Don't blindly trust header values without being instructed to do so

Johannes Meyer · Johannes Meyer · commit 476057f07f78 · 2016-05-14T11:37:28.000+02:00
We were vulnerable to various spoofing attacks prior to this change..
diff --git a/README.md b/README.md
@@ -27,10 +27,11 @@ See [here](doc/03-Configuration.md#configuration) for how to configure ElasticAr
 
 ## Authentication
 
-By default ElasticArmor considers any request with basic authentication credentials as being authenticated. This
-allows another reverse proxy being placed in front of ElasticArmor that is performing the actual authentication.
-But it is also possible to have ElasticArmor performing the authentication by configuring one or more
-authentication mechanisms.
+While ElasticArmor can *run* without any configuration, it does not authenticate clients without further ado. If
+you have another reverse proxy placed in front of ElasticArmor that is performing the actual authentication, you
+need to define it as [trusted proxy](doc/03-Configuration.md#configuration-proxy-trusted-proxies) in order to make
+ElasticArmor blindly trust a request's credentials. If you want ElasticArmor to perform the authentication, it
+is possible to configure one or more mechanisms to accomplish this.
 
 See [here](doc/04-Authentication.md#authentication) for how to configure authentication.
 
diff --git a/doc/01-About.md b/doc/01-About.md
@@ -27,10 +27,11 @@ See [here](03-Configuration.md#configuration) for how to configure ElasticArmor.
 
 ## <a id="about-authentication"></a> Authentication
 
-By default ElasticArmor considers any request with basic authentication credentials as being authenticated. This
-allows another reverse proxy being placed in front of ElasticArmor that is performing the actual authentication.
-But it is also possible to have ElasticArmor performing the authentication by configuring one or more
-authentication mechanisms.
+While ElasticArmor can *run* without any configuration, it does not authenticate clients without further ado. If
+you have another reverse proxy placed in front of ElasticArmor that is performing the actual authentication, you
+need to define it as [trusted proxy](03-Configuration.md#configuration-proxy-trusted-proxies) in order to make
+ElasticArmor blindly trust a request's credentials. If you want ElasticArmor to perform the authentication, it
+is possible to configure one or more mechanisms to accomplish this.
 
 See [here](04-Authentication.md#authentication) for how to configure authentication.
 
diff --git a/doc/03-Configuration.md b/doc/03-Configuration.md
@@ -55,6 +55,38 @@ You can set a list of host[:port] combinations separated by comma on the option
     ...
     allow_from="localhost, name.example.com, 10.20.30.40:1234"
 
+### <a id="configuration-proxy-trusted-proxies"></a> Trusted Proxies
+
+Proxies configured as being trusted allow ElasticArmor to utilize a request's HTTP headers for authorization.
+
+You can set a list of host[:port] combinations separated by comma on the option *trusted_proxies*:
+
+    [proxy]
+    ...
+    trusted_proxies="localhost, name.example.com, 10.20.30.40:1234"
+
+The HTTP headers utilized by ElasticArmor for authorization are as follows:
+
+#### <a id="configuration-proxy-trusted-proxies-authorization"></a> Authorization
+
+In case ElasticArmor does not authenticate clients on its own, the *Authorization* header is only used for
+identification purposes. This means that requests containing authentication credentials received from a
+trusted proxy are considered as being successfully authenticated.
+
+> **Note:**
+>
+> In case ElasticArmor authenticates clients on its own, they still need to authenticate with the configured
+> mechanisms regardless from whom the request has been received.
+
+#### <a id="configuration-proxy-trusted-proxies-x-forwarded-for"></a> X-Forwarded-For
+
+The XFF header is used to replace a request's origin address and port with the very first entry supplied with
+this header.
+
+> **Note:**
+>
+> If you have anonymous access configured, the extracted entry is subject to authorization instead.
+
 ### <a id="configuration-proxy-fallback-nodes"></a> Fallback Nodes
 
 It is possible to define multiple Elasticsearch nodes, each separated by comma:
diff --git a/lib/elasticarmor/auth/__init__.py b/lib/elasticarmor/auth/__init__.py
@@ -26,6 +26,7 @@ def __init__(self, settings):
         self.role_backend = settings.role_backend
         self.auth_backends = settings.auth_backends
         self.group_backends = settings.group_backends
+        self.trusted_proxies = settings.trusted_proxies
 
     def authenticate(self, client, populate=True):
         """Authenticate the given client and return whether it succeeded or not."""
@@ -60,7 +61,8 @@ def authenticate(self, client, populate=True):
                         self.log.error('Failed to authenticate client "%s" using backend "%s". %s.',
                                        client, backend.name, format_ldap_error(error))
             else:
-                client.authenticated = True
+                trusted_ports = self.trusted_proxies.get(client.peer_address, [])
+                client.authenticated = trusted_ports is None or client.peer_port in trusted_ports
 
         if client.authenticated and populate:
             self.populate(client)
@@ -171,8 +173,12 @@ def __init__(self, address, port=None):
         self.address = address
         self.port = port
 
+        self.peer_address = None
+        self.peer_port = None
+
         self.name = None
         self.authenticated = False
+        self.default_role = None
         self.username = None
         self.password = None
         self.groups = None
diff --git a/lib/elasticarmor/proxy.py b/lib/elasticarmor/proxy.py
@@ -259,13 +259,16 @@ def client(self):
         if self._client is not None:
             return self._client
 
-        client_address = client_port = None
+        client_address, client_port = self.client_address
         if self._context is not None:
-            client_address, client_port = self._context.forwarded_for
-        if client_address is None:
-            client_address, client_port = self.client_address
+            trusted_ports = self.server.auth.trusted_proxies.get(client_address, [])
+            if trusted_ports is None or client_port in trusted_ports:
+                forwarded_address, forwarded_port = self._context.forwarded_for
+                if forwarded_address is not None:
+                    client_address, client_port = forwarded_address, forwarded_port
 
         self._client = Client(client_address, client_port)
+        self._client.peer_address, self._client.peer_port = self.client_address
 
         try:
             header_value = self.headers['Authorization']
diff --git a/lib/elasticarmor/settings.py b/lib/elasticarmor/settings.py
@@ -246,14 +246,21 @@ def certificate(self):
 
     @property
     def allow_from(self):
-        allow_from = {}
+        try:
+            return self._create_network_map(self.config.get('proxy', 'allow_from'))
+        except (ConfigParser.NoSectionError, ConfigParser.NoOptionError):
+            return {}
 
+    @property
+    def trusted_proxies(self):
         try:
-            value = self.config.get('proxy', 'allow_from')
+            return self._create_network_map(self.config.get('proxy', 'trusted_proxies'))
         except (ConfigParser.NoSectionError, ConfigParser.NoOptionError):
-            return allow_from
+            return {}
 
-        for host_and_port in value.split(','):
+    def _create_network_map(self, hosts):
+        network_map = {}
+        for host_and_port in hosts.split(','):
             try:
                 host, port = host_and_port.split(':')
             except ValueError:
@@ -268,18 +275,18 @@ def allow_from(self):
                 self.log.warning('Failed to resolve hostname "%s". An error occurred: %s', host, error)
             else:
                 for ip in ip_list:
-                    if ip not in allow_from:
+                    if ip not in network_map:
                         if port:
-                            allow_from[ip] = [port]
+                            network_map[ip] = [port]
                         else:
-                            allow_from[ip] = None
-                    elif allow_from[ip] is not None:
+                            network_map[ip] = None
+                    elif network_map[ip] is not None:
                         if port:
-                            allow_from[ip].append(port)
+                            network_map[ip].append(port)
                         else:
-                            allow_from[ip] = None
+                            network_map[ip] = None
 
-        return allow_from
+        return network_map
 
     @property
     @propertycache
