Closed Bug 961253 Opened 10 years ago Closed 10 years ago

Restrict the set of issuers trusted by tokenserver

Categories

(Cloud Services Graveyard :: Server: Token, defect)

Product:
Cloud Services Graveyard
Component:
Server: Token
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: rfkelly, Assigned: rfkelly)

References

Details

(Whiteboard: [qa+])

Attachments

(1 file)

tokenserver-allowed-issuers.diff
2.42 KB, patch
telliott
: review+
Details | Diff | Splinter Review 
The initial plan for FxA+sync is to have tokenserver accept *only* assertions issued by the authoritative FxA auth server.  We should add a configuration option "trusted_issuers" that can be used to restrict this.  Probably need to push support for that down into PyBrowserID, but we could hack it in the tokenserver directly in the first instance.
Whiteboard: [qa+]
This is part of the new verifier API, so preliminary support will be through Bug 965135.  /cc @ckarlof to confirm that the only trustedIssuer for production should be "api.accounts.firefox.com
Depends on: 965135
OS: Windows 7 → All
Hardware: x86_64 → All
(In reply to Ryan Kelly [:rfkelly] from comment #1)
> /cc @ckarlof to confirm that the only trustedIssuer for
> production should be "api.accounts.firefox.com

I think you thought you were in github here. :) Use a need info flag in the future for this please. And yes, the only production issuer will be api.accounts.firefox.com.
This patch adds an "allowed_issuers" option to the verifier.  It can be set to a list in order to restrict the set of issuers from which we'll accept assertions.

Note that the semantics here are different from the trusted_issuers option; that specifieds which issuers are trusted to assert identities on any domain, while allowed_issuers controls which issuers you will accept assertions from, for their own domain or otherwise.

We will have to add "api.accounts.firefox.com" to both trusted_issuers and allowed_issuers to get the semantics we want.  I don't think we can let one fill in defaults for the other without created wierd semantics in the general case.
Attachment #8369275 - Flags: review?(telliott)
Comment on attachment 8369275 [details] [diff] [review]
tokenserver-allowed-issuers.diff

Review of attachment 8369275 [details] [diff] [review]:
-----------------------------------------------------------------

::: tokenserver/verifiers.py
@@ +46,4 @@
>          if isinstance(trusted_issuers, basestring):
>              trusted_issuers = trusted_issuers.split()
>          self.trusted_issuers = trusted_issuers
> +        if isinstance(allowed_issuers, basestring): 

There's a space at the end of this line that is colored strangely in the review markup. I suspect it's nothing, but just in case it's a weird nondisplaying character, I'm highlighting it.
Attachment #8369275 - Flags: review?(telliott) → review+
Fixed stray trailing space and committed: https://github.com/mozilla-services/tokenserver/commit/9216aa99eb50a6fcf9805916f319650547c8e7d2
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Verified in code.
Status: RESOLVED → VERIFIED
Product: Cloud Services → Cloud Services Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: