How to verify the publisher of a message to a service bus using VSTS server-based task?

Submitted by 半腔热情 on 2019-12-11 16:03:09

Question


I want to use the Publish To Azure Service Bus VSTS server task and verify on the recipient side the VSTS user, project and account from which the published message originated. According to task.json, related information is being posted onto the service bus, but for my purposes this is not secure, as I want to protect myself against a client spoofing the information. Multiple different VSTS users, projects and accounts will be using the task. Once a client of the task has credentials to post to the service bus, she can spoof the data.

Does VSTS provide tamper-proof identity provisioning of the message publisher? The message has an auth token, but it appears to serve a different purpose: it is used to authenticate to VSTS and has no identity claims in it.


Answer 1:


You can include the necessary information in the message body; otherwise, you need a custom release task.

{"requestUserId":"$(Release.RequestedForId)","requestUser":"$(Release.RequestedFor)"}



Answer 2:


As pointed out by Aseem Bansal, the Publish To Azure Service Bus VSTS server task has a new feature: Signing properties. One can provide a Certificate Variable which is a shared secret between the sender (VSTS extension) and recipient (the service consuming messages from the Service Bus). The value of such a variable should be kept as a secret variable. This solves the issue, as any spoofing attempts can be blocked by checking against the presence of the shared secret in the Service Bus message (the recipient has to keep a mapping of which senders should know which secrets). The scope of who knows the secret can be controlled by who can view the VSTS build/release definition secret variables and submit builds/releases from a given definition. I believe VSTS has fairly fine-grained control over it, to the level of specific users.
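As an added example (not from the question, either answer, or the VSTS task itself) of the recipient-side check Answer 2 describes: the consumer keeps a mapping from claimed sender to secret and verifies each message against the secret registered for the sender it claims to be, so a sender holding one definition's secret cannot pass off a message as coming from another project. The task's actual signing format is not described on the page, so this assumes an HMAC-SHA256 over the body carried in a message property named `signature`; the account/project names and secrets are constructed placeholders.

```python
import hmac
import hashlib
import json

# Constructed per-sender secret registry held by the recipient: the claimed
# (account, project) pair maps to the secret configured as that definition's
# secret variable. Values are placeholders, not real secrets.
SENDER_SECRETS = {
    ("contoso", "payments"): b"placeholder-secret-for-payments",
    ("contoso", "website"): b"placeholder-secret-for-website",
}

SIGNATURE_PROPERTY = "signature"  # assumed name of the property carrying the MAC


def sign_body(body: bytes, secret: bytes) -> str:
    """HMAC-SHA256 over the raw body bytes (assumed scheme, not the task's own)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_message(body: bytes, properties: dict) -> tuple[bool, str]:
    """Recipient-side check: the secret is looked up from the claims inside the
    body, so a sender can only prove claims for a secret it actually holds."""
    try:
        claims = json.loads(body)
        account, project = claims["account"], claims["project"]
    except (ValueError, KeyError, TypeError):
        return False, "body is not a well-formed claims document"
    secret = SENDER_SECRETS.get((account, project))
    if secret is None:
        return False, f"unknown sender {account}/{project}"
    presented = str(properties.get(SIGNATURE_PROPERTY, ""))
    expected = sign_body(body, secret)
    # constant-time comparison so the MAC is not leaked through timing
    if not hmac.compare_digest(presented, expected):
        return False, "signature does not match the secret registered for the claimed sender"
    return True, f"authenticated as {account}/{project} ({claims.get('requestUser')})"


def make_message(claims: dict, secret: bytes) -> tuple[bytes, dict]:
    """What a legitimate sender produces: claims in the body, MAC in a property."""
    body = json.dumps(claims, sort_keys=True).encode()
    return body, {SIGNATURE_PROPERTY: sign_body(body, secret)}


if __name__ == "__main__":
    payments_secret = SENDER_SECRETS[("contoso", "payments")]
    genuine = make_message({"account": "contoso", "project": "payments", "requestUser": "alice"}, payments_secret)
    print(verify_message(*genuine))  # accepted
    # a holder of the payments secret claiming to be the website project is rejected
    spoofed = make_message({"account": "contoso", "project": "website", "requestUser": "alice"}, payments_secret)
    print(verify_message(*spoofed))
```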



Source: https://stackoverflow.com/questions/50976537/how-to-verify-the-publisher-of-a-message-to-a-service-bus-using-vsts-server-base
