MANTA-3356: prevent user and key enumeration through muskie

Details

Issue Type:Bug
Priority:4 - Normal
Status:Open
Created at:2017-07-21T02:07:05.000Z
Updated at:2022-09-22T18:31:19.383Z

People

Created by:Former user
Reported by:Former user

Related Links

Description

Currently it is possible to enumerate whether users exist in the system or not, and whether certain keys are allowed to authenticate to their accounts, through two mechanisms: by sending muskie either requests with the keyId set appropriately, or by sending muskie anonymous requests for /user/public. We should prevent both of these.

Comments

Comment by Former user
Created at 2017-07-21T19:48:18.000Z

Built as image fc2ca654-6d67-11e7-9948-5309364b2677

Testing done:


Comment by Former user
Created at 2017-07-24T22:55:08.000Z

Error code changes related specifically to the contents of the Authorization: Signature header:

Other error code changes:


Comment by Former user
Created at 2017-10-24T18:45:07.000Z

From my ~triton querying on the need for not exposing enumeration of account "login" names:

alexw:
the problem is that if you can figure out what users exist efficiently you can attack them much more easily
there's also the general privacy issue of being able to easily tell whether someone is a customer or not


Comment by Former user
Created at 2020-06-17T20:12:38.929Z

When doing the Gerrit CR migration to PRs, this was one of the first ones and the created PR accidentally is owned by me (github.com/trentm) rather than by the intended @joyent-automation account. To get it off my PR list and because I deem the prio of this ticket low now, I'm closing the PR. Please feel free to use it/revive it if this ticket gets attention again.