Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow to configure other valids referrers for HTTPS #7344

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Allow to configure other valids referrers for HTTPS #7344

wants to merge 1 commit into from

Conversation

Et7f3
Copy link

@Et7f3 Et7f3 commented May 16, 2024
edited
Loading

This check was added to protect against possible CRSF

However it doesn't works well behind a proxy like we saw here. This change allow to define multiple valid referers (that would solve the issue) but also related issued https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/VN3RXS36GFK4JMZCCSHPJ3DKLSBEXDE4/ in the precedent message the user have to comment this check to have a working freeipa. Better to accept multiple referers so it works.

I remember comment about kerberos might not work for the added domains. Since we don't use kerberos we are not affected. It seems still possible to configure it.

User with kerberos won't see change because they will keep using the classical name.

possible improvements:

  • use only one field ? I see it in many place so I think it is safest to add a non-conflicting field. It also don't overload usage.
  • Is it really optional ?
  • Do we extend config.Env to support list ?
  • strip space between value ? Or don't and apply like the manual show ?

Et7f3
Et7f3 commented May 16, 2024
View reviewed changes
client/man/default.conf.5 Outdated
Comment on lines 103 to 104
.IP
allowed_referers = ipa.demo1.freeipa.org:443,ipa.demo1.local,ipa.demo1.freeipa.org:443/sub_folder
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We might not show the sub_folder aspect to be future proof ?

@abbra
Copy link
Contributor

abbra commented May 16, 2024

Frankly speaking, I don't like to add a half-baked solution. A proper support for multi-host setup (including reverse proxying) would need to take into account more than just a referrer aliases. Please see https://vda.li/en/posts/2023/08/16/Support-multi-homed-FreeIPA-Server/ for an analysis I did.

More comments:

  • env constant definition is missing. This means if allowed_referers is not present in the config, api.env.allowed_referers will throw an exception:
>>> api.env.allowed_referers
Traceback (most recent call last):
  File "<console>", line 1, in <module>
AttributeError: 'Env' object has no attribute 'allowed_referers'

The discussion you are linking to has a reference to my old draft PR (https://github.com/abbra/freeipa/pull/9/files) which implements most part of the aliasing support already.

@abbra
Copy link
Contributor

abbra commented May 17, 2024

This is actually can be seen in the CI tests:

[Thu May 16 18:23:27.406873 2024] [wsgi:error] [pid 7089:tid 7403] [remote 2001:db8:1:1::2:60302] ipa: ERROR: WSGI jsonserver_kerb.__call__():
[Thu May 16 18:23:27.406901 2024] [wsgi:error] [pid 7089:tid 7403] [remote 2001:db8:1:1::2:60302] Traceback (most recent call last):
[Thu May 16 18:23:27.406916 2024] [wsgi:error] [pid 7089:tid 7403] [remote 2001:db8:1:1::2:60302]   File "/usr/lib/python3.12/site-packages/ipaserver/rpcserver.py", line 498, in __call__
[Thu May 16 18:23:27.406921 2024] [wsgi:error] [pid 7089:tid 7403] [remote 2001:db8:1:1::2:60302]     response = self.wsgi_execute(environ)
[Thu May 16 18:23:27.406925 2024] [wsgi:error] [pid 7089:tid 7403] [remote 2001:db8:1:1::2:60302]                ^^^^^^^^^^^^^^^^^^^^^^^^^^
[Thu May 16 18:23:27.406930 2024] [wsgi:error] [pid 7089:tid 7403] [remote 2001:db8:1:1::2:60302]   File "/usr/lib/python3.12/site-packages/ipaserver/rpcserver.py", line 394, in wsgi_execute
[Thu May 16 18:23:27.406934 2024] [wsgi:error] [pid 7089:tid 7403] [remote 2001:db8:1:1::2:60302]     allowed_referers = self.api.env.allowed_referers.split(',')
[Thu May 16 18:23:27.406938 2024] [wsgi:error] [pid 7089:tid 7403] [remote 2001:db8:1:1::2:60302]                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Thu May 16 18:23:27.406943 2024] [wsgi:error] [pid 7089:tid 7403] [remote 2001:db8:1:1::2:60302] AttributeError: 'Env' object has no attribute 'allowed_referers'

@Et7f3 Et7f3 force-pushed the other_referers branch 3 times, most recently from 84b4099 to 2815ee9 Compare July 17, 2024 14:57
Et7f3
Et7f3 commented Jul 17, 2024
View reviewed changes
client/man/default.conf.5
Comment on lines +100 to +112
.TP
.B allowed_referers [<hostname>[,<hostname>][,<hostname>:<exotic_port>][,<hostname>:<exotic_port>[/path]][...]]
Specifies additional allowed hostnames that can be referred to in the Referer HTTP header. This setting allows to access the application from multiple leg (behind reverse-proxy or multiple FQDN). Please note that TLS server certificate used by IPA web server must also include these hostnames or otherwise direct HTTPS connection using the alternative names will not be trusted by your browers.
.RS
.IP
allowed_referers = ipa.demo1.freeipa.org:443,ipa.demo1.local,ipa.demo1.freeipa.org:443/sub_folder
.RE
.IP
Here it is an example of the X509v3 Subject Alternative Name extension filled for certificate request using OpenSSL/LibreSSL:
.RS
.IP
subjectAltName = DNS:ipa.demo1.freeipa.org,DNS:ipa.demo1.local
.RE
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

image
I have added an example how to update the certificate and added searchable word/example.

@abbra
Copy link
Contributor

abbra commented Jul 18, 2024

When you get self.api.env.allowed_referers, it might be None, so you should check for it:

[Wed Jul 17 15:25:13.966142 2024] [wsgi:error] [pid 7080:tid 7401] [remote 2001:db8:1:1::2:39558] ipa: ERROR: WSGI jsonserver_kerb.__call__():
[Wed Jul 17 15:25:13.966176 2024] [wsgi:error] [pid 7080:tid 7401] [remote 2001:db8:1:1::2:39558] Traceback (most recent call last):
[Wed Jul 17 15:25:13.966197 2024] [wsgi:error] [pid 7080:tid 7401] [remote 2001:db8:1:1::2:39558]   File "/usr/lib/python3.12/site-packages/ipaserver/rpcserver.py", line 498, in __call__
[Wed Jul 17 15:25:13.966203 2024] [wsgi:error] [pid 7080:tid 7401] [remote 2001:db8:1:1::2:39558]     response = self.wsgi_execute(environ)
[Wed Jul 17 15:25:13.966207 2024] [wsgi:error] [pid 7080:tid 7401] [remote 2001:db8:1:1::2:39558]                ^^^^^^^^^^^^^^^^^^^^^^^^^^
[Wed Jul 17 15:25:13.966212 2024] [wsgi:error] [pid 7080:tid 7401] [remote 2001:db8:1:1::2:39558]   File "/usr/lib/python3.12/site-packages/ipaserver/rpcserver.py", line 394, in wsgi_execute
[Wed Jul 17 15:25:13.966216 2024] [wsgi:error] [pid 7080:tid 7401] [remote 2001:db8:1:1::2:39558]     allowed_referers = self.api.env.allowed_referers.split(',')
[Wed Jul 17 15:25:13.966221 2024] [wsgi:error] [pid 7080:tid 7401] [remote 2001:db8:1:1::2:39558]                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Wed Jul 17 15:25:13.966225 2024] [wsgi:error] [pid 7080:tid 7401] [remote 2001:db8:1:1::2:39558] AttributeError: 'NoneType' object has no attribute 'split'

May be replace that by

allowed_referers = getattr(self.api.env, 'allowed_referers', '')

Et7f3
Et7f3 commented Jul 19, 2024
View reviewed changes
ipaserver/rpcserver.py Outdated Show resolved Hide resolved
Et7f3
Et7f3 commented Jul 19, 2024
View reviewed changes
ipaserver/rpcserver.py Outdated Show resolved Hide resolved
@Et7f3
Copy link
Author

Et7f3 commented Jul 30, 2024

I fixed Lint warning:

./ipaserver/rpcserver.py:163:81: E501 line too long (83 > 80 characters)
./ipaserver/rpcserver.py:394:81: E501 line too long (83 > 80 characters)

The Tox failure seems ot be related to Lint failure ?

but weird it triggered only on my line.

@abbra
Copy link
Contributor

abbra commented Aug 15, 2024

Tox failure:

2024-07-30T10:14:31.5175563Z         # Test using DEFAULT_CONFIG:
2024-07-30T10:14:31.5208115Z         defaults = dict(constants.DEFAULT_CONFIG)
2024-07-30T10:14:31.5208636Z         (o, home) = self.finalize_core(None, **defaults)
2024-07-30T10:14:31.5209097Z         list_o = [key for key in o if key != 'fips_mode']
2024-07-30T10:14:31.5209352Z         assert list_o == sorted(defaults)
2024-07-30T10:14:31.5209561Z         for (key, value) in defaults.items():
2024-07-30T10:14:31.5209773Z             if value is object:
2024-07-30T10:14:31.5209945Z                 continue
2024-07-30T10:14:31.5210208Z             if key == 'mode':
2024-07-30T10:14:31.5210385Z                 continue
2024-07-30T10:14:31.5210729Z >           assert o[key] == value, '%r is %r; should be %r' % (key, o[key], value)
2024-07-30T10:14:31.5211116Z E           AssertionError: 'allowed_referers' is None; should be ''
2024-07-30T10:14:31.5211347Z E           assert None == ''
2024-07-30T10:14:31.5211450Z 
2024-07-30T10:14:31.5211678Z test_ipalib/test_config.py:596: AssertionError

Basically, default config returns None for allowed_referers but expected to have an empty string (''). I think we should probably change the default to None. We already default to '''' in the getattr(), so that should not affect us.

@Et7f3
webui: Allow to configure other valids referrers for HTTPS
80497b9 
This check was added to protect [against possible CRSF](freeipa@2d6eeb2#diff-21d951ac2d07631c0818b056e289cd02d980b05545f9eabb18b407178da0af0c)

However it doesn't works well behind a proxy like [we saw here](haproxy/haproxy#2555 (comment)). This change allow to define multiple valid referers (that would solve the issue) but also related issued https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/VN3RXS36GFK4JMZCCSHPJ3DKLSBEXDE4/
in the precedent message the user have to comment this check to have a working freeipa. Better to accept multiple referers so it works.

I remember comment about kerberos might not work for the added domains. Since we don't use kerberos we are not affected.
It seems still possible to [configure it](https://freeipa-users.redhat.narkive.com/hClHC8Ny/ipa-server-ui-behind-proxy).

User with kerberos won't see change because they will keep using the classical name.

Signed-off-by: Et7f3 <cadeaudeelie@gmail.com>
@Et7f3
Copy link
Author

Et7f3 commented Aug 16, 2024

Since the default value is now None, getattr can return None (if the object has property but still not defined) so I have added the or '' as guard but the getattr might be useless (I don't see this kind of code pattern for other attribute). I am a bit confused with how env is build.

I see we can have string as default value:

freeipa/ipalib/constants.py

Line 206 in 58c1fdd

('mount_ipa', '/ipa/'),
or None

freeipa/ipalib/constants.py

Line 212 in 58c1fdd

('kinit_lifetime', None),

I searched for usage and found this:

$ git grep -e kinit_lifetime -e mount_ipa f9f96ac
f9f96ac:client/man/default.conf.5:.B kinit_lifetime <time duration spec>
f9f96ac:client/man/default.conf.5:.B mount_ipa <URI>
f9f96ac:install/ui/test/data/ipa_init.json:               "kinit_lifetime" : null,
f9f96ac:install/ui/test/data/ipa_init.json:               "mount_ipa" : "/ipa/",
f9f96ac:ipalib/constants.py:    ('mount_ipa', '/ipa/'),
f9f96ac:ipalib/constants.py:    ('kinit_lifetime', None),
f9f96ac:ipaserver/rpcserver.py:        self.url = self.env['mount_ipa']
f9f96ac:ipaserver/rpcserver.py:        self.url = self.env.mount_ipa + self.key
f9f96ac:ipaserver/rpcserver.py:                lifetime=self.api.env.kinit_lifetime)
f9f96ac:pylint_plugins.py:    api.env.kinit_lifetime = None
f9f96ac:pylint_plugins.py:    api.env.mount_ipa = ''

So it seems only filling constants.py should be enough.

I also see this file (that seems to define value for pylint ?). Since it is pylint that is not happy should I add here also a line ?

freeipa/pylint_plugins.py

Line 478 in 58c1fdd

api.env.kinit_lifetime = None
and

freeipa/pylint_plugins.py

Line 486 in 58c1fdd

api.env.ra_plugin = ''

Or maybe I should modify something in test_config.py so default value is not None

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Et7f3 @abbra