cmd/snap-repair: track and use a lower bound for the time for TLS checks #3781

Merged
merged 6 commits into from Aug 31, 2017

Conversation

Projects
None yet
5 participants
Contributor

pedronis commented Aug 22, 2017

This tracks and uses a lower bound for time for TLS checks, as was discussed here:

https://forum.snapcraft.io/t/repair-capability-emergency-fixes/311/33

codecov-io commented Aug 22, 2017

Codecov Report

Merging #3781 into master will decrease coverage by <.01%.
The diff coverage is 84%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #3781      +/-   ##
==========================================
- Coverage   75.73%   75.73%   -0.01%     
==========================================
  Files         409      409              
  Lines       35345    35388      +43     
==========================================
+ Hits        26770    26800      +30     
- Misses       6680     6691      +11     
- Partials     1895     1897       +2
Impacted Files Coverage Δ
httputil/logger.go 81.48% <44.44%> (-7.65%) ⬇️
cmd/snap-repair/runner.go 84.93% <92.68%> (+0.45%) ⬆️
cmd/snap/cmd_aliases.go 93.33% <0%> (-1.67%) ⬇️
interfaces/sorting.go 98.71% <0%> (-1.29%) ⬇️
overlord/snapstate/snapstate.go 80.42% <0%> (-0.26%) ⬇️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b013aa7...cb1f358. Read the comment docs.

@pedronis pedronis requested a review from niemeyer Aug 24, 2017

mvo5 approved these changes Aug 25, 2017

This looks very nice, some nitpicks and suggestions for your consideration inline.

@@ -180,6 +183,14 @@ func (run *Runner) Fetch(brandID, repairID string, revision int) (repair *assert
return nil, nil, err
}
+ moveTimeLowerBound := true
@mvo5

mvo5 Aug 25, 2017

Collaborator

(nitpick/idea): if we had a run.maybeMoveTimeLowerBound(resp *http.Response) we could just do a unconditional defer run.maybeMoveTimeLowerBound(resp) here and do the check for the return code inside maybeMoveTimeLowerBound() thus being slightly more DRY.

@pedronis

pedronis Aug 25, 2017

Contributor

but the set of return codes that we consider normal is not fixed

@mvo5

mvo5 Aug 28, 2017

Collaborator

Indeed, ignore my previous comment.

cmd/snap-repair/runner_test.go
@@ -139,6 +157,15 @@ func mustParseURL(s string) *url.URL {
return u
}
+func (s *runnerSuite) mockNow(c *C, runner *repair.Runner) (restore func()) {
@mvo5

mvo5 Aug 25, 2017

Collaborator

Maybe we can call this something more descriptive, i.e. in what way now is mocked. Maybe: mockTimeNowBroken, mockTimeNowReturnsEpoch, simulateBrokenClock or similar? This will make the subsequent tests that use it easier to read.

cmd/snap-repair/runner_test.go
repair, aux, err := runner.Fetch("canonical", "2", -1)
c.Assert(err, IsNil)
c.Check(repair, NotNil)
c.Check(aux, HasLen, 0)
c.Check(repair.BrandID(), Equals, "canonical")
c.Check(repair.RepairID(), Equals, "2")
c.Check(repair.Body(), DeepEquals, []byte("script\n"))
+
+ c.Check(runner.TLSTime().Before(t0), Equals, false)
@mvo5

mvo5 Aug 25, 2017

Collaborator

Maybe we could make this a tiny bit more descriptive by adding a small helper, something has a name like: s.checkTLSTimeGotUpdate() (or similar) which would do the t0 := time.Now() internally. With the other suggested name change it would be something like:

r := s.simulateTimeNowBroken()
...
c.checkTimeNoLongerBroken()

(feel free to pick better names of course :)

+var (
+ defaultTransport *http.Transport = http.DefaultTransport.(*http.Transport)
+)
+
// NewHTTPCLient returns a new http.Client with a LoggedTransport, a
// Timeout and preservation of range requests across redirects
func NewHTTPClient(opts *ClientOpts) *http.Client {
@mvo5

mvo5 Aug 25, 2017

Collaborator

Still a bit mind-boggling that NewHTTPClient() is in logger.go - but nothing to do with this branch :)

some more clarity through helpers about testing mitigating bad curren…
…t time, set a test time t0 on the suite for reference
Collaborator

mvo5 commented Aug 25, 2017

Thanks a lot for the update, looks even nicer now.

zyga approved these changes Aug 30, 2017

LGTM, one question about storing the lower bound in the state (perhaps I'm missing something and it is already done).

cmd/snap-repair/runner.go
@@ -318,12 +340,36 @@ func (run *Runner) readState() error {
return dec.Decode(&run.state)
}
+func (run *Runner) moveTimeLowerBound(t time.Time) {
+ if t.After(run.state.TimeLowerBound) {
+ run.state.TimeLowerBound = t.UTC()
@zyga

zyga Aug 30, 2017

Contributor

Nice :-)

Should we store such lower bound in the state persistently, so that we prevent general time rewind attacks (of whatever kind?)

pedronis and others added some commits Aug 30, 2017

@mvo5 mvo5 merged commit 73bbe43 into snapcore:master Aug 31, 2017

1 of 7 checks passed

artful-amd64 autopkgtest running
Details
xenial-amd64 autopkgtest running
Details
xenial-i386 autopkgtest running
Details
xenial-ppc64el autopkgtest running
Details
yakkety-amd64 autopkgtest running
Details
zesty-amd64 autopkgtest running
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details

@pedronis pedronis deleted the pedronis:repair-tls-time-lower-bound branch Aug 31, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment