Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

20200916 token policy domains #456

Merged
merged 7 commits into from
Jan 6, 2022
Merged

Conversation

peterthomassen
Copy link
Member

No description provided.

@peterthomassen peterthomassen mentioned this pull request Oct 2, 2020
@peterthomassen peterthomassen force-pushed the 20200916_token_policy_domains branch 2 times, most recently from ed41a2f to b8bd45a Compare November 23, 2020 20:30
@peterthomassen peterthomassen force-pushed the 20200916_token_policy_domains branch 6 times, most recently from c4c6bb8 to 8c37b2e Compare March 2, 2021 20:06
@peterthomassen peterthomassen deleted the branch main April 14, 2021 11:45
@peterthomassen
Copy link
Member Author

closed accidentally during master branch rename

@peterthomassen peterthomassen force-pushed the 20200916_token_policy_domains branch 4 times, most recently from 0cee6ca to c5789bb Compare May 5, 2021 14:46
@peterthomassen peterthomassen force-pushed the 20200916_token_policy_domains branch 8 times, most recently from 97262d4 to 4b5ca43 Compare August 31, 2021 16:35
api/desecapi/models.py Outdated Show resolved Hide resolved
Copy link
Contributor

@nils-wisiol nils-wisiol left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

some questions, but this lgtm

## can't create policy for other user's domain
data = dict(domain=self.other_domain.name, perm_dyndns=True, perm_rrsets=True)
response = self.client.create_policy(self.token, using=self.token_manage, data=data)
self.assertStatus(response, status.HTTP_400_BAD_REQUEST)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this leaking information?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, the error is that the domain does not exist in the user's domain set, and the serializer turns it into 400 (instead of 404) because it's only about a domain reference from a payload field (and not a URL resource).

The same error is returned when the domain does not exist at all, i.e. the error does not expose whether the domain is owned by another user. Further, you can always check whether a domain is owned by another user by checking whether deSEC nameservers have SOA records.


If you have a token that is restricted to example.com, you can try to work on another domain's RRsets (of the same user), and you will get 403 instead of 400 or 404. That exposes to the token user that the other domain is in the same account. However, the token user could also just GET domains/ and look at the list of domains, so there's no additional exposure. (Unsafe methods on domains/ require a token without a domain policy, i.e. an unrestricted token.) One can argue that a domain-scoped token should not be able to access the domain list. However, if we block that, then the 403 side-channel occurs.

Do you think it's fine that a restricted token can read the list of domains in the account?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's fine, but I also don't see what could be the benefit. So maybe remove that permission?

@peterthomassen peterthomassen force-pushed the 20200916_token_policy_domains branch 3 times, most recently from a66706e to 2df698e Compare January 6, 2022 10:40
@nils-wisiol
Copy link
Contributor

As far as I can tell, the last remaining question is whether a scoped token should have the permission to list all domains belonging to user account.

@peterthomassen
Copy link
Member Author

As discussed in person, we'll keep it as is for now, and may later implement something like perm_view; the domains/ queryset can then be filtered such that it only has domains for which the token has view permission.

@peterthomassen peterthomassen force-pushed the 20200916_token_policy_domains branch 8 times, most recently from 816bd64 to 5ff138b Compare January 6, 2022 14:37
@peterthomassen peterthomassen force-pushed the 20200916_token_policy_domains branch 2 times, most recently from 260382f to 50edce9 Compare January 6, 2022 14:53
Copy link
Contributor

@nils-wisiol nils-wisiol left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

endpoint reference is missing

docs/auth/tokens.rst Outdated Show resolved Hide resolved
docs/auth/tokens.rst Outdated Show resolved Hide resolved
docs/auth/tokens.rst Show resolved Hide resolved
@peterthomassen peterthomassen merged commit 66e32ab into main Jan 6, 2022
@peterthomassen peterthomassen deleted the 20200916_token_policy_domains branch January 6, 2022 16:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants