The plugin authenticates requests made to the REST API by verifying the signature associated with the message. For each REST API call the signature is expected to match the following message:

    <sys_https_host> || param1 || param2 || ... || paramX

`<sys_https_host>` is added to the verified message since the same signing keypair might be used for multiple Tuleap instances. We want to ensure the message has been received by the expected Tuleap instance, to avoid the possibility of replaying a message received on one Tuleap instance on another.

The secret key is supposed to be stored outside of the Tuleap instance in a secure store and not known by the operators.

In order to test, you can generate a keypair with this code snippet:

```php
<?php
// Generate an Ed25519 keypair with libsodium and print both halves base64-encoded.
$keypair    = sodium_crypto_sign_keypair();
$secret_key = sodium_crypto_sign_secretkey($keypair);
$public_key = sodium_crypto_sign_publickey($keypair);
var_dump(base64_encode($public_key), base64_encode($secret_key));
```

You can generate a signature for a set of parameters with this code snippet:

```php
<?php
// Sign <sys_https_host> || param1 || ... || paramX with the base64-encoded secret key.
$secret_key = base64_decode('<your_secret_key>');
$domain     = 'tuleap-web.tuleap-aio-dev.docker';
$username   = 'forge__dynamic_credential-identifier';
$password   = 'password';
$expiration = '2018-03-08T14:32:26+01:00';
var_dump(base64_encode(sodium_crypto_sign_detached($domain . $username . $password . $expiration, $secret_key)));
```

This is part of story #11239: generate dynamic credentials from HashiCorp Vault into a Tuleap instance

Change-Id: Ica754bf903a5e7165378bfd4af29f3ead3b8b029
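The verifying side of the scheme described in the commit message, written as an added example in Go rather than the plugin's PHP (this is not Tuleap's code). It rebuilds the message as `<sys_https_host> || param1 || ... || paramX` by plain concatenation, exactly as the commit describes, and checks the detached signature with the standard library's `crypto/ed25519`, which is the same Ed25519 scheme as libsodium's `crypto_sign_detached` (the 64-byte secret key, 32-byte public key and 64-byte signature formats are interchangeable). The host name, username, password and expiration values are the sample values from the commit's own snippet; `other-instance.example` is a constructed second host used to show that a signature made for one instance does not verify on another. The function names `buildSignedMessage`, `signRequest`, `verifyRequest` and `newKeypair` are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// buildSignedMessage reproduces the message layout described in the commit:
// <sys_https_host> || param1 || param2 || ... || paramX, joined by plain
// concatenation with no separators. The receiving instance uses its own
// configured host, so the host is bound into every signature it accepts.
func buildSignedMessage(host string, params ...string) []byte {
	return []byte(host + strings.Join(params, ""))
}

// newKeypair generates an Ed25519 keypair in the same byte layout libsodium
// uses (secret key = seed || public key), so base64 keys can be exchanged with
// the PHP snippets in the commit message.
func newKeypair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// signRequest is the client side: a detached signature over the message,
// base64-encoded the way the commit's signing snippet emits it.
func signRequest(secretKey ed25519.PrivateKey, host string, params ...string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(secretKey, buildSignedMessage(host, params...)))
}

// verifyRequest is the check the receiving Tuleap instance performs: decode the
// signature, rebuild the message from the instance's own host plus the received
// parameters, and verify against the trusted public key. Malformed or
// wrong-length signatures are rejected before any cryptographic work.
func verifyRequest(publicKey ed25519.PublicKey, sigB64, host string, params ...string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(publicKey, buildSignedMessage(host, params...), sig)
}

func main() {
	pub, priv, err := newKeypair()
	if err != nil {
		panic(err)
	}
	// Sample values from the commit message's snippet.
	host := "tuleap-web.tuleap-aio-dev.docker"
	params := []string{"forge__dynamic_credential-identifier", "password", "2018-03-08T14:32:26+01:00"}

	sig := signRequest(priv, host, params...)
	fmt.Println("signature:", sig)
	fmt.Println("accepted on intended host:", verifyRequest(pub, sig, host, params...))
	// Constructed second instance: the same message replayed there fails,
	// because its configured host changes the message under the signature.
	fmt.Println("accepted on other-instance.example:", verifyRequest(pub, sig, "other-instance.example", params...))
	// Any change to a parameter, such as the expiration, also invalidates it.
	fmt.Println("accepted with altered expiration:",
		verifyRequest(pub, sig, host, params[0], params[1], "2018-03-09T14:32:26+01:00"))
}
```

Because the message is built by plain concatenation exactly as on the page, the verifier has to rebuild it with the same parameters in the same order the signer used; only the host comes from the instance's own configuration, never from the request.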
Modified Files

Status | File | Added | Removed
---|---|---|---
A | plugins/dynamic_credentials/etc/dynamic_credentials.inc.dist | +3 | −0
M | plugins/dynamic_credentials/include/REST/DynamicCredentialsResource.php | +16 | −1
A | plugins/dynamic_credentials/include/REST/RequestSignatureVerifier.php | +61 | −0
M | plugins/dynamic_credentials/include/autoload.php | +3 | −2
A | plugins/dynamic_credentials/phpunit/REST/RequestSignatureVerifierTest.php | +91 | −0
M | plugins/dynamic_credentials/tests/rest/DynamicCredentialsPluginRESTInitializer.php | +17 | −0
M | plugins/dynamic_credentials/tests/rest/DynamicCredentialsTest.php | +39 | −1