ARSN-387: check for forwarded proto header #2210
Conversation
Hello kaztoozs,My role is to assist you with the merge of this Status report is not available. |
KazToozs
force-pushed
the
bugfix/ARSN-387-ssl-check-fix
branch
from
37a29f0
to
92bd028
Compare
KazToozs
force-pushed
the
bugfix/ARSN-387-ssl-check-fix
branch
from
ba62f33
to
7965670
Compare
KazToozs
force-pushed
the
bugfix/ARSN-387-ssl-check-fix
branch
from
c5c7897
to
0466eb4
Compare
Request integration branchesWaiting for integration branch creation to be requested by the user. To request integration branches, please comment on this pull request with the following command: Alternatively, the |
|
/create_integration_branches |
Integration data createdI have created the integration data for the additional destination branches.
The following branches will NOT be impacted:
You can set option The following options are set: create_integration_branches |
Waiting for approvalThe following approvals are needed before I can proceed with the merge:
The following options are set: create_integration_branches |
| @@ -38,7 +38,7 @@ function findVariable(variable: string, requestContext: RequestContext): string | |||
| // aws:SecureTransport is boolean value that represents whether the | |||
| // request was sent using SSL | |||
| map.set('aws:SecureTransport', | |||
| requestContext.getSslEnabled() ? 'true' : 'false'); | |||
| headers?.['x-forwarded-proto'] === 'https' ? 'true' : 'false'); | |||
There was a problem hiding this comment.
Headers shouldn't be blindly trusted, as they could be forged if not explicitly overwritten by the http frontend - and since I'm not sure artesca is in scope for this PR, the forward port will automatically introduce the vulnerability.
This should be disabled by default and wrapped and enabled with explicit configuration, similar to how client IP conditions are handled.
https://github.com/scality/Arsenal/blob/development/7.10/lib/policyEvaluator/requestUtils.ts
There was a problem hiding this comment.
Supposing I revert this Arsenal change, would something like this in Cloudserver work according to you?:
scality/cloudserver@a66f293
function _checkBucketPolicyConditions(request, conditions, log) {
const ip = request ? requestUtils.getClientIp(request, config) : undefined;
if (!conditions) {
return true;
}
const viaProxy = config.requests.viaProxy;
const sslEnabled = (viaProxy ?
request.headers['x-forwarded-proto'] === 'https' : request.connection.encrypted);
// build request context from the request!
const requestContext = new RequestContext(request.headers, request.query,
request.bucketName, request.objectKey, ip,
sslEnabled, request.resourceType, 's3', null, null,
null, null, null, null, null, null, null, null, null,
request.objectLockRetentionDays);
return evaluators.meetConditions(requestContext, conditions, log);
}
There was a problem hiding this comment.
x-forwarded-proto should be a configurable, set by the same deployment infrastructure than the one that sets up the reverse proxy, so that no misguided cross-component assumptions are made. So for S3C that's Federation, and for artesca it's shared between artesca-installer and zenko-operator.
The reason I insist that we make it configurable and disabled by default even for RING is that I'm not sure 100% of customers go through the nginx we ship, some of them might use their own LB which may or may not overwrite x-forwarded-proto (or use a different header altogether). Or some might in the future and we don't want any surprises.
|
I may be wrong but I'm seeing that the |
This fix is for the
aws:secureTransportcondition, related to the TSKB.With load balancers in front, the check for SSL in the request must be done on the x-forwarded-proto header.
Tests have been updated accordingly.
The other necessary change for this condition to work correctly is for the nginx config to properly pass this header:
Edit:
Green CS and Vault builds:
https://github.com/scality/Vault/pull/2151
scality/cloudserver#5546