[ts-http-runtime] Allow insecure bearer token policy #30206
Conversation
maorleger
requested review from
bterlson,
xirzec,
jeremymeng,
mpodwysocki,
joheredi and
a team
as code owners
|
|
||
| if (typeof process?.emitWarning === "function" && !emitInsecureConnectionWarning.warned) { | ||
| emitInsecureConnectionWarning.warned = true; | ||
| process.emitWarning(warning); |
There was a problem hiding this comment.
Kinda nice I thought
[vitest] (node:1358484) Warning: Sending bearer token over insecure transport. Assume any token issued is compromised.
[vitest] (Use `node --trace-warnings ...` to show where the warning was created)
There was a problem hiding this comment.
nice! I'd rather spam everytime this is being used instead of just once though :D
There was a problem hiding this comment.
hehe yeah I was originally thinking the same but looks like as a best practice we're expected to only emit warning once https://nodejs.org/api/process.html#avoiding-duplicate-warnings
Figured if that was important enough to put in the docs it's probably the right approach? But I want to make some noise so I figure what we can land on is:
- Emit the warning once per node's docs
- log the warning every since time
So at least if you have logging configured to warn you can see it every time. Not sure if we prefer a differnet approach? I am happy to change it!
|
API change check APIView has identified API level changes in this PR and created following API reviews. |
|
|
||
| if (typeof process?.emitWarning === "function" && !emitInsecureConnectionWarning.warned) { | ||
| emitInsecureConnectionWarning.warned = true; | ||
| process.emitWarning(warning); |
There was a problem hiding this comment.
nice! I'd rather spam everytime this is being used instead of just once though :D
| ): boolean { | ||
| if (options.allowInsecureConnection && request.allowInsecureConnection) { | ||
| const url = new URL(request.url); | ||
| if (url.hostname === "localhost" || url.hostname === "127.0.0.1") { |
There was a problem hiding this comment.
Initially for Event Hub emulator we limited to localhost too, but it turns out there are non-localhost scenarios too: other hosts on the same local subnet, containers behind a reverse proxy where HTTPS is no longer used. etc. Not sure if any applies to bearer token issurers though.
There was a problem hiding this comment.
I chose to ignore that for now, thinking that we can add IPv6 support if we encounter a need. I think most local development still uses IPv4 and/or localhost but maybe I'm just stuck in the past 😄
| @@ -45,6 +45,7 @@ export function addCredentialPipelinePolicy( | |||
| const tokenPolicy = bearerTokenAuthenticationPolicy({ | |||
| credential, | |||
| scopes: clientOptions?.credentials?.scopes ?? `${endpoint}/.default`, | |||
| allowInsecureConnection: clientOptions?.allowInsecureConnection ?? false, | |||
There was a problem hiding this comment.
Could be missing context here, but I am a tad concerned about plumbing through the option from the client options like this. This change will result in a behavioral difference between the Azure and unbranded Core packages that is difficult to reconcile -- when we get around to making the Azure packages depend on the unbranded package we will need to have a way to set allowInsecureConnection without having this affect the bearerTokenAuthenticationPolicy, in order to preserve the existing behavior. I have two ideas to resolve this issue, not sure if you have a preference or any other thoughts here:
- Add another property on the client options,
allowInsecureBearerTokenAuthor similar, to allow this behavior, and this additional property gets plumbed through instead, so that the behavior ofallowInsecureConnectionis unchanged. Azure Core can just not expose the new property. - Don't plumb the property through; if folks want to set
allowInsecureConnectionon thebearerTokenAuthPolicythey can remove the policy and re-add their own. This is obviously more complicated UX but perhaps that's not the worst thing honestly given we don't really want people doing this unless they truly have to?
There was a problem hiding this comment.
Thanks Timo! You're quite right on all accounts here. I know the concern for (2) was that replacing the policy will not be desired for Chat Protocol, it will be a significant complication to sample code. Doesn't mean we can't start with that and see if there's still pain.
(1) does sound enticing, @bterlson what do you think? Any preferences here since you're likely closest to the folks asking for this?
There was a problem hiding this comment.
2 is off the table. I'm not opposed to 1, but I would prefer to get clarity on whether we can't just have this for Azure's policy as well. I think we are assuming that we can't for reasons, but can we verify?
There was a problem hiding this comment.
Yes, my comment is assuming that we want to keep the status quo for Azure -- as I said, I am lacking context... The concern appears related to being able to intercept an active AAD token due to this (1, 2). I am no security expert but the reasoning seems logical to me -- that's not to say we can't revisit it. @joheredi may have more context since he authored the original PR to enable this which was reverted?
Clearly I am missing a lot of background around the motivation for this feature and why we need it now -- it sounds like we have a customer looking to use the unbranded package and this is a requirement for them? Is there a way for me to learn more about this? Just so I can understand what problem we are trying to solve here.
There was a problem hiding this comment.
Are we making this change for Azure as well then?
There was a problem hiding this comment.
Good Q Timo, let me get more clarity on that and get back to you
|
Closing per offline conversation - once the right sec folks sign off we can reopen this PR 👍 |
|
API change check APIView has identified API level changes in this PR and created following API reviews. |
| request: PipelineRequest, | ||
| options: BearerTokenAuthenticationPolicyOptions, | ||
| ): boolean { | ||
| if (options.allowInsecureConnection && request.allowInsecureConnection) { |
There was a problem hiding this comment.
I think I prefer using an environment variable for this since it eliminates changing the client options between Azure and unbranded core and also is less likely to be accidentally checked in
|
Hi @maorleger. Thank you for your interest in helping to improve the Azure SDK experience and for your contribution. We've noticed that there hasn't been recent engagement on this pull request. If this is still an active work stream, please let us know by pushing some changes or leaving a comment. Otherwise, we'll close this out in 7 days. |
github-actions
bot
added
the
no-recent-activity
Issues associated with this PR
N/A
Describe the problem that is addressed by this PR
For third-party services, there is a desire to allow local bearer authentication over HTTP. While this is not a pattern that Azure would ever use or recommend, it should be allowed at the discretion of a third-party SDK maintainer.
This PR extends the policy inside ts-http-runtime to add an additional option for disabling the transport check.
What are the possible designs available to address the problem? If there are more than one possible design, why was the one in this PR chosen?
It's possible to only consult the existing allowInsecureConnection on the pipeline request, but because we have a strong desire to consolidate our Azure-branded core on top of this package, I thought it best to make this switch opt-in at the policy level so we don't accidentally end up enabling it for Azure SDKs.
Are there test cases added in this PR?
Yes
Provide a list of related PRs
Builds off of #30193
#17749