Closed dromazmj closed 6 years ago
Below are some of the links and other data we found in our hacking; the gists show how you can configure Devise to use the REST API auth.
For example: https://medium.com/@goncalvesjoao/rails-devise-jwt-and-the-forgotten-warden-67cfcf8a0b73
and: https://github.com/lynndylanhurley/devise_token_auth
19:15:26 From Aaron Lippold : https://github.com/djhaynes/inspec-profile-disa_stig-el7/tree/dev
20:17:33 From Aaron Lippold : https://github.com/dev-sec/linux-patch-baseline/blob/master/libraries/linux_updates.rb#L207
20:53:41 From Aaron Lippold : https://developer.fedoraproject.org/tech/languages/ruby/ror-installation.html
21:06:06 From Aaron Lippold : https://developer.fedoraproject.org/tech/languages/ruby/ror-installation.html
21:11:17 From Aaron Lippold : http://www.baeldung.com/jenkins-pipelines
21:20:28 From Aaron Lippold : https://bundler.io/v1.12/git.html
21:25:45 From Aaron Lippold : yum groups install "Development Tools"
21:45:30 From Aaron Lippold : yum install libxml2 libxml2-devel
22:30:34 From Aaron Lippold : https://blog.bigbinary.com/2016/04/06/rails-5-default-protect-from-forgery-prepend-false.html
22:53:29 From Aaron Lippold : https://stackoverflow.com/questions/8943861/how-can-i-upload-a-file-to-my-ruby-on-rails-app-using-curl-cli
22:56:06 From Aaron Lippold : http://www.maximporges.com/2011/03/02/using-curl-with-a-web-site-secured-by-rails-authenticity-token/
23:07:23 From Aaron Lippold : https://www.codementor.io/omedale/simple-approach-to-rails-5-api-authentication-with-json-web-token-cpqbgrdo6
23:11:28 From Aaron Lippold : https://gist.github.com/vishalzambre/712f031f3206474af76c
23:19:22 From Aaron Lippold : rails s --binding=0.0.0.0
23:24:48 From Aaron Lippold : https://stackoverflow.com/questions/29417328/how-to-disable-cannot-render-console-from-on-rails
23:32:15 From Aaron Lippold : Another way to turn off CSRF that won't render a null session is to add:
skip_before_action :verify_authenticity_token in your Rails Controller. This will ensure you still have access to session info.
Again, make sure you only do this in API controllers or in other places where CSRF protection doesn't quite apply.
23:32:51 From Aaron Lippold : https://stackoverflow.com/questions/35181340/rails-cant-verify-csrf-token-authenticity-when-making-a-post-request
00:49:33 From Aaron Lippold : https://askubuntu.com/questions/159007/how-do-i-run-specific-sudo-commands-without-a-password
00:51:58 From Aaron Lippold : user host = (root) NOPASSWD: /sbin/reboot
01:01:36 From Aaron Lippold : https://gist.github.com/hayderimran7/9246dd195f785cf4783d
We want to be able to run curl commands from other systems to upload an evaluation.