Security
There are many strategies for securing a Swarm installation. This section provides guidance on security features Swarm controls, and recommendations for several areas for the system hosting Swarm.
Require login
Important
Prior to Swarm's 2016.1 release, require_login
defaulted to false. For 2016.1 and later releases,
the default is true.
By default, Swarm prevents anonymous users from viewing any Helix Versioning Engine resources; users must login to see commits, reviews, etc.
Swarm can be configured to allow anonymous users to access any readable
resources (creating or editing resources by anonymous users is not
permitted). Add the following configuration block to the SWARM_ROOT/data/config.phpp4 entry:
<?php
// this block should be a peer of 'p4'
'security' => array(
'require_login' => false, // defaults to true
),
There is one exception: the /queue/worker endpoint is
available to any user.
Note
service and operator users are not permitted to login. For more information on these user types, see the Helix Versioning Engine Administrator Guide: Fundamentals.
Prevent login
When your Helix Versioning Engine has users that should not be able to log
in to Swarm, for example service users involved with
Perforce replicas, the prevent_login configuration
item can be used to prevent successful authentication.
Add or update the following configuration block to the SWARM_ROOT/data/config.phpp4 entry:
<?php
// this block should be a peer of 'p4'
'security' => array(
'prevent_login' => array(
'service_user1',
'service_user2',
),
),
prevent_login defaults to
array(), which means no users in your Helix Versioning
Engine are prevented from logging into Swarm.
Tip
For more information, see: Helix Versioning Engine Administrator Guide: Multi-Site Deployment: Service users.
Sessions
Swarm manages logged-in sessions using cookies in the browser, and PHP
session storage on the server. Swarm uses reasonable defaults for the
cookie and session lifetimes (measured in seconds); when the lifetime is
exceeded users need to login again. To specify session lifetimes, add the
following configuration block to the SWARM_ROOT/data/config.phpp4 entry:
<?php
// this block should be a peer of 'p4'
'session' => array(
'cookie_lifetime' => 0, // 0=expire when browser closed
'gc_maxlifetime' => 60*60*24*30, // 30 days
'remembered_cookie_lifetime' => 60*60*24*30, // 30 days
),
-
cookie_lifetime -
Optional. Limits the lifetime of session cookies, when the Remember Me checkbox on the login dialog is unchecked. The default is
0, which causes the session cookie to expire when the user's browser is closed. -
gc_maxlifetime -
Optional. If a session is inactive for the specified number of seconds, it is deleted and the user is logged out. The default is
60*60*24*30seconds (30 days). Note, by default the user's Perforce ticket expires after 12 hours, which also causes them to be logged out. -
remembered_cookie_lifetime -
Optional. Limits the lifetime of session cookies when the Remember Me checkbox on the login dialog is checked. The default is
60*60*24*30seconds (30 days).
X-Frame-Options header
By default, Swarm emits a X-Frame-Options HTTP header
set to SAMEORIGIN. This prevents embedding of the Swarm
interface into other web pages, which avoids
click-jacking attacks.
If your deployment of Swarm needs to be integrated into another web
interface, you can adjust the X-Frame-Options header by
adjusting the x_frame_options item within the
security configuration block, found in the SWARM_ROOT/data/config.php
<?php
// this block should be a peer of 'p4'
'security' => array(
'x_frame_options' => value,
),
),
Where value can be one of:
-
'SAMEORIGIN'- Swarm can only be displayed in a frame hosted on the same domain. -
'DENY'- Swarm cannot be displayed in a frame. -
'ALLOW-FROM- Swarm can only be displayed in a frame hosted on the specifiedURI'URI. -
false- TheX-Frame-Optionsheader is not emitted, so Swarm can be embedded without restriction.
Tip
For more information on the X-Frame-Options header,
see
this
Mozilla Developer Network article.
For more information on click-jacking attacks, see this Wikipedia article.
Disable commit
Swarm provides the ability to commit reviews within the Swarm interface. You may want to disable this capability to prevent reviews from being committed by someone other than the review's author. When disabled, the (and if the review is already approved) option is removed from the list of states available to a code review.
To disable commits, set disable_commit to
true within the reviews item in
the SWARM_ROOT/data/config.php
<?php
// this block should be a peer of 'p4'
'reviews' => array(
'disable_commit' => true,
),
),
Restricted Changes
The Helix Versioning Engine provides two changelist types:
public (the default), and
restricted. Swarm honors restricted changelists by
preventing access to the changelist, and any associated comments or
activity related to the changelist.
If a user has list-level privileges to at least one file in the changelist, Swarm allows the user to see the changelist and any of the files they have permission to see.
To prevent unintended disclosures, email notifications for restricted
changes are disabled by default. To enable email notifications for
restricted changes, set email_restricted_changes to
true within the security item in
the SWARM_ROOT/data/config.php
<?php
// this block should be a peer of 'p4'
'security' => array(
'email_restricted_changes' => true,
),
),
Note
When email_restricted_changes is set to
true, email notifications for restricted changes are
sent to all interested parties with no permissions screening. These
notifications might disclose sensitive information.
Swarm can only report on changes that the configured
admin-level user has access to. When using
restricted changes, we advise that you grant the Swarm
admin-level user access to the restricted files and
set
require_login
= true to avoid leaking information to unauthenticated users.
Limit adding projects to administrators
Important
For Swarm 2016.1, the configuration item
add_project_admin_only was moved from the
security block to the
projects
block, and the item was renamed to
add_admin_only. The functionality of this
configuration item remains unchanged.
If you do not update your SWARM_ROOT/data/config.php
If you add the new configuration item add_admin_only
to the projects block, it takes precedence over any
remaining add_project_admin_only setting in the
security block.
Limit adding projects to members of specific groups
Important
For Swarm 2016.1, the configuration item
add_project_groups was moved from the
security block to the
projects
block, and the item was renamed to
add_groups_only. The functionality of this
configuration item remains unchanged.
If you do not update your SWARM_ROOT/data/config.php
If you add the new configuration item add_groups_only
to the projects block, it takes precedence over any
remaining add_project_groups setting in the
security block.
IP address-based protections emulation
A Helix Versioning Engine can be configured via protections to restrict access to a depot in a variety of ways, including by IP address. As Swarm is a web application acting as a client to the Helix Versioning Engine, often with admin-level privileges, Swarm needs to emulate IP address-based restrictions. It does so by checking the user's IP address and applying any necessary restrictions during operations such as browsing files, viewing file content, viewing and adding comments on files.
Swarm also emulates proxy-based protections, in addition to regular IP-based protections emulation. However, Swarm does not detect whether it is connecting to a Perforce proxy or not; it merely attempts to emulate protections table entries that use proxy syntax.
IP address-based protections emulation is enabled by default. Swarm performs somewhat faster without this emulation; if you do not require them for your Swarm installation these can be disabled by setting the configuration:
<?php
// this block should be a peer of 'p4'
'security' => array(
'emulate_ip_protections' => false,
),
Known limitations
-
Notification e-mails for reviews or commits include the list of affected files. Swarm cannot reliably know the IP address used to retrieve that e-mail, and makes no attempt to filter the files and their depot paths nor any details included in the description. However, when a user follows a link from the notification e-mail to a restricted resource, that access is denied.
-
Swarm filters comments from activity streams, but any comments created prior to upgrading to the 2013.3 release cannot be filtered and may leak sensitive information.
-
Swarm displays a comment count in code review queues, code reviews, jobs, and activity streams, but the count does not account for any comments that may be hidden from the user due to association with files the user is restricted from viewing.
-
Should Swarm users connect to Swarm via a proxy or VPN, the protections will generally use the IP address of the proxy/VPN.
-
When the user's IP address and Swarm's IP address both have restrictions applied, the user experiences the most constraining of the two IP address-based restrictions; Swarm cannot bypass restrictions applied to itself.
-
Swarm performs a variety of operations with admin-level privileges, on behalf of a user. Even if the Helix Versioning Engine has IP-based, or userid-based protections, installed to prevent access to some or most of its versioned data, Swarm typically does have access to this data. Therefore, Swarm cannot guarantee that no information leakage will occur, particularly when custom modules are in use, or Swarm source has been customized.
Tip
For more information, see Helix Versioning Engine Administrator Guide: Fundamentals: Authorizing Access.
Disable system info
Swarm provides a System Information page, available to users with admin or super privileges, which displays information about the Helix Versioning Engine that Swarm is configured to use, as well as PHP information and the Swarm log file.
While this information can be invaluable when communicating with Perforce
support engineers, you may wish to prevent disclosure of any system
information. The System Information page can be
disabled for all users by adding the following configuration block to the
SWARM_ROOT/data/config.phpp4
entry:
<?php
// this block should be a peer of 'p4'
'security' => array(
'disable_system_info' => true, // defaults to false
),
Once disabled, the System Information link disappears
from the About Swarm dialog, and
403 errors are generated for any attempts to browse to
the System Information page.
HTTP client options
Swarm permits configuration of options that are passed through to the underlying Zend Framework 2's HTTP client. These options can be used to specify SSL certificate locations, request timeouts, and more, and can be specified globally or per host.
Here is an example configuration:
<?php
// this block should be a peer of 'p4'
'http_client_options' => array(
'timeout' => 5,
// path to the SSL certificate directory
'sslcapath' => '',
// the path to a PEM-encoded SSL certificate
'sslcert' => '',
// the passphrase for the SSL certificate file
'sslpassphrase' => '',
// optional, per-host overrides;
// host as key, array of options as value
'hosts' => array(
'jira.example.com' => array(
'sslcapath' => '/path/to/certs',
'sslcert' => 'jira.pem',
'sslpassphrase' => 'keep my JIRA secure',
'timeout' => 15,
),
),
),
See the Zend Framework 2's Socket Adapter documentation for more information.
Warning
While it is possible to use a self-signed SSL certificate, adding the configuration to do so disables certificate validity checks, making connections to the configured host less secure. We strongly recommend against using this configuration option.
However, if you need to configure continuous integration, deployment, or
JIRA connections and those connections must use a self-signed SSL
certificate, set the sslallowselfsigned item to
true for the specific host that needs it, as in the
following example:
<?php
// this block should be a peer of 'p4'
'http_client_options' => array(
'hosts' => array(
'jira.example.com' => array(
'sslallowselfsigned' => true,
),
),
),
Strict HTTPS
To improve the security when users work with Swarm, particularly if they
need to do so outside of your network, Swarm provides a mechanism that
tries to force web browsers to use HTTPS. When enabled,
Swarm's behavior changes in the following ways:
-
HTTPrequests to Swarm include a meta-refresh to theHTTPSversion. If a load balancer handles encryption before requests reach Swarm, the meta-refresh should be disabled. See below. -
A strict transport security header is included for all requests, which pins the browser to using
HTTPSfor your Swarm installation for 30 days. -
All qualified URLs that Swarm produces use
HTTPSfor the scheme. -
Cookies are flagged as
HTTPS-only.
Here is an example of how to enable strict HTTPS:
<?php
// this block should be a peer of 'p4'
'security' => array(
'https_strict' => true,
'https_strict_redirect' => true, // optional; set false to avoid meta-refresh
'https_port' => null, // optional; specify if HTTPS is
// configured on a non-standard port
),
When the https_strict_redirect item is set to
false, Swarm does not add a meta-refresh for
HTTP clients. This prevents an endless redirect when a
load balancer in front of Swarm applies HTTPS to the
client-to-load balancer connection, but not the load balancer-to-Swarm
connection.
Apache security
There are several Apache configuration changes that can improve security for Swarm:
-
Disable identification
By default, each Apache response to a web request includes a list of tokens identifying Apache and its version, along with any installed modules and their versions. Also, Apache can add a signature line to each response it generates that includes similar information. By itself, this identification information is not a security risk, but it helps would-be attackers select attacks that could be successful.
To disable Apache identification, add the following two lines to your Apache configuration:
ServerSignature Off ServerTokens ProductOnly
-
Disable TRACE requests
TRACErequests cause Apache to respond with all of the information it has received, which is useful in a debugging environment.TRACEcan be tricked into divulging cookie information, which could compromise the credentials being used to login to Swarm.To disable
TRACErequests, add the following line to your Apache configuration:TraceEnable off
-
Update SSL configuration
Swarm works correctly with an SSL-enabled Apache. Several attacks on common SSL configurations have been published recently. We recommend that you update your Apache configuration with the following lines:
<IfModule mod_ssl.c> SSLHonorCipherOrder On SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH SSLCompression Off </IfModule>
PHP security
There are several PHP configuration changes that can improve security for Swarm:
-
Disable identification
By default, PHP provides information to Apache that identifies that it is participating in a web request, including its version.
To disable PHP identification, edit your system's php.ini file and change the line setting
expose_phpto:expose_php = Off
-
Remove scripts containing
phpinfo()During module development or other debugging, you may need to call
phpinfo(), which displays PHP's active configuration, compilation details, included modules and their configuration. Typically, you would add a script to Swarm's public directory containing:<?php phpinfo() ?>
Any such scripts should be removed from a production instance of Swarm.