Weaver: Workflow Execution Management Service (EMS); Application, Deployment and Execution Service (ADES); OGC API - Processes; WPS; CWL Application Package
When an authentication is required to submit a workflow execution, or required for any of the underlying processes involved in the workflow, relevant authorization headers, cookies, etc. must be provided. Given that nested processes could be hosted on various infrastructures and remote locations, ensuring that the appropriate authentications are only passed to the relevant server is primordial.
How to Reproduce
Define a test that requires a process chain in a workflow, for which distinct host servers are targeted by the steps.
Define an authorization requirement for executing the processes, making sure that the same authorization method cannot be used between the process (each has their own access). The workflow itself should also have its own authorization.
Submit the request to execute the workflow, ensuring it succeeds.
Validate (using mocks/wrapper of received execution requests), that only the applicable auth parameters were passed to the respective processes. Any mismatch by host would be a failure.
Known Solutions
Use urllib3's ProxyManager to filter applicable Proxy-Authenticate for the relevant host targeted by the request.
Describe the security issue
When an authentication is required to submit a workflow execution, or required for any of the underlying processes involved in the workflow, relevant authorization headers, cookies, etc. must be provided. Given that nested processes could be hosted on various infrastructures and remote locations, ensuring that the appropriate authentications are only passed to the relevant server is primordial.
How to Reproduce
Known Solutions
Use
urllib3'sProxyManagerto filter applicableProxy-Authenticatefor the relevant host targeted by the request.Additional References
Proxy-AuthenticateandWWW-Authenticatehandling when performing redirects)Context