How to verify the publisher of a message to a service bus using VSTS server-based task?


Problem description

I want to use the Publish To Azure Service Bus VSTS server task and verify on the recipient side the VSTS user, project and account from which the published message originated. According to task.json, related information is being posted onto the service bus, but for my purposes this is not secure, as I want to protect myself against a client spoofing the information. Multiple different VSTS users, projects and accounts will be using the task. Once a client of the task has credentials to post to the service bus, she can spoof the data.

Does VSTS provide tamper-proof identity provisioning of the message publisher? The message has an auth token, but it appears to serve a different purpose: it is used to authenticate to VSTS and has no identity claims in it.

Recommended answer

As pointed out by Aseem Bansal, the Publish To Azure Service Bus VSTS server task has a new feature: Signing properties. One can provide a Certificate Variable, which is a shared secret between the sender (VSTS extension) and recipient (the service consuming messages from the Service Bus). The value of such a variable should be kept as a secret variable. This solves the issue, as any spoofing attempts can be blocked by checking against the presence of the shared secret in the Service Bus message (the recipient has to keep a mapping of which senders should know which secrets). The scope of who knows the secret can be controlled by who can view the VSTS build/release definition secret variables and submit builds/releases from a given definition. I believe VSTS has fairly fine-grained control over it, to the level of specific users.
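The recipient-side check the answer describes, written out as an added example that is not part of the original post and not the Publish To Azure Service Bus task's own code. It assumes hypothetical application property names (`account`, `project`, `user`, `buildId`, `signature`) and constructed secrets; the task's real signing format may differ. Rather than looking for the shared secret itself inside the message, it keys an HMAC-SHA256 with that secret over the identity properties, so the secret never leaves either side and any edit of a signed field after signing is detected. The per-sender secret registry is the "mapping of which senders should know which secrets" from the answer.

```python
import hmac
import hashlib

# Recipient-side registry mapping a VSTS sender (account, project) to the shared
# secret that sender's build/release definition stores as a secret variable.
# Constructed sample values for this example.
SENDER_SECRETS = {
    ("contoso", "payments"): b"contoso-payments-shared-secret",
    ("fabrikam", "website"): b"fabrikam-website-shared-secret",
}

# Properties bound by the signature. Every field the recipient will trust as
# identity must be in here, otherwise it could be edited after signing.
SIGNED_FIELDS = ("account", "project", "user", "buildId")


def canonical_bytes(props):
    """Serialise the signed properties in a fixed order so both sides hash identical bytes."""
    return "\n".join(f"{name}={props.get(name, '')}" for name in SIGNED_FIELDS).encode("utf-8")


def sign_properties(props, secret):
    """Sender side (stands in for the task's signing step): HMAC-SHA256 keyed with the shared secret."""
    return hmac.new(secret, canonical_bytes(props), hashlib.sha256).hexdigest()


def make_message(account, project, user, build_id, secret):
    """Build the application properties a sender would attach to a Service Bus message."""
    props = {"account": account, "project": project, "user": user, "buildId": str(build_id)}
    props["signature"] = sign_properties(props, secret)
    return props


def verify_publisher(props):
    """Recipient side: return (ok, reason). Only trust account/project/user when ok is True."""
    secret = SENDER_SECRETS.get((props.get("account"), props.get("project")))
    if secret is None:
        return False, "unknown sender"
    signature = props.get("signature")
    if not isinstance(signature, str):
        return False, "missing signature"
    expected = sign_properties(props, secret)
    # Constant-time comparison so a forged signature leaks nothing through timing.
    if not hmac.compare_digest(expected, signature):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    genuine = make_message("contoso", "payments", "alice@contoso.example", 4711,
                           SENDER_SECRETS[("contoso", "payments")])
    print(verify_publisher(genuine))

    # A client that only holds Service Bus credentials cannot sign as another sender.
    forged = make_message("contoso", "payments", "someone@example", 4712, b"not-the-secret")
    print(verify_publisher(forged))

    # Changing an identity field after signing breaks the HMAC.
    tampered = dict(genuine, user="someone@example")
    print(verify_publisher(tampered))
```

The recipient only consults `SENDER_SECRETS` after reading the claimed `account`/`project`, so a message claiming an unregistered sender is rejected before any cryptography runs, and a message claiming a registered sender is accepted only if it was signed with that sender's secret.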

