Merge pull request #9413 from kaltura/Propus-16.2.0-PLAT-10806

PLAT-10806 authenticate uri
kaltura · May 18, 2020 · d55fff9 · d55fff9
2 parents 5c9f3db + 53f37a5
commit d55fff9
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 2 deletions.
diff --git a/alpha/apps/kaltura/lib/request/kNetworkUtils.php b/alpha/apps/kaltura/lib/request/kNetworkUtils.php
@@ -0,0 +1,49 @@
+<?php
+/**
+ * @package server-infra
+ * @subpackage request
+ */
+class kNetworkUtils
+{
+	const KALTURA_AUTH_HEADER = 'HTTP_X_KALTURA_AUTH';
+	/**
+	 * @return bool
+	 * @throws Exception
+	 */
+	public static function isAuthenticatedURI()
+	{
+		if (!isset($_SERVER[self::KALTURA_AUTH_HEADER]))
+		{
+			KalturaLog::warning("Missing Header Parameter - ". self::KALTURA_AUTH_HEADER);
+			return false;
+		}
+		$xKalturaAuth = $_SERVER[self::KALTURA_AUTH_HEADER];
+		$parts = explode(',', $xKalturaAuth);
+		if (count($parts) != 3)
+		{
+			KalturaLog::warning('Invalid Fromat for ' . self::KALTURA_AUTH_HEADER);
+			return false;
+		}
+
+		$version = $parts[0];
+		$timestamp = $parts[1];
+		$expectedSignature = $parts[2];
+		$url = $_SERVER['REQUEST_URI'];
+		$secret = kConf::get('authentication_secret','local', null);
+		if (!$secret)
+		{
+			KalturaLog::warning("Missing authentication_secret in configuration");
+			return false;
+		}
+
+		$actualSignature = base64_encode(hash_hmac('sha256', "$version,$timestamp,$url", $secret, true));
+		KalturaLog::debug("Actual Signature [$actualSignature] - Expected Signature [$expectedSignature]" );
+		if ( $actualSignature !== $expectedSignature)
+		{
+			KalturaLog::warning("Could not authenticate X-Kaltura-Auth");
+			return false;
+		}
+
+		return true;
+	}
+}
diff --git a/alpha/apps/kaltura/modules/extwidget/actions/serveFlavorAction.class.php b/alpha/apps/kaltura/modules/extwidget/actions/serveFlavorAction.class.php
@@ -26,7 +26,7 @@ protected static function jsonEncode($obj)
 		}
 		return json_encode($obj, $options);
 	}
-	
+
 	public function getFileSyncFullPath(FileSync $fileSync, $local = true)
 	{
 		if(!$local)
@@ -482,7 +482,7 @@ public function execute()
 
 		$syncKey = $flavorAsset->getSyncKey(flavorAsset::FILE_SYNC_FLAVOR_ASSET_SUB_TYPE_ASSET, $version);
 
-		if ($this->pathOnly && kIpAddressUtils::isInternalIp($_SERVER['REMOTE_ADDR']))
+		if ($this->pathOnly && (kIpAddressUtils::isInternalIp($_SERVER['REMOTE_ADDR'])) || kNetworkUtils::isAuthenticatedURI())
 		{
 			$path = '';
 			$parent_file_sync = null;

diff --git a/configurations/local.template.ini b/configurations/local.template.ini
@@ -17,6 +17,7 @@ push_server_secret = @TOKEN@
 push_server_secret_iv = @TOKEN_IV@
 push_server_exchange = @EXCHANGE_NAME@
 live_packager_secure_token = @LIVE_PACKAGER_TOKEN@
+authentication_secret = @AUTHENTICATION_SECRET@
 
 ; Define a packager url for thumbs and volume_map (https://kaltura.atlassian.net/browse/PLAT-10835).
 ; The value set in the below directive will be concatenated to that set in packager_url