


TimHess commented Oct 30, 2024

> Probably related:
>
> 2024-05-29T13:57:16.458-05:00 [APP/PROC/WEB/0] [OUT] IDX10242: Security token: '[Security Artifact of type 'Microsoft.IdentityModel.JsonWebTokens.JsonWebToken' is hidden. For more details, see https://aka.ms/IdentityModel/SecurityArtifactLogging.]' has a valid signature.
> 2024-05-29T13:57:16.459-05:00 [APP/PROC/WEB/0] [OUT] IDX10239: Lifetime of the token is valid.
> 2024-05-29T13:57:16.459-05:00 [APP/PROC/WEB/0] [OUT] IDX10214: Audience validation failed. Audiences: 'cloud_controller, actuator, apps_manager_js'. Did not match: validationParameters.ValidAudience: 'null' or validationParameters.ValidAudiences: 'sampleapi, 4e6f8e34-f42b-440e-a042-f2b13c1d5bed'.
> 2024-05-29T13:57:16.459-05:00 [APP/PROC/WEB/0] [OUT] info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[1]
> 2024-05-29T13:57:16.459-05:00 [APP/PROC/WEB/0] [OUT] Failed to validate the token.
> 2024-05-29T13:57:16.459-05:00 [APP/PROC/WEB/0] [OUT] Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed. Audiences: 'cloud_controller, actuator, apps_manager_js'. Did not match: validationParameters.ValidAudience: 'null' or validationParameters.ValidAudiences: 'sampleapi, 4e6f8e34-f42b-440e-a042-f2b13c1d5bed'.
> 2024-05-29T13:57:16.459-05:00 [APP/PROC/WEB/0] [OUT] at Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable`1 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)
> 2024-05-29T13:57:16.459-05:00 [APP/PROC/WEB/0] [OUT] at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateTokenPayloadAsync(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
> 2024-05-29T13:57:16.459-05:00 [APP/PROC/WEB/0] [OUT] at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateJWSAsync(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
> 2024-05-29T13:57:16.459-05:00 [APP/PROC/WEB/0] [OUT] info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[7]

I'm not seeing evidence this was actually related. There was no special handling present for /cloudfoundryapplication in the current version of the exposure logic for actuator endpoints. In retrospect, I think these log entries were more likely due to something specific to that sample application.


TimHess commented Oct 30, 2024

> While looking into this, we should take the following Sonar security hotspot into account: [image]
>
> The proposal is to replace the wildcard with the hostname obtained from VCAP_APPLICATION. If unavailable, Steeltoe shouldn't set the wildcard policy.
>
> Once implemented, #959 can be closed.

I looked at this again this morning, but I don't think there's a way to do this. The URIs provided by VCAP_APPLICATION will match app-route.apps-domain, but Apps Manager will be running under apps.system-domain, where (I think) apps-domain and system-domain can't match exactly... Even in cases (like our test environments) where they are close, we'd need to backtrack from the full route to a guess at what apps-domain probably is, and guess at where apps manager lives. We're better off improving the documentation for how to do this precisely.
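The two comments above together describe the constraint: an explicit CORS allow-list beats a wildcard, but the only origins VCAP_APPLICATION can yield are the app's own routes on the apps domain, not the Apps Manager origin on the system domain. The following added example (not Steeltoe code) shows that gap on a constructed VCAP_APPLICATION fragment built from the route in the sample response: the app's origin is derived, nothing falls back to `*` when VCAP_APPLICATION is absent, and the Apps Manager origin (an assumed placeholder here) is only allowed once it is configured explicitly.

```python
import json
from urllib.parse import urlsplit

# Constructed VCAP_APPLICATION fragment; the route is the one from this issue's sample response.
SAMPLE_VCAP_APPLICATION = json.dumps({
    "application_name": "steeltoe-samples-server",
    "application_uris": ["steeltoe-samples-server.apps.dhaka.cf-app.com"],
})

# Assumed placeholder for where Apps Manager is served; a real value comes from platform config.
ASSUMED_APPS_MANAGER_ORIGIN = "https://apps.sys.example.invalid"


def origins_from_vcap(vcap_json):
    """Return https origins for the app's own routes, or [] when VCAP_APPLICATION is missing or unusable."""
    if not vcap_json:
        return []
    try:
        doc = json.loads(vcap_json)
    except ValueError:
        return []
    if not isinstance(doc, dict):
        return []
    origins = []
    for uri in doc.get("application_uris", []):
        # Routes in VCAP_APPLICATION are usually bare hostnames; add a scheme so urlsplit parses them.
        host = urlsplit(uri if "://" in uri else "https://" + uri).hostname
        if host:
            origins.append("https://" + host)
    return origins


def cors_allowed_origins(vcap_json, apps_manager_origin=None):
    """Build an explicit allow-list; unknown origins are simply absent, never replaced by '*'."""
    origins = origins_from_vcap(vcap_json)
    if apps_manager_origin:
        origins.append(apps_manager_origin.rstrip("/"))
    return sorted(set(origins))


def origin_allowed(origin, allowed):
    # Exact-origin comparison: scheme, host and port must all match; no wildcard handling.
    return origin in allowed
```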

TimHess added a commit that referenced this issue Oct 31, 2024
* Remove now-superfluous Exposure setting from test
#1293 (comment)

Co-authored-by: Bart Koelman <[email protected]>