Remove hard-coded skey
This wasn't intended to make its way into a public repo. :) The existing key was a long-forgotten kluge that was supposed to be temporary, allowing internal services to create quotes without authentication. The chances of this being practically exploited are minimal in our environment, and it's auditable using webserver logs. This moves the skey into a configuration file, which allows it to vary by server and be rotated until a better solution is made available. skey is disabled by default (empty string), and when used by us internally, the keys are now generated using a CSPRNG rather than a brute-forcable 5-byte key that was hard-coded. The fact that this appears in webserver logs is a big issue as well. I added a task to address that. * conf/vanilla-server.json (skey): New key. Default empty. * src/server/daemon/Daemon.js (start): Provide skey to `#getRouters'. (getRouters): Provide skey to `#getProgramController'. (getProgramController): Set skey on `controller'. * src/server/daemon/controller.js (skey): New mutable export (unideal; quick change). (has_skey): Use it.master
parent
460a533777
commit
6733556582
|
@ -18,6 +18,8 @@
|
|||
}
|
||||
},
|
||||
|
||||
"skey": "",
|
||||
|
||||
"user": {
|
||||
"session": {
|
||||
"handler": {
|
||||
|
|
|
@ -112,7 +112,8 @@ module.exports = AbstractClass( 'Daemon',
|
|||
return Promise.all( [
|
||||
this._createDebugLog(),
|
||||
this._createAccessLog(),
|
||||
] ).then( ([ debug_log, access_log ]) =>
|
||||
this._conf.get( 'skey' ),
|
||||
] ).then( ([ debug_log, access_log, skey ]) =>
|
||||
{
|
||||
this._debugLog = debug_log;
|
||||
this._accessLog = access_log;
|
||||
|
@ -121,7 +122,7 @@ module.exports = AbstractClass( 'Daemon',
|
|||
this._rater = liza.server.rater.ProcessManager();
|
||||
this._encService = this.getEncryptionService();
|
||||
this._memcache = this.getMemcacheClient();
|
||||
this._routers = this.getRouters();
|
||||
this._routers = this.getRouters( skey );
|
||||
} )
|
||||
.then( () => this._startDaemon() );
|
||||
},
|
||||
|
@ -181,11 +182,16 @@ module.exports = AbstractClass( 'Daemon',
|
|||
},
|
||||
|
||||
|
||||
'protected getProgramController': function()
|
||||
'protected getProgramController': function( skey )
|
||||
{
|
||||
var controller = require( './controller' );
|
||||
controller.rater = this._rater;
|
||||
|
||||
if ( skey )
|
||||
{
|
||||
controller.skey = skey;
|
||||
}
|
||||
|
||||
return controller;
|
||||
},
|
||||
|
||||
|
@ -270,10 +276,10 @@ module.exports = AbstractClass( 'Daemon',
|
|||
'abstract protected getEncryptionService': [],
|
||||
|
||||
|
||||
'protected getRouters': function()
|
||||
'protected getRouters': function( skey )
|
||||
{
|
||||
return [
|
||||
this.getProgramController(),
|
||||
this.getProgramController( skey ),
|
||||
this.getScriptsController(),
|
||||
this.getClientErrorController(),
|
||||
];
|
||||
|
|
|
@ -94,6 +94,7 @@ var sflag = {};
|
|||
|
||||
// TODO: kluge to get liza somewhat decoupled from lovullo (rating module)
|
||||
exports.rater = {};
|
||||
exports.skey = "";
|
||||
|
||||
|
||||
exports.init = function( logger, enc_service, conf )
|
||||
|
@ -619,12 +620,24 @@ function createQuoteQuick( id )
|
|||
}
|
||||
|
||||
|
||||
/**
|
||||
* Check whether the proper skey (session key) was provided
|
||||
*
|
||||
* This is a basic authentication token that allows bypassing authentication
|
||||
* for internal tasks (like creating quotes).
|
||||
*
|
||||
* XXX: A single shared secret is a terrible idea; this was intended to
|
||||
* be a temporary solution. Fix this crap in favor of proper authentication
|
||||
* between services.
|
||||
*/
|
||||
function has_skey( user_request )
|
||||
{
|
||||
// a basic authentication token that allows our systems to bypass
|
||||
// authentication...this isn't really secure, but it doesn't need to be,
|
||||
// because for our uses, they really cannot do any damage
|
||||
return ( user_request.getGetData().skey === 'fd29d02ac1' )
|
||||
if ( !exports.skey )
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
return ( user_request.getGetData().skey === exports.skey );
|
||||
}
|
||||
|
||||
|
||||
|
|
Loading…
Reference in New Issue