Rubrik : Using Token-based authentication for REST-API Calls

Background

With the raise of API-driven systems, the need of extra security appeared. When doing a simple API call using simple credentials like username and password you might face some security leaks like stolen credentials. When using a token, you have an expiration time so worst case if the token got stolen it will disappear in the cyberspace once his expiry is reached !

Token Token Token!!!

 Rubrik API stack allows the usage of token. The API to use is under /api/internal/session. From there you have access to token creation/deletion.

Function in my framework to create a new token :

function rkGenToken($clusterConnect,$duration)
{
$API="/api/internal/session";

 $config_params="
{
   \"initParams\":
   {
     \"apiToken\":
     {
       \"expiration\": ".$duration.",
       \"tag\": \"API Generated Token\"
     }
   }
}
";

 $curl = curl_init();
   
curl_setopt($curl, CURLOPT_POST, 1);
curl_setopt($curl, CURLOPT_POSTFIELDS,$config_params);
curl_setopt($curl, CURLOPT_USERPWD, $clusterConnect["username"].":".$clusterConnect["password"]);
curl_setopt($curl, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/json','Content-Length: ' . strlen($config_params),'Accept: application/json'));
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($curl, CURLOPT_URL, "https://".$clusterConnect["ip"].$API);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);

 $result = curl_exec($curl);
curl_close($curl);

 return json_decode($result);
}

This is of course still using standard credentials mechanism but this is almost the last time!

Removing the token : 

function rkDelToken($clusterConnect,$tokenID,$userId)
{
$API="/api/internal/session/bulk_delete";

$config_params="
{
  \"tokenIds\": [
\"".$tokenID."\"
  ],
  \"userId\": \"".$userId."\"
}
";

$curl = curl_init();
   
curl_setopt($curl, CURLOPT_POST, 1);
curl_setopt($curl, CURLOPT_POSTFIELDS,$config_params);
curl_setopt($curl, CURLOPT_USERPWD, $clusterConnect["username"].":".$clusterConnect["password"]);
curl_setopt($curl, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/json','Content-Length: ' . strlen($config_params),'Accept: application/json'));
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($curl, CURLOPT_URL, "https://".$clusterConnect["ip"].$API);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);

$result = curl_exec($curl);
$info=curl_getinfo($curl,CURLINFO_HTTP_CODE);

curl_close($curl);

if($info=="204") return TRUE;
else return FALSE;
}

Now that you can manipulate tokens easily, you can use it. I have modified one of my functions that get the cluster info to make good use of token : 

function rkGetClusterDetails_t($clusterConnect,$token)
{
$API="/api/v1/cluster/me";

$curl = curl_init();
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/json',$token));
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($curl, CURLOPT_URL, "https://".$clusterConnect["ip"].$API);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($curl);
curl_close($curl);
return $result;
}

In order to generate the token needed for the function, I'm using the rkGenToken function :

$tmp=rkGenToken($clusterConnect,"60");

$token=$tmp->session->token;
$authorization = "Authorization: Bearer ".$token;

So, I can call the rkGetClusterDetails_t function this way :

rkGetClusterDetails_t($clusterConnect,$authorization);
Note : the $duration for the token is expressed in minutes.

 Every tokens are stored into the Rubrik cluster and you can see evidence on the UI.



What you see above is not the token itself, this is the ID of the token, there is no way to see the token itself you only see it when generated. There is also a note of the last usage (date/time) and from what IP it has been used. 

A token is similar to this :

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJmNzU4NWIwNC1iMDJiLTRhMjMtYjk4Ny00N2Q4MDZlYWIzOTMiLCJpc3MiOiJjYjJiYjgxZC00Y2JlLTQzYjEtYTY5MC00ODQxMGUyY2FlMDMiLCJqdGkiOiJkMzY0MWY4MC00YzU3LTQwYmUtOWZmNC1jYjk2ZGUxNGE5NDcifQ.ibJB0cGjcaNTTYxiGJusD2N9tFaDx8-7MMZM7Wery6A

I did not had the time to do some benchmarks yet, but that should bring some speed improvements in the various REST-API calls. At least, this is adding security.

To be continued !

Comments

Post a Comment

Thank you for your message, it has been sent to the moderator for review...

What's hot ?

ShredOS : HDD degaussing with style

Image
Background Have you ever had the need to properly erase HDD or SSD before disposing them ? Or selling them ? You do not want to have someone else playing around with your data right ? What we usually do is using a bootable Linux Live CD and use dd style command to write random data on the disk right ? But what if you have 10 disks in your machine ? What if you need a report to proof the world that wiping is a success ? I came across this challenge recently.
Read more

Mac OS X : Display images in-line with terminal

Image
Backgound This time, this is a MacOS tip ! You have a list of files in the terminal window in front of you, some are pictures, some are texts. For text files, this is easy to quickly issue a "more" or "cat" so you immediately figure out what it is. For a picture, this is another story, you need an image viewer. Whatever the speed and simplicity of this editor, you need to load a 3rd party application and switch to it, this is not very handy. What if you could see this image directly from the terminal ? 
Read more