Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

api: Scoped tokens #347

Closed
peterthomassen opened this issue Apr 18, 2020 · 18 comments
Closed

api: Scoped tokens #347

peterthomassen opened this issue Apr 18, 2020 · 18 comments

Comments

@peterthomassen
Copy link
Member

e.g. by domain, or use case (_acme-challenge)

@appliedprivacy
Copy link

coming from: https://talk.desec.io/t/restricted-access-tokens-for-letsencrypt-dns-challenge/37

When designing scoped tokens please allow for a token that is authorized to create multiple
DNS records in one or multiple zones so that this use case can be achieved:

Token is authorized to edit/create:

  • _acme-challenge.desec1.example.com TXT
  • _acme-challenge.desec2.example.com TXT
  • _acme-challenge.desec1.example2.com TXT

but not

  • _acme-challenge.desec1.example.com AAAA
  • _acme-challenge.desec3.example.com
  • _acme-challenge.desec4.example2.com

Multiple tokens should be possible with the same set of permissions.
This would be handy when a multiple servers requests a certificate for multiple domains using the dns-01 challenge.

@Knight1
Copy link
Contributor

Knight1 commented Apr 27, 2020

From my other Ticket I would like to see a Limit for IP addresses in Ranges like (1.1.1.1/32), (1.1.1.1/30).

@nils-wisiol
Copy link
Contributor

I'd love to see tokens limited by IP range, but any implementation should be compatible to further extension of scopes, e.g. by domain, namespace (as in "everything below foobar.example.com"), record type, yada yada.

@peterthomassen
Copy link
Member Author

consider to allow token expiration after a certain time

@peterthomassen
Copy link
Member Author

peterthomassen commented Aug 21, 2020

blocked by #430

@peterthomassen
Copy link
Member Author

drafting in #456

peterthomassen added a commit that referenced this issue Nov 6, 2020
The migration sets perm_manage_tokens = True for all existing tokens,
and then sets the default to False.

Related: #347
peterthomassen added a commit that referenced this issue Nov 6, 2020
The migration sets `perm_manage_tokens = True` for all existing tokens,
and then sets the default to `False`.

Related: #347
peterthomassen added a commit that referenced this issue Nov 7, 2020
The migration sets `perm_manage_tokens = True` for all existing tokens,
and then sets the default to `False`.

Related: #347
peterthomassen added a commit that referenced this issue Nov 9, 2020
The migration sets `perm_manage_tokens = True` for all existing tokens,
and then sets the default to `False`.

Related: #347
peterthomassen added a commit that referenced this issue Nov 9, 2020
The migration sets `perm_manage_tokens = True` for all existing tokens,
and then sets the default to `False`.

Related: #347
peterthomassen added a commit that referenced this issue Nov 9, 2020
The migration sets `perm_manage_tokens = True` for all existing tokens,
and then sets the default to `False`.

Related: #347
peterthomassen added a commit that referenced this issue Nov 9, 2020
The migration sets `perm_manage_tokens = True` for all existing tokens,
and then sets the default to `False`.

Related: #347
peterthomassen added a commit that referenced this issue Nov 9, 2020
The migration sets `perm_manage_tokens = True` for all existing tokens,
and then sets the default to `False`.

Related: #347
peterthomassen added a commit that referenced this issue Nov 9, 2020
The migration sets `perm_manage_tokens = True` for all existing tokens,
and then sets the default to `False`.

Related: #347
peterthomassen added a commit that referenced this issue Nov 9, 2020
The migration sets `perm_manage_tokens = True` for all existing tokens,
and then sets the default to `False`.

Related: #347
peterthomassen added a commit that referenced this issue Nov 9, 2020
The migration sets `perm_manage_tokens = True` for all existing tokens,
and then sets the default to `False`.

Related: #347
peterthomassen added a commit that referenced this issue Nov 9, 2020
The migration sets `perm_manage_tokens = True` for all existing tokens,
and then sets the default to `False`.

Related: #347
peterthomassen added a commit that referenced this issue Nov 10, 2020
The migration sets `perm_manage_tokens = True` for all existing tokens,
and then sets the default to `False`.

Related: #347
@peterthomassen
Copy link
Member Author

#474 (subnet scoping) is done and has been deployed.

@peterthomassen
Copy link
Member Author

#478 (expiration by age and non-use) is done and has been deployed.

@Valodim
Copy link

Valodim commented Jan 25, 2021

This is pretty useful already, thanks 👍

As originally requested, please consider implementing scoped tokens by domain and record type. That would be a killer feature and a considerable security improvement over the current "all or nothing" permission scheme.

@generalmanager
Copy link

Great to see that some parts of this feature are already implemented.
I'm especially looking forward to be able to hand out subdomain-specific tokens to be saved on several routers, vms and appliances which update dyndns records of my custom domains.
Right now I have to use several accounts as I don't like credentials with rw access to my whole account saved on hardware of customers, family & friends.

@MrSuicideParrot
Copy link

I saw the accepted pull request to implement the scoped tokens. Do you have any idea when it will be put into production?

@peterthomassen
Copy link
Member Author

It is in production. The docs describe in which ways the token scope can be narrowed, and how to do that using the API: https://desec.readthedocs.io/en/latest/auth/tokens.html#token-scoping-domain-policies

Some more features may come in the future (e.g. ACME-only tokens).

@Valodim
Copy link

Valodim commented Feb 7, 2022

Great to see this moving forward, I appreciate it 👍

I did notice that token access can only be narrowed to dyndns or RRSet access per managed domain, and not to specific subdomains or record types. Those latter options will make the feature really shine. I imagine is why this issue is still open, are there any plans yet along those lines?

@peterthomassen
Copy link
Member Author

Yes, that's why the issue is open (and ACME scoping, which is kind of a sub-case) of what you're proposing. However, I'm planning to work on 2FA (#316) first (starting this month).

Subdomains / record types token scoping is challenging as far as the API data schemas are concerned. I played with it a bit on paper a while ago, and couldn't come up with "the obvious solution". Perhaps we can do some sparring when the time has come.

@Valodim
Copy link

Valodim commented Feb 7, 2022

Subdomains / record types token scoping is challenging as far as the API data schemas are concerned. I played with it a bit on paper a while ago, and couldn't come up with "the obvious solution". Perhaps we can do some sparring when the time has come.

I don't know much about desec's internals, but feel free to give me a ping if you need someone to bounce some thoughts off of :)

@peterthomassen
Copy link
Member Author

Not really internal data structures, rather interface aspects / exposed schemas. Such as: how to deal with wildcards like _acme-challenge.*.$DOMAIN? This particular instance is not a valid DNS name, as DNS requires wildcard labels to the leftmost label; parsing with dnspython may fail etc. So perhaps there should be an perm_acme permission flag, instead of going the subname route? Also, how does that interact with building a client (aka: does it integrate nicely with the web GUI)?

Things like that -- I'll let you know.

@s-hamann
Copy link

s-hamann commented Feb 7, 2022

So perhaps there should be an perm_acme permission flag, instead of going the subname route?

Personally, I would prefer the subname/record-type route. It covers more use cases. For example, my own ACME-update token also needs to have permission to manage my TLSA records on certificate renewal.

@peterthomassen
Copy link
Member Author

For those interested: We're working on an implementation of this feature, and it is mostly done (modulo review + potential adjustments). If you're interested, you can preview the new functionality's documentation here: https://desec--840.org.readthedocs.build/en/840/auth/tokens.html#token-scoping-policies

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

8 participants