Page MenuHomePhabricator

Add the ability to sign and verify jobs
Closed, ResolvedPublic

Description

In the new kaka-based JobQueue implementation we accept a serialized job through the RunSingleJob.php script. In order to protect that endpoint, we need to make MediaWiki sign the job using some secret key, embed the signature into the serialized job, pass it through the pipeline and verify the signature prior to job execution. This will ensure that only the jobs created by MediaWiki are executed.

Event Timeline

Pchelolo created this task.Aug 30 2017, 6:30 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 30 2017, 6:30 PM

Not sure if this is relevant, but I'm working on a generic key & cert generation tool over in T166167. Could be useful for generating and distributing keys for this.

(This is kinda like Eric's cassandra-ca-manager, but generic.)

GWicke added a comment.EditedAug 30 2017, 7:19 PM

Signed JSON blobs are kind of what JWTs are designed for. There are good libraries for signing and validation. We are already using JWTs for paging tokens in RESTBase.

As discussed at today's meeting, end to end crypto might not necessarily be the first thing we might want to use. Basic shared secrets (Basic HTTP auth, secret token in a header) would already go a long way towards protecting this end point, and add less complexity than full end-to-end crypto.

Nuria moved this task from Incoming to Radar on the Analytics board.Aug 31 2017, 4:02 PM

Change 383828 had a related patch set uploaded (by Ppchelko; owner: Ppchelko):
[mediawiki/event-schemas@master] Job event: Add cryptograthic signature field to meta

https://gerrit.wikimedia.org/r/383828

Change 383829 had a related patch set uploaded (by Ppchelko; owner: Ppchelko):
[mediawiki/extensions/EventBus@master] Generate a crypto signature for the job events.

https://gerrit.wikimedia.org/r/383829

Change 383828 merged by jenkins-bot:
[mediawiki/event-schemas@master] Job event: Add cryptograthic signature field to meta

https://gerrit.wikimedia.org/r/383828

Change 385382 had a related patch set uploaded (by Mobrovac; owner: Mobrovac):
[operations/puppet@production] CP-JobQueue: Use the Special:RunSingleJob page to execute jobs

https://gerrit.wikimedia.org/r/385382

Change 383829 merged by jenkins-bot:
[mediawiki/extensions/EventBus@master] Generate a crypto signature for the job events.

https://gerrit.wikimedia.org/r/383829

Pchelolo closed this task as Resolved.Dec 7 2017, 11:23 PM
Pchelolo edited projects, added Services (done); removed Patch-For-Review, Services (doing).

The signing/verification has been implemented. Resolving.