Cross-tenant URL signing

Steps to reproduce

Both the URL Singing REST Endpoint and the External API - Security Endpoint can be used by authorized users to sign URLs.
Since signing keys do not belong to specific organizations (tenants), any authorized user can indirectly use any signing key.

With other words: An authorized user of organization A can sign URLs of organization B that allows organization A to access distribution artefacts of organization B.

Activity

Show:

Stephen Marquard

July 11, 2017, 7:36 PM

Copy link to comment

Is this still an issue?

Sven Stauber

July 11, 2017, 8:24 PM

Copy link to comment

Yes, it is. Actually I've fixed this a while ago... but never find the time to test it so that's why you haven't seen a PR yet. Will take a while until this happens, but it will happen.

Greg Logan

December 2, 2017, 8:39 AM

Copy link to comment

I remember use briefly talking about this issue in the dev meeting, and I see the branch in -security. Is this ready for review/a PR?

Sven Stauber

December 4, 2017, 7:16 PM

Copy link to comment

Yes, it is ready for review.