Page MenuHomePhabricator
Create Task
Maniphest T5590

Change diffusion.allow-http-auth into an application policy and improve security features
Open, NormalPublic
Actions

Description

Currently, we have a diffusion.allow-http-auth configuration setting, which controls global access to repositories over HTTP.

@hach-que has a use case where an external build server does not support SSH, so it must use HTTP, but normal users should not be allowed to use HTTP for security purposes. This seems like a generally reasonable thing, and I think it's generally desirable to reduce configuration.

We should also:

  • add (per-ip, to prevent DOS?) rate limiting to password failures (and SSH key failures?);
  • record these events in the user action log.

We have security infrastructure which makes these things easy, now.

Event Timeline

epriestley created this task.Jul 10 2014, 1:43 PM
epriestley raised the priority of this task from to Normal.
epriestley updated the task description. (Show Details)
epriestley added projects: Diffusion, Security.
epriestley added subscribers: epriestley, hach-que.
jesseendahl added a subscriber: jesseendahl.Feb 19 2015, 8:02 PM

In addition to the things mentioned above, it'd be great if some form of per-user auth was supported via HTTPS. Perhaps this could be done by utilizing the existing user specific arc certificate, or generating a similar secondary certificate for the sole purpose of cloning repos.

epriestley added a comment.Feb 19 2015, 8:03 PM

Maybe I'm misunderstanding, but per-user auth is already supported via HTTPS (Settings > VCS Password). Each user gets a username/password. Or do you mean something else?

jesseendahl added a comment.Feb 19 2015, 8:53 PM

My mistake, I thought VCS password was referring to setting a password for the "vcs user," and then sharing that password with anyone who wanted to clone repos over HTTPS. I'm glad that's not how it works =)

That said, there are really two pieces to this: 1) per user auth, 2) strength of the auth.

In the current state, #1 is covered but #2 is poor. I wouldn't be comfortable enabling this with HTTP basic auth, but I would if the auth used some kind of user-specific cert.

If I do switch "diffusion.allow-http-auth" to "Allow HTTP Basic Auth," that would immediately break cloning for anyone currently doing unauthenticated clones, correct? I'm guessing I don't see Settings > VCS Password because it's currently disabled?

Just so you know where I'm coming from: the use case here is to allow read-only repo access to dev VMs belonging to individual engineers. This would allow them to e.g. setup local continuous integration testing which requires pulling repos, without placing their actual SSH key on the box. So on that note, I've considered is creating service accounts for each of them with separate SSH key pairs, and giving those service accounts read only access. This should work for now on a one-off basis, but wouldn't work if we wanted to automate this for every dev VM/every engineer.

Ideally there'd be a way to provision read-only access using a separate credential (either client side cert, API token, or SSH key-pair) on a per-user basis. If we wanted to automate, then the ability to do this in batches (and via Conduit) would need to be supported. E.g. say "generate SSH key-pairs that allow read only repo access for all users belong to this project."

Instead of using SSH for this, another way I could imagine is extending Conduit to allow cloning repos. But then we get into the issue of restricting Conduit methods, since we'd really only want this user to be able to clone repos and nothing else. Curious to hear your thoughts on all this =)

eadler added a subscriber: eadler.Apr 28 2015, 3:55 AM
joshuaspence added a subscriber: joshuaspence.Feb 20 2018, 10:01 PM
Herald added subscribers: cburroughs, andypuettmann, revi. · View Herald TranscriptFeb 20 2018, 10:01 PM
Phabricator · Built by Phacility