Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

core/config: remove support for base64 encoded certificates #4718

Merged
merged 6 commits into from Nov 8, 2023
Merged

core/config: remove support for base64 encoded certificates #4718

merged 6 commits into from Nov 8, 2023

Conversation

calebdoxsey
Copy link
Contributor

Summary

Remove support for base64 encoded certificates in the certificates field (confusingly named CertificateFiles in the optinos). This is a breaking change.

Related issues

Fixes https://github.com/pomerium/internal/issues/1580

Checklist

  • reference any related issues
  • updated docs
  • updated unit tests
  • updated UPGRADING.md
  • add appropriate tag (improvement / bug / etc)
  • ready for review

@calebdoxsey calebdoxsey added the breaking Backward incompatible change in behaviour, api or config label Nov 7, 2023
@calebdoxsey calebdoxsey requested a review from a team as a code owner November 7, 2023 21:42
@coveralls
Copy link

coveralls commented Nov 7, 2023
edited

Coverage Status

coverage: 63.683% (+0.005%) from 63.678%
when pulling fcc8fe3 on cdoxsey/certificates
into 77f9893 on main.

wasaga
wasaga approved these changes Nov 8, 2023
View reviewed changes
Copy link
Contributor

@wasaga wasaga left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

for follow-up discussion: https://github.com/pomerium/internal/issues/1582

config/options.go
cfp.KeyFile = base64.StdEncoding.EncodeToString(c.KeyBytes)

cert, err := cryptutil.ParsePEMCertificateFromBase64(cfp.CertFile)
cert, err := cryptutil.ParsePEMCertificate(c.GetCertBytes())
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what do you think about dropping validation in this function, and making it just concatenate the data and that's all.

this function is called from ApplySettings which is not returning any error

pomerium/config/options.go

Line 1411 in ffca3b3

o.applyExternalCerts(ctx, certsIndex, settings.GetCertificates())

which, in turn, is called from config_source:

pomerium/internal/databroker/config_source.go

Lines 174 to 178 in ffca3b3

for i := 0; i < len(ids) && ctx.Err() == nil; i++ {
cfgpb := src.dbConfigs[ids[i]]
cfg.Options.ApplySettings(ctx, certsIndex, cfgpb.Settings)
}
}

which merges data from external clients, which are supposed to perform config validation on their side?

plus there's additional cert parsing and erroring in Options.GetCertificates and Options.GetX509Certificates

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So to clarify, we would like to rollback the requirements from https://github.com/pomerium/internal/issues/449 ?

We no longer want to enforce the call to certsIndex.OverlapsWithExistingCertificate(cert) to prevent console / ingress controller certificates from overriding core certificates?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you are right. let's keep it then.

I can add skipping this check in case validation is disabled (certsIndex == nil) in a follow up pr

pomerium/internal/databroker/config_source.go

Lines 167 to 169 in 205aa8c

if src.enableValidation {
certsIndex = cryptutil.NewCertificatesIndex()
for _, cert := range cfg.Options.GetX509Certificates() {

config/config_source_test.go Outdated
"github.com/stretchr/testify/assert"
)

func TestFileWatcherSource(t *testing.T) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why remove this test?

@wasaga wasaga mentioned this pull request Nov 8, 2023
Closed
6 tasks
@calebdoxsey calebdoxsey merged commit 62a9299 into main Nov 8, 2023
9 checks passed
@calebdoxsey calebdoxsey deleted the cdoxsey/certificates branch November 8, 2023 20:08
@backport-actions-token backport-actions-token bot mentioned this pull request Nov 8, 2023
Merged
backport-actions-token bot pushed a commit that referenced this pull request Nov 8, 2023
@calebdoxsey @github-actions
core/config: remove support for base64 encoded certificates (#4718)
9598c99 
* core/config: update file watcher source to handle base64 encoded certificates

* fix data race

* core/config: only allow files in certificates

* remove test

* re-add test
wasaga pushed a commit that referenced this pull request Nov 8, 2023
@backport-actions-token @calebdoxsey
core/config: remove support for base64 encoded certificates (#4725)
da9b14d 
core/config: remove support for base64 encoded certificates (#4718)

* core/config: update file watcher source to handle base64 encoded certificates

* fix data race

* core/config: only allow files in certificates

* remove test

* re-add test

Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wasaga wasaga wasaga approved these changes

Assignees
No one assigned
Labels
backport 0-24-0 breaking Backward incompatible change in behaviour, api or config
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@calebdoxsey @coveralls @wasaga