<!-- 
RSS generated by JIRA (9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b) at Mon Feb 12 10:01:47 CET 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>Magnolia - Issue tracker</title>
    <link>https://jira.magnolia-cms.com</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-uk</language>
    <build-info>
        <version>9.4.2</version>
        <build-number>940002</build-number>
        <build-date>19-01-2023</build-date>
    </build-info>


<item>
            <title>[MGNLHOOK-173] Service to trigger 3rd party endpoints from SaaS instances</title>
                <link>https://jira.magnolia-cms.com/browse/MGNLHOOK-173</link>
                <project id="17487" key="MGNLHOOK">Magnolia Webhooks</project>
                    <description>&lt;p&gt;As part of the &lt;b&gt;DevX Webhooks Initiative&lt;/b&gt;, we need to make HTTP requests to third party endpoints from a SaaS instance.&lt;br/&gt;
The SRE team detected that allowing customers to configure &lt;b&gt;any&lt;/b&gt; target endpoint could potentially lead to security problems, being a security breach in Magnolia SaaS infrastructure. So Magnolia itself cannot perform those HTTP requests to a 3rd party service.&lt;br/&gt;
&#160;&lt;br/&gt;
So we need to make those HTTP requests from a different service (new).&lt;/p&gt;</description>
                <environment></environment>
        <key id="115778">MGNLHOOK-173</key>
            <summary>Service to trigger 3rd party endpoints from SaaS instances</summary>
                <type id="14" iconUrl="https://jira.magnolia-cms.com/secure/viewavatar?size=xsmall&amp;avatarId=10895&amp;avatarType=issuetype">Story</type>
                                            <priority id="6" iconUrl="https://jira.magnolia-cms.com/images/icons/priorities/neutral.gif">Neutral</priority>
                        <status id="6" iconUrl="https://jira.magnolia-cms.com/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="11">Done</resolution>
                                        <assignee username="jbenito">Javier Benito</assignee>
                                    <reporter username="jbenito">Javier Benito</reporter>
                        <labels>
                    </labels>
                <created>Fri, 15 Jul 2022 17:46:18 +0200</created>
                <updated>Fri, 26 Aug 2022 14:38:43 +0200</updated>
                            <resolved>Tue, 26 Jul 2022 09:41:44 +0200</resolved>
                                                    <fixVersion>1.0.0</fixVersion>
                                        <due></due>
                            <votes>0</votes>
                                    <watches>3</watches>
                                                                                                                                                            <comments>
                            <comment id="315420" author="rmartinr" created="Mon, 18 Jul 2022 18:07:07 +0200"  >&lt;p&gt;Hi &lt;a href=&quot;https://jira.magnolia-cms.com/secure/ViewProfile.jspa?name=czimmermann&quot; class=&quot;user-hover&quot; rel=&quot;czimmermann&quot;&gt;czimmermann&lt;/a&gt;! Below I try to summarize the security issues/concerns that we see related to this new webhooks feature if we implement it directly on the Magnolia instances side:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;From the first pentest carried out by Compass we got from them the warning described in SRE-3300, so trying to fix/avoid this security risk, we were trying to control through some network rules applied to Magnolia instances the outbound traffic/targets that are allowed to be requested from the Magnolia instances, since trying to control the inbound connectivity seems more challenging, as far as the Magnolia instances need to be publicly accessible: author instance for sure and public instance very likely for some operation that cannot be performed going through the delivery Fastly CDN service. Even though the approach (outbound or inbound restrictions) is not decided yet, adding this webhooks service directly to Magnolia webapp would directly discard the outbound restriction approach/option, making it very difficult to isolate Magnolia instances at the network level if they need to be accessed publicly and also need to access any target because of the new webhooks feature.&lt;/li&gt;
	&lt;li&gt;Having the capability to call other services directly from Magnolia instances, which are deployed in the SaaS k8s cluster/platform, would allow calling any other internal/private service (not publicly accessible) directly from Magnolia, such as the endpoint &lt;tt&gt;/private&lt;/tt&gt; of the Subscription service or the Config Ingestion service (not publicly accessible), so we would need to isolate all these private services in some way to disallow any request coming from Magnolia instances to any private service, which looks challenging since there are some other requests from Magnolia instances to those private services that are legit and expected. However, having the feature in a dedicated and multi-tenant service, it is much easier to apply this kind of isolation, since we could for example add directly some egress/outbound network rule to it to avoid that the service can request any service whose IP is a private one belonging to the VPC in which the k8s cluster/platform is deployed.&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;You can get a better understanding of the network communications between the different services deployed in the SaaS platform reviewing the SaaS architecture diagram:&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://git.magnolia-cms.com/projects/CLOUD/repos/magnolia-cloud/browse&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://git.magnolia-cms.com/projects/CLOUD/repos/magnolia-cloud/browse&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;CC: &lt;a href=&quot;https://jira.magnolia-cms.com/secure/ViewProfile.jspa?name=chanh.hua&quot; class=&quot;user-hover&quot; rel=&quot;chanh.hua&quot;&gt;chanh.hua&lt;/a&gt;, &lt;a href=&quot;https://jira.magnolia-cms.com/secure/ViewProfile.jspa?name=luong.nguyen&quot; class=&quot;user-hover&quot; rel=&quot;luong.nguyen&quot;&gt;luong.nguyen&lt;/a&gt; (if you want to add some additional thought, feel free to do it)&lt;/p&gt;</comment>
                            <comment id="315788" author="czimmermann" created="Wed, 20 Jul 2022 12:22:19 +0200"  >&lt;p&gt;&lt;a href=&quot;https://jira.magnolia-cms.com/secure/ViewProfile.jspa?name=rmartinr&quot; class=&quot;user-hover&quot; rel=&quot;rmartinr&quot;&gt;rmartinr&lt;/a&gt;&#160;Thanks for the detailed explanation! Makes sense.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10010">
                    <name>relation</name>
                                                                <inwardlinks description="is related to">
                                                        </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                            <subtask id="116095">MGNLHOOK-187</subtask>
                            <subtask id="116096">MGNLHOOK-188</subtask>
                    </subtasks>
                <customfields>
                                                                            <customfield id="customfield_14166" key="com.okapya.jira.checklist:checklist">
                        <customfieldname>Acceptance criteria</customfieldname>
                        <customfieldvalues>
                            
        <checklist>
        <![CDATA[
                            




                
                                    Empty
                        ]]>
    </checklist>


                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10111" key="com.atlassian.jira.toolkit:reporterdomain">
                        <customfieldname>Company</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>magnolia-cms.com</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_10031" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Mon, 18 Jul 2022 08:42:58 +0200</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_12730" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_14151" key="com.atlassian.jira.toolkit:message">
                        <customfieldname>Docu info</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                            <customfield id="customfield_10246" key="com.pyxis.greenhopper.jira:gh-epic-link">
                        <customfieldname>Epic Link</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>MGNLHOOK-10</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10061" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comm is not jira-dev</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10071" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last participant</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>jbenito</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_13136" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            1 year, 29 weeks, 4 days ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                            <customfield id="customfield_10020" key="com.atlassian.jira.toolkit:attachments">
                        <customfieldname>Number of attachments</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10150" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname>Number of comments</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10011" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>czimmermann</customfieldvalue>
            <customfieldvalue>jbenito</customfieldvalue>
            <customfieldvalue>rmartinr</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                <customfield id="customfield_10833" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|hzztx1:1ye8900l</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10244" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10245" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="1675">DevX 15</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10242" key="com.atlassian.jira.plugin.system.customfieldtypes:float">
                        <customfieldname>Story Points</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_12430" key="com.atlassian.teams:rm-teams-custom-field-team">
                        <customfieldname>Team</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[26]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_14145" key="com.intenso.jira.issue-templates:issue-templates-customfield">
                        <customfieldname>Template</customfieldname>
                        <customfieldvalues>
                            


                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                            <customfield id="customfield_15131" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Time in Discovery</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>22</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10032" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                            <customfield id="customfield_13933" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Urgency (resolution)</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="15724"><![CDATA[Normal]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                </customfields>
    </item>
</channel>
</rss>