Block /api/s/ after installation #976

Closed
michbarsinai opened this issue Oct 19, 2014 · 7 comments

@michbarsinai
Member

This is the api point where all the "admin" stuff goes. Currently no blocking is done there.
Options:

  1. Allow from localhost only
  2. add a "block" call, that once called blocks that api endpoint. Unblocking done by altering a record in the database (possibly using the settings table).
  3. Others?
@michbarsinai
Member Author

This should also include the blocking of DatasetFieldServiceApi#loadDatasetFields

@michbarsinai michbarsinai added this to the In Review - Dataverse 4.0 milestone Oct 19, 2014
@scolapasta scolapasta modified the milestones: Dataverse 4.0: Final, In Review - Dataverse 4.0 Dec 8, 2014
@scolapasta scolapasta modified the milestones: Dataverse 4.0: Final, TEMP Jan 23, 2015
@bencomp
Contributor

bencomp commented Feb 26, 2015

I'm a bit surprised that even for some API GET calls you need an API key, but for serious admin stuff there is nothing (except for a "future IP whitelist"). How about a super super secret key and only access via HTTPS and only from localhost?

With Apache as a (reverse) proxy in front of Glassfish, you could filter requests to this path, but it sounds like a job for the firewall. (I haven't fully thought this one through, but you want a balance between security and manageability, i.e. making it secure in one place, but truly secure. In other words, the mechanism to make it secure must be transparent, but the key must be unbreakable.)

@michbarsinai
Member Author

There is nothing yet. There will be a key (most of them already have it), and there will be an option to shut it down. Java EE has a web filter mechanism that should be useful here.
I think localhost only is a good solution, except it might not work in some cloud settings (probably not a big problem yet). Any ideas of making it more secure are very much welcome.

@michbarsinai michbarsinai modified the milestones: Beta 14 - Dataverse 4.0, Dataverse 4.0: Final Mar 2, 2015
@michbarsinai
Member Author

Just make sure we can make it a config issue.
Add index-all call.

@michbarsinai
Member Author

See explanation at post-install-api-block.sh for full description of the new API blocking options.

@pdurbin
Member

pdurbin commented Mar 19, 2015

I just ran post-install-api-block.sh on https://apitest.dataverse.org and now when I try a search with

$ curl https://apitest.dataverse.org/api/search?q=*

I'm getting this:

{ status:"error", message:"Endpoint available from localhost only. Please contact the dataverse administrator"}

That... doesn't seem right. "search" is not in the list of BlockedApiEndpoints:

$ cat scripts/api/post-install-api-block.sh
#!/bin/bash

# Run this script post-installation, to block all the settings that 
# should not be available to the general public in a production Dataverse installation.
# Relevant settings:
#  - :BlockedApiPolicy - one of drop, localhost-only, unblock-key
#  - :BlockedApiKey - when using the unblock-key policy, pass this key in the unblock-key query param to allow the call to a blocked endpoint
#  - :BlockedApiEndpoints - comma separated list of blocked api endpoints.

curl -X PUT -d localhost-only http://localhost:8080/api/s/settings/:BlockedApiPolicy
curl -X PUT -d groups,s,index,datasetfield http://localhost:8080/api/s/settings/:BlockedApiEndpoints

I'm getting the same at https://dataverse-demo.iq.harvard.edu/api/search?q=*

@michbarsinai can you please adjust the script so the Search API is not disabled?

@pdurbin
Member

pdurbin commented Mar 19, 2015

@michbarsinai suggested looking at this part of the code (around line 144 of doFilter):

murphy:dataverse pdurbin$ git diff
diff --git a/src/main/java/edu/harvard/iq/dataverse/api/ApiBlockingFilter.java b/src/main/java/edu/harvard/iq/dataverse/api/ApiBlo
index 1d000c7..6c99bac 100644
--- a/src/main/java/edu/harvard/iq/dataverse/api/ApiBlockingFilter.java
+++ b/src/main/java/edu/harvard/iq/dataverse/api/ApiBlockingFilter.java
@@ -141,7 +141,7 @@ public class ApiBlockingFilter implements javax.servlet.Filter {
         HttpServletRequest hsr = (HttpServletRequest) sr;
         String apiEndpoint = canonize(hsr.getRequestURI().substring(hsr.getServletPath().length()));

-        for ( String prefix : blockedApiEndpoints ) {
+        for ( String prefix : blockedApiEndpoints ) { // look here
             if ( apiEndpoint.startsWith(prefix) ) {
                 getBlockPolicy().doBlock(sr, sr1, fc);
                 return;
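Review bot: `apiEndpoint.startsWith(prefix)` compares raw characters rather than path segments, so the blocked entry `s` also matches `search` (and `index` would match any endpoint whose name merely begins with `index`); that is exactly the behaviour reported above, where `/api/search?q=*` came back with the localhost-only error. The loop should match on segment boundaries, for example `apiEndpoint.equals(prefix) || apiEndpoint.startsWith(prefix + "/")`, or canonize both sides with a trailing slash before comparing, so that `s/settings/...` is still blocked while `search` is not.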
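The mismatch pdurbin describes above (the entry `s` in :BlockedApiEndpoints also blocking `/api/search`) comes down to how the blocked-prefix comparison is done, and the script comments earlier in the thread describe three :BlockedApiPolicy values. The following is an added example that models both, written here for this issue; it is not Dataverse's Java filter, and the names `Request`, `decide`, `parse_blocked_endpoints` and the exact behaviour of `canonize` are assumptions. It shows the plain `startsWith` behaviour from the diff beside a segment-boundary comparison, and applies the drop, localhost-only and unblock-key policies to constructed requests.

```python
"""Model of the blocked-endpoint check discussed in this issue.

Added example, not Dataverse's own code (the real check is the Java servlet
filter ApiBlockingFilter shown in the diff). Modelled here:
  - the three :BlockedApiPolicy values from post-install-api-block.sh
    (drop, localhost-only, unblock-key) and the :BlockedApiKey setting
  - the comma-separated :BlockedApiEndpoints list
  - why startsWith(prefix) with the entry 's' also blocks 'search', and a
    segment-boundary comparison that does not.
All names and the request shape below are assumptions for this example.
"""
import hmac
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Addresses treated as "localhost" under the localhost-only policy (assumed set).
LOCALHOST_ADDRS = {"127.0.0.1", "::1", "0:0:0:0:0:0:0:1"}


def canonize(path: str) -> str:
    """Normalise an endpoint path: drop empty segments and surrounding slashes.
    Assumed approximation of the filter's canonize(); '/s/settings/' -> 's/settings'."""
    return "/".join(seg for seg in path.split("/") if seg)


def parse_blocked_endpoints(setting: str) -> List[str]:
    """Parse a :BlockedApiEndpoints value such as 'groups,s,index,datasetfield'."""
    return [canonize(e) for e in setting.split(",") if e.strip()]


def matches_char_prefix(endpoint: str, prefix: str) -> bool:
    """The behaviour in the diff: plain startsWith, so 's' matches 'search'."""
    return endpoint.startswith(prefix)


def matches_segment_prefix(endpoint: str, prefix: str) -> bool:
    """Match on whole path segments only: 's' matches 's' and 's/settings',
    but not 'search'."""
    return endpoint == prefix or endpoint.startswith(prefix + "/")


@dataclass
class Request:
    """Constructed stand-in for the servlet request: the path after /api,
    the caller's address, and the optional unblock-key query parameter."""
    path: str
    remote_addr: str
    unblock_key: Optional[str] = None


def decide(req: Request, blocked: Iterable[str], policy: str,
           block_key: Optional[str] = None,
           matcher: Callable[[str, str], bool] = matches_segment_prefix) -> str:
    """Return 'allow' or 'blocked' for one request under the given policy."""
    endpoint = canonize(req.path)
    if not any(matcher(endpoint, p) for p in blocked):
        return "allow"                      # not a blocked endpoint at all
    if policy == "drop":
        return "blocked"                    # blocked for every caller
    if policy == "localhost-only":
        return "allow" if req.remote_addr in LOCALHOST_ADDRS else "blocked"
    if policy == "unblock-key":
        # Constant-time comparison; an unset :BlockedApiKey means nothing unblocks.
        if (block_key and req.unblock_key is not None
                and hmac.compare_digest(req.unblock_key, block_key)):
            return "allow"
        return "blocked"
    raise ValueError(f"unknown :BlockedApiPolicy {policy!r}")


if __name__ == "__main__":
    blocked = parse_blocked_endpoints("groups,s,index,datasetfield")
    search = Request("/search", "203.0.113.10")          # constructed outside caller
    print("search, startsWith:", decide(search, blocked, "localhost-only",
                                         matcher=matches_char_prefix))
    print("search, segments  :", decide(search, blocked, "localhost-only"))
    admin = Request("/s/settings/:BlockedApiPolicy", "203.0.113.10")
    print("admin from outside:", decide(admin, blocked, "localhost-only"))
```

Run as-is, the first line shows the reported symptom (search blocked), the second shows that segment matching leaves search alone, and the third shows the admin endpoint under /s/ still blocked for a non-local caller. The default matcher in `decide` is the segment-boundary one; pass `matcher=matches_char_prefix` to reproduce the behaviour of the diff.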

@michbarsinai michbarsinai removed their assignment Mar 24, 2015
@kcondon kcondon self-assigned this Apr 1, 2015
pdurbin added a commit that referenced this issue Jan 28, 2016
- Glassfish init script #2640
- Solr init script #2401
- more on blocking endpoints #976
- documented :SystemEmail #2663
- a bit on admin and monitoring
- reinstalling fresh

6 participants