Fix vulnerability in UserJWT authentication with Openbao

Why this MR?

  • To solve this issue
  • And to solve this issue
  • We have a vulnerability with our authentication setup with Openbao using UserJWT
  • We are able to log in at the user_auth_mount (using the new CEL method) of a project using a pipeline_jwt of a job belonging to the same project.
  • This should NOT be permitted. Using a pipeline_jwt, login should ONLY be permitted at pipeline_auth_mount and NOT at user_auth_mount
  • See this Slack thread
  • See this comment

We have 3 types of JWT ID Tokens used by GitLab Rails to authenticate with OpenBao to perform various actions in OpenBao.

  • UserJwt - For actions that are done by a specific user like creating a secret, updating a secret, and deleting a secret.
  • SecretsManagerJwt - For application-specific actions like provisioning Secrets Manager for a project.
  • pipeline_jwt (same as Ci::JwtV2) - For a CI pipeline job to read a secret.

From a security perspective, it is really important to add automated tests to ensure that Secrets Manager is free of vulnerabilities related to authentication mechanisms using these tokens.

Scenarios to test (Copied from this comment)

JWT Type   JWT Scope                            Auth Mount   Expectation   Test case added?
Global     n/a                                  Global       Works         Yes
Global     n/a                                  User         Rejected      Yes
Global     n/a                                  Pipeline     Rejected      Yes
User       any                                  Global       Rejected      Yes
User       Matching                             User         Works         Yes
User       Different project in same namespace  User         Rejected      Yes
User       Different namespace                  User         Rejected      Yes
User       any                                  Pipeline     Rejected      Yes
Pipeline   any                                  Global       Rejected      Yes
Pipeline   any                                  User         Rejected      Yes
Pipeline   Matching                             Pipeline     Works         Yes
Pipeline   Different project in same namespace  Pipeline     Rejected      Yes
Pipeline   Different namespace                  Pipeline     Rejected      Yes

What does this MR do?

  • Fix the vulnerability in UserJWT authentication by updating the user CEL program to include the subject claim

  • Add automated tests to ensure that Secrets Manager is free of vulnerabilities related to authentication mechanisms using these tokens.

  • Actions that can only be performed in OpenBao by a SecretsManagerJwt, like enabling an auth method, cannot be done by a pipeline_jwt or UserJwt.
  • An action that can be done by a UserJwt, like creating a secret, cannot be done by a pipeline_jwt.
  • Reading the value of a secret cannot be done using a UserJwt.
  • An action that can be done by a UserJwt of a specific user cannot be done by a UserJwt issued to a different user.
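The mount-decision logic the scenario table describes, as an added Ruby model that is not code from this MR or from GitLab: it contrasts a user-mount check that only looks at the project scope (the behaviour the MR fixes) with one that also includes the subject claim, then evaluates every token/mount combination from the table. Claim names, `sub` formats and the mounts' project ids are assumptions made for the example.

```ruby
# Assumed claim layout (not GitLab's real claims):
#   'sub'        => "user:<id>" (UserJwt), "job:<id>" (pipeline_jwt),
#                   "secrets_manager" (SecretsManagerJwt)
#   'project_id' => project the token is scoped to (nil for SecretsManagerJwt)
MOUNTS = {
  global:   { kind: 'secrets_manager', project_id: nil },
  user:     { kind: 'user',            project_id: 1 },
  pipeline: { kind: 'job',             project_id: 1 }
}.freeze

# Before the fix, as the MR describes it: the user mount only checked the
# project scope, so a pipeline_jwt for the same project could log in there.
def user_mount_before_fix?(claims, mount)
  claims['project_id'] == mount[:project_id]
end

# After the fix: the subject claim is part of the check, so a token is only
# accepted at the mount type it was issued for, and then only for its project.
def login_allowed?(claims, mount)
  sub_kind = claims['sub'].split(':').first
  return false unless sub_kind == mount[:kind]
  return true if mount[:kind] == 'secrets_manager' # global mount, no project scope
  claims['project_id'] == mount[:project_id]
end

# Constructed tokens covering the rows of the scenario table.
TOKENS = {
  global:                 { 'sub' => 'secrets_manager', 'project_id' => nil },
  user_match:             { 'sub' => 'user:42',         'project_id' => 1 },
  user_other_project:     { 'sub' => 'user:42',         'project_id' => 2 },
  pipeline_match:         { 'sub' => 'job:7',           'project_id' => 1 },
  pipeline_other_project: { 'sub' => 'job:7',           'project_id' => 2 }
}.freeze

# Returns { [token_name, mount_name] => allowed? } for every combination;
# only the three "Matching"/"Works" rows of the table should come back true.
def decision_matrix
  TOKENS.flat_map do |token_name, claims|
    MOUNTS.map { |mount_name, mount| [[token_name, mount_name], login_allowed?(claims, mount)] }
  end.to_h
end
```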

References

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Jayakrishnan Mallissery
