
I want to use Publish To Azure Service Bus VSTS server task and verify on the recipient side the VSTS user, project and account from which the published message originated. According to task.json related information is being posted onto the service bus, but for my purposes this is not secure, as I want to protect myself against client spoofing the information. Multiple different VSTS users, projects and accounts will be using the task. Once a client of the task has credentials to post to the service bus, she can spoof the data.

Does VSTS provide a tamper-proof identity provisioning of the message publisher? The message has auth token, but it appears to serve different purpose: it is used to authenticate to VSTS and has no identity claims in it.

Konrad Jamrozik
  • No, there isn't. What's the data that you can use to verify? – starian chen-MSFT Jun 22 '18 at 08:03
  • The requirement is that members of multiple projects within Microsoft post to the same service bus, and our service, reading from the service bus, has to guarantee that a member of one project cannot post on behalf of a different project. We would like to have at least VSTS-project-level granularity, possibly even user-level. In the linked `task.json` that would be the `ProjectId` key. The workaround solution we are considering is to write a VSTS extension that modifies the built-in task by adding an additional shared secret, which our service will check against to prevent spoofing. – Konrad Jamrozik Jun 22 '18 at 08:18
  • We have recently added an option to sign the message payload in the azure service bus task. Will that work for you? – Aseem Bansal Jun 25 '18 at 07:17

2 Answers


You can include the necessary information in the Message body; otherwise, you need a custom release task.

```json
{"requestUserId":"$(Release.RequestedForId)","requestUser":"$(Release.RequestedFor)"}
```
starian chen-MSFT
  • That's correct, but I am afraid somebody can impersonate the user ID, by sending forged message. I was hoping VSTS provides such information in a tamper-proof manner, e.g. encoded as a Claim in the OAuth token. However, this is not the case. – Konrad Jamrozik Jun 22 '18 at 16:26
  • There isn't such a feature in the Azure Service Bus task; you may customize the task through a VSTS extension. – starian chen-MSFT Jun 25 '18 at 05:19
  • Starian, I think there is such feature. See [my answer](https://stackoverflow.com/a/51035492/986533) – Konrad Jamrozik Jun 26 '18 at 05:34

As pointed out by Aseem Bansal, the Publish To Azure Service Bus VSTS server task has a new feature: Signing properties. One can provide a Certificate Variable, which is a shared secret between the sender (VSTS extension) and the recipient (the service consuming messages from the Service Bus). The value of such a variable should be kept as a secret variable. This solves the issue, as any spoofing attempts can be blocked by checking against the presence of the shared secret in the Service Bus message (the recipient has to keep a mapping of which senders should know which secrets). The scope of who knows the secret can be controlled by who can view the VSTS build/release definition secret variables and submit builds/releases from a given definition. I believe VSTS has fairly fine-grained control over it, down to the level of specific users.

Konrad Jamrozik
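An added example (not the task's own implementation, nor code from either answer) of the recipient-side check this answer describes: the consumer keeps a mapping from `ProjectId` to that project's shared secret and accepts a message only if its signature verifies under the secret of the project it claims to come from, so a member of one project who only holds their own secret cannot post as another project. The signature format (HMAC-SHA256 over the raw body, carried in a `signature` application property), the property names and the project IDs are assumptions for the illustration, not the task's actual wire format.

```python
import hashlib
import hmac
import json

# Constructed recipient-side keyring: VSTS ProjectId -> shared secret for that
# project (in the real setup, the value of the project's secret variable).
PROJECT_SECRETS = {
    "11111111-aaaa-4bbb-8ccc-000000000001": b"project-alpha-secret",
    "11111111-aaaa-4bbb-8ccc-000000000002": b"project-beta-secret",
}


def sign_body(body: bytes, secret: bytes) -> str:
    """HMAC-SHA256 over the raw body, hex encoded (assumed signature format)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_message(body: bytes, properties: dict) -> bool:
    """Accept only if the signature verifies under the claimed ProjectId's secret.

    properties is the Service Bus application-property dict; it is assumed to
    carry 'ProjectId' (as in task.json) and the assumed 'signature' property.
    """
    secret = PROJECT_SECRETS.get(properties.get("ProjectId"))
    if secret is None:
        return False  # unknown or missing project: no secret to check against
    expected = sign_body(body, secret)
    presented = properties.get("signature", "")
    # Constant-time comparison so a forger cannot learn the digest byte by byte.
    return hmac.compare_digest(expected, presented)


def make_message(project_id: str, secret: bytes, payload: dict):
    """Build (body, properties) the way a sender holding `secret` would (constructed helper)."""
    body = json.dumps(payload, sort_keys=True).encode()
    return body, {"ProjectId": project_id, "signature": sign_body(body, secret)}


if __name__ == "__main__":
    alpha = "11111111-aaaa-4bbb-8ccc-000000000001"
    beta = "11111111-aaaa-4bbb-8ccc-000000000002"
    # Genuine message from project alpha, signed with alpha's secret.
    body, props = make_message(alpha, PROJECT_SECRETS[alpha], {"requestUser": "ana"})
    print("genuine:", verify_message(body, props))  # True
    # A beta member claims ProjectId alpha but only knows beta's secret.
    body, props = make_message(alpha, PROJECT_SECRETS[beta], {"requestUser": "ana"})
    print("spoofed ProjectId:", verify_message(body, props))  # False
```

Note that identity fields placed only in the body, as in the other answer, are accepted by nothing here unless the matching project secret also signed that body.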