-
Notifications
You must be signed in to change notification settings - Fork 112
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Revamp public shares authentication model #1549
Comments
cc @C0rby |
I agree the the public shares authentication model needs to be revamped. |
While I was implementing the signed URL public links I got some insights and see some more problems now. First I think we need to revert this API change cs3org/cs3apis#113. The process to authenticate a signed URL request roughly looks like this:
But step 2 is already problematic. With basic authentication we could just call What we would need instead is an 'internal' way to get the share + share password hash without an authenticated context. Another possible way would be if the But I guess this also depends on how we revamp the public share authentication model. |
But then they would be able to access the shared files, right? I mean wouldn't it be possible to set put this user into the request context and issue a |
Nevermind. With the share token and password it's of course possible to access the share files... 🤦 |
@C0rby for the brute-force attack a very simple solution is to add a delay on wrong password (like when you wrongly type your password when |
Isn't expiration also part of the hashed signature, as per this cs3org/cs3apis#110? How do you retrieve that?
What I propose above won't solve this. That is just to prevent exposing the creator's token to random users and is not really related to how we want to design the signed URLs
I don't really see the problem here. Do you mean that if a user knows the password to a share, and if he accesses |
A better way IMO, instead of having the public share service return the password would be to delegate the whole signing process to it. Add a method called |
Or better yet, make the password parameter in |
@ishank011 if the logic is to just "sign" that can be added to the CS3APIS. If the logic is "craft a signature that allows fine-grained permissions to download this file" I think that doesn't fit there. |
In the old Reva implementation (pre-CS3APIs) we had a dedicated module to craft tokens: And it did created "tokens" for public links authentication: |
@labkode if we follow this approach
then we just need to add a signature field to the |
That doesn't work. If someone has the hash they can just calculate hashes and compare them with the share hash. |
The expiration is included in the signing process. When someone is using the signed URL then the expiration needs to be included in the request in a query parameter.
No I mean currently the share can only be accessed by doing a But if the attacker has the hash then the only limit to bruteforcing is the computational complexity of the hash and the computing power of the attacker. |
So based of your comments I propose these changes cs3org/cs3apis#118 |
👍 conceptually it makes sense. I'm not aware of the side effects compared to other approaches, such as using a dedicated "maintenance" user only for public shares. On a performance note, I wonder how much of a toll for a system would be due to the overhead of looking for a given user (not getting into indices here 🙈). Wondering as well if such users have to be filtered out from the UI, but these are implementation details. The concept is clear to me. My only remarks are:
|
@refs thanks a lot for the comments! Sorry, I didn't mention this in the explanation. We won't actually be creating any users. These would just be used to generate the jwt token. So when the reva/pkg/auth/manager/publicshares/publicshares.go Lines 121 to 128 in e8a00d9
instead of returning the creator of the share, we'll return
The middleware will generate a token for this user which will be used to allow access to the shared file. When dismantling the token, we'll check that it's a special public-shares-only user and make sure that it has access only to the
This is also an option, but the ACLs on all the shared resources will have the same principal then. So an attacker might use the token to access all such files.
True but the token won't be of much use as the middleware will block access for these special users. They'll only be able to access the file shared with them (which they can anyway since they have the token). |
Ace! thanks @ishank011 for taking the time to go through the point :) all clear |
This approach has been superseded by #1669 |
Why?
With the current workflow with which public shares are handled, we run the risk of exposing the resource owner's token to random users who access the shared link. Using only the token corresponding to the public shares, the
Authenticate
gateway method can be called, which will return the owner's token.reva/internal/http/services/owncloud/ocdav/dav.go
Lines 177 to 183 in 3b7e1f0
Anonymous users
I propose using anonymous users to grant share-specific access. When a public share is created, a temporary user is created and assigned the appropriate grant for the shared file.
#/s/RMxHPGhqbRySVOH
, we add an ACLu:public_RMxHPGhqbRySVOH:rwx
.Authenticate
method of typepublicshares
returns this user if it's able to find the share corresponding to it.Possible issues
/remote.php/dav/public-files/
endpoint and those exposed by the public storage provider service.Please let me know your thoughts about this @labkode @butonic @refs @dragotin
The text was updated successfully, but these errors were encountered: