
Add the ability to sign and verify jobs
Closed, Resolved (Public)

Description

In the new Kafka-based JobQueue implementation we accept a serialized job through the RunSingleJob.php script. In order to protect that endpoint, we need to make MediaWiki sign the job using some secret key, embed the signature into the serialized job, pass it through the pipeline and verify the signature prior to job execution. This will ensure that only the jobs created by MediaWiki are executed.
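The sign, embed and verify flow described above, as an added example that is not part of the original task and is not the EventBus extension's code. The job layout, the top-level `signature` field, the function names and the secret are all hypothetical.

```php
<?php
// Added illustration. Field names, function names and the secret are assumptions.

/** Sort keys recursively so signer and verifier serialize the job identically. */
function canonicalize(array $data): array {
    ksort($data);
    foreach ($data as $key => $value) {
        if (is_array($value)) {
            $data[$key] = canonicalize($value);
        }
    }
    return $data;
}

/** HMAC-SHA256 over the canonical JSON of the job, excluding the signature itself. */
function jobSignature(array $job, string $secret): string {
    unset($job['signature']);
    return hash_hmac('sha256', json_encode(canonicalize($job)), $secret);
}

/** Producer side: embed the signature into the job before it enters the pipeline. */
function signJob(array $job, string $secret): array {
    $job['signature'] = jobSignature($job, $secret);
    return $job;
}

/** Consumer side: call before execution; refuse unsigned or modified jobs. */
function verifyJob(array $job, string $secret): bool {
    $signature = $job['signature'] ?? null;
    if (!is_string($signature)) {
        return false; // missing or malformed signature
    }
    // hash_equals compares in constant time, so timing does not leak the MAC.
    return hash_equals(jobSignature($job, $secret), $signature);
}

// Constructed sample data; a real secret comes from private configuration.
$secret = 'constructed-demo-secret';
$wire = json_encode(signJob(
    ['type' => 'refreshLinks', 'params' => ['title' => 'Main_Page', 'ns' => 0]],
    $secret
));

$received = json_decode($wire, true);
var_dump(verifyJob($received, $secret));    // job exactly as the producer signed it

$received['params']['title'] = 'Other_Page';
var_dump(verifyJob($received, $secret));    // parameters changed in transit

unset($received['signature']);
var_dump(verifyJob($received, $secret));    // signature stripped
```

An HMAC like this proves the job came from a holder of the secret, not that it is fresh: a captured signed job still verifies if it is submitted again.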

Event Timeline

Not sure if this is relevant, but I'm working on a generic key & cert generation tool over in T166167. Could be useful for generating and distributing keys for this.

(This is kinda like Eric's cassandra-ca-manager, but generic.)

Signed JSON blobs are kind of what JWTs are designed for. There are good libraries for signing and validation. We are already using JWTs for paging tokens in RESTBase.

As discussed at today's meeting, end-to-end crypto might not necessarily be the first thing we might want to use. Basic shared secrets (Basic HTTP auth, secret token in a header) would already go a long way towards protecting this endpoint, and add less complexity than full end-to-end crypto.

Change 383828 had a related patch set uploaded (by Ppchelko; owner: Ppchelko):
[mediawiki/event-schemas@master] Job event: Add cryptographic signature field to meta

https://gerrit.wikimedia.org/r/383828

Change 383829 had a related patch set uploaded (by Ppchelko; owner: Ppchelko):
[mediawiki/extensions/EventBus@master] Generate a crypto signature for the job events.

https://gerrit.wikimedia.org/r/383829

Change 383828 merged by jenkins-bot:
[mediawiki/event-schemas@master] Job event: Add cryptographic signature field to meta

https://gerrit.wikimedia.org/r/383828

Change 385382 had a related patch set uploaded (by Mobrovac; owner: Mobrovac):
[operations/puppet@production] CP-JobQueue: Use the Special:RunSingleJob page to execute jobs

https://gerrit.wikimedia.org/r/385382

Change 383829 merged by jenkins-bot:
[mediawiki/extensions/EventBus@master] Generate a crypto signature for the job events.

https://gerrit.wikimedia.org/r/383829

The signing/verification has been implemented. Resolving.

Change 385382 abandoned by Mobrovac:
CP-JobQueue: Use the Special:RunSingleJob page to execute jobs

https://gerrit.wikimedia.org/r/385382