haproxy obfuscated internal IP in routing cookie

[pecameron]

The cookie currently returns the openshift internal pod IP address.
This is a security issue as an attacker can develop a map of the pods
in the cluster just by observing the returned cookie.

This change returns a hash of the internal address and internal service
name to obfuscate the internal information. The service name is configured
when the service is created and is not visible to outside users. This
in combination with the internal ip:port is hashed and presented in the
cookie.

addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1318796

[knobunc]

Why is this inconsistent with the call a few lines above. I'd lose hash above.

[eparis]

Assuming this is necessary (it's weird to me you are walking this table twice, but I haven't actually looked at it) I think the idiomatic go way to update the values stored in items in a slice would be:

for i := range svc.EndpointTable {
    endpoint := &svc.EndpointTable[i]
    hash := $WHATEVER
    endpoint.IDHash = fmt.Sprintf(....hash)
}

Notice endpoint is a pointer to the value.

Now if I were going to write it your way, because I didn't really understand or want to use pointers but did want to make use of the return values of range it should look like:

for i, endpoint := range svc.EndpointTable {
    hash := $WHATEVER
    svc.EndpointTable[i].IDhash = fmt.Sprintf("%x", hash)
}

[knobunc]

I think you missed @eparis' comment about the go idioms.

It's ugly that we have to do the same thing in two places though. Perhaps make a private function that computes a hash value from an Endpoints structure?

[pecameron]

Didn't miss it, misunderstood it. I will make a private function as you
suggest.
On 04/04/2016 01:54 PM, Ben Bennett wrote:

In pkg/router/template/router.go
#8334 (comment):

if len(alias.PreferPort) == 0 {

•   for i := range svc.EndpointTable {
  

•       endpoint := svc.EndpointTable[i]
  

I think you missed @eparis https://github.com/eparis' comment about
the go idioms.

It's ugly that we have to do the same thing in two places though.
Perhaps make a private function that computes a hash value from an
Endpoints structure?

—
You are receiving this because you authored the thread.
Reply to this email directly or view it on GitHub
https://github.com/openshift/origin/pull/8334/files/d5a28c792427c49fed6676cc043d4a13b621d62c#r58417984

[ramr]

Better to do this when we add an endpoint - see: https://github.com/pecameron/origin/blob/bz1318796/pkg/router/template/router.go#L507 rather than in here endpointsForAlias.

Reason is endpointsForAlias is called every time we handle the template (router config) and there would be multiple calls in the lifetime of a router (as endpoints/routes get added/removed/modified). It's not performant to calculate the IDHash for all the endpoints on every single call to endpointsForAlias.
Just do it once when we add the endpoint.

That way, you can also inline the function as it will be only used in a single place.

[knobunc]

This looks much better. LGTM.

[ramr]

Code LGTM - If you could also add to the AddEndpoints test here: https://github.com/ramr/origin/blob/master/pkg/router/template/router_test.go#L68
just check that the actualEp.IdHash is set and matches expectations.

[ramr]

As discussed over email - testing that the IdHash is valid looks fine but as re: the test failures for:

--- FAIL: TestAddEndpointDuplicates (0.00s)  
    router_test.go:123: add same endpoints expected to return false but got true  
W0405 15:21:34.318716   26055 router.go:696] a edge terminated route with host edgetermfalse does   not have the required certificates. The route will still be created but no certificates will be written  
W0405 15:21:34.319183   26055 router.go:696] a reencrypt terminated route with host  reencrypttermfalse does not have the required certificates.  The route will still be created but no   certificates will be written  
FAIL  

There is a check above the added code to ensure that if we add the same endpoints, we don't reload the router (return false from here basically since the config is unchanged). But since we now set the IdHash below this check, the 2 objects will never match up. So better to just move setting the IdHash to plugin.go#createRouterEndpoints.

[pecameron]

Above failure seems to be a flake:

I0406 16:14:51.933815 23883 client.go:320] Found registry v2 API at https://registry-1.docker.io/v2/
--- FAIL: TestRegistryClientImageV2-2 (0.12s)
dockerregistryclient_test.go:206: tag "latest" has not been set on repository "openshift/origin"
FAIL

[knobunc]

[test]

[pecameron]

[FLAKE:8466] problem is not in networking.

[eparis]

[test]

[eparis]

[merge] because looks like the last failure is #8480

[pecameron]

[TEST]

[eparis]

looks like you messed up the rebase quite badly...

[pecameron]

eparis, help! I sent you email

[eparis]

approved and [merge] failed test looks unrelated.

[openshift-bot]

Evaluated for origin test up to 36c680b

[eparis]

[merge] again because the failure is unrelated crap.

[pecameron]

@eparis Still failing. Could you try the merge again?

[eparis]

[merge] with extreme prejudice

[eparis]

This is [merge] try number 5
@danmcp I'm guessing there is nothing we can do about the aws m4.large failures?

[danmcp]

@eparis We have done some stuff. Most of the tests are no longer using them (they didn't really need them anyway). We can also switch zones if it continues to be a problem. I need to (or someone does) to do a little research to pick the best one to move to if we are going to switch.

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_origin/5637/) (Image: devenv-rhel7_3997)

[openshift-bot]

continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/3106/)

[eparis]

[merge] you silly PR. merge!

[openshift-bot]

Evaluated for origin merge up to 36c680b