Rails storing third party credentials.. Anyone know best practice?


Problem description


I've read a pile of other related questions... nothing really seems to answer the question I have.

My application will integrate with several different third party sites. (ebay, paypal, google, amazon...) It is a product management system and it pushes products all over the place...

Of course since it interacts with all these sites, it needs usernames, passwords, tokens.. etc.. Now I don't think it's really a good idea to store these things raw, but I still need to be able to get them raw, so I can embed them in the XML I send, or the HTTP header.

Does anyone have a suggestion on how to store the info? Is there a rails GEM?

Solution

Storing in server environment variables is the best practice for storing credentials to the DB, third-party credentials, etc. according to Twelve-Factor App methodology. How to store them depends on what you are using and how you have it setup. This promotes keeping creds out of source control, out of the database, and local to the server environment. To access an environment variable, you can use ENV, e.g.:

ENV['something']

Concerns about limitations and security:

For those storing thousands or more passwords/credentials in env vars, here are some things to help you decide whether or not to use them, in terms of feasibility and security:

  1. If the OS user that is running the web application or service has read-only access to the Rails application root directory and subdirectories only and therefore has read access to a well-known (relative or absolute) path of a credentials/secrets file, and a developer accidentally writes a service that uses a request param as part of the pathname to a file read into a variable returned to the client, then a user of the application could potentially remotely dump all of your creds. If you put those creds into a place much less accessible by the OS user running the application in a pathname which is not easily guessable, you will reduce the risk of that exploit being used successfully to dump those creds.

  2. You should also do what you can to make it harder to use those credentials outside of the server environment. This way, if they dumped all the credentials via an app/service exploit but cannot use those credentials outside of that environment, then they would have much less value.

  3. The limit of how much can be stored in env variables is likely higher than you might suppose. For example, in macOS with RVM loaded which wastes a ton of environment space with bash functions, etc., I was able to get 4278 53 char length creds (e.g. bcrypt-ed):

test.sh

#!/bin/bash
set -ev
for i in `seq 1 4278`;
do
    export CRED$i='...........................................'
done
ruby -e 'puts "#{ENV.size} env vars in Ruby. First cred=#{ENV["CRED1"]}"'

output:

$ time ./test.sh
for i in `seq 1 4278`;
do
    export CRED$i='...........................................'
done
seq 1 4278
ruby -e 'puts "#{ENV.size} env vars in Ruby. First cred=#{ENV["CRED1"]}"'
4319 env vars in Ruby. First cred=...........................................

real    0m0.342s
user    0m0.297s
sys 0m0.019s

When I exceeded that, I got ruby: Argument list too long.

  4. If you were to have a service in your app that could spit out any environment variable value, then you'd obviously NOT want to store creds in env vars as it would be less secure, but in my experience I've never encountered a development situation where ENV was exposed intentionally except for something like a Java administrative console that might spit out all system properties and env vars.

  5. If you store creds in the DB, you're at more of a risk since SQL injection exploits are typically much more common. This is one reason usually only hashes of passwords are stored in the DB and not encrypted creds to other services.

  6. If an attacker logs into the server itself and has access to the environment of the user running the web app/service or can find and read files containing the creds, you are out of luck.
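As an added illustration of the answer's advice (example code, not from the original post): a small Ruby loader that reads the third-party credentials the question mentions from ENV, fails fast at boot when one is missing, hands back the raw value only through an explicit fetch for embedding in an outbound request, and redacts itself on inspect so an accidental log line or debugging endpoint cannot spit the raw values out. The variable names (EBAY_APP_ID, PAYPAL_SECRET, ...) are assumed placeholders.

```ruby
# Loader for third-party credentials kept in server environment variables.
# Variable names below are assumed placeholders for this example.
class ThirdPartyCredentials
  REQUIRED = {
    ebay:   %w[EBAY_APP_ID EBAY_TOKEN],
    paypal: %w[PAYPAL_CLIENT_ID PAYPAL_SECRET]
  }.freeze

  class MissingCredential < StandardError; end

  # Accepts any Hash-like source; defaults to the real process ENV.
  def initialize(env = ENV)
    @creds = {}
    REQUIRED.each do |service, keys|
      missing = keys.reject { |k| env[k] && !env[k].strip.empty? }
      unless missing.empty?
        raise MissingCredential, "#{service}: missing #{missing.join(', ')}"
      end
      @creds[service] = keys.to_h { |k| [k, env[k]] }.freeze
    end
    @creds.freeze
  end

  # Raw value, for embedding in an outbound XML body or HTTP header only.
  def fetch(service, key)
    @creds.fetch(service).fetch(key)
  end

  # Redacted view: lists which keys are loaded, never their values,
  # so logging or inspecting this object does not leak the secrets.
  def to_s
    @creds.map { |s, kv| "#{s}: #{kv.keys.join(',')} [redacted]" }.join('; ')
  end
  alias inspect to_s
end

# Constructed sample environment standing in for the real server ENV.
SAMPLE_ENV = {
  'EBAY_APP_ID' => 'example-app-id', 'EBAY_TOKEN' => 'example-ebay-token',
  'PAYPAL_CLIENT_ID' => 'example-client-id', 'PAYPAL_SECRET' => 'example-paypal-secret'
}.freeze

if __FILE__ == $0
  creds = ThirdPartyCredentials.new(SAMPLE_ENV)
  puts creds.inspect # safe to log: names only, values redacted
end
```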
