JILS-37: Add "Authorised Proxies" to authentication model

Issue Information

Issue Type: New Feature
 
Priority: Major
Status: Closed

Reported By:
Ben Tasker
Assigned To:
Ben Tasker
Project: Jira Issue Listing Script (JILS)
Resolution: Done (2016-04-29 15:05:17)
Affects Version: 0.01b,
Target version: 0.01b,
Labels: Security,

Created: 2015-11-06 12:30:10
Time Spent Working
Estimated:
 
120 minutes
Remaining:
  
77 minutes
Logged:
  
43 minutes


Description
The current authentication model works OK when communicating directly with JILS.

However, if the JILS server is behind a reverse proxy, it's not currently possible to identify whether the originating IP is authorised or not.

Most reverse proxies will set an X-Forwarded-For header, however we cannot simply rely on that as a malicious client could simply send a request with a known authorised IP in that header.

So, we need an extra configuration parameter to list known authorised reverse proxies. If the connection has come from one of those IP's the source IP should be extracted from X-Forwarded-For and authentication performed based on that.

This makes a couple of assumptions which must be true in order for the planned model to work

- Downstream Proxy will always set X-Forwarded-For
- Downstream Proxy will pass through the client's User-Agent

If either of those is untrue then the planned model won't work (or will give unexpected results). They don't seem like unreasonable constraints though.


Toggle State Changes

Activity


2015-11-06 12:34:57
btasker changed status from 'Open' to 'In Progress'

2015-11-06 12:46:13
I've made a change in the codebase which should do what's needed. The only test performed on it so far is a lint test as I need to set up a reverse proxy to test against.


Edit:

Earlier commit message referenced the wrong issue. Tit.


Repo: Jira-Issue-Listing
Commit: a923157a198e2a79dcfdefe8d5ee4b81fbcb8fe3
Author: Ben Tasker <github@<Domain Hidden>>

Date: Fri Nov 06 12:45:18 2015 +0000
Commit Message: UNTESTED. Allowing designation of authorised proxies for LAN-37

Modified (-)(+)
-------
config.php
utils.class.php




Webhook User-Agent 

GitHub-Hookshot/785bc96


View Commit

Not sure where I got LAN-37 from, that's ages old and not in anyway related (facepalm)

2015-11-06 13:10:40

Tested direct from an authorised host, and there's no change in behaviour there.

Via Unauthorised Proxy 

ben@milleniumfalcon:~/Documents/src.old/Jira-Issue-Listing$ curl -H "Host: $HOST" -v http://192.168.4.5/browse/GPXIN-1.html

Gives a 302 as expected

With an authorised UA 
ben@milleniumfalcon:~/Documents/src.old/Jira-Issue-Listing$ curl -H "User-Agent: $UA" -H "Host: $HOST" -v http://192.168.4.5/browse/GPXIN-1.html

Gives a 302 as expected


Via Authorised Proxy 

ben@milleniumfalcon:~/Documents/src.old/Jira-Issue-Listing$ curl -H "Host: $HOST" -v http://192.168.4.5/browse/GPXIN-1.html

Gives a 302 as expected

With an authorised UA 
ben@milleniumfalcon:~/Documents/src.old/Jira-Issue-Listing$ curl -H "User-Agent: $UA" -H "Host: $HOST" -v http://192.168.4.5/browse/GPXIN-1.html

Gives the document content as expected


Unauthorised Host pretending to be proxy
From an unauthorised host, tried spoofing the X-Forwarded for header and going direct to the origin 

ben@tp1:~$ curl -H "X-Forwarded-For: 192.168.1.3" -H "User-Agent: $UA" -H "Host: $HOST" -v http://$HOST/browse/GPXIN-1.html

Got a 302 as expected

Looks good to me

2015-11-06 13:12:56
btasker changed status from 'In Progress' to 'Open'

2015-11-06 13:13:15
btasker changed timespent from '0 minutes' to '38 minutes'

2015-11-06 13:14:04

Repo: Jira-Issue-Listing
Commit: e076e2e9f19bbd05a27ab343b6bbe85eae6fde1c
Author: Ben Tasker <github@<Domain Hidden>>

Date: Fri Nov 06 13:11:39 2015 +0000
Commit Message: Removed untested markers. Tested and working in JILS-37



Modified (-)(+)
-------
config.php
utils.class.php




Webhook User-Agent 

GitHub-Hookshot/785bc96


View Commit


2015-11-06 13:22:42
All should be working, but will give this a heavier test in a little while. Will close then if all goes well

2015-11-06 14:59:59
Did some more testing, and the basic authorisation works, but also need to update the project filters functionality. Currently passing through a proxy removes all configured restrictions, which is pretty not-good :)

2015-11-06 15:05:43
btasker changed timespent from '38 minutes' to '43 minutes'

2015-11-06 15:05:57

Repo: Jira-Issue-Listing
Commit: 50a7d963e0fd32711221ba683737927b73547f33
Author: Ben Tasker <github@<Domain Hidden>>

Date: Fri Nov 06 15:03:37 2015 +0000
Commit Message: Factored in reverse proxies when building project filters. See JILS-37



Modified (-)(+)
-------
utils.class.php




Webhook User-Agent 

GitHub-Hookshot/785bc96


View Commit


2015-11-06 15:53:05
All testing has passed, so marking as complete

2015-11-06 15:53:05
btasker changed status from 'Open' to 'Resolved'

2015-11-06 15:53:05
btasker added 'Done' to resolution

2015-11-06 15:53:54
btasker changed status from 'Resolved' to 'Closed'

2016-04-29 14:54:08
Re-opening to assign to a version

2016-04-29 14:54:08
btasker removed 'Done' from resolution

2016-04-29 14:54:08
btasker changed status from 'Closed' to 'Reopened'

2016-04-29 14:55:34
Assigning to v0.01b

2016-04-29 14:55:35
btasker added '0.01b' to Version

2016-04-29 14:55:35
btasker added '0.01b' to Fix Version

2016-04-29 15:05:17
Re-Closing

2016-04-29 15:05:17
btasker changed status from 'Reopened' to 'Resolved'

2016-04-29 15:05:17
btasker added 'Done' to resolution

2016-04-29 15:05:22
btasker changed status from 'Resolved' to 'Closed'

Work log

Ben Tasker
 Permalink
2015-11-06 13:13:15

Time Spent: 38 minutes
Log Entry: Implementing and testing
Ben Tasker
 Permalink
2015-11-06 15:05:43

Time Spent: 5 minutes
Log Entry: Fixing project filters bug