[Bugs] [Bug 1501864] New: Add generated HMAC token in header for webhook calls
bugzilla at redhat.com
Fri Oct 13 11:18:32 UTC 2017
https://bugzilla.redhat.com/show_bug.cgi?id=1501864
Bug ID: 1501864
Summary: Add generated HMAC token in header for webhook calls
Product: GlusterFS
Version: 3.12
Component: eventsapi
Severity: medium
Priority: medium
Assignee: bugs at gluster.org
Reporter: avishwan at redhat.com
CC: rhs-bugs at redhat.com, sabose at redhat.com,
sanandpa at redhat.com
Depends On: 1466129, 1496363
+++ This bug was initially created as a clone of Bug #1496363 +++
+++ This bug was initially created as a clone of Bug #1466129 +++
Description of problem:
Currently, there's no way to ascertain the identity/validity of webhook
requests sent by gluster-eventsd. If a header was added that contains an HMAC
token generated using content and secret key, this would ensure that the server can
validate the request is genuine before processing the event.
--- Additional comment from Aravinda VK on 2017-09-27 00:54:42 EDT ---
As discussed over IRC, Events API will implement JWT (JSON Web Tokens).
Additional argument will be added to webhook-add command to accept the secret
which is required to generate JWT.

    gluster-eventsapi webhook-add <url> [-t <TOKEN>] \
        [--secret <SECRET>]

For shared secret approach, use `--secret`, and for shared token approach, use
`--token`. With `-t` argument, Token header will be added as is.

    Authorization: Bearer <TOKEN>

In case of shared secret, Gluster will generate JWT token using the secret and
then add it to Authorization header.

    Authorization: Bearer <GENERATED_TOKEN>

Secret/Token can be updated using `webhook-mod` command.

Generated token will include the following payload,

    {
        "iss": "gluster",
        "exp": EXPIRY_TIME,
        "sub": EVENT_TYPE,
        "iat": EVENT_TIME
    }

Where: iss - Issuer, exp - Expiry Time, sub - Event Type used as Subject, iat
- Event Time used as Issue Time
--- Additional comment from Worker Ant on 2017-09-27 04:00:11 EDT ---
REVIEW: https://review.gluster.org/18405 (eventsapi: Add JWT signing support)
posted (#1) for review on master by Aravinda VK (avishwan at redhat.com)
--- Additional comment from Worker Ant on 2017-10-13 07:17:43 EDT ---
COMMIT: https://review.gluster.org/18405 committed in master by Aravinda VK
(avishwan at redhat.com)
------
commit add7116efa1f31e86f9c00c72c71872b1161370f
Author: Aravinda VK <avishwan at redhat.com>
Date: Mon Sep 18 14:34:54 2017 +0530
    eventsapi: Add JWT signing support

    New argument added to accept secret to generate JWT token. This patch
    does not affect the backward compatibility.

    Usage:

        gluster-eventsapi webhook-add <url> [-t <TOKEN>] \
            [-s SECRET]

    With `--token` argument, Token header will be added as is.

        Authorization: Bearer <TOKEN>

    In case of shared secret, Gluster will generate JWT token using the
    secret and then add it to Authorization header.

        Authorization: Bearer <GENERATED_TOKEN>

    Secret/Token can be updated using `webhook-mod` command.

    Generated token will include the following payload,

        {
            "iss": "gluster",
            "exp": EXPIRY_TIME,
            "sub": EVENT_TYPE,
            "iat": EVENT_TIME
        }

    Where: iss - Issuer, exp - Expiry Time, sub - Event Type
    used as Subject, iat - Event Time used as Issue Time
BUG: 1496363
Change-Id: Ib6b6fab23fb212d7f5e9bbc9e1416a9e9813ab1b
Signed-off-by: Aravinda VK <avishwan at redhat.com>
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1466129
[Bug 1466129] Add generated HMAC token in header for webhook calls
https://bugzilla.redhat.com/show_bug.cgi?id=1496363
[Bug 1496363] Add generated HMAC token in header for webhook calls
--
You are receiving this mail because:
You are the assignee for the bug.
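
A receiver-side check for the `--secret` mode described in this report, as an added example that is not part of the original mail or the GlusterFS code. It assumes the generated token is a standard HS256 JWT (the report does not name the algorithm); the function names, the secret and the sample event are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = "constructed-demo-secret"  # constructed; the value given to --secret

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(secret, signing_input):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def make_token(secret, claims, alg="HS256"):
    """Build a constructed sample token so the example runs offline."""
    head = _b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    return f"{head}.{body}." + _b64e(_sign(secret, f"{head}.{body}"))

def verify_webhook_auth(auth_header, secret, now=None):
    """Return the claims if the Authorization header is valid, else None."""
    now = time.time() if now is None else now
    scheme, _, token = auth_header.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        return None
    head_b64, body_b64, sig_b64 = token.split(".")
    try:
        header = json.loads(_b64d(head_b64))
        claims = json.loads(_b64d(body_b64))
        sig = _b64d(sig_b64)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    # Pin the algorithm on the receiver; never let the token choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    if not hmac.compare_digest(sig, _sign(secret, f"{head_b64}.{body_b64}")):
        return None
    # Only after the signature holds are the claims trusted enough to check.
    if not isinstance(claims, dict) or claims.get("iss") != "gluster":
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims

if __name__ == "__main__":
    demo = {"iss": "gluster", "iat": 1507893463, "exp": 1507893493, "sub": "VOLUME_CREATE"}
    print(verify_webhook_auth("Bearer " + make_token(SECRET, demo), SECRET, now=1507893464))
```

The claims listed in the report cover issuer, subject and timing only, so this check authenticates the sender and bounds the replay window by `exp`; it does not bind the token to the event body that accompanies it.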