[jira] [Commented] (SLING-3154) Add Topology Message Verification to the Discovery service.

[Stefan Egli (JIRA)]

[ 
https://issues.apache.org/jira/browse/SLING-3154?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13790170#comment-13790170
 ] 

Stefan Egli commented on SLING-3154:


I think we might be able to cover both aspects (the whitelist, and the 
encrypt/decrypt) with one API - basically provide one hook to 'pack' a payload 
for posting and one for 'unpacking' (and thus verifying) upon reception. Eg the 
API could be along the following lines:

public interface DiscoveryPayloadHandler {

public RequestEntity pack(String json);

public String unpack(SlingHttpServletRequest request) throws 
RejectException;

}

Whereas pack() would be used in the TopologyConnectorClient before posting the 
request, and unpack() would be used in the TopologyConnectorServlet when 
handling the PUT/DELETE requests. Throwing of the RejectException would imply 
ignoring/rejecting the request/announcement.

pack/unpack could be doing encrypt/decrypt/verify - but they could also do 
things like gizp for example.

 Add Topology Message Verification to the Discovery service.
 ---

 Key: SLING-3154
 URL: https://issues.apache.org/jira/browse/SLING-3154
 Project: Sling
  Issue Type: Improvement
  Components: General
Affects Versions: Discovery Impl 1.0.0
Reporter: Ian Boston
Assignee: Ian Boston
 Fix For: Discovery Impl 1.0.2


 The discovery service provides support for whitelisting sources of topology 
 information, but in a cluster where the topology this creates a 
 re-configuration load of order M*(n*(n-1)) where n is the number of nodes in 
 the topology and M is the number of changes. That load rises rapidly as the 
 number of changes and/or nodes increases. 
 To address this there are 2 proposals.
 1. To provide an SPI exported from the Discovery Impl bundle that allows 
 implementors to implement whitelisting based on the request. This will need 
 to support creating the request and validating the request.
 2. Embed functionality within the Discovery Impl bundle that supports 
 validation and encryption of topology requests.



--
This message was sent by Atlassian JIRA
(v6.1#6144)

[jira] [Commented] (SLING-3154) Add Topology Message Verification to the Discovery service.

[Ian Boston (JIRA)]

[ 
https://issues.apache.org/jira/browse/SLING-3154?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13790445#comment-13790445
 ] 

Ian Boston commented on SLING-3154:
---

I am thinking of a different approach.
Embed everything inside the discovery implementation (it is an implementation 
after all) and support whitelist or signing with optional encryption of the 
payload.

This should make it much simpler for anyone to configure.

Adding a SPI only becomes relevant if the internal impl doesn't cover whats 
needed, and if there is an SPI, then the impl becomes more complex.


 Add Topology Message Verification to the Discovery service.
 ---

 Key: SLING-3154
 URL: https://issues.apache.org/jira/browse/SLING-3154
 Project: Sling
  Issue Type: Improvement
  Components: General
Affects Versions: Discovery Impl 1.0.0
Reporter: Ian Boston
Assignee: Ian Boston
 Fix For: Discovery Impl 1.0.2


 The discovery service provides support for whitelisting sources of topology 
 information, but in a cluster where the topology this creates a 
 re-configuration load of order M*(n*(n-1)) where n is the number of nodes in 
 the topology and M is the number of changes. That load rises rapidly as the 
 number of changes and/or nodes increases. 
 To address this there are 2 proposals.
 1. To provide an SPI exported from the Discovery Impl bundle that allows 
 implementors to implement whitelisting based on the request. This will need 
 to support creating the request and validating the request.
 2. Embed functionality within the Discovery Impl bundle that supports 
 validation and encryption of topology requests.



--
This message was sent by Atlassian JIRA
(v6.1#6144)

[jira] [Commented] (SLING-3154) Add Topology Message Verification to the Discovery service.

[Stefan Egli (JIRA)]

[ 
https://issues.apache.org/jira/browse/SLING-3154?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13790458#comment-13790458
 ] 

Stefan Egli commented on SLING-3154:


Hi [~ianeboston], 

not quite sure I follow you here. 

Whitelisting is already supported but if I understand the reason for this 
ticket correctly, then it was the limited nature of the current whitelisting 
feature which is not 'enough' - hence, an API (or SPI..) for doing custom 
whitelisting - as you suggested on the list - to me does make a lot of sense. 
Or asked differently: how would the whitelisting feature you require for your 
use case look like (that would be generalizable enough to be put in the 
discovery.impl)?

Regarding encrypting/decrypting: do we have all the APIs on the Sling level for 
this?

Cheers,
Stefan

 Add Topology Message Verification to the Discovery service.
 ---

 Key: SLING-3154
 URL: https://issues.apache.org/jira/browse/SLING-3154
 Project: Sling
  Issue Type: Improvement
  Components: General
Affects Versions: Discovery Impl 1.0.0
Reporter: Ian Boston
Assignee: Ian Boston
 Fix For: Discovery Impl 1.0.2


 The discovery service provides support for whitelisting sources of topology 
 information, but in a cluster where the topology this creates a 
 re-configuration load of order M*(n*(n-1)) where n is the number of nodes in 
 the topology and M is the number of changes. That load rises rapidly as the 
 number of changes and/or nodes increases. 
 To address this there are 2 proposals.
 1. To provide an SPI exported from the Discovery Impl bundle that allows 
 implementors to implement whitelisting based on the request. This will need 
 to support creating the request and validating the request.
 2. Embed functionality within the Discovery Impl bundle that supports 
 validation and encryption of topology requests.



--
This message was sent by Atlassian JIRA
(v6.1#6144)

[jira] [Commented] (SLING-3154) Add Topology Message Verification to the Discovery service.

[Ian Boston (JIRA)]

[ 
https://issues.apache.org/jira/browse/SLING-3154?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13790563#comment-13790563
 ] 

Ian Boston commented on SLING-3154:
---

Hi [~egli]
I need the ability to have a single shared configuration for an entire topology 
that allows automated and secure discovery of all active members of that 
topology without any whitelisting. That configuration should be static and not 
dependent on the topology itself or reference anything in the physical topology.

Regarding encrypting/decrypting: do we have all the APIs on the Sling level 
for this?

I might be missing something but last time I looked the JDK supported 
encrypting/decrypting. It may not have a huge range of algorithms, but 
HmacSHA256 and AES/CBC/PKCS5Padding is probably good enough for this.

I have working code that doesn't do anything to the existing IP whitelisting 
unless configured to be active.

Best Regards
Ian

 Add Topology Message Verification to the Discovery service.
 ---

 Key: SLING-3154
 URL: https://issues.apache.org/jira/browse/SLING-3154
 Project: Sling
  Issue Type: Improvement
  Components: General
Affects Versions: Discovery Impl 1.0.0
Reporter: Ian Boston
Assignee: Ian Boston
 Fix For: Discovery Impl 1.0.2


 The discovery service provides support for whitelisting sources of topology 
 information, but in a cluster where the topology this creates a 
 re-configuration load of order M*(n*(n-1)) where n is the number of nodes in 
 the topology and M is the number of changes. That load rises rapidly as the 
 number of changes and/or nodes increases. 
 To address this there are 2 proposals.
 1. To provide an SPI exported from the Discovery Impl bundle that allows 
 implementors to implement whitelisting based on the request. This will need 
 to support creating the request and validating the request.
 2. Embed functionality within the Discovery Impl bundle that supports 
 validation and encryption of topology requests.



--
This message was sent by Atlassian JIRA
(v6.1#6144)

[jira] [Commented] (SLING-3154) Add Topology Message Verification to the Discovery service.

[Ian Boston (JIRA)]

[ 
https://issues.apache.org/jira/browse/SLING-3154?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13790633#comment-13790633
 ] 

Ian Boston commented on SLING-3154:
---

Changes committed with code coverage for the new code for the passing use cases.
Verified no impact on current implementation, as none of the existing tests 
were touched.
All discovery bundles build and pass tests.
Will need to deploy so some live instances and configure to validate in the 
wild.

This is a brief description

Uses HmacSHA256 with a derived key that lasts 4h for signatures.
Uses AES/CBC/PKCS5Padding with a 128 bit key and random 9 byte salt for 
encryption if enabled.

Configuration is via the Config Component. To enable white listing is turned 
off, a shared key is set and optionally, encryption and the signature key 
lifetime is set.

Signature is performed by performing a HMAC on a SHA of the body, url and 
direction message (request or response). The SHA is put in X-SlingTopologyHash 
header, the HMAC is put in X-SlingTopologyTrust header.

Verifying the message can be trusted rebuilds checks that the HMAC of the SHA 
is the same as in the request. No reference is made to the body of the request. 

When extracting the body of the request or response the SHA is rebuilt and 
checked against the body of the message (encrypted if the body was encrypted)

Encryption takes the String body, and encrypts into a json object with a single 
key payload containing a JSONArray made up of the base64 encoded 10 byte 
salt, the Cipher initialisation vector as base64 encoded bytes, and the 
encrypted data.

Decryption uses the salt to generate the key and initialisation vector to 
decrypt the data.

It is possible to replay the same identical message 2x.
It is not possible to replay a different message using an old hash/hmac
It is not possible to replay an empty message (eg DELETE, where the body is 
null) on different urls.
Requests and responses do not share hash/hmac pairs and both directions are 
secured.

I will leave the issue open in case there objections to this change from the 
community or if testing turns up issues.



 Add Topology Message Verification to the Discovery service.
 ---

 Key: SLING-3154
 URL: https://issues.apache.org/jira/browse/SLING-3154
 Project: Sling
  Issue Type: Improvement
  Components: General
Affects Versions: Discovery Impl 1.0.0
Reporter: Ian Boston
Assignee: Ian Boston
 Fix For: Discovery Impl 1.0.2


 The discovery service provides support for whitelisting sources of topology 
 information, but in a cluster where the topology this creates a 
 re-configuration load of order M*(n*(n-1)) where n is the number of nodes in 
 the topology and M is the number of changes. That load rises rapidly as the 
 number of changes and/or nodes increases. 
 To address this there are 2 proposals.
 1. To provide an SPI exported from the Discovery Impl bundle that allows 
 implementors to implement whitelisting based on the request. This will need 
 to support creating the request and validating the request.
 2. Embed functionality within the Discovery Impl bundle that supports 
 validation and encryption of topology requests.



--
This message was sent by Atlassian JIRA
(v6.1#6144)