Introduce HTTP header authentication
ISSUE-703: Introduce HTTP header authentication
Allow selecting read-only and read/write users based on an arbitrary HTTP header.
This enables the simplest integration with K8s ingress restrictions where traffic coming from outside the cluster should be allowed to change any entry in the registry.
Closes #703
Hi Luca, I've looked at your PR and it looks good. My question is, does it make sense to allow any header to be defined?
The way I see it, with this we could set "readonly.header.name" to the value of "Color" and then we'd require the server to send such a header with some predefined values, like "Color: blue". Is there a use case for this?
What if we restrict the headers to a set of predefined values, like Host, User, User-Agent, Cookie? Do you think it makes sense?
Hi @gcsaba2 thanks for looking at my PR and providing your feedback on it. See my comments below.
Kind Regards. Luca.
> Hi Luca, I've looked at your PR and it looks good. My question is, does it make sense to allow any header to be defined?

There is no advantage in reducing the possible headers, and we would lose flexibility in terms of use-cases.
The typical use-case (mine) is to restrict access for different K8s ingresses, and thus use the Host header. However, I do know that some SSO systems have a custom X-Something header for authenticated calls that could be used with this authentication mechanism.

> The way I see it, with this we could set "readonly.header.name" to the value of "Color" and then we'd require the server to send such a header with some predefined values, like "Color: blue". Is there a use case for this?

Color, possibly not :-) but `X-SSO-Role`, yes (I made `X-SSO-Role` up for this example, but yes, there could be some other use-case).

> What if we restrict the headers to a set of predefined values, like Host, User, User-Agent, Cookie? Do you think it makes sense?
Do you see any advantage in doing that?
You're right about the X-headers. I can't think of any advantage of restricting the list of headers, other than the old rule in security that it's better to restrict as much as possible :)
I'll try to think of ways how to break this code and will get back to you next week. If no one has any objection I think we can merge this. Thank you for your contribution!
One scenario that popped into my mind. Java regex is always unreliable because you don't know if it's greedy or not. Let's say you want to restrict the POST method to just the readwrite users and everything else to readonly.
You would have something like this:
readonly.resources: "(GET|PUT|POST|DELETE) .*"
readwrite.resources: "(POST) .*"
Because there is no ^ at the beginning of the regex, we don't necessarily match from the start. So as a hacker with only "readonly" permissions, I could send this request:
`POST /dropAllTables?GET%20/someSafePage`
The string after the ? would be matched and the user would be permitted to enter the website. The HTTP server would interpret the request correctly as a POST request and would delete all tables as requested.
Small Java code to demonstrate this:

```java
import java.util.regex.Pattern;

String requestHdr = "POST /dropAllTables?GET%20/someSafePage";
Pattern regex = Pattern.compile("(GET|PUT|POST|DELETE) .*");
// matches() requires the whole request line to match the rule
System.out.println("Is this req allowed? " + regex.matcher(requestHdr).matches()); // true
```
Let me know if you see this scenario as a possibility. I know we're talking about kubernetes which is usually inside an intranet, but it's better to be safe than sorry.
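To make the anchoring concern above concrete, here is an added example in Java; it is not code from this PR or from the project. It assumes the authorizer evaluates a resource rule against a decoded "METHOD path" string; the rule `(GET|HEAD) .*`, the request lines and the paths are constructed for the demonstration. It contrasts `find()`, which accepts the rule matching any substring of the request line, with `matches()` and an explicitly anchored rule, both of which require the method at the start of the line to satisfy the rule.

```java
import java.util.regex.Pattern;

// Added example, not code from the PR or the project. It assumes the
// authorizer evaluates a resource rule against a decoded "METHOD path"
// string; the rule and request lines below are constructed for the demo.
public class ResourceRuleCheck {

    // A rule as a user might write it in readonly.resources: GET/HEAD only, no anchors.
    static final Pattern READONLY_RULE = Pattern.compile("(GET|HEAD) .*");

    // The same rule with explicit anchors, for comparison.
    static final Pattern READONLY_RULE_ANCHORED = Pattern.compile("^(GET|HEAD) .*$");

    // Unsafe: find() succeeds when the rule matches ANY substring, so a
    // "GET /..." token anywhere in the path or query string satisfies it.
    static boolean allowedWithFind(String requestLine) {
        return READONLY_RULE.matcher(requestLine).find();
    }

    // Safe: matches() requires the rule to cover the entire request line,
    // so only the method at the start of the line can satisfy "(GET|HEAD) ".
    static boolean allowedWithMatches(String requestLine) {
        return READONLY_RULE.matcher(requestLine).matches();
    }

    // Also safe: find() with ^ and $ anchors behaves like matches() for these inputs.
    static boolean allowedWithAnchoredFind(String requestLine) {
        return READONLY_RULE_ANCHORED.matcher(requestLine).find();
    }

    public static void main(String[] args) {
        // Constructed request lines, already URL-decoded.
        String[] requests = {
            "GET /entries",                          // legitimate read
            "POST /entries/purge?note=GET /entries", // write with a GET token in the query
            "DELETE /entries/GET /x"                 // write with a GET token in the path
        };
        for (String req : requests) {
            System.out.printf("%-40s find=%-5b matches=%-5b anchoredFind=%b%n",
                    req, allowedWithFind(req), allowedWithMatches(req),
                    allowedWithAnchoredFind(req));
        }
    }
}
```

The two write requests carry a "GET /" token in the path or query string: `find()` lets both through as read-only traffic, while `matches()` and the anchored rule reject them and accept only the genuine GET. Whichever method the implementation calls, the rules in readonly.resources and readwrite.resources are only safe when they are evaluated against the whole request line.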