Download public key from S3 with AWS credential

[waisingyiu]

Context

We are looking to address the FSBP high severity security issue about the S3 bucket "pan-domain-auth-settings" not blocking public access.

From S3 access log, we spotted that there were successful, unauthenticated requests to read some objects in this bucket from our applications.

We found that the public settings files there (which were S3 objects with a suffix "settings.public" were configured to allow public access and this client library, pan-domain-node, read these objects via direct HTTP requests without any AWS credential.

Therefore, we have to change the way we access these public setting file before we can turn on "Block all public access" option on the bucket.

What does this change?

This pull request changes the library to read the public key file via AWS SDK S3 client instead of making direct HTTP requests. To achieve this, it makes the following changes:

1. Add an optional argument, 'localDev', to the main class 'PanDomainAuthentication` to indicate whether the applicant is running locally or in AWS.
2. Load the AWS credential based on the localDev argument.
3. Create S3 client object and use it to download the public key from S3 bucket.
4. Pull in the AWS SDK bundle for S3 and credential providers.
5. Update some dependencies so that they can work with the AWS SDK.

How to test

I modified the app image-url-signing-service to pull in the local version of this library and started the app locally.

• get redirected to login.gutools page for authentication when I open a page on the local image URL signing service.
• get back to the image-url-signing-service page successfully after authentication.

[changeset-bot]

🦋 Changeset detected

Latest commit: cc5ce32

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@guardian/pan-domain-node	Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[SHession]

These changes make sense, have they been tested using npm-link on any of the consuming apps?

Looks like a most consumer may be a few version behind so it may be some work to get the up-to-date: https://www.npmjs.com/package/@guardian/pan-domain-node?activeTab=versions

[SHession]

Can we update the README with some detail about this change? What local credentials and level of access will people need for this to work?

[waisingyiu]

Good point, I'll update the README.

At the moment, we grant the GetObject permission on the bucket to any IAM under a (fairly broad) list of AWS accounts (such as composer, cms-fronts, mobile etc). So the execution environment requires credential of any IAM users under these account. I'll add this to the README.

[SHession]

Presumably any environment running this in AWS will need to be configured with read access to S3 bucket. In some cases will require cross-account permissions to be set up. This would be worth mentioning in the documentation.

[waisingyiu]

These changes make sense, have they been tested using npm-link on any of the consuming apps?

Looks like a most consumer may be a few version behind so it may be some work to get the up-to-date: https://www.npmjs.com/package/@guardian/pan-domain-node?activeTab=versions

yes, I tested the changes locally with these consuming apps: ten_four-quiz-builder and image URL signing. They were on version 0.4 and so, yes, I need to make changes for bumping their pan-domain-node to 1.0.

[SHession]

These changes make sense, have they been tested using npm-link on any of the consuming apps?
Looks like a most consumer may be a few version behind so it may be some work to get the up-to-date: https://www.npmjs.com/package/@guardian/pan-domain-node?activeTab=versions

yes, I tested the changes locally with these consuming apps: ten_four-quiz-builder and image URL signing. They were on version 0.4 and so, yes, I need to make changes for bumping their pan-domain-node to 1.0.

This is great! I was planning to do some testing myself, but looks like you're way ahead of me.

[SHession]

It might be worth clarifying your description a bit. Technically we are using a bucket in the Workflow account. However, this package is publicly available and could be utilised by others who are using Panda in a non-guardian environment. Therefore we can't assume that consumers of this library are going to be using the Guardian bucket.

To avoid this assumption, we could remove references to the specific account and bucket and just mention bucket / object access is required. We could also link to the Panda documentation if that would be useful: https://github.com/guardian/pan-domain-authentication.

[waisingyiu]

A very good point. I've updated the readme to make it more general.

I've also added an argument to PanDomainAuthentication for the AWS profile name, which is used when the application is running locally. Previously I assumed that it was Workflow.

[SHession]

I hadn't thought about this but it makes sense to change this too!

I was wondering if we should have a single argument to control both. For example localDev being an optional string, which when provided overrides the nodeProviderChain. I'm not quite sure on this, but two arguments which are co-dependent also feels a little clunky.

Maybe the argument should be an optional credentials type for greater flexibility?

[waisingyiu]

A good idea! I've made the change in the last commit.

[SHession]

Looks great! Can we update the README to reflect this too

[waisingyiu]

Sure, I've updated the README.

[SHession]

Looks great!