vrk-kpa / xroad-joint-development

Unmaintained repository. Development moved to: https://github.com/nordic-institute/X-Road-development

As a Security Server Administrator I want that the security of 'Retrieving WSDL of a Service' Meta Service method is improved so that unauthorized service calls cannot be executed #165

Closed hanhaka closed 6 years ago

hanhaka commented 7 years ago

Affected components: Meta services

Affected documentation: Security Server user manual, Service Metadata Protocol and System Parameters User Guide

Estimated delivery: Q4/2017

External reference: https://jira.csc.fi/browse/PVAYLADEV-1026

Problem

Currently any client calling HTTP GET WSDL with SSL turned on can execute an X-Road SOAP request using the identity of the owner of the calling Security Server. Also, at the moment the implementation does not validate if the client has a certificate or if the certificate is registered to a known client or to the owner of the Security Server: the request is always made using the identity of the owner of the calling Security Server. (However, note that executing a GetWsdl X-Road SOAP request should not raise any major security issues, but it is against the X-Road security policy.)

In addition, when connecting to the local X-Road proxy to send the WSDL request as a regular X-Road message with POST, the WSDL metaservice should use the connection type that the proxy requires.

To improve the security, the following implementation changes should be made:

  1. (A bug fix) When connecting to the local X-Road proxy to send the WSDL request as a regular X-Road message, the GET WSDL metaservice should use the connection type the member-level X-Road proxy requires (HTTPS, HTTPS NO AUTH, HTTP). The metaservice/wsdl processor will use the Internal TLS certificate for the security server when using an HTTPS connection to the local X-Road proxy (the certificate can always be offered though the proxy might not always require it).

  2. (A new feature) The WSDL GET request processing should be enabled/disabled via a new system property added to proxy.ini, tentatively called allow-get-wsdl-request (default=false). The default is to only allow POST WSDL requests for new package installations.

  3. (A new feature) To allow old installations to use the GET WSDL service indefinitely, the package upgrade process is tweaked so that an existing installation upgraded from an older version of X-Road, which has the aforementioned system property neither in proxy.ini nor in local.ini, will have the property allow-get-wsdl-request=true added to its local.ini during installation.

Acceptance criteria

hanhaka commented 6 years ago

Fixed in 6.17.0, see: https://github.com/ria-ee/X-Road/pull/75
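
The upgrade rule from item 3 of the issue description, sketched as an added example; it is not part of the issue or of the X-Road packaging scripts. The `[proxy]` section name and the file paths passed as arguments are assumptions, and the property name is the tentative one given in the issue.

```shell
#!/bin/sh
# Added example of the upgrade rule in item 3; not X-Road packaging code.
PROP="allow-get-wsdl-request"  # tentative property name from the issue
SECTION="proxy"                # assumption: ini section that holds the property

# has_prop FILE: true if FILE sets PROP on an uncommented line (any value).
has_prop() {
    [ -f "$1" ] && grep -Eq "^[[:space:]]*${PROP}[[:space:]]*=" "$1"
}

# set_in_section FILE: add PROP=true under [SECTION], creating it if absent.
set_in_section() {
    file=$1
    tmp=$(mktemp) || return 1
    if [ -f "$file" ] && grep -Eq "^[[:space:]]*\[${SECTION}\][[:space:]]*$" "$file"; then
        awk -v sec="[$SECTION]" -v line="$PROP=true" '
            { print }
            !done { t = $0; gsub(/^[ \t]+|[ \t]+$/, "", t)
                    if (t == sec) { print line; done = 1 } }
        ' "$file" > "$tmp"
    else
        { [ -f "$file" ] && cat "$file"; printf '[%s]\n%s=true\n' "$SECTION" "$PROP"; } > "$tmp"
    fi
    # Write through the existing file so its owner and mode are kept.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# apply_upgrade_rule MODE PROXY_INI LOCAL_INI   (MODE: install | upgrade)
apply_upgrade_rule() {
    mode=$1 proxy_ini=$2 local_ini=$3
    if [ "$mode" != "upgrade" ]; then
        # New installation: write nothing, so the default (false) applies.
        echo "fresh-install: default applies"; return 0
    fi
    if has_prop "$proxy_ini" || has_prop "$local_ini"; then
        # An explicit setting, including false, is the administrator's choice.
        echo "unchanged: property already set"; return 0
    fi
    set_in_section "$local_ini" && echo "added: $PROP=true"
}

if [ "$#" -eq 3 ]; then apply_upgrade_rule "$@"; fi
```

Running the rule a second time is a no-op, and a commented-out occurrence of the property does not count as a setting.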