Re: Spring OAuth2 - tokenInfoUri
Bryan Perino
Here is the YML file configuration for Spring OAuth as well as the code that makes the POST call:
YML: https://gist.github.com/bryantp/fbf2f5a46aa883588b6f5230cae5248f
Code: https://gist.github.com/bryantp/70bf538626661a623f5099b704872938

Returns a 404.
CVE-2016-4468 UAA SQL Injection
Chip Childers <cchilders@...>
CVE-2016-4468 UAA SQL Injection Severity
Severity: High
Vendor: Cloud Foundry Foundation

Versions Affected
- Cloud Foundry release v237 and earlier versions
- UAA release v3.4.0 and earlier versions
- UAA-Release v12 and earlier versions

Description
There is the potential for a SQL injection attack in UAA for authenticated users.

Mitigation
OSS users are strongly encouraged to follow one of the mitigations below:
- Upgrade to Cloud Foundry v238 [1] or later
- For standalone UAA users:
  - For users using UAA version 3.0.0 - 3.4.0, please upgrade to UAA release v3.3.0.2 [3] or v3.4.1 [4]
  - For users using standalone UAA version 2.X.X, please upgrade to UAA release v2.7.4.4 [2]
- For users using UAA-Release (the UAA BOSH release), please upgrade to UAA-Release v12.2 [5] if upgrading to v3.4.1 [4], or v11.2 [6] if upgrading to v3.3.0.2 [3]

Credit
Graham Viski, Digital Transformation Office, Australian Government

References
[1] https://github.com/cloudfoundry/cf-release/releases/tag/v238
[2] https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.4
[3] https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.2
[4] https://github.com/cloudfoundry/uaa/releases/tag/3.4.1
[5] http://bosh.io/releases/github.com/cloudfoundry/uaa-release?version=12.2
[6] http://bosh.io/releases/github.com/cloudfoundry/uaa-release?version=11.2

History
2016-06-30: Initial vulnerability report published
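The mitigation list above is not a single "upgrade past X" threshold: 3.3.0.2 is fixed while 3.4.0, which sorts higher, is not. The following is an added example (not part of the advisory and not Cloud Foundry project code) that encodes the fix releases named above per release line so a deployment inventory can be checked mechanically. The mapping of versions onto lines (2.x, 3.0.0 to just below 3.4.0, and 3.4.0 upward; 11.x and 12.x for uaa-release) and the assumption that anything newer than a fix release on its line carries the fix are the example's own, not statements from the advisory.

```python
"""Version-range check for the UAA fix releases named in this advisory.

Added illustrative code, not the advisory's or the UAA project's own.
Release-line boundaries below are assumptions made for the example.
"""
from typing import Optional, Sequence, Tuple

Version = Tuple[int, ...]
# (inclusive lower bound of the line, exclusive upper bound or None, first fixed version)
FixLine = Tuple[Version, Optional[Version], Version]


def parse_version(text: str) -> Version:
    """Turn 'v3.3.0.2', '3.4.1' or 'V12' into a tuple of ints for ordering."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))


# Standalone UAA (assumed line boundaries; fix versions are from the advisory).
UAA_FIX_LINES: Sequence[FixLine] = (
    (parse_version("2"), parse_version("3"), parse_version("2.7.4.4")),
    (parse_version("3"), parse_version("3.4"), parse_version("3.3.0.2")),
    (parse_version("3.4"), None, parse_version("3.4.1")),
)

# uaa-release (BOSH release): 11.2 fixes the 11.x line, 12.2 the 12.x line.
UAA_RELEASE_FIX_LINES: Sequence[FixLine] = (
    (parse_version("11"), parse_version("12"), parse_version("11.2")),
    (parse_version("12"), None, parse_version("12.2")),
)

# cf-release: v238 or later.
CF_RELEASE_FIX_LINES: Sequence[FixLine] = (
    (parse_version("0"), None, parse_version("238")),
)


def is_fixed(version_text: str, fix_lines: Sequence[FixLine]) -> bool:
    """True if the version is at or past the fix release of its own line.

    A version on no listed line (e.g. UAA 1.x) is treated as affected,
    which is the safe default for an inventory check.
    """
    v = parse_version(version_text)
    for low, high, fixed in fix_lines:
        if v >= low and (high is None or v < high):
            return v >= fixed
    return False


if __name__ == "__main__":
    inventory = [  # constructed sample inventory, not a real deployment
        ("standalone UAA", "3.4.0", UAA_FIX_LINES),
        ("standalone UAA", "3.3.0.2", UAA_FIX_LINES),
        ("uaa-release", "12", UAA_RELEASE_FIX_LINES),
        ("cf-release", "v238", CF_RELEASE_FIX_LINES),
    ]
    for component, version, lines in inventory:
        status = "fixed" if is_fixed(version, lines) else "AFFECTED"
        print(f"{component:15} {version:10} {status}")
```

Tuple comparison gives the ordering the check needs: `(3, 3, 0, 1) < (3, 3, 0, 2)` and `(3, 4, 0) < (3, 4, 1)`, while the per-line table keeps 3.4.0 from being treated as newer than, and therefore safer than, 3.3.0.2.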
Re: Spring OAuth2 - tokenInfoUri
Bryan Perino
Re: How to make values in VCAP_SERVICES json private or secret or hidden
Stuart Charlton
Hi Nikhil,
Generally the way to prevent individuals from reading VCAP_SERVICES is to give them a non-SpaceDeveloper role in that space, like SpaceAuditor. A SpaceDeveloper is the only role that can read or set those values, and generally you'd want them to be able to manage them.

So, say a developer pushed code to QA, they'd have SpaceDeveloper access to a QA space, and could read/write VCAP_SERVICES. Pushing to production, you'd have a different person with SpaceDeveloper access to a Prod space. Or, more commonly, you'd give prod access to a secured CI/CD tool like Jenkins or Concourse that governed SpaceDeveloper access to Prod.

Cheers
Stu

On Wed, Jun 29, 2016 at 3:28 PM, Nikhil Katre <nikhil.katre(a)appdynamics.com> wrote:
Hi,

--
Stuart Charlton
Pivotal Software | Platform Architecture
Mobile: 403-671-9778 | Email: scharlton(a)pivotal.io
Re: Spring OAuth2 - tokenInfoUri
Daniel Mikusa
On Thu, Jun 30, 2016 at 1:43 AM, Bryan Perino <Bryan.Perino(a)gmail.com> wrote:
Hello All,

Do you have logs from UAA? The UAA logs will sometimes tell you more about the response you received.

Dan
Spring OAuth2 - tokenInfoUri
Bryan Perino
Hello All,
I am using Spring Cloud Security with OAuth2 and am having an issue related to it not passing the scopes around. I believe that I need to define an endpoint to retrieve information about a given token (including its scopes). However, I am getting an error stating that it is unauthorized.

I have defined this endpoint for the token info: http://localhost:8080/uaa/check_token

Here is the error: https://gist.github.com/bryantp/eb81d46b7beac9ee5011e5eca33a7a5c

I noticed that it is making a request to the endpoint, and the verbiage is correct. I am not sure what it could be sending wrong. This is related to this issue I found for Spring Boot and has to deal with Authorization on a per-method basis: https://github.com/spring-projects/spring-boot/issues/5096

Thanks for any help.
Re: Spring OAuth not retrieving scopes from UAA
Madhura Bhave
The request to /oauth/authorize takes in a scope parameter where you can specify which scopes you want in your access token. That is what adding the scope in application.yml did. If you don't specify any scope parameter to that request you get all the scopes that both the client and user have in common. So in your case,

http://localhost:8080/uaa/oauth/authorize?client_id=myApp&redirect_uri=http://localhost:8081/login&response_type=code&scope=uaa.admin%20openid&state=QUHpO2

and

http://localhost:8080/uaa/oauth/authorize?client_id=myApp&redirect_uri=http://localhost:8081/login&response_type=code&state=QUHpO2

will end up with the same result. The reason why uaa.admin does not show up on the authorization page in both cases is because the UAA ignores scopes with a prefix of `uaa.` when asking the user to authorize the scopes.

On Wed, Jun 29, 2016 at 3:04 PM, Bryan Perino <Bryan.Perino(a)gmail.com> wrote:
Thanks! I am not sure if it makes a difference, but I can also specify the
CF CLI v6.20.0 Released Today
Koper, Dies <diesk@...>
The CF CLI team just cut 6.20.0. Binaries and link to release notes are available at:
https://github.com/cloudfoundry/cli#downloads

Route Services and Routes with Paths
Route services can now be bound to routes with paths.

Binding Security Groups to All Spaces of an Org
Security groups can now be bound to all spaces of an org in one command call.

Fixed Regressions
* Plug-in failures: Some plug-ins failed since cf CLI 6.17.0 due to an unintended change to the response of the CliCommandWithoutTerminalOutput function (#866, https://github.com/cloudfoundry/cli/issues/866)
* .* in .cfignore: While cf CLI 6.13.0 correctly interprets pattern .* in .cfignore to mean ignore all files starting with a period, cf CLI 6.14.0 and greater ignores all files and fails to push the app. This has been corrected. (#870, https://github.com/cloudfoundry/cli/issues/870)
* cf copy-source with non-existing target app produces confusing error message: While cf CLI 6.17.1 correctly fails with a message that the target app could not be found, cf CLI 6.18.1 fails saying the target space could not be found. This is addressed, and the command's help has been improved to clarify that the target app has to exist. (#849, https://github.com/cloudfoundry/cli/issues/849)
* Negative WaitGroup Counter Panic: The cf CLI could panic when pushing an app when the noaa library the CLI uses to retrieve logs does a retry. (#850, https://github.com/cloudfoundry/cli/issues/850)

Updated Commands
* bind-route-service and unbind-route-service now accept a route path
* bind-security-group now allows the space name to be omitted, binding the security group to all spaces of the org

New & Updated Community Plugins
* Copy Env v1.0.0: https://github.com/jthomas/copyenv
* Usage Report v1.3.1: https://github.com/krujos/usagereport-plugin
* Antifreeze v0.3.0: https://github.com/odlp/antifreeze

Enjoy!

Regards,
Dies Koper
Cloud Foundry CLI PM
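The `.cfignore` regression above is worth a closer look, because ignore rules are what keep dotfiles such as `.env` or `.git/` out of a pushed droplet. The block below is an added example, not the cf CLI's implementation: it applies glob (fnmatch) semantics, under which `.*` matches names beginning with a period and nothing else, to each path component, and refuses to proceed when the rules leave no files at all, which is the symptom the note describes. The sample paths are constructed for the example.

```python
"""Glob-style .cfignore matching with a guard against the empty-push case.

Added illustrative code; not the cf CLI's own matcher. Assumes one
pattern per line, glob semantics (fnmatch), patterns without '/' matched
against every path component, patterns with '/' matched against the
whole relative path.
"""
import fnmatch
from typing import Iterable, List


def is_ignored(path: str, patterns: Iterable[str]) -> bool:
    """Return True if any .cfignore pattern excludes this relative path.

    '.*' matches '.env' and the '.git' component of '.git/config', but not
    'app.py', which is the behaviour the release note calls correct.
    """
    parts = path.split("/")
    for pat in patterns:
        if "/" in pat:
            if fnmatch.fnmatchcase(path, pat):
                return True
        elif any(fnmatch.fnmatchcase(part, pat) for part in parts):
            return True
    return False


def plan_push(paths: Iterable[str], patterns: Iterable[str]) -> List[str]:
    """Files that would be uploaded; raise instead of pushing nothing."""
    patterns = list(patterns)
    kept = [p for p in paths if not is_ignored(p, patterns)]
    if not kept:
        raise ValueError("ignore rules exclude every file; nothing to push")
    return kept


# Constructed sample application tree (relative paths), not a real project.
SAMPLE_PATHS = [
    "manifest.yml",
    "app.py",
    ".env",
    ".git/config",
    "src/.DS_Store",
    "src/main.py",
]

if __name__ == "__main__":
    for path in plan_push(SAMPLE_PATHS, [".*"]):
        print("push:", path)
    try:
        plan_push(SAMPLE_PATHS, ["*"])
    except ValueError as exc:
        print("refused:", exc)
```

Note the direction of the two failure modes: a matcher that is too broad silently produces a push with nothing in it (what the 6.14.0 regression did), while one that is too narrow uploads secrets in dotfiles. The component-wise match handles the second case for nested dotfiles such as `.git/config`; the empty-result guard handles the first.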
Re: Spring OAuth not retrieving scopes from UAA
Bryan Perino
Thanks! I am not sure if it makes a difference, but I can also specify the scope in the client config:
https://gist.github.com/bryantp/4b3dadb17c620d301109859fd92c4539#file-application-yml-L16

The request URL then becomes:
http://localhost:8080/uaa/oauth/authorize?client_id=myApp&redirect_uri=http://localhost:8081/login&response_type=code&scope=uaa.admin%20openid&state=QUHpO2

Full HAR file: https://dl.dropboxusercontent.com/u/4177525/request-with-scopes.har

However, I still only get the OpenID auth/scope on the UAA auth page.
Re: Spring OAuth not retrieving scopes from UAA
Madhura Bhave
So it looks like if the scope name starts with `uaa.` we ignore it at the time of app authorization. I will create a story in our backlog to investigate why that is the case.

As a workaround, if you want the scope to end up in the access token you can autoapprove that scope in the client configuration in uaa.yml. Example: https://github.com/cloudfoundry/uaa-release/blob/develop/jobs/uaa/spec#L256

On Wed, Jun 29, 2016 at 2:00 PM, Bryan Perino <Bryan.Perino(a)gmail.com> wrote:
There are 3 requests to /oauth/authorize. I have saved all 3 as HAR files.
How to make values in VCAP_SERVICES json private or secret or hidden
Nikhil Katre <nikhil.katre@...>
Hi,
I have a service that is supported on Cloud Foundry through the Java Buildpack. I am trying to make the values of my service in the VCAP_SERVICES JSON hidden or private, so that they are invisible using the command `cf env`. Does anyone know how to achieve this in Cloud Foundry or the PCF platform?
CF Summit EU 2016 code for Contributors
Chip Childers <cchilders@...>
Hi all,
Registration is open for the upcoming CF Summit Europe, and we have a limited number of free passes for contributors to the project. This code can be used by anyone that is a contributor to a Cloud Foundry or BOSH project. We consider contributions to be project leads, dedicated committers or even if you have sent in a pull request to one of the projects. *However, we ask that individuals consider their organization's ability to fund the ticket first, before using this code. * We run the summits on a very tight budget, and the number of free passes that we can offer for this specific event are limited. Also - please only register if you do intend to come to the event. Use of the code is on the honor system... https://www.cloudfoundry.org/community/summits/program/about/?summitId=11993 Code: CFEU16CONT Feel free to reach out to me or to events(a)cloudfoundry.org if you have any questions. See you there! -chip
Re: Spring OAuth not retrieving scopes from UAA
Bryan Perino
There are 3 requests to /oauth/authorize. I have saved all 3 as HAR files.
https://dl.dropboxusercontent.com/u/4177525/har-files.zip
Re: Spring OAuth not retrieving scopes from UAA
Madhura Bhave
Can you send me the full request to /oauth/authorize when you get to the authorization page? You should be able to find it in the Network tab.

On Wed, Jun 29, 2016 at 10:29 AM, Bryan Perino <Bryan.Perino(a)gmail.com> wrote:
I don't have to modify the client registration YAML do I? Here it is for
Re: How to listen to space deletion events?
Nicholas Calugar
Hi Piotr,
Delete space will fail if there are associated resources. Nick
On Wed, Jun 29, 2016 at 8:21 AM, Piotr Przybylski <piotrp(a)us.ibm.com> wrote:
Hi Nicholas,

--
Nicholas Calugar
Product Manager - Cloud Foundry API
Pivotal Software, Inc.
Re: Spring OAuth not retrieving scopes from UAA
Bryan Perino
I don't have to modify the client registration YAML do I? Here it is, for brevity:
https://gist.github.com/bryantp/359249dfe2a40860c3a6f5489f9924bd
Re: Spring OAuth not retrieving scopes from UAA
Bryan Perino
I am not using a DB currently, everything is in memory. I usually just restart UAA to make the changes take effect.
Re: Spring OAuth not retrieving scopes from UAA
Madhura Bhave
I suspect that the client did not get updated with the uaa.admin scope. Can you check the database to see if the client has that scope? It would be in the oauth_client_details table. If it hasn't been updated, you can add override: true in the client configuration in uaa.yml and restart the UAA.
On Jun 28, 2016, at 8:34 PM, Bryan Perino <Bryan.Perino(a)gmail.com> wrote:
Re: How to listen to space deletion events?
Piotr Przybylski <piotrp@...>
Hi Nicholas,
what happens to applications if the recursive flag is not passed? Will delete fail if there are apps in the space? Or will delete succeed? In the latter case, what is the state of these applications?

Piotr

Piotr Przybylski | IBM Bluemix

From: Nicholas Calugar <ncalugar(a)pivotal.io>
To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org>
Date: 06/28/2016 06:07 PM
Subject: [cf-dev] Re: Re: Re: Re: Re: Re: How to listen to space deletion events?

Hi Piotr,

Yes, that is correct, deleting recursively will delete service instances and apps.

Thanks,
Nick
On Tue, Jun 28, 2016 at 2:45 PM, Piotr Przybylski <piotrp(a)us.ibm.com> wrote:

Hi Nicholas,

is that behavior influenced by the 'recursive' flag on the Space DELETE request? Also, does the CC stop and delete applications in the deleted space? How is that influenced by the 'recursive' flag?

Thank you,
Piotr

Piotr Przybylski, IBM Bluemix

From: Nicholas Calugar <ncalugar(a)pivotal.io>
To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org>
Date: 06/28/2016 11:51 AM
Subject: [cf-dev] Re: Re: Re: Re: How to listen to space deletion events?

Hi Padma,

Apologies for the delay. In the case of a space with a service instance, if the space is deleted, the Cloud Controller sends a deprovision request to the service broker. The broker is responsible for properly handling the deprovision; what other cleanup do you have in mind?

-Nick

On Sun, Jun 19, 2016 at 4:42 PM, Padmashree B <padmashree.b(a)sap.com> wrote:

Hi,

Any suggestion on this?

Thanks,
Padma

--
Nicholas Calugar
Product Manager - Cloud Foundry API
Pivotal Software, Inc.
Concerns on the "unique_id" in the service metadata
Ponraj E
Hi Colleagues,
I have some concerns about the unique_id in the service metadata.

1. In the API docs (http://apidocs.cloudfoundry.org/237/services/retrieve_a_particular_service.html) it says: unique_id - A "guid" that identifies the service with the broker. But if one visits the catalog-metadata link here: http://docs.cloudfoundry.org/services/catalog-metadata.html (see "Example Cloud Controller Response Body"), the unique_id values seem to be strings containing characters and numbers (not only a GUID). So there is a little bit of confusion as to what the unique_id value type is. The documentation of the apidocs could be updated for better clarity.

2. Secondly, in the space summary retrieval (http://apidocs.cloudfoundry.org/237/spaces/get_space_summary.html), the unique_id is not part of the service details metadata that's being returned. Any particular reason why?

Thanks for the help.

Regards,
Ponraj