HPCC-20114 Don't allow service binding to https with no certificate #11546

Merged
merged 1 commit into from Aug 24, 2018

@kenrowland
Contributor

commented Aug 6, 2018

Add requiredIf to HTTPS relevant attributes marking them required if
https is the selected binding protocol for an ESP service.
Mark HTTPS deprecated certificate attributes.
Fix omitted merge changes.

Signed-off-by: Ken Rowland <kenneth.rowland@lexisnexisrisk.com>

@kenrowland

Contributor Author

commented Aug 6, 2018

@rpastrana Please review. The esp.xsd changes are to capture necessary updates. The xsd will go out for a full review.

@@ -95,7 +95,7 @@
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ldapServer" type="xs:string" use="optional" hpcc:displayName="LDAP Server" hpcc:requiredIf=".[@method=('ldap','ldaps')]"
<xs:attribute name="ldapServer" type="xs:string" use="optional" hpcc:displayName="LDAP Server" hpcc:requiredIf="../EspBinding[@method=('ldap','ldaps')]"
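
Review bot: The new hpcc:requiredIf on ldapServer, `../EspBinding[@method=('ldap','ldaps')]`, steps up to the parent and tests @method on an EspBinding element, whereas the expression it replaces, `.[@method=('ldap','ldaps')]`, tests @method on the element that carries ldapServer. If method is declared on the same element as ldapServer, the new path will not match, ldapServer will no longer be flagged as required when ldap or ldaps is selected, and a binding could be saved with an LDAP method and no server. Suggest keeping the self-relative form unless method really lives on EspBinding, and checking the expression against a configuration that sets method to ldap with ldapServer left empty.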

@rpastrana

rpastrana Aug 13, 2018

Member

"Authentication/@ldapServer" and "Authentication/@method" seem to be at the same level, and we might not need to go up and down to EspBinding.

@kenrowland

kenrowland Aug 13, 2018

Author Contributor

Well, it was correct in the previous revision. Not sure why I changed it. Corrected now.

<xs:attribute name="certificateFileName" type="xs:string" use="optional" default="certificate.cer" hpcc:displayName="Certificate Filename" hpcc:tooltip="Name of destination file in which the certificate will be written"/>
<xs:attribute name="cipherList" type="xs:string" use="optional" default="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5"
hpcc:displayName="Cipher List" hpcc:tooltip="Sets the ordered list of available ciphers for use by openssl. See openssl documentation on ciphers for information on use and formatting."/>
<xs:attribute name="passphrase" type="xs:string" use="optional" hpcc:modifiers="mask,verify,ignoreNoChange,encrypt" hpcc:displayName="Passphrase" hpcc:tooltip="The passphrase used to generate the private key" />
<xs:attribute name="privateKeyFileName" type="xs:string" use="optional" default="privatekey.cer" hpcc:displayName="Private Key Filename" hpcc:tooltip="Name of destination file in which the private key will be written" />
<xs:attribute name="privateKeyFileName" type="xs:string" use="optional" default="privatekey.cer" hpcc:displayName="Private Key Filename" hpcc:requiredIf="../EspBinding[@protocol='https']"
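
Review bot: On privateKeyFileName the new `hpcc:requiredIf="../EspBinding[@protocol='https']"` sits beside `use="optional"` and `default="privatekey.cer"`, so it is unclear whether the check can ever fail: if a defaulted value counts as supplied, an https binding with no key material configured still validates, which is the case HPCC-20114 is meant to reject. Please document how requiredIf treats an attribute that only has its default, or drop the default when https is selected. In the lines shown, certificateFileName carries the same kind of default but no requiredIf, and the hpcc:tooltip is not visible on the new privateKeyFileName line; confirm the certificate attribute gets the same condition and that the tooltip was kept.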

@rpastrana

rpastrana Aug 13, 2018

Member

Let's add a comment explaining why these are here and hidden.

@kenrowland

kenrowland Aug 13, 2018

Author Contributor

Comment added

@rpastrana
Member

left a comment

@kenrowland a couple of comments

@kenrowland
Contributor Author

left a comment

@rpastrana Comments addressed.

@kenrowland

Contributor Author

commented Aug 15, 2018

@rpastrana Please approve if latest changes are acceptable

@rpastrana
Member

left a comment

HPCC-20114 Don't allow service binding to https with no certificate
Add requiredIf to HTTPS relevant attributes marking them required if
https is the selected binding protocol for an ESP service.
Mark HTTPS deprecated certificate attributes.
Fix omitted merge changes.

Signed-off-by: Ken Rowland <kenneth.rowland@lexisnexisrisk.com>

@kenrowland kenrowland force-pushed the kenrowland:HPCC-20114 branch from b34fcef to 143998a Aug 15, 2018

@HPCCSmoketest

Contributor

commented Aug 15, 2018

Automated Smoketest:
OS: centos 7.4.1708 (Linux 3.10.0-327.28.3.el7.x86_64)
Sha: 143998a
Build: success
Install hpccsystems-platform-community_7.0.0-rc1.el7.x86_64.rpm
HPCC Start: OK

Unit tests result:

| Test | total | passed | failed | errors | timeout |
|---|---|---|---|---|---|
| unittest | 89 | 89 | 0 | 0 | 0 |
| wutoolTest(Dali) | 19 | 19 | 0 | 0 | 0 |
| wutoolTest(Cassandra) | 19 | 19 | 0 | 0 | 0 |

Regression test result:

| phase | total | pass | fail |
|---|---|---|---|
| setup (hthor) | 11 | 11 | 0 |
| setup (thor) | 11 | 11 | 0 |
| setup (roxie) | 11 | 11 | 0 |
| test (hthor) | 805 | 805 | 0 |
| test (thor) | 729 | 729 | 0 |
| test (roxie) | 878 | 878 | 0 |

HPCC Stop: OK
HPCC Uninstall: OK
Time stats:

| Prep time | Build time | Package time | Install time | Start time | Test time | Stop time | Summary |
|---|---|---|---|---|---|---|---|
| 12 sec (00:00:12) | 174 sec (00:02:54) | 61 sec (00:01:01) | 7 sec (00:00:07) | 28 sec (00:00:28) | 1341 sec (00:22:21) | 18 sec (00:00:18) | 1641 sec (00:27:21) |

@kenrowland

Contributor Author

commented Aug 15, 2018

@richardkchapman please merge

@richardkchapman richardkchapman merged commit ed63ccf into hpcc-systems:master Aug 24, 2018
