Open mdellweg opened 2 years ago
Should we only do this if HIDE_GUARDED_DISTRIBUTIONS=True?
https://github.com/pulp/pulpcore/issues/3061#issuecomment-1241742479
For obscuration purposes I presume? (If you were spraying requests you could theoretically uncover which protected directories exist based on getting not-found or access-denied).
Correct.
I agree that this may be a valid concern, but I think that would be a separate issue. Should we have one filed?
I think we should distinguish between 404 and 403; in case a user presents an invalid client cert, he should receive 403, imo.
Invalid-cert should always short-circuit to 403, concur. If you have a valid cert, but it doesn't allow access to the path you're requesting, I think that should also be a 403 - even if that path doesn't exist. If your cert doesn't give you access to a Thing, "you're not allowed there" is all the info you should get back. If your cert does allow access to a distribution-path that doesn't exist - then you should get a 404. "You're allowed there, but there's nobody home, sorry."
That's my 0.02 anyway
I agree, plus to add: if a user comes without any cert then he should get 404 right away.
Worth noting, when I make a request against the RH CDN without a certificate, I get 401, not 403.
Correct according to my reading of the standard - "The HyperText Transfer Protocol (HTTP) 401 Unauthorized response status code indicates that the client request has not been completed because it lacks valid authentication credentials for the requested resource." So maybe 401 for invalid-cert as well? 403 for valid-cert-but-not-that-path, 404 for valid-cert-allowed-path-doesn't-exist?
Given that HIDE_GUARDED_DISTRIBUTIONS=True is enabled, maybe we should have:
401 for non existent path
401 for no cert ( even if trying to access a path that does not exist)
403 for invalid cert
403 valid-cert-but-not-that-path
404 valid-cert-allowed-path-doesn't-exist
This way the information will not leak whether there is protected or not protected content.
401 for non existent path
So, no-cert and invalid-cert "win", before we care about paths. valid-cert returns 403 if not-allowed, 404 if allowed-but-doesn't-exist. How is "non-existent path" different from "path-doesn't-exist"? Does "non-existent" mean "you didn't give me a path at all"?
No, I meant a user is trying to access a path that does not exist, meaning that it is not guarded effectively by anything. So then it feels like 401 for non existent path and 401 for no cert is the same, because it would fail in the check for the cert which was not provided.
OK, I think that works for me. no-cert returns 401 always, we don't check anything else. Bad-cert returns 403 always, we don't check anything else. Good-cert returns 403 for "you're not allowed in that room", 404 for "that room doesn't exist", and otherwise you get what you asked for :)
Can we even check a cert before we identified the Cert-guard? What about other (non-cert based) content-guards? What happens if you hit a non protected distribution? That last one should still 200, right?
What happens if you hit a non protected distribution? That last one should still 200, right?
Yes. One will get 200 whether it is hidden or not: https://github.com/pulp/pulpcore/pull/3768/files
For obscuration purposes I presume? (If you were spraying requests you could theoretically uncover which protected directories exist based on getting not-found or access-denied).
Originally posted by @dralley in https://github.com/pulp/pulpcore/issues/3061#issuecomment-1228812641
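The status-code ladder the thread converges on (no cert 401, invalid cert 403, valid cert 403/404 depending on the path, unguarded distribution 200 regardless) written out as a small decision function, with a check for the enumeration concern raised at the start of the discussion. This is an added illustration, not pulpcore code: the `Distribution`/`ClientCert` types, the `DISTRIBUTIONS` table, the CN-based guard and the sample base paths are all constructed for the example.

```python
"""Status-code policy for content-guarded distributions as agreed in the thread.

Added example; not pulpcore's implementation. Distribution, ClientCert,
DISTRIBUTIONS and the CN-based guard are hypothetical stand-ins.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class ClientCert:
    cn: str        # subject common name presented by the client
    valid: bool    # True if the cert chains to the guard's trusted CA


@dataclass(frozen=True)
class Distribution:
    guarded: bool                # a content guard is attached
    allowed_cns: FrozenSet[str]  # CNs the (hypothetical) cert guard admits


# Constructed sample table keyed by base_path.
DISTRIBUTIONS: Dict[str, Distribution] = {
    "public/rhel9": Distribution(guarded=False, allowed_cns=frozenset()),
    "secret/rhel9": Distribution(guarded=True, allowed_cns=frozenset({"alice"})),
    "secret/rhel8": Distribution(guarded=True, allowed_cns=frozenset({"bob"})),
}


def status_for(path: str, cert: Optional[ClientCert]) -> int:
    """Return the HTTP status the content app should answer with.

    Order matters: the client's credential state is decided before the
    path is inspected, so a no-cert or invalid-cert client receives the
    same answer whether or not a guarded path exists at that base_path.
    """
    dist = DISTRIBUTIONS.get(path)

    # An unguarded distribution is served regardless of credentials.
    if dist is not None and not dist.guarded:
        return 200

    # From here on the path is either guarded or does not exist at all.
    if cert is None:
        return 401  # no credentials: nothing else is checked
    if not cert.valid:
        return 403  # bad credentials: nothing else is checked

    # Valid cert: only now may the answer depend on the path.
    if dist is None:
        return 404  # allowed there, but nobody home
    if cert.cn not in dist.allowed_cns:
        return 403  # exists, but this cert may not enter
    return 200


def distinguishes_paths(cert: Optional[ClientCert], existing: str, missing: str) -> bool:
    """True if a client in this credential state gets different answers for
    an existing guarded path and a path that does not exist. The policy is
    meant to make this False for no-cert and invalid-cert clients; a valid
    cert is allowed to see the 403/404 difference."""
    return status_for(existing, cert) != status_for(missing, cert)
```

Calling `distinguishes_paths(None, "secret/rhel9", "nope/xyz")` returns `False`, as does the same call with an invalid cert, which is the property the 401/403-before-path-lookup ordering buys; with a valid cert that is not on the allow list the answers differ (403 versus 404), which the thread accepts as information only credentialed clients should get.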