In the new Kafka-based JobQueue implementation we accept a serialized job through the RunSingleJob.php script. In order to protect that endpoint, we need to make MediaWiki sign the job using some secret key, embed the signature into the serialized job, pass it through the pipeline and verify the signature prior to job execution. This will ensure that only the jobs created by MediaWiki are executed.
|operations/puppet : production||CP-JobQueue: Use the Special:RunSingleJob page to execute jobs|
|mediawiki/extensions/EventBus : master||Generate a crypto signature for the job events.|
|mediawiki/event-schemas : master||Job event: Add cryptographic signature field to meta|
|Resolved||Pchelolo||T157088 [EPIC] Develop a JobQueue backend based on EventBus|
|Resolved||Pchelolo||T174600 Add the ability to sign and verify jobs|
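The sign, embed and verify flow from the task description, as an added example that is not code from MediaWiki or EventBus. The `meta.signature` field name, the key handling, the key-sorted JSON canonicalisation and the sample job are assumptions made for illustration.

```php
<?php
// Added example, not MediaWiki/EventBus code. Field names, key handling and
// the sample job below are assumptions (constructed for illustration).

// Sort keys recursively so signer and verifier hash identical bytes even if
// the event is decoded and re-encoded somewhere in the pipeline.
function sortKeys( array $a ): array {
	ksort( $a );
	return array_map( static fn ( $v ) => is_array( $v ) ? sortKeys( $v ) : $v, $a );
}

// HMAC-SHA256 over the canonical job with any existing signature removed.
function jobMac( array $job, string $key ): string {
	unset( $job['meta']['signature'] );
	return hash_hmac( 'sha256', json_encode( sortKeys( $job ) ), $key );
}

function signJob( array $job, string $key ): array {
	$job['meta']['signature'] = jobMac( $job, $key );
	return $job;
}

function verifyJob( array $job, string $key ): bool {
	$given = $job['meta']['signature'] ?? null;
	if ( !is_string( $given ) ) {
		return false; // unsigned or malformed jobs are rejected, never executed
	}
	return hash_equals( jobMac( $job, $key ), $given ); // constant-time compare
}

// Demo key only; a deployment would load one configured secret on both sides.
$key = random_bytes( 32 );
$job = [
	'type' => 'refreshLinks',
	'params' => [ 'title' => 'Main_Page', 'namespace' => 0 ],
	'meta' => [ 'id' => 'constructed-id-0001', 'domain' => 'example.org' ],
];

// Signed job travels through the pipeline as JSON and is decoded on receipt.
$received = json_decode( json_encode( signJob( $job, $key ) ), true );
var_dump( verifyJob( $received, $key ) ); // job exactly as signed

$received['type'] = 'deletePage'; // job altered after signing
var_dump( verifyJob( $received, $key ) );

unset( $received['meta']['signature'] ); // job submitted without a signature
var_dump( verifyJob( $received, $key ) );
```

The signature covers the whole job, including `type` and `meta`, so a valid signature cannot be moved onto a different job.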
Signed JSON blobs are kind of what JWTs are designed for. There are good libraries for signing and validation. We are already using JWTs for paging tokens in RESTBase.
As discussed at today's meeting, end-to-end crypto might not necessarily be the first thing we might want to use. Basic shared secrets (Basic HTTP auth, secret token in a header) would already go a long way towards protecting this endpoint, and add less complexity than full end-to-end crypto.