We are trying to reduce the attack surface of some public APIs by checking a static header variable called "apikey".
We tried using the new functionality under "Secure Web Settings -> API Access Control -> Policies". Unfortunately, it seems that when using a policy, group membership is mandatory. As the API is public, this doesn't cover our needs. Nonetheless, it was interesting to see which changes were made to the WebSEAL config file, HTTP transformations, ACL, POP and objectspace.
As I understood it, it should be possible to do such a check by adding the following two extended attributes to the POP:
eas-trigger = trigger_attr_eas
requires = apikey='xxxxx'
In the [azn-decision-info] stanza we added an entry "apikey = header:apikey"
And just to be sure, we also added in the [user-attribute-definitions] stanza the values "apikey.category = Subject" and "apikey.datatype = string".
In the pdweb.wan.azn log we can see that this attribute is added somewhere:
2020-02-04-13:06:41.897+00:00I----- thread(21) trace.pdweb.wan.azn:9 /build/isam/src/i4w/pdwebrte/webcore/amw_azn.c:117: [148.110.128.146] Attr Name:apikey , Value: xxxxx
In the pdweb.azn.attr log the attribute is also present, but not as a credential attribute:
2020-02-04-14:15:13.944+00:00I----- thread(11) trace.pdweb.azn.attr:4 /build/isam/src/i4w/pdwebrte/azn/attr-eas/amw_attr_eas.cpp:418: azn_svc_decision_access_allowed_ext protected_resource[/WebSEAL_API/webseal/@host/GET/@host/configs]
2020-02-04-14:15:13.944+00:00I----- thread(11) trace.pdweb.azn.attr:7 /build/isam/src/i4w/pdwebrte/azn/attr-eas/amw_attr_eas.cpp:216: attributeList [app_context]:apikey=[[xxxxx]] AZN_EAS_POP_ATTRS_ATTRIBUTE=[[eas-trigger::::trigger_attr_eas][requires::::apikey='xxxxx']] AZN_EAS_POP_LOCATION_ATTRIBUTE=[[/WebSEAL_API/webseal/@host/GET/@host/configs]]
2020-02-04-14:15:13.944+00:00I----- thread(11) trace.pdweb.azn.attr:7 /build/isam/src/i4w/pdwebrte/azn/attr-eas/amw_attr_eas.cpp:219: The total number of [app_context] attributes is 3.
2020-02-04-14:15:13.944+00:00I----- thread(11) trace.pdweb.azn.attr:7 /build/isam/src/i4w/pdwebrte/azn/attr-eas/amw_attr_eas.cpp:216: attributeList [cred_attributes]:AUTHENTICATION_LEVEL=[[0]] AZN_CRED_AUTHNMECH_INFO=[[LDAP Registry]] AZN_CRED_AUTHZN_ID=[[cn=ttt]] AZN_CRED_AUTH_EPOCH_TIME=[[1580825260]] AZN_CRED_AUTH_METHOD=[[password]] AZN_CRED_BROWSER_INFO=[[tt]] AZN_CRED_GROUPS=[ttt] AZN_CRED_GROUP_REGISTRY_IDS=[ttt] AZN_CRED_GROUP_UUIDS=[ttt] AZN_CRED_IP_FAMILY=[[AF_INET]] AZN_CRED_MECH_ID=[[IV_LDAP_V3.0]] AZN_CRED_NETWORK_ADDRESS_BIN=[[tt]] AZN_CRED_NETWORK_ADDRESS_STR=[[tt]] AZN_CRED_PRINCIPAL_DOMAIN=[[Default]] AZN_CRED_PRINCIPAL_NAME=[[tt]] AZN_CRED_PRINCIPAL_UUID=[[tt]] AZN_CRED_QOP_INFO=[[SSK: TLSV13: 01]] AZN_CRED_REGISTRY_ID=[[cn=tt]] AZN_CRED_USER_INFO=[[]] AZN_CRED_VERSION=[[0x00000907]] SMS_SESSION_REALM=[[ISAM-Distributed-Session-Cache]] tagvalue_login_user_name=[[tt]] tagvalue_max_concurrent_web_sessions=[[unset]] tagvalue_session_index=[[tt]] tagvalue_user_session_id=[[tt]
2020-02-04-14:15:13.944+00:00I----- thread(11) trace.pdweb.azn.attr:7 /build/isam/src/i4w/pdwebrte/azn/attr-eas/amw_attr_eas.cpp:219: The total number of [cred_attributes] attributes is 25.
2020-02-04-14:15:13.944+00:00I----- thread(11) trace.pdweb.azn.attr:6 /build/isam/src/i4w/pdwebrte/azn/attr-eas/amw_attr_eas.cpp:308: Checking authorization with [apikey='xxxxx']
2020-02-04-14:15:13.944+00:00I----- thread(11) trace.pdweb.azn.attr:6 /build/isam/src/i4w/pdwebrte/azn/attr-eas/amw_attr_eas.cpp:346: Checking the credential attribute list for apikey == xxxxx
2020-02-04-14:15:13.944+00:00I----- thread(11) trace.pdweb.azn.attr:6 /build/isam/src/i4w/pdwebrte/azn/attr-eas/amw_attr_eas.cpp:356: Attribute is not present. Continuing to check the rest of the rule.
2020-02-04-14:15:13.944+00:00I----- thread(11) trace.pdweb.azn.attr:6 /build/isam/src/i4w/pdwebrte/azn/attr-eas/amw_attr_eas.cpp:374: Finished checking the authorization. This rule has failed
2020-02-04-14:15:13.944+00:00I----- thread(11) trace.pdweb.azn.attr:1 /build/isam/src/i4w/pdwebrte/azn/attr-eas/amw_attr_eas.cpp:476: azn_svc_decision_access_allowed_ext decision [not permitted]
---------------------------------------------------------------------------------------------------------------
To be able to better identify the value of the apikey that came from the request, we changed it to yyyyy, and that value indeed appears in this log, but not as a credential attribute:
2020-02-04-14:10:00.498+00:00I----- thread(5) trace.pdweb.azn.attr:4 /build/isam/src/i4w/pdwebrte/azn/attr-eas/amw_attr_eas.cpp:418: azn_svc_decision_access_allowed_ext protected_resource[/WebSEAL_API/webseal/@host/GET/@host/configs]
2020-02-04-14:10:00.498+00:00I----- thread(5) trace.pdweb.azn.attr:7 /build/isam/src/i4w/pdwebrte/azn/attr-eas/amw_attr_eas.cpp:216: attributeList [app_context]:apikey=[[yyyyy]] AZN_EAS_POP_ATTRS_ATTRIBUTE=[[eas-trigger::::trigger_attr_eas][requires::::apikey='xxxxx']] AZN_EAS_POP_LOCATION_ATTRIBUTE=[[/WebSEAL_API/webseal/@host/GET/@host/configs]]
2020-02-04-14:10:00.498+00:00I----- thread(5) trace.pdweb.azn.attr:7 /build/isam/src/i4w/pdwebrte/azn/attr-eas/amw_attr_eas.cpp:219: The total number of [app_context] attributes is 3.
2020-02-04-14:10:00.498+00:00I----- thread(5) trace.pdweb.azn.attr:7 /build/isam/src/i4w/pdwebrte/azn/attr-eas/amw_attr_eas.cpp:216: attributeList [cred_attributes]:AUTHENTICATION_LEVEL=[[0]] AZN_CRED_AUTHNMECH_INFO=[[LDAP Registry]] AZN_CRED_AUTHZN_ID=[[tt]] AZN_CRED_AUTH_EPOCH_TIME=[[1580825260]] AZN_CRED_AUTH_METHOD=[[password]] AZN_CRED_BROWSER_INFO=[[tt]] AZN_CRED_GROUPS=[tt] AZN_CRED_GROUP_REGISTRY_IDS=[tt] AZN_CRED_GROUP_UUIDS=[tt] AZN_CRED_IP_FAMILY=[[AF_INET]] AZN_CRED_MECH_ID=[[IV_LDAP_V3.0]] AZN_CRED_NETWORK_ADDRESS_BIN=[[tt]] AZN_CRED_NETWORK_ADDRESS_STR=[[tt]] AZN_CRED_PRINCIPAL_DOMAIN=[[Default]] AZN_CRED_PRINCIPAL_NAME=[[tt]] AZN_CRED_PRINCIPAL_UUID=[[tt]] AZN_CRED_QOP_INFO=[[SSK: TLSV13: 01]] AZN_CRED_REGISTRY_ID=[[tt]] AZN_CRED_USER_INFO=[[]] AZN_CRED_VERSION=[[0x00000907]] SMS_SESSION_REALM=[[ISAM-Distributed-Session-Cache]] tagvalue_login_user_name=[[tt]] tagvalue_max_concurrent_web_sessions=[[unset]] tagvalue_session_index=[[tt]] tagvalue_user_session_id=[[tt]]
2020-02-04-14:10:00.498+00:00I----- thread(5) trace.pdweb.azn.attr:7 /build/isam/src/i4w/pdwebrte/azn/attr-eas/amw_attr_eas.cpp:219: The total number of [cred_attributes] attributes is 25.
2020-02-04-14:10:00.498+00:00I----- thread(5) trace.pdweb.azn.attr:6 /build/isam/src/i4w/pdwebrte/azn/attr-eas/amw_attr_eas.cpp:308: Checking authorization with [apikey='xxxxx']
2020-02-04-14:10:00.498+00:00I----- thread(5) trace.pdweb.azn.attr:6 /build/isam/src/i4w/pdwebrte/azn/attr-eas/amw_attr_eas.cpp:346: Checking the credential attribute list for apikey == xxxxx
2020-02-04-14:10:00.498+00:00I----- thread(5) trace.pdweb.azn.attr:6 /build/isam/src/i4w/pdwebrte/azn/attr-eas/amw_attr_eas.cpp:356: Attribute is not present. Continuing to check the rest of the rule.
2020-02-04-14:10:00.498+00:00I----- thread(5) trace.pdweb.azn.attr:6 /build/isam/src/i4w/pdwebrte/azn/attr-eas/amw_attr_eas.cpp:374: Finished checking the authorization. This rule has failed
2020-02-04-14:10:00.498+00:00I----- thread(5) trace.pdweb.azn.attr:1 /build/isam/src/i4w/pdwebrte/azn/attr-eas/amw_attr_eas.cpp:476: azn_svc_decision_access_allowed_ext decision [not permitted]
---------------------------------------------------
So what is the correct way to check this attribute using a POP? Or is this only possible with Advanced Access Control?
Thanks in advance and kind regards,
Laurent
------------------------------
Laurent Asselborn
------------------------------
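The trace lines in the post already contain the diagnosis: the header value is delivered in the [app_context] list, while the attribute EAS reports "Checking the credential attribute list" and then "Attribute is not present". The script below is an added example, not part of the original post and not IBM code: it parses attributeList lines in the format shown above, extracts the eas-trigger and requires entries from AZN_EAS_POP_ATTRS_ATTRIBUTE, and evaluates the rule against a chosen list so the mismatch between where the attribute lands and where the rule looks becomes explicit. The sample trace is constructed for the example (values anonymised like the post's), the separator "::::" is taken from the quoted log, and only the single-equality form of a requires clause (attr='value') is handled; the real EAS rule grammar is not modelled here.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the pdweb.azn.attr lines quoted in the post
# (not the original log; anonymised the same way).
SAMPLE_TRACE = """\
2020-02-04-14:10:00.498+00:00I----- thread(5) trace.pdweb.azn.attr:7 amw_attr_eas.cpp:216: attributeList [app_context]:apikey=[[yyyyy]] AZN_EAS_POP_ATTRS_ATTRIBUTE=[[eas-trigger::::trigger_attr_eas][requires::::apikey='xxxxx']] AZN_EAS_POP_LOCATION_ATTRIBUTE=[[/WebSEAL_API/webseal/@host/GET/@host/configs]]
2020-02-04-14:10:00.498+00:00I----- thread(5) trace.pdweb.azn.attr:7 amw_attr_eas.cpp:216: attributeList [cred_attributes]:AUTHENTICATION_LEVEL=[[0]] AZN_CRED_AUTHNMECH_INFO=[[LDAP Registry]] AZN_CRED_PRINCIPAL_NAME=[[tt]] AZN_CRED_QOP_INFO=[[SSK: TLSV13: 01]] AZN_CRED_USER_INFO=[[]]
"""

# "attributeList [name]:" introduces one list; each attribute is NAME=[[v1][v2]...]
ATTR_LIST_RE = re.compile(r"attributeList \[(\w+)\]:(.*)$")
ATTR_RE = re.compile(r"(\w+)=\[((?:\[[^\]]*\])*)\]")
# Assumption: only the simple attr='value' form of a requires clause is supported here.
REQUIRES_RE = re.compile(r"^(\w+)\s*=\s*'([^']*)'$")


def parse_attribute_lists(trace: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {list_name: {attr_name: [values...]}} for every attributeList line."""
    lists: Dict[str, Dict[str, List[str]]] = {}
    for line in trace.splitlines():
        m = ATTR_LIST_RE.search(line)
        if not m:
            continue
        name, body = m.group(1), m.group(2)
        attrs: Dict[str, List[str]] = {}
        for attr, inner in ATTR_RE.findall(body):
            # inner is "[v1][v2]"; a multi-valued attribute yields several values
            attrs[attr] = re.findall(r"\[([^\]]*)\]", inner)
        lists[name] = attrs
    return lists


@dataclass
class PopRule:
    trigger: Optional[str]                 # value of eas-trigger
    requires: List[Tuple[str, str]]        # [(attribute, expected value)]


def parse_pop_rule(app_context: Dict[str, List[str]]) -> PopRule:
    """Extract the POP extended attributes carried in AZN_EAS_POP_ATTRS_ATTRIBUTE."""
    trigger = None
    requires: List[Tuple[str, str]] = []
    for entry in app_context.get("AZN_EAS_POP_ATTRS_ATTRIBUTE", []):
        key, _, value = entry.partition("::::")   # separator as seen in the trace
        if key == "eas-trigger":
            trigger = value
        elif key == "requires":
            m = REQUIRES_RE.match(value)
            if not m:
                raise ValueError(f"unsupported requires clause: {value!r}")
            requires.append((m.group(1), m.group(2)))
    return PopRule(trigger, requires)


def evaluate(trace: str, check_list: str = "cred_attributes") -> dict:
    """Evaluate the requires clauses against one attribute list.

    The default mirrors the trace in the post, where the EAS consults the
    credential attribute list. Passing check_list="app_context" shows what
    the same rule would give if it looked where the header value actually is.
    """
    lists = parse_attribute_lists(trace)
    rule = parse_pop_rule(lists.get("app_context", {}))
    report = {"trigger": rule.trigger, "decision": "permitted", "checks": []}
    for attr, expected in rule.requires:
        present_in = [name for name, attrs in lists.items() if attr in attrs]
        actual = lists.get(check_list, {}).get(attr)
        satisfied = actual is not None and expected in actual
        report["checks"].append({
            "attr": attr,
            "expected": expected,
            "checked_list": check_list,
            "present_in": present_in,
            "value_in_checked_list": actual,
            "satisfied": satisfied,
        })
        if not satisfied:
            report["decision"] = "not permitted"
    return report


if __name__ == "__main__":
    for lst in ("cred_attributes", "app_context"):
        r = evaluate(SAMPLE_TRACE, check_list=lst)
        c = r["checks"][0]
        print(f"checked {lst}: apikey present in {c['present_in']}, "
              f"value {c['value_in_checked_list']} vs expected {c['expected']!r} "
              f"-> {r['decision']}")
```

Running it against the constructed trace reports that apikey is present only in app_context, so the rule evaluated against cred_attributes fails regardless of the header value; evaluated against app_context it still fails for yyyyy and passes only when the request carries xxxxx. That separates the two questions in the post (is the header value arriving at all, and is it arriving in the list the rule inspects) without touching the appliance.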