##########################################################################################

       JILS-37: Add "Authorised Proxies" to authentication model

##########################################################################################


Issue Type: New Feature 
-----------------------------------------------------------------------------------------

Issue Information
====================

Priority: Major					Status:      Closed
Resolution:  Done (2016-04-29 15:05:17)
Project: Jira Issue Listing Script (JILS)


Reported By: btasker					
Assigned To: btasker


Affected Versions:		
	- 0.01b  			


Targeted for fix in version: 
	- 0.01b

Labels: Security, 

Time Estimate: 77 minutes
Time Logged:   43 minutes


-----------------------------------------------------------------------------------------

Issue Description
==================

The current authentication model works OK when communicating directly with JILS.

However, if the JILS server is behind a reverse proxy, it's not currently possible to
identify whether the originating IP is authorised or not.

Most reverse proxies will set an _X-Forwarded-For_ header, however we cannot simply rely
on that as a malicious client could simply send a request with a known authorised IP in
that header.

So, we need an extra configuration parameter to list known authorised reverse proxies. If
the connection has come from one of those IP's the source IP should be extracted from
_X-Forwarded-For_ and authentication performed based on that.

This makes a couple of assumptions which *must* be true in order for the planned model to
work

- Downstream Proxy will _always_ set _X-Forwarded-For_ 
- Downstream Proxy will pass through the client's User-Agent

If either of those is untrue then the planned model won't work (or will give unexpected
results). They don't seem like unreasonable constraints though.

-----------------------------------------------------------------------------------------

Activity
==========

	
-----------------------------------------------------------------------------------------
2015-11-06 12:34:57              
-----------------------------------------------------------------------------------------

btasker changed status from 'Open' to 'In Progress'
	
-----------------------------------------------------------------------------------------
2015-11-06 12:46:13              btasker
-----------------------------------------------------------------------------------------

I've made a change in the codebase which should do what's needed. The only test performed
on it so far is a lint test as I need to set up a reverse proxy to test against.


Edit:

Earlier commit message referenced the wrong issue. Tit.


-- BEGIN QUOTE --


Repo: Jira-Issue-Listing
Commit: a923157a198e2a79dcfdefe8d5ee4b81fbcb8fe3
Author: Ben Tasker <github@<Domain Hidden>>

Date: Fri Nov 06 12:45:18 2015 +0000
Commit Message: UNTESTED. Allowing designation of authorised proxies for LAN-37

Modified (-)(+)
-------
config.php 
utils.class.php



-- END QUOTE --

*Webhook User-Agent*


-- BEGIN SNIPPET --

GitHub-Hookshot/785bc96
 -- END SNIPPET --

https://github.com/bentasker/Jira-Issue-Listing/commit/a923157a198e2a79dcfdefe8d5ee4b81fbcb8fe3

Not sure where I got LAN-37 from, that's ages old and not in anyway related (facepalm)
	
-----------------------------------------------------------------------------------------
2015-11-06 13:10:40              btasker
-----------------------------------------------------------------------------------------


Tested direct from an authorised host, and there's no change in behaviour there.

*Via Unauthorised Proxy*


-- BEGIN SNIPPET --

ben@milleniumfalcon:~/Documents/src.old/Jira-Issue-Listing$ curl -H "Host: $HOST" -v
http://192.168.4.5/browse/GPXIN-1.html

 -- END SNIPPET --
Gives a 302 as expected

With an authorised UA

-- BEGIN SNIPPET --

ben@milleniumfalcon:~/Documents/src.old/Jira-Issue-Listing$ curl -H "User-Agent: $UA" -H
"Host: $HOST" -v http://192.168.4.5/browse/GPXIN-1.html

 -- END SNIPPET --
Gives a 302 as expected


*Via Authorised Proxy*


-- BEGIN SNIPPET --

ben@milleniumfalcon:~/Documents/src.old/Jira-Issue-Listing$ curl -H "Host: $HOST" -v
http://192.168.4.5/browse/GPXIN-1.html

 -- END SNIPPET --
Gives a 302 as expected

With an authorised UA

-- BEGIN SNIPPET --

ben@milleniumfalcon:~/Documents/src.old/Jira-Issue-Listing$ curl -H "User-Agent: $UA" -H
"Host: $HOST" -v http://192.168.4.5/browse/GPXIN-1.html

 -- END SNIPPET --
Gives the document content as expected


*Unauthorised Host pretending to be proxy*
From an unauthorised host, tried spoofing the X-Forwarded for header and going direct to
the origin


-- BEGIN SNIPPET --

ben@tp1:~$ curl -H "X-Forwarded-For: 192.168.1.3" -H "User-Agent: $UA" -H "Host: $HOST" -v
http://$HOST/browse/GPXIN-1.html

 -- END SNIPPET --
Got a 302 as expected

Looks good to me
	
-----------------------------------------------------------------------------------------
2015-11-06 13:12:56              
-----------------------------------------------------------------------------------------

btasker changed status from 'In Progress' to 'Open'
	
-----------------------------------------------------------------------------------------
2015-11-06 13:13:15              
-----------------------------------------------------------------------------------------

btasker changed timespent from '0 minutes' to '38 minutes'
	
-----------------------------------------------------------------------------------------
2015-11-06 13:14:04              git
-----------------------------------------------------------------------------------------


-- BEGIN QUOTE --


Repo: Jira-Issue-Listing
Commit: e076e2e9f19bbd05a27ab343b6bbe85eae6fde1c
Author: Ben Tasker <github@<Domain Hidden>>

Date: Fri Nov 06 13:11:39 2015 +0000
Commit Message: Removed untested markers. Tested and working in JILS-37



Modified (-)(+)
-------
config.php
utils.class.php



-- END QUOTE --

*Webhook User-Agent*


-- BEGIN SNIPPET --

GitHub-Hookshot/785bc96
 -- END SNIPPET --

https://github.com/bentasker/Jira-Issue-Listing/commit/e076e2e9f19bbd05a27ab343b6bbe85eae6fde1c


	
-----------------------------------------------------------------------------------------
2015-11-06 13:22:42              btasker
-----------------------------------------------------------------------------------------

All should be working, but will give this a heavier test in a little while. Will close
then if all goes well
	
-----------------------------------------------------------------------------------------
2015-11-06 14:59:59              btasker
-----------------------------------------------------------------------------------------

Did some more testing, and the basic authorisation works, but also need to update the
project filters functionality. Currently passing through a proxy removes all configured
restrictions, which is pretty not-good :)
	
-----------------------------------------------------------------------------------------
2015-11-06 15:05:43              
-----------------------------------------------------------------------------------------

btasker changed timespent from '38 minutes' to '43 minutes'
	
-----------------------------------------------------------------------------------------
2015-11-06 15:05:57              git
-----------------------------------------------------------------------------------------


-- BEGIN QUOTE --


Repo: Jira-Issue-Listing
Commit: 50a7d963e0fd32711221ba683737927b73547f33
Author: Ben Tasker <github@<Domain Hidden>>

Date: Fri Nov 06 15:03:37 2015 +0000
Commit Message: Factored in reverse proxies when building project filters. See JILS-37



Modified (-)(+)
-------
utils.class.php



-- END QUOTE --

*Webhook User-Agent*


-- BEGIN SNIPPET --

GitHub-Hookshot/785bc96
 -- END SNIPPET --

https://github.com/bentasker/Jira-Issue-Listing/commit/50a7d963e0fd32711221ba683737927b73547f33


	
-----------------------------------------------------------------------------------------
2015-11-06 15:53:05              btasker
-----------------------------------------------------------------------------------------

All testing has passed, so marking as complete
	
-----------------------------------------------------------------------------------------
2015-11-06 15:53:05              
-----------------------------------------------------------------------------------------

btasker changed status from 'Open' to 'Resolved'
	
-----------------------------------------------------------------------------------------
2015-11-06 15:53:05              
-----------------------------------------------------------------------------------------

btasker added 'Done' to resolution
	
-----------------------------------------------------------------------------------------
2015-11-06 15:53:54              
-----------------------------------------------------------------------------------------

btasker changed status from 'Resolved' to 'Closed'
	
-----------------------------------------------------------------------------------------
2016-04-29 14:54:08              btasker
-----------------------------------------------------------------------------------------

Re-opening to assign to a version
	
-----------------------------------------------------------------------------------------
2016-04-29 14:54:08              
-----------------------------------------------------------------------------------------

btasker removed 'Done' from resolution
	
-----------------------------------------------------------------------------------------
2016-04-29 14:54:08              
-----------------------------------------------------------------------------------------

btasker changed status from 'Closed' to 'Reopened'
	
-----------------------------------------------------------------------------------------
2016-04-29 14:55:34              btasker
-----------------------------------------------------------------------------------------

Assigning to v0.01b
	
-----------------------------------------------------------------------------------------
2016-04-29 14:55:35              
-----------------------------------------------------------------------------------------

btasker added '0.01b' to Version
	
-----------------------------------------------------------------------------------------
2016-04-29 14:55:35              
-----------------------------------------------------------------------------------------

btasker added '0.01b' to Fix Version
	
-----------------------------------------------------------------------------------------
2016-04-29 15:05:17              btasker
-----------------------------------------------------------------------------------------

Re-Closing
	
-----------------------------------------------------------------------------------------
2016-04-29 15:05:17              
-----------------------------------------------------------------------------------------

btasker changed status from 'Reopened' to 'Resolved'
	
-----------------------------------------------------------------------------------------
2016-04-29 15:05:17              
-----------------------------------------------------------------------------------------

btasker added 'Done' to resolution
	
-----------------------------------------------------------------------------------------
2016-04-29 15:05:22              
-----------------------------------------------------------------------------------------

btasker changed status from 'Resolved' to 'Closed'


-----------------------------------------------------------------------------------------

Worklog
========

 
-----------------------------------------------------------------------------------------
2015-11-06 13:13:15              btasker

38 minutes
-----------------------------------------------------------------------------------------

Implementing and testing
 
-----------------------------------------------------------------------------------------
2015-11-06 15:05:43              btasker

5 minutes
-----------------------------------------------------------------------------------------

Fixing project filters bug