[ARVADOS] updated: e3e6c4604c2f4717f9177455f107e96794460e94

git at public.curoverse.com
Tue Jan 19 17:36:59 EST 2016


Summary of changes:
 doc/_config.yml                                    |  2 +-
 doc/install/install-keep-web.html.textile.liquid   | 33 ++++++++++++++--------
 ...nstall-manual-prerequisites.html.textile.liquid | 10 +++++--
 3 files changed, 30 insertions(+), 15 deletions(-)

  discards  7aced94c664f1168f53c914630d41410e64d9f31 (commit)
  discards  57155061189f477aa8c99797a56fda39dc67153e (commit)
       via  e3e6c4604c2f4717f9177455f107e96794460e94 (commit)
       via  cfe592f00c6ced698a65b64317d200f1761c9456 (commit)
       via  4acafbc59b3c328f5413a6ac045579f431b3ddc1 (commit)
       via  b512c81509ce2264916482f01d0a968228d9c94e (commit)
       via  27d75e041d069feaa4b15418b84aaa3373640a50 (commit)

This update added new revisions after undoing existing revisions.  That is
to say, the old revision is not a strict subset of the new revision.  This
situation occurs when you --force push a change and generate a repository
containing something like this:

 * -- * -- B -- O -- O -- O (7aced94c664f1168f53c914630d41410e64d9f31)
            \
             N -- N -- N (e3e6c4604c2f4717f9177455f107e96794460e94)

When this happens we assume that you've already had alert emails for all
of the O revisions, and so we here report only the revisions in the N
branch from the common base, B.

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit e3e6c4604c2f4717f9177455f107e96794460e94
Author: Tom Clegg <tom at curoverse.com>
Date:   Tue Jan 19 17:36:18 2016 -0500

    8177: Offer -trust-all-content option for no-wildcard installs.
    
    Add alert about XSS on intranet sites.

diff --git a/doc/install/install-keep-web.html.textile.liquid b/doc/install/install-keep-web.html.textile.liquid
index 2b3d312..df24c99 100644
--- a/doc/install/install-keep-web.html.textile.liquid
+++ b/doc/install/install-keep-web.html.textile.liquid
@@ -109,6 +109,10 @@ server {
 }
 </pre></notextile>
 
+{% include 'notebox_begin' %}
+If you restrict access to your Arvados services based on network topology -- for example, your proxy server is not reachable from the public internet -- additional proxy configuration might be needed to thwart cross-site scripting attacks that would circumvent your restrictions. Read the "'Intranet mode' section of the Keep-web documentation":https://godoc.org/github.com/curoverse/arvados/services/keep-web#hdr-Intranet_mode now.
+{% include 'notebox_end' %}
+
 h3. Configure DNS
 
 Configure your DNS servers so the following names resolve to your Nginx proxy's public IP address.
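Review bot: the new notebox says "additional proxy configuration might be needed" without saying what kind, and the reader is on the page that configures that very proxy; summarize in one sentence what the "Intranet mode" section requires (or the condition under which it can be skipped), so the reader is not sent to the godoc just to learn whether the note applies to them.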
@@ -117,7 +121,9 @@ Configure your DNS servers so the following names resolve to your Nginx proxy's
 * @*--collections.uuid_prefix.your.domain@, if you have a wildcard SSL certificate valid for @*.uuid_prefix.your.domain@ and your DNS server allows this without interfering with other DNS names.
 * @*.collections.uuid_prefix.your.domain@, if you have a wildcard SSL certificate valid for these names.
 
-If neither of the above wildcard options is feasible, only unauthenticated requests (public data and collection sharing links) will be served as web content at @collections.uuid_prefix.your.domain at . The @download@ name will be used to serve authenticated content, but only as file downloads.
+If neither of the above wildcard options is feasible, you have two choices:
+# Serve web content at @collections.uuid_prefix.your.domain@, but only for unauthenticated requests (public data and collection sharing links). Authenticated requests will always result in file downloads, using the @download@ name. For example, the Workbench "preview" button and the "view entire log file" link will invoke file downloads instead of displaying content in the browser window.
+# In the special case where you know you are immune to XSS exploits, you can enable the "trust all content" mode in Keep-web (with the @-trust-all-content@ command line flag) and Workbench (with the @trust_all_content@ item in @application.yml@). With both of these enabled, inline web content can be served from a single @collections@ host name; no wildcard DNS or certificate is needed. Do not do this without understanding the security implications described on "Keep-web's godoc page":http://godoc.org/github.com/curoverse/arvados/services/keep-web.
 
 h3. Tell Workbench about the Keep-web service
 
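Review bot: "In the special case where you know you are immune to XSS exploits" in item 2 is not a condition an operator can actually check; the testable criterion is the one keep-web's doc.go states (everyone who can write any data to Keep, and every HTML or JavaScript file written to Keep, is trusted to read all data in Keep), and it should be restated here rather than left behind a link. Also, the godoc link in item 2 is `http://godoc.org/...` while the notebox above links `https://godoc.org/...`; use https for both.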

commit cfe592f00c6ced698a65b64317d200f1761c9456
Author: Tom Clegg <tom at curoverse.com>
Date:   Mon Jan 18 16:17:17 2016 -0500

    8177: Expand trust_all_content comments.
    
    Skip whole check_uri block when trust_all_content.
    
    Fix test name.

diff --git a/apps/workbench/app/controllers/collections_controller.rb b/apps/workbench/app/controllers/collections_controller.rb
index 63af828..7a00242 100644
--- a/apps/workbench/app/controllers/collections_controller.rb
+++ b/apps/workbench/app/controllers/collections_controller.rb
@@ -339,7 +339,7 @@ class CollectionsController < ApplicationController
       # Prefer the attachment-only-host when we want an attachment
       # (and when there is no preview link configured)
       tmpl = Rails.configuration.keep_web_download_url
-    else
+    elsif not Rails.configuration.trust_all_content
       check_uri = URI.parse(tmpl % fmt)
       if opts[:query_token] and
           not check_uri.host.start_with?(munged_id + "--") and
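Review bot: `elsif not Rails.configuration.trust_all_content` now skips the whole same-origin check with no comment saying why that is acceptable; add one line stating that in trust_all_content mode the token is deliberately passed to the single-origin keep_web_url template because the operator has opted into that trust model, e.g. `# trust_all_content: site accepts serving authenticated content from one origin`. Without it, the next reader will see a security check being bypassed by a config flag and have to reconstruct the reasoning from application.default.yml.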
@@ -347,9 +347,7 @@ class CollectionsController < ApplicationController
         # We're about to pass a token in the query string, but
         # keep-web can't accept that safely at a single-origin URL
         # template (unless it's -attachment-only-host).
-        unless (Rails.configuration.trust_all_content and tmpl)
-          tmpl = Rails.configuration.keep_web_download_url
-        end
+        tmpl = Rails.configuration.keep_web_download_url
         if not tmpl
           raise ArgumentError, "Download precluded by site configuration"
         end
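Review bot: dropping `unless (Rails.configuration.trust_all_content and tmpl)` also drops the fallback for the case where trust_all_content is true but `tmpl` is nil. The `if not tmpl` / `raise ArgumentError, "Download precluded by site configuration"` check only runs inside this block, and the new `elsif` on the outer branch bypasses the block entirely in trust mode, so confirm `tmpl` cannot be nil on that path (the "when there is no preview link configured" comment on the first branch suggests it is handled there) or move the nil check outside the block so a redirect to a nil template cannot be generated.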
diff --git a/apps/workbench/config/application.default.yml b/apps/workbench/config/application.default.yml
index 7e8c3aa..239ffcd 100644
--- a/apps/workbench/config/application.default.yml
+++ b/apps/workbench/config/application.default.yml
@@ -258,9 +258,17 @@ common:
   # keep_web_download_url: https://download.uuid_prefix.arvadosapi.com/c=%{uuid_or_pdh}
   keep_web_download_url: false
 
-  # In "trust all content" mode, Workbench will redirect users to
-  # keep-web even when that exposes XSS vulnerabilities.
+  # In "trust all content" mode, Workbench will redirect download
+  # requests to keep-web, even in the cases when keep-web would have
+  # to expose XSS vulnerabilities in order to handle the redirect.
   #
-  # When enabling this setting, the corresponding setting on the
-  # keep-web server must also be enabled.
+  # When enabling this setting, the -trust-all-content flag on the
+  # keep-web server must also be enabled.  For more detail, see
+  # https://godoc.org/github.com/curoverse/arvados/services/keep-web
+  #
+  # This setting has no effect in the recommended configuration, where
+  # the host part of keep_web_url begins with %{uuid_or_pdh}: in this
+  # case XSS protection is provided by browsers' same-origin policy.
+  #
+  # The default setting (false) is appropriate for a multi-user site.
   trust_all_content: false
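Review bot: "Workbench will redirect download requests to keep-web" misdescribes the behaviour. What changes in trust_all_content mode is that authenticated preview/inline requests are redirected to keep_web_url instead of being downgraded to keep_web_download_url (the test renamed in this commit, "Redirect to keep_web_url via ... when trust_all_content enabled", asserts exactly that). Reword to "redirect authenticated preview requests to keep_web_url". The added paragraph about the recommended `%{uuid_or_pdh}` host configuration is the most useful part of this comment and should stay.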
diff --git a/apps/workbench/test/controllers/collections_controller_test.rb b/apps/workbench/test/controllers/collections_controller_test.rb
index 0cd747e..45aab3c 100644
--- a/apps/workbench/test/controllers/collections_controller_test.rb
+++ b/apps/workbench/test/controllers/collections_controller_test.rb
@@ -578,7 +578,7 @@ class CollectionsControllerTest < ActionController::TestCase
       assert_equal "https://download.example/c=#{id.sub '+', '-'}/_/w%20a%20z?api_token=#{tok}", @response.redirect_url
     end
 
-    test "Redirect to keep_web_download_url via #{id_type} when trust_all_content enabled" do
+    test "Redirect to keep_web_url via #{id_type} when trust_all_content enabled" do
       Rails.configuration.trust_all_content = true
       setup_for_keep_web('https://collections.example/c=%{uuid_or_pdh}',
                          'https://download.example/c=%{uuid_or_pdh}')
diff --git a/services/keep-web/doc.go b/services/keep-web/doc.go
index 5a66d86..9ca732f 100644
--- a/services/keep-web/doc.go
+++ b/services/keep-web/doc.go
@@ -217,7 +217,7 @@
 //
 // In "trust all content" mode, Keep-web will accept credentials (API
 // tokens) and serve any collection X at
-// "https://collections.example.com/collections/X/path/file.ext".
+// "https://collections.example.com/c=X/path/file.ext".
 // This is UNSAFE except in the special case where everyone who is
 // able write ANY data to Keep, and every JavaScript and HTML file
 // written to Keep, is also trusted to read ALL of the data in Keep.
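Review bot: while the example URL is being corrected to the `/c=X/` form, also fix the context line "everyone who is able write ANY data" to "able to write". It would also help to state the consequence concretely right after the trust condition: on a single-origin host, an HTML page stored in one collection runs with the viewing user's credentials for the whole origin, which is why the condition is "trusted to read ALL of the data in Keep" rather than something narrower.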
@@ -233,6 +233,8 @@
 //   keep-web -listen :9999 -attachment-only-host domain.example:9999 -trust-all-content
 //
 // Depending on your site configuration, you might also want to enable
-// "trust all content" setting on Workbench, in which case Workbench will
-// redirect users to keep-web even when that exposes XSS vulnerabilities.
+// "trust all content" setting on Workbench. Normally, Workbench
+// avoids redirecting requests to keep-web if they depend on
+// -trust-all-content being set.
+//
 package main
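Review bot: "enable "trust all content" setting on Workbench" is missing "the", and "Normally, Workbench avoids redirecting requests to keep-web if they depend on -trust-all-content being set" should say what Workbench does instead (falls back to the attachment-only download URL, or refuses with "Download precluded by site configuration" when none is configured, per collections_controller.rb in this commit). An operator reading only the godoc otherwise cannot tell what enabling the Workbench side changes.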

commit 4acafbc59b3c328f5413a6ac045579f431b3ddc1
Author: radhika <radhika at curoverse.com>
Date:   Mon Jan 18 00:04:48 2016 -0500

    8177: add trust_all_content config to Workbench.

diff --git a/apps/workbench/app/controllers/collections_controller.rb b/apps/workbench/app/controllers/collections_controller.rb
index f8b359c..63af828 100644
--- a/apps/workbench/app/controllers/collections_controller.rb
+++ b/apps/workbench/app/controllers/collections_controller.rb
@@ -347,7 +347,9 @@ class CollectionsController < ApplicationController
         # We're about to pass a token in the query string, but
         # keep-web can't accept that safely at a single-origin URL
         # template (unless it's -attachment-only-host).
-        tmpl = Rails.configuration.keep_web_download_url
+        unless (Rails.configuration.trust_all_content and tmpl)
+          tmpl = Rails.configuration.keep_web_download_url
+        end
         if not tmpl
           raise ArgumentError, "Download precluded by site configuration"
         end
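Review bot: the comment immediately above ("keep-web can't accept that safely at a single-origin URL template") is now contradicted by the code under it when trust_all_content is set, since that is exactly the case being permitted; extend the comment to say the single-origin redirect is allowed only because the operator opted into trust_all_content. Style: `unless (a and b)` does not need the parentheses, and the intent reads more clearly as `if not (Rails.configuration.trust_all_content and tmpl)`, or as an explicit branch on the outer `if`/`else` so the trust case is visible at the top of the decision rather than buried inside the non-trust path.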
diff --git a/apps/workbench/config/application.default.yml b/apps/workbench/config/application.default.yml
index 63c2975..7e8c3aa 100644
--- a/apps/workbench/config/application.default.yml
+++ b/apps/workbench/config/application.default.yml
@@ -257,3 +257,10 @@ common:
   # Example:
   # keep_web_download_url: https://download.uuid_prefix.arvadosapi.com/c=%{uuid_or_pdh}
   keep_web_download_url: false
+
+  # In "trust all content" mode, Workbench will redirect users to
+  # keep-web even when that exposes XSS vulnerabilities.
+  #
+  # When enabling this setting, the corresponding setting on the
+  # keep-web server must also be enabled.
+  trust_all_content: false
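Review bot: the comment should name the keep-web counterpart (the `-trust-all-content` command line flag) rather than "the corresponding setting", and say when the Workbench setting is a no-op (a keep_web_url whose host begins with `%{uuid_or_pdh}`, where the browser's same-origin policy already isolates collections); otherwise operators will enable it on sites where it changes nothing. "even when that exposes XSS vulnerabilities" should also state the trust condition under which that is acceptable, since a default of false with no stated exception reads as "never".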
diff --git a/apps/workbench/test/controllers/collections_controller_test.rb b/apps/workbench/test/controllers/collections_controller_test.rb
index 978a513..0cd747e 100644
--- a/apps/workbench/test/controllers/collections_controller_test.rb
+++ b/apps/workbench/test/controllers/collections_controller_test.rb
@@ -577,6 +577,17 @@ class CollectionsControllerTest < ActionController::TestCase
       assert_response :redirect
       assert_equal "https://download.example/c=#{id.sub '+', '-'}/_/w%20a%20z?api_token=#{tok}", @response.redirect_url
     end
+
+    test "Redirect to keep_web_download_url via #{id_type} when trust_all_content enabled" do
+      Rails.configuration.trust_all_content = true
+      setup_for_keep_web('https://collections.example/c=%{uuid_or_pdh}',
+                         'https://download.example/c=%{uuid_or_pdh}')
+      tok = api_fixture('api_client_authorizations')['active']['api_token']
+      id = api_fixture('collections')['w_a_z_file'][id_type]
+      get :show_file, {uuid: id, file: "w a z"}, session_for(:active)
+      assert_response :redirect
+      assert_equal "https://collections.example/c=#{id.sub '+', '-'}/_/w%20a%20z?api_token=#{tok}", @response.redirect_url
+    end
   end
 
   [false, true].each do |anon|
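Review bot: `Rails.configuration.trust_all_content = true` mutates global configuration and nothing in this hunk restores it, so later tests in the file may silently run in trust mode; add a teardown that resets it (or restore it at the end of the test). The assertion itself is the right one: the token appears in the query string on the single-origin `collections.example` host only because trust_all_content is set, which is the behaviour the flag is meant to unlock.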
@@ -617,12 +628,15 @@ class CollectionsControllerTest < ActionController::TestCase
     assert_response 422
   end
 
-  test "Redirect preview to keep_web_download_url when preview is disabled" do
-    setup_for_keep_web false, 'https://download.example/c=%{uuid_or_pdh}'
-    tok = api_fixture('api_client_authorizations')['active']['api_token']
-    id = api_fixture('collections')['w_a_z_file']['uuid']
-    get :show_file, {uuid: id, file: "w a z"}, session_for(:active)
-    assert_response :redirect
-    assert_equal "https://download.example/c=#{id.sub '+', '-'}/_/w%20a%20z?api_token=#{tok}", @response.redirect_url
+  [false, true].each do |trust_all_content|
+    test "Redirect preview to keep_web_download_url when preview is disabled and trust_all_content is #{trust_all_content}" do
+      Rails.configuration.trust_all_content = trust_all_content
+      setup_for_keep_web false, 'https://download.example/c=%{uuid_or_pdh}'
+      tok = api_fixture('api_client_authorizations')['active']['api_token']
+      id = api_fixture('collections')['w_a_z_file']['uuid']
+      get :show_file, {uuid: id, file: "w a z"}, session_for(:active)
+      assert_response :redirect
+      assert_equal "https://download.example/c=#{id.sub '+', '-'}/_/w%20a%20z?api_token=#{tok}", @response.redirect_url
+    end
   end
 end
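Review bot: the parameterized loop shows the preview-disabled fallback is unchanged by trust_all_content, which is good, but two paths in the new controller branch remain untested: keep_web_url set, trust_all_content true, keep_web_download_url false (should still redirect to keep_web_url with the token rather than raise), and trust_all_content false with keep_web_download_url false (should raise `ArgumentError, "Download precluded by site configuration"`). Add both so the fallback-versus-raise decision is pinned. As in the earlier test hunk, the config assignment is not restored afterwards.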
diff --git a/services/keep-web/doc.go b/services/keep-web/doc.go
index 4207d7b..5a66d86 100644
--- a/services/keep-web/doc.go
+++ b/services/keep-web/doc.go
@@ -232,4 +232,7 @@
 //
 //   keep-web -listen :9999 -attachment-only-host domain.example:9999 -trust-all-content
 //
+// Depending on your site configuration, you might also want to enable
+// "trust all content" setting on Workbench, in which case Workbench will
+// redirect users to keep-web even when that exposes XSS vulnerabilities.
 package main
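Review bot: "enable "trust all content" setting" needs "the", and "even when that exposes XSS vulnerabilities" tells the operator nothing about when that is acceptable; point back to the trust condition stated earlier in this file's "trust all content" section and name the Workbench key (`trust_all_content` in `application.yml`) so the two settings can be matched up without guessing.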

-----------------------------------------------------------------------


hooks/post-receive
-- 