MANTA-3356: prevent user and key enumeration through muskie


Issue Type:Bug
Priority:4 - Normal
Created at:2017-07-21T02:07:05.000Z
Updated at:2022-09-22T18:31:19.383Z


Created by:Former user
Reported by:Former user

Related Links


Currently it is possible to enumerate whether users exist in the system or not, and whether certain keys are allowed to authenticate to their accounts, through two mechanisms: by sending muskie either requests with the keyId set appropriately, or by sending muskie anonymous requests for /user/public. We should prevent both of these.


Comment by Former user
Created at 2017-07-21T19:48:18.000Z

Built as image fc2ca654-6d67-11e7-9948-5309364b2677

Testing done:

Comment by Former user
Created at 2017-07-24T22:55:08.000Z

Error code changes related specifically to the contents of the Authorization: Signature header:

Other error code changes:

Comment by Former user
Created at 2017-10-24T18:45:07.000Z

From my ~triton querying on the need for not exposing enumeration of account "login" names:

the problem is that if you can figure out what users exist efficiently you can attack them much more easily
there's also the general privacy issue of being able to easily tell whether someone is a customer or not

Comment by Former user
Created at 2020-06-17T20:12:38.929Z

When doing the Gerrit CR migration to PRs, this was one of the first ones and the created PR accidentally is owned by me ( rather than by the intended @joyent-automation account. To get it off my PR list and because I deem the prio of this ticket low now, I'm closing the PR. Please feel free to use it/revive it if this ticket gets attention again.