Add JWT Auth to Integrity Checker #18690

Closed
wezell opened this issue Jun 17, 2020 · 7 comments
Comments

@wezell
Contributor

wezell commented Jun 17, 2020

Just like we did with the PushPublishing Endpoint, we need to add JWT support to the Integritychecker.

See: #16796

@wezell wezell added this to the Falcon Current milestone Jun 17, 2020
@freddyucv freddyucv assigned freddyucv and unassigned freddyucv Jun 17, 2020
@dsilvam dsilvam modified the milestones: 061620_FALCON, Falcon Current Jun 19, 2020
@dsilvam dsilvam modified the milestones: 072820_FALCON, Falcon Current Jul 29, 2020
dsilvam pushed a commit that referenced this issue Sep 25, 2020
* #16796 adding fixes and comments to support the jwt on pp

* #16796 Fixing error when some parameters not come in the request

* #16796 Testing

* #16796 refactoring/testing

* #16796 testing

* #16796 refactoring

* #16796 Refactoring

* Revert "#16796 refactoring/testing"

This reverts commit d06b4af.

* refactoring

* #16796 Fixing Test

* #16796 Fixing PP error

* #16796 Sending JWT token in PP request

* #16796 Removing receiver configuration from jsp

* #18690 Using JWT token in integrity checker

* #16796 Show invalid token message when IC fails with a invalid token

* #16796 Removing end point id from fix conflicts end point

* #16796 Adding Task Upgrade

* #16796 Not show token when it is invalid or expired

* #16796 Allow switch between old way token and JWT token in Push Publish

* #16796 Allow switch between old way token and JWT token in Push Publish

* #16796 Postman Testing

* #16796 Postman Testing

* #16796 Testing

* #16796

* #16796 testing

* #16796 undo change

* Revert "#16796 undo change"

This reverts commit b1c4fc2.

* #16796 undo change

* #16796 undo change

* #16796 undo change

* #16796 undo change

* Adding doc

* #16796 Refactoring

* refactoring

* Revert "refactoring"

This reverts commit d949dcc.

* #16796 Using PP old way as fallback

* #18780 Fixing Push publish fallback

* Fixing test

* fixing test

* Testing

* fixing test

* Fixing test

* fixing test

* fixing test

* Fixing testing

* fixing testing

* Fixing integration test

* Fixing test

* Fix testing

* Fixing test

* Fixing testing

* Fixing test

* #16796: Changing Quartz 'isJobRunning' implementation

* Fixing testing

* Fixing test

* Testing

* Java doc

Co-authored-by: jdotcms <jonathan.sanchez@dotcms.com>
Co-authored-by: Victor Alfaro <victor.alfaro@dotcms.com>
@victoralfaro-dotcms
Contributor

Tested with receiver cluster with Apache load balancer.
Defined a token in the receiver cluster.

[screenshot]

And used it as "secret" in the PP endpoint configuration:
[screenshot]

Conflicts were detected successfully and token validation is mentioned in the logs.
These are the logs from one of the nodes picking the first request:

01-Oct-2020 16:54:00.144 WARNING [url:GET//demo.dotcms.com/api/v1/apitoken/dotcms.org.1/tokens | lang:1 | ip:0:0:0:0:0:0:0:1 | Admin:false | start:10-01-2020 03:37:10 CST  ref:http://localhost:8082/c/portal/layout?p_l_id=a8e430e3-8010-40cf-ade1-5978e61241a8&p_p_id=users&p_p_action=0&&dm_rlout=1&r=1601588341224&in_frame=true&frame=detailFrame&container=true&angularCurrentPortlet=users  ?showRevoked=false] org.glassfish.jersey.servlet.WebComponent.filterFormParameters A servlet request to the URI http://localhost:8082/api/v1/apitoken/dotcms.org.1/tokens?showRevoked=false contains form parameters in the request body but the request body has been consumed by the servlet or a servlet filter accessing the request parameters. Only resource methods using @FormParam will work as expected. Resource methods consuming the request body by other means will not work as expected.
16:54:08.339  INFO  timedcache.TimedCacheProvider - ***	 Building Cache : apitokencache, size:1000, seconds:3600,Concurrency:32 (every 60000 millis)
01-Oct-2020 16:54:08.405 WARNING [url:GET//demo.dotcms.com/api/v1/apitoken/dotcms.org.1/tokens | lang:1 | ip:0:0:0:0:0:0:0:1 | Admin:false | start:10-01-2020 03:37:12 CST  ref:http://localhost:8082/c/portal/layout?p_l_id=a8e430e3-8010-40cf-ade1-5978e61241a8&p_p_id=users&p_p_action=0&&dm_rlout=1&r=1601588341224&in_frame=true&frame=detailFrame&container=true&angularCurrentPortlet=users  ?showRevoked=false] org.glassfish.jersey.servlet.WebComponent.filterFormParameters A servlet request to the URI http://localhost:8082/api/v1/apitoken/dotcms.org.1/tokens?showRevoked=false contains form parameters in the request body but the request body has been consumed by the servlet or a servlet filter accessing the request parameters. Only resource methods using @FormParam will work as expected. Resource methods consuming the request body by other means will not work as expected.
16:56:34.486  INFO  rest.IntegrityResource - Receiver at localhost:8082:> job triggered for endpoint id: 127.0.0.1 and requester id: 5497c54a-03a5-499e-9833-3430221c869b
16:56:34.512  INFO  integritycheckers.IntegrityUtil - Starting integrity data generation job for endpoint apib84de3c2-4277-4930-a8f9-3ad721f80581
16:56:34.514  INFO  integritycheckers.IntegrityUtil - Writing '/Users/victoralfaro/dev/dotcms/dotcms-data/assets/integrity/apib84de3c2-4277-4930-a8f9-3ad721f80581/FoldersToCheck.csv' to zip file
16:56:34.517  INFO  integritycheckers.IntegrityUtil - Writing '/Users/victoralfaro/dev/dotcms/dotcms-data/assets/integrity/apib84de3c2-4277-4930-a8f9-3ad721f80581/StructuresToCheck.csv' to zip file
16:56:34.533  INFO  integritycheckers.IntegrityUtil - Writing '/Users/victoralfaro/dev/dotcms/dotcms-data/assets/integrity/apib84de3c2-4277-4930-a8f9-3ad721f80581/ContentPagesToCheck.csv' to zip file
16:56:34.536  INFO  integritycheckers.IntegrityUtil - Writing '/Users/victoralfaro/dev/dotcms/dotcms-data/assets/integrity/apib84de3c2-4277-4930-a8f9-3ad721f80581/ContentFileAssetsToCheck.csv' to zip file
16:56:34.540  INFO  integritycheckers.IntegrityUtil - Writing '/Users/victoralfaro/dev/dotcms/dotcms-data/assets/integrity/apib84de3c2-4277-4930-a8f9-3ad721f80581/CmsRolesToCheck.csv' to zip file
16:56:34.544  INFO  job.IntegrityDataGenerationJob - Job execution for endpoint apib84de3c2-4277-4930-a8f9-3ad721f80581 has finished

Then the second node picks the request asking about the status:

01-Oct-2020 16:56:11.046 WARNING [url:GET//demo.dotcms.com/api/v1/apitoken/dotcms.org.1/tokens | lang:1 | ip:0:0:0:0:0:0:0:1 | Admin:false | start:10-01-2020 04:54:52 CST  ref:http://localhost:8081/c/portal/layout?p_l_id=a8e430e3-8010-40cf-ade1-5978e61241a8&p_p_id=users&p_p_action=0&&dm_rlout=1&r=1601592905302&in_frame=true&frame=detailFrame&container=true&angularCurrentPortlet=users  ?showRevoked=false] org.glassfish.jersey.servlet.WebComponent.filterFormParameters A servlet request to the URI http://localhost:8081/api/v1/apitoken/dotcms.org.1/tokens?showRevoked=false contains form parameters in the request body but the request body has been consumed by the servlet or a servlet filter accessing the request parameters. Only resource methods using @FormParam will work as expected. Resource methods consuming the request body by other means will not work as expected.
16:56:50.504  INFO  timedcache.TimedCacheProvider - ***	 Building Cache : apitokencache, size:1000, seconds:3600,Concurrency:32 (every 60000 millis)
16:56:51.084  INFO  rest.IntegrityResource - Receiver at localhost:8081:> integrity data generation for endpoint id apib84de3c2-4277-4930-a8f9-3ad721f80581 has finished and saved at /Users/victoralfaro/dev/dotcms/dotcms-data/assets/integrity/apib84de3c2-4277-4930-a8f9-3ad721f80581/DataToCheck.zip

@bryanboza
Member

After those changes, we can now run the Integrity checker even if you don't have a license on the receiver side, because you can generate the token in the community edition and don't need any extra configuration on the receiver side. Then we need to find some way to validate the license on the receiver side.

@dsilvam dsilvam modified the milestones: Falcon Current, Maintenance Sprint Oct 21, 2020
@wezell
Contributor Author

wezell commented Oct 21, 2020

This should do it:
new WebResource.InitBuilder().requireLicense(true)
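The two receiver-side checks discussed in this thread, token signature validation (whose failure is the "signature does not match locally computed signature" message in the logs) and the enterprise-license gate behind requireLicense(true), as an added Python illustration that is not dotCMS code; the minimal HS256 issuer/verifier, the key values, claim names and the order of the checks are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed example: a minimal HS256 JWT issuer and receiver-side verifier.
# It models the checks discussed in the issue, not dotCMS's ApiTokenAPI.

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(secret: bytes, subject: str, ttl_seconds: int, now: int) -> str:
    """Sender side: sign {sub, iat, exp} with the shared secret (HS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": subject, "iat": now, "exp": now + ttl_seconds}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(secret: bytes, token: str, now: int) -> tuple[bool, str]:
    """Receiver side: returns (ok, reason); no claim is trusted before the signature passes."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed"
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        return False, "unsupported alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time compare; a mismatch means the receiver's key is not the one the token was signed with
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "signature does not match locally computed signature"
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        return False, "expired"
    return True, "ok"

def receiver_authorize(secret: bytes, token: str, now: int, has_enterprise_license: bool) -> str:
    """Models requireLicense(true) in front of token validation (check order is an assumption)."""
    if not has_enterprise_license:
        return "rejected: license required"
    ok, reason = verify_token(secret, token, now)
    return "accepted" if ok else f"rejected: {reason}"
```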

@freddyucv

PR: #19488

dsilvam pushed a commit that referenced this issue Oct 23, 2020
…#19492)

* #18690 Allow Push publish just for enterprise license in the receiver

* testing

* Fixing test
@victoralfaro-dotcms
Contributor

victoralfaro-dotcms commented Oct 27, 2020

Integrity Check is not running due to the JWT issues. This is the log:

0:37:35.931  INFO  util.SecurityLogger - class com.dotcms.auth.providers.jwt.factories.ApiTokenAPI : JWT Failed from ipaddress:127.0.0.1 JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted. -- ip:127.0.0.1,user:null
00:37:35.931  WARN  factories.ApiTokenAPI - JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted.
00:37:35.932  WARN  pusher.PushPublisher - Endpoint or endpoint key is null:null
00:37:35.932  ERROR rest.IntegrityResource - Receiver at localhost:8082> :Receiver at localhost:8082:> Authentication Token is invalid for ip: 127.0.0.1
00:37:37.959  INFO  util.SecurityLogger - class com.dotcms.auth.providers.jwt.factories.ApiTokenAPI : JWT Failed from ipaddress:127.0.0.1 JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted. -- ip:127.0.0.1,user:null
00:37:37.959  WARN  factories.ApiTokenAPI - JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted.
00:37:37.959  WARN  pusher.PushPublisher - Endpoint or endpoint key is null:null
00:37:37.959  ERROR rest.IntegrityResource - Receiver at localhost:8082> :Receiver at localhost:8082:> Authentication Token is invalid for ip: 127.0.0.1

[screenshot]

@bryanboza
Member

Problems trying to fix integrity conflicts:
To reproduce:
1- Create a new folder and add some pages into it
2- Push it
3- Delete the folder from sender and create a new folder with the same name
4- Try to fix conflicts on receiver
5- Repeat the steps 3 and 4 again

Here is the log: https://gist.github.com/bryanboza/65e87393af56bcb431ee971f0068397b

@bryanboza
Member

Fixed, tested on release-20.10.1 // Postgres // FF

dsilvam added a commit that referenced this issue Nov 4, 2020
* Update dotcmsReleaseVersion and coreWebReleasion version

* update release version

* #18505 JSONTool does not return sub arrays

* #18505 now the JSONTool uses the Jackson to map the string json as a single Maps and Lists

* #18505 now the JSONTool uses the Jackson to map the string json as a single Maps and Lists

* #19364 Unable to edit category permissions as limited user even you have full rights

* #18314 Make Query Tool Use fetch() to fill response

* #19098 SAML update logout page.  (#19450)

* include css in jsp

* label updated

* Updating sql files (#19478)

* Updating sql files to remove constraints

* Updating sql files to remove constraints

* #18690 Allow Push publish just for enterprise license in the receiver (#19492)

* #18690 Allow Push publish just for enterprise license in the receiver

* testing

* Fixing test

* Issue 19500 sql injection containers (#19501)

* #18605 pauses and then unpauses based on a cache invalidation

* #18605 adding ttl to the cache put in the logger

* #18605 less logging

* #19500 sanitize sql

* #19500 fixes potential sql vulnerabilities

* #19500 writing tests

* #19500 tests

* we should not need TLS set to true

* #19500 removing unneeded files

* #19338 don't lowercase (#19506)

* #19338 don't lowercase

* #19338 integration test

* #19338 missing test resource

* #19509 use proper db column in query (#19510)

* #19509 use proper db column in query

* #19509 use proper property from contentlet

* #19509 fix integration test

* #19509 fix integration test

* #19471 Use proper value when discarding conflicts (#19519)

* #18780 fixes job when new hostname starts with  original hostname (#19522)

* #19509 Fixing bug when use comma in host's name (#19528)

* #19509 Fixing bug when use comma in host's name

* Fixing test

* update core-web version

* merge with master

* Update .gitmodules

* Update gradle.properties

Co-authored-by: Jonathan <jonathan.sanchez@dotcms.com>
Co-authored-by: erickgonzalez <erick.gonzalez@dotcms.com>
Co-authored-by: hmoreras <31667212+hmoreras@users.noreply.github.com>
Co-authored-by: Freddy Rodriguez <freddy0309@gmail.com>
Co-authored-by: Will Ezell <will@dotcms.com>
@wezell wezell closed this as completed Nov 4, 2020