Get rid of TimedJSONWebSignatureSerializer #24519
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
potiuk
force-pushed
the
get-rid-of-signature-serializer
branch
from
b60d291 to
3c914fa
Compare
potiuk
requested review from
ashb,
uranusjr,
mik-laj,
jedcunningham and
josh-fell
|
This is first change from (likely) a series of changes that will bring us closer to migrating to FAB 4+. |
potiuk
force-pushed
the
get-rid-of-signature-serializer
branch
from
3c914fa to
1d3c70d
Compare
1 task
mik-laj
reviewed
Jun 18, 2022
|
All fixed @mik-laj |
potiuk
force-pushed
the
get-rid-of-signature-serializer
branch
3 times, most recently
from
7af500f to
55bf6e2
Compare
|
I also added |
mik-laj
reviewed
Jun 18, 2022
potiuk
force-pushed
the
get-rid-of-signature-serializer
branch
from
55bf6e2 to
20158f0
Compare
The TimedJSONWebSignatureSerializer has been deprecated from the itsdangerous library and they recommended to use dedicated libraries for it. pallets/itsdangerous#129 Since we are going to move to FAB 4+ with apache#22397 where newer version of itsdangerous is used, we need to switch to another library. We are already using PyJWT so the choice is obvious. Additionally to switching, the following improvements were done: * the use of JWT claims has been fixed to follow JWT standard. We were using "iat" header wrongly. The specification of JWT only expects the header to be there and be valid UTC timestamp, but the claim does not impact maturity of the signature - the signature is valid if iat is in the future. Instead "nbf" - "not before" claim should be used to verify if the request is not coming from the future. We now require all claims to be present in the request. * rather than using salt/signing_context we switched to standard JWT "audience" claim (same end result) * we have now much better diagnostics on the server side of the reason why request is forbidden - explicit error messages are printed in server logs and details of the exception. This is secure, we do not spill the information about the reason to the client, it's only available in server logs, so there is no risk attacker could use it. * the JWTSigner is "use-agnostic". We should be able to use the same class for any other signatures (Internal API from AIP-44) with just different audience * Short, 5 seconds default clock skew is allowed, to account for systems that have "almost" synchronized time * more tests addded with proper time freezing testing both expiry and immaturity of the request This change is not a breaking one because the JWT authentication details are not "public API" - but in case someone reverse engineered our claims and implemented their own log file retrieval, we should add a change in our changelog - therefore newsfragment is added.
potiuk
force-pushed
the
get-rid-of-signature-serializer
branch
from
20158f0 to
6d2653c
Compare
|
Right. Fixed and reviewed all. |
|
BTW. Interesting dicussion here https://bugs.python.org/issue46200 |
|
All should be cool @mik-laj :) |
mik-laj
approved these changes
Jun 18, 2022
github-actions
bot
added
the
full tests needed
|
The PR most likely needs to run full matrix of tests because it modifies parts of the core of Airflow. However, committers might decide to merge it quickly and take the risk. If they don't merge it quickly - please rebase it to the latest main at your convenience, or amend the last commit of the PR, and push it with --force-with-lease. |
Merged
potiuk
added a commit
to potiuk/airflow
that referenced
this pull request
Jun 29, 2022
The TimedJSONWebSignatureSerializer has been deprecated from the itsdangerous library and they recommended to use dedicated libraries for it. pallets/itsdangerous#129 Since we are going to move to FAB 4+ with apache#22397 where newer version of itsdangerous is used, we need to switch to another library. We are already using PyJWT so the choice is obvious. Additionally to switching, the following improvements were done: * the use of JWT claims has been fixed to follow JWT standard. We were using "iat" header wrongly. The specification of JWT only expects the header to be there and be valid UTC timestamp, but the claim does not impact maturity of the signature - the signature is valid if iat is in the future. Instead "nbf" - "not before" claim should be used to verify if the request is not coming from the future. We now require all claims to be present in the request. * rather than using salt/signing_context we switched to standard JWT "audience" claim (same end result) * we have now much better diagnostics on the server side of the reason why request is forbidden - explicit error messages are printed in server logs and details of the exception. This is secure, we do not spill the information about the reason to the client, it's only available in server logs, so there is no risk attacker could use it. * the JWTSigner is "use-agnostic". We should be able to use the same class for any other signatures (Internal API from AIP-44) with just different audience * Short, 5 seconds default clock skew is allowed, to account for systems that have "almost" synchronized time * more tests addded with proper time freezing testing both expiry and immaturity of the request This change is not a breaking one because the JWT authentication details are not "public API" - but in case someone reverse engineered our claims and implemented their own log file retrieval, we should add a change in our changelog - therefore newsfragment is added. (cherry picked from commit 1f8e4c9)
ephraimbuddy
added
the
type:misc/internal
This was referenced Jul 2, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The TimedJSONWebSignatureSerializer has been deprecated from the
itsdangerous library and they recommended to use dedicated
libraries for it.
pallets/itsdangerous#129
Since we are going to move to FAB 4+ with #22397 where newer version of
itsdangerous is used, we need to switch to another library.
We are already using PyJWT so the choice is obvious.
Additionally to switching, the following improvements were done:
the use of JWT claims has been fixed to follow JWT standard.
We were using "iat" header wrongly. The specification of JWT only
expects the header to be there and be valid UTC timestamp, but the
claim does not impact maturity of the signature - the signature
is valid if iat is in the future.
Instead "nbf" - "not before" claim should be used to verify if the
request is not coming from the future. We now require all claims
to be present in the request.
rather than using salt/signing_context we switched to standard
JWT "audience" claim (same end result)
we have now much better diagnostics on the server side of the
reason why request is forbidden - explicit error messages
are printed in server logs and details of the exception. This
is secure, we do not spill the information about the reason
to the client, it's only available in server logs, so there is
no risk attacker could use it.
the JWTSigner is "use-agnostic". We should be able to use the
same class for any other signatures (Internal API from AIP-44)
with just different audience and algorithm
Short, 5 seconds default clock skew is allowed, to account for
systems that have "almost" synchronized time
more tests addded with proper time freezing testing both
expiry and immaturity of the request
This change is not a breaking one because the JWT authentication
details are not "public API" - but in case someone reverse engineered
our claims and implemented their own log file retrieval, we
should add a change in our changelog - therefore newsfragment
is added.
^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code change, Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragement file, named
{pr_number}.significant.rst, in newsfragments.