Per-endpoint configurable certificate_authority #13567
Conversation
cben
force-pushed
the
endpoint-ca
branch
2 times, most recently
from
2a0970e
to
7a10d75
Compare
| # Returns a list, to support concatenated PEM certs. | ||
| def parse_certificate_authority | ||
| return [] if certificate_authority.blank? | ||
| certificate_authority.split(/(?=-----BEGIN)/).reject(&:blank?).collect do |pem_fragment| |
There was a problem hiding this comment.
Do you have a test for concatenated PEM certs? It seems the test only have 1 cert
There was a problem hiding this comment.
Yes, at the end of endpoint_spec.rb: https://github.com/ManageIQ/manageiq/pull/13567/files#diff-763829b60a325924ed156fcba4a726e4R123
(in API test I didn't bother)
|
Aside from my one comment on the testing of multiple certs, LGTM 👍 |
- as top-level json attribute - in `connection_configurations`
|
Checked commits cben/manageiq@4459137~...de73b1c with ruby 2.2.6, rubocop 0.46.0, and haml-lint 0.19.0 |
|
Interesting, this now fails a migration spec from #13324: |
A refrence to factory girl can fail due to validations on columns that are added in app/model after this migration. Seen in ManageIQ#13567
|
@Fryguy my only comment here is that I would expect that a CA per provider would be enough (actually you generally have one CA per company... so even per-provider would be already overkill). If this approach is simpler, more flexible and requires only some magic in the UI to copy the same certificate in all the endpoints for the vast majority of the cases... then I'm OK with it. LGTM 👍 |
|
There will now be 3 related fields: (security_protocol, verify_ssl, certificate_authority).
Toggling for Travis. |
A refrence to factory girl can fail due to validations on columns that are added in app/model after this migration. Seen in ManageIQ#13567
A refrence to factory girl can fail due to validations on columns that are added in app/model after this migration. Seen in ManageIQ/manageiq#13567 (transferred from ManageIQ/manageiq@a66497d)
Purpose
To securely connect to providers using self-signed TLS certificates, it should be possible to configure ManageIQ to trust specific CA(s).
Currently this generally requires adding them to the system CA bundle on the MIQ machine; Openstack looks at settings
ssl.ssl_ca_fileandssl.ssl_ca_pathbut you still have to place the file(s) on the machine first.This PR adds a way to to store the CA in the DB + a bit of support logic + REST API.
It remains up to specific providers to use it (exact use will vary by network lib but something like passing
:ssl_cert_store => endpoint.ssl_cert_store).I'm assuming here that whenever you specify a custom CA, you no longer want to trust the system bundle, so this case is also covered.
Rationale: Global / Per Provider / Per EMS / Per Endpoint ?
A global pool of trusted CAs would I think be less secure (I trust Alice to administrate provider A and Bob to administrate provider B, but I don't want Bob to be able to impersonate A) and pragmatically inconvenient to manage — hard to know which certs can be removed when.
Per Endpoint may be best since different endpoints could have different host, port and maybe certs. YAGNI?
Per Provider or EMS can be OK too, especially if we allow multiple certs.
=> I've chosen per-Endpoint because it logically belongs with
verify_sslandsecurity_protocolcolumns thatEndpointalready has.Rationale: text column holding PEM cert(s)
A few endpoints might end up storing the same cert, but seemed to me much simpler than doing a new table with 1:many association...
I'm storing certs in PEM format — essentially the ASN-1 binary encoded in base64. Opaque, but it's what essentially all network libs take.
The parsing logic supports multiple concatenated PEM certs. There is no strong need, but it's a common thing people do with trust roots, so I figured it's easier to make it work than forbid...
REST API
Same as other endpoint attributes (see #13454):
endpoints(when non-nil).connection_configurations.@miq-bot add-label enhancement, providers, sql migration, api
cc @simon3z @blomquisg @Fryguy