New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: fedramp issues #10092
fix: fedramp issues #10092
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@aliehsaeedii Thanks for the PR!
Here my comments!
if (cipherSuites.isEmpty()) { | ||
final String errorMsg = "No cipher suites " | ||
+ "('" | ||
+ KsqlRestConfig.SSL_CIPHER_SUITES_CONFIG | ||
+ "') is specified."; | ||
log.error(errorMsg); | ||
throw new SecurityException(errorMsg); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why did you remove this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why did you remove this?
Based on info form CP team, ssl.cipher.suites
must be an optional parameter.
public static final ConfigDef.ValidString SSL_STORE_TYPE_VALIDATOR = | ||
ConfigDef.ValidString.in( | ||
SSL_STORE_TYPE_JKS, | ||
SSL_STORE_TYPE_PKCS12 | ||
SSL_STORE_TYPE_PKCS12, | ||
SSL_STORE_TYPE_BCFKS |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Isn't there a unit test you need to adapt?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Isn't there a unit test you need to adapt?
For the other two we don't have any.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK
I think you need to adapt SSL_KEYSTORE_TYPE_DOC
and SSL_TRUSTSTORE_TYPE_DOC
, though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These logs are not needed, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These logs are not needed, right?
Right. Strange that they have been added!
private static KeyStoreOptions buildBcfksOptions(final String password) { | ||
return new KeyStoreOptions() | ||
.setType("BCFKS") | ||
.setProvider("/opt/confluent/confluent-7.4.0/share/java/kafka/bc-fips-1.0.2.3.jar") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What if this JAR appears in a different location and/or different version? Can this location be configurable? or why is it hard-coded?
|
||
final String password = getTrustStorePassword(props); | ||
|
||
if (!Strings.isNullOrEmpty(password)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Don't you need the location obtained like getPfxTrustStoreOptions
? I see the location is hard-coded in buildBcvfksOptions
.
@@ -115,21 +115,24 @@ public class KsqlRestConfig extends AbstractConfig { | |||
|
|||
public static final String SSL_KEYSTORE_TYPE_CONFIG = "ssl.keystore.type"; | |||
protected static final String SSL_KEYSTORE_TYPE_DOC = | |||
"The type of keystore file. Must be either 'JKS' or 'PKCS12'."; | |||
"The type of keystore file. Must be either 'JKS' or 'PKCS12' or 'BCFKS'."; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"The type of keystore file. Must be either 'JKS' or 'PKCS12' or 'BCFKS'."; | |
"The type of keystore file. Must be either 'JKS', 'PKCS12' or 'BCFKS'."; |
|
||
protected static final String SSL_TRUSTSTORE_LOCATION_DEFAULT = ""; | ||
protected static final String SSL_TRUSTSTORE_PASSWORD_DEFAULT = ""; | ||
|
||
public static final String SSL_TRUSTSTORE_TYPE_CONFIG = "ssl.truststore.type"; | ||
protected static final String SSL_TRUSTSTORE_TYPE_DOC = | ||
"The type of trust store file. Must be either 'JKS' or 'PKCS12'."; | ||
"The type of trust store file. Must be either 'JKS' or 'PKCS12' or 'BCFKS'."; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"The type of trust store file. Must be either 'JKS' or 'PKCS12' or 'BCFKS'."; | |
"The type of trust store file. Must be either 'JKS', 'PKCS12' or 'BCFKS'."; |
ksqldb-rest-app/src/main/java/io/confluent/ksql/api/util/ApiServerUtils.java
Show resolved
Hide resolved
@@ -59,6 +60,13 @@ private static JksOptions buildJksOptions(final Buffer buffer, final String pass | |||
return new JksOptions().setValue(buffer).setPassword(Strings.nullToEmpty(password)); | |||
} | |||
|
|||
private static KeyStoreOptions buildBcfksOptions(final String password) { | |||
return new KeyStoreOptions() | |||
.setType("BCFKS") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just to follow the code in this file, could you add a constant, like the SSL_STORE_TYPE_JKS
for this too?
@@ -0,0 +1,1355 @@ | |||
Thread: 496 - ksql-workers-0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This and the other *.log
files were accidentally committed, right?
public static Optional<KeyStoreOptions> getBcfksTrustStoreOptions( | ||
final String location, | ||
final String password, | ||
final String keyPassword) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is the keyPassword
needed for truststores? My understanding is that truststores only stores certificates while keystores stores keys. So, truststores don't require a key password, right?
final String providers = getSecurityProviders(props); | ||
final String location = getTrustStoreLocation(props); | ||
final String password = getTrustStorePassword(props); | ||
final String keyPassword = getKeyPassword(props); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Truststores don't require a key password, do they?
KSE-1768
This PR intends to fix the following issues:
ssl.cipher.suites
as optional configSample fips compliant config:
Description
What behavior do you want to change, why, how does your patch achieve the changes?
Testing done
Describe the testing strategy. Unit and integration tests are expected for any behavior changes.
Reviewer checklist