zydronium/google-nomulus
1
0
Fork 0
mirror of https://github.com/google/nomulus.git synced 2025-05-01 12:37:52 +02:00
Code Issues Projects Releases Packages Wiki Activity
google-nomulus/java/google/registry/request/auth/AppEngineInternalAuthenticationMechanism.java
mountford c7a62e9b98 Add XSRF protection to legacy authentication mechanism 
-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=148689952
2017-03-07 13:18:04 -05:00

71 lines
2.9 KiB
Java
Raw Blame History

// Copyright 2017 The Nomulus Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package google.registry.request.auth;
import static google.registry.request.auth.AuthLevel.APP;
import static google.registry.request.auth.AuthLevel.NONE;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
/**
* Authentication mechanism which uses the X-AppEngine-QueueName header set by App Engine for
* internal requests.
*
* <p>
* Task queue push task requests set this header value to the actual queue name. Cron requests set
* this header value to __cron, since that's actually the name of the hidden queue used for cron
* requests. Cron also sets the header X-AppEngine-Cron, which we could check, but it's simpler just
* to check the one.
*
* <p>
* App Engine allows app admins to set these headers for testing purposes. This means that this auth
* method is somewhat unreliable - any app admin can access any internal endpoint and pretend to be
* the app itself by setting these headers, which would circumvent any finer-grained authorization
* if we added it in the future (assuming we did not apply it to the app itself). And App Engine's
* concept of an "admin" includes all project owners, editors and viewers. So anyone with access to
* the project will be able to access anything the app itself can access.
*
* <p>
* For now, it's probably okay to allow this behavior, especially since it could indeed be
* convenient for testing. If we wanted to revisit this decision in the future, we have a couple
* options for locking this down:
*
* <ul>
* <li>1. Always include the result of UserService.getCurrentUser() as the active user</li>
* <li>2. Validate that the requests came from special AppEngine internal IPs</li>
* </ul>
*
* <p>See <a href=
* "https://cloud.google.com/appengine/docs/java/taskqueue/push/creating-handlers#reading_request_headers">task
* handler request header documentation</a>
*/
public class AppEngineInternalAuthenticationMechanism implements AuthenticationMechanism {
// As defined in the App Engine request header documentation.
private static final String QUEUE_NAME_HEADER = "X-AppEngine-QueueName";
@Inject
public AppEngineInternalAuthenticationMechanism() {}
@Override
public AuthResult authenticate(HttpServletRequest request) {
if (request.getHeader(QUEUE_NAME_HEADER) == null) {
return AuthResult.create(NONE);
} else {
return AuthResult.create(APP);
}
}
}
Reference in a new issue View git blame Copy permalink