Update TUF to handle HTTPS proxies

[trishankatdatadog]

Fixes issue #:

Unfortunately, TUF fails to work via HTTPS proxies, whereas the requests library does.

The problem is this well-intentioned but outdated code.

As the comment hints, I had borrowed that VerifiedHTTPSConnection code from pip back then, because I knew that python2 back then was not verifying hostnames on SSL certs. Unfortunately, this code is now severely outdated.

Description of the changes being introduced by the pull request:

The tuf.download module now uses the requests library. I have manually tested that it handles HTTPS proxies.

Changes:

• Install requests and its dependencies by default.
• Change the networking code to use requests instead of custom, outdated networking code.
• Remove option to specify custom SSL certs via a TUF setting. Instead, we depend on clients exporting the REQUESTS_CA_BUNDLE environment variable to requests.
• Remove tuf.settings.SLOW_START_GRACE_PERIOD, as this no longer seems terribly useful, because requests allow for setting connect and / or read timeouts.
• We no longer explicitly check for supported schemes (e.g., http and https only). This was originally done to prevent potentially unsafe requests to files on disk, but requests does not handle opening local files anyway.

TODO:

• Unfortunately, a few slow retrieval attack tests are failing. I'm too tired right now to figure out what is going on.
• Use a separate requests.Session per repository mirror to avoid sharing state, and accidentally falling for unknown / unforeseen security issues.
• Add unit tests to see whether: (1) hostnames are verified on SSL certs, and (2) HTTPS proxies are handled transparently
• Add version number to the TUF user agent
• Add documentation about: (1) exporting the REQUESTS_CA_BUNDLE and / or HTTPS_PROXY variables in order to handle HTTPS proxies, and (2) ensuring that different sessions are used per hostname
• Add coverage tests, if necessary

Please verify and check that the pull request fulfills the following
requirements:

• The code follows the Code Style Guidelines
• Tests have been added for the bug fix or new feature
• Docs have been added for the bug fix or new feature

[trishankatdatadog]

Cc @JustinCappos @SantiagoTorres @awwad

Need your eyes to carefully review, edit, and merge! 👀

[JustinCappos]

Jotted some quick thoughts down. Someone with more recent eyeballs in the code will likely find better things to comment on.

[JustinCappos]

Can we just change the requests line in this commit unless the rest are relevant? I don't mind you doing the alpha-reorder, but please let's split the commits so we can see why things are done.vv(Same for requirements.in too please)

I'm happy to make the edits, but want to double check that these files aren't order sensitive...

[JustinCappos]

I think we had this before because some adopters wanted to effectively turn this off and list max length allowed instead of the expected length for files. Why is this being changed? Is this change needed now?

[trishankatdatadog]

The reason why I changed itfrom<=to!= is because if there is a bug in the way the download function works, nothing actually prevents it from downloading more than it should. This happened to me, and I found the error message very misleading (e.g., 9 <= 5).

[awwad]

Behavior here has not changed. It should not be possible to get a length greater than expected due to the way the download code was written (and now as well, I think). If the code is changed and it becomes possible to end up with more, we can change the error message, but '<' currently communicates an expectation that has some value.

[JustinCappos]

Does this mean that there are no trusted certs by default? What does None do in this context?

[SantiagoTorres]

This used to be "use the default bundle that urllib resolves", instead we are going to use the environment variable that requests uses: REQUESTS_CA_BUNDLE that's here

[trishankatdatadog]

Correct. I figured we don't need two ways to configure the same thing right now.

[JustinCappos]

Seems like a very tight bound. Should this be higher?

[SantiagoTorres]

It is gone now. I think requests has a built-in start grace period.

[trishankatdatadog]

Correct, requests has a connect() timeout.

[JustinCappos]

Why did this change?

[trishankatdatadog]

Because network connections can be quite lossy in the real world. We found a customer who was timing out over HTTP, but that was more likely due to the stringest SLOW_START_GRACE_PERIOD of 0.1 seconds. This latter setting is gone now, because requests handles both connect() and read() timeouts.

[JustinCappos]

Key to fix before merging. Using a separate session for each hostname part of the URL should be easy. Perhaps make this a dict?

[trishankatdatadog]

Each hostname might be a bit overkill --- I was thinking a separate session per repository mirror, but better to be safe than sorry. Let me work on this.

[JustinCappos]

We probably should retain a comment explaining that this is where the http / https prefix from the settings.py file is checked (assuming that is the case) and that an ???Exception may be thrown as a result...

[trishankatdatadog]

I removed the check for whether a given URL matches http or https. Originally, we did this to avoid processing file:/// requests, but requests doesn't open files anyway, so we should be okay. I'm more in favour of simplicity. I can't imagine requests opening more dangerous protocols than http or https, but please correct me if wrong.

[JustinCappos]

What does this mean? Do you mean that TUF's communication protocol should have a version of its own so we might use different versions at different times? Do we want the version of TUF to be here instead?

[SantiagoTorres]

I think it's just overwriting the User-Agent to something that's not requests or python urrlibX. It'd be cleaner (and easier to analyze traffic) if we used something like TUF vX

[trishankatdatadog]

Correct. Sometimes you want to exactly which piece of software was downloading from your server. To be fair, it should be something like tuf-{tuf-version-number}-over-requests-{requests-version-number}.

[SantiagoTorres]

There are some very minor details. Otherwise it LGTM once the failing tests are addressed.

[SantiagoTorres]

I'd be happier if re-used that variable or assigned a constant for this 100

[trishankatdatadog]

@awwad, could you help me fix this? I think this might be related to the problems you've been seeing with bad hashes, and so on. Thanks in advance!

[SantiagoTorres]

I think it's just overwriting the User-Agent to something that's not requests or python urrlibX. It'd be cleaner (and easier to analyze traffic) if we used something like TUF vX

[SantiagoTorres]

This used to be "use the default bundle that urllib resolves", instead we are going to use the environment variable that requests uses: REQUESTS_CA_BUNDLE that's here

[SantiagoTorres]

It is gone now. I think requests has a built-in start grace period.

[SantiagoTorres]

Not related to this PR, but this finally clause with the response.close is then useless. I don't think finally works like this at all...

[awwad]

Resolved now (with the conflict). The strange try/except/finally was removed in #771.

[SantiagoTorres]

We definitely need something defined here, and add it to part of our release process...

[SantiagoTorres]

Again, not related to this PR, but moving to assertRaises as a context processor would make this code more readable...

[awwad]

Rebased.
Lots of tests fail here, and some comments explaining the changes would help. For example, the URL validation (such as it was) is pretty much all removed (I think all that's left is just a check that the URL is a string.). This might be fine if the requests call handles that, but that would be good to mention in the commit message or a comment.

Edit: most of the failures I was seeing had to do with the virtual box I was running it in. 😆 Saw 24 failures and balked. My bad.

[awwad]

I'll finish looking through it to make sure I haven't missed anything subtle and then fix the tests.

[trishankatdatadog]

@awwad AFAICT with tox at least, there were 2 test_slow_retrieval_attack tests failing for sure. There was 1 nondeterministic failure which made 1 map file test error out, which was weird. Thanks for fixing the tests, I'll address the rest of the comments!

[trishankatdatadog]

I have a PR for the sessions issue, but I can't push it now for some network reason, and I gotta run now. See you guys Monday!

[awwad]

This isn't going to work: read isn't defined. This is code from here and is a little more complicated than is ideal. It'll also match comment lines if they exist. Single-sourcing version number isn't necessary for this pull request, but if I was going to do it, I'd probably add a VERSION file and have tuf/__init__.py and setup.py each read that in. There could be problems with that, too. I'm going to punt on this and keep the version in two places and we can fix that less urgently. (Also, the user agent reporting a version seems less critical in any case than the rest of the PR.)

[awwad]

SlowRetrievalError is essentially part of the API (see ATTACKS.md), so I'll adjust this a bit to still raise that when we catch urllib3.exceptions.ReadTimeoutError().

[trishankatdatadog]

I am still having some strange network issues in my VM trying to push to / pull from GitHub. Let me send my updated PR as soon as I figure out what's going on.

[awwad]

Keep an eye out for any history differences? It wouldn't look like a network issue, but I did have to strip one of your commits (self-merge -- merging remote branch into local branch and then pushing) from the commit history.

Meanwhile, I'm looking at why bad hash errors are occurring in one of the tests where I don't expect them to occur. (Slow retrieval should cause an error that indicates that retrieval was slow/disrupted, not a bad hash.) The download code is a little kinky and probably could use some tidying up (in another PR, later, tbc).

[trishankatdatadog]

Okay, guys, I've added code to use a different session per hostname. Let me know what you think, and I'm happy to help with anything else!

P.S. There is not so much time pressure on this anymore, but the sooner we can fix this, the better :)

[awwad]

So, unlike the code without this PR merged, this branch downloads a target file all in the code that claims to make a connection. This makes the slow retrieval, endless data, etc. code moot (and also invalidates all the docstrings -- e.g. _download_fixed_amount_of_data is called on the response provided by requests, slowly reading out data from the request already retrieved from the server, and claims to be "where the download really happens").

Using stream=True in the requests.get() call might fix this. I'll tinker more.

(UPDATE: Hang on, I may have misunderstood something.....)

[trishankatdatadog]

We already use request.get(stream=True). Not sure what is going on to break the tests, I'm guessing some fragile assumptions were made...

[awwad]

Fixed some bad assumptions in the tests that resulted -- when the test failed -- in misleading errors (and clarified behavior with comments in the tests). Also raised ReadTimeoutError (from urllib) as an expected tuf.exceptions.SlowRetrievalError.

The test fails, however, because a slow retrieval attack is not prevented: streaming one byte per second for 400 (or, previously, 800) seconds is permitted to complete. I'll tinker and figure out how to prevent slow retrieval attacks with the requests calls.

[trishankatdatadog]

I wonder what's going on. Have you looked at the doc, Sebastien?

[awwad]

Yes. The current settings include a chunk size of 40k and a 5s timeout that is now interpreted by requests as a maximum gap between bytes (and also the timeout of the connect interval). This means that a transfer of 40k could take 50+ hours and still pass. We could tinker with those settings*, but what we really want is to interrupt the <=40k transfer if it's taking too long. I'm not sure if there's an option like that somewhere in requests.

* Barring a total-time-spent timeout for each chunk, I guess we could reduce the expected interval between bytes below one second (🙁), but we could also very substantially reduce the size of chunks and allow the existing means of measuring the rate of transfer to decide to raise SlowRetrievalError. I assume that'll lead to a slowdown. If we can't get a different behavior from requests, then max acceptable delay will be given by inter-byte timeout * chunk size. We can pick a sensible value (1 minute per chunk and a chunk size of 10kb?) and set tuf settings accordingly and add comments by the settings explaining their significance (and similar comments in the rate testing code).

[trishankatdatadog]

I think I sort of understand what's going on. Would you mind terribly much showing what you mean in the updated unit tests? Thanks in advance!

[awwad]

Not clear on the question, so in case you mean explaining the stack as it is tested, then:

updater.download_target() provides fpath len hashes to:
  -> updater._get_target_file() provides verifyfunc, fpath, len, safely=True to
    -> updater._get_file() provides mirrors and len to:
      -> tuf.download.safe_download provides len to:
        -> tuf.download._download_file(), which calls:      # the part we care about now
          -> tuf.download._download_fixed_amount_of_data()  # the part we care about now
        then tuf.download._check_downloaded_length
    then updater._get_file() continues by calling:
      -> verifyfunc (which is passed as verify_target_file, which calls updater._hard_check_file_length() and updater._check_hashes())

tuf.settings.SOCKET_TIMEOUT (5s) is used by tuf.download._download_file() to initialize a request object with a "timeout" that sets the aforementioned maximum time before the first byte and between further bytes. The request object is passed down to _download_fixed_amount_of_data(), which uses request.raw.read() with a chunk size of 40k (tuf.settings.CHUNK_SIZE) to read 40k at a time. Requests will time out if the first byte takes 5s to come, or any of the gaps between further bytes exceed 5s. After this first chunk is downloaded, _download_fixed_amount_of_data() checks to see if it's done. (It is; the test file provides 400b which is less than the chunk size of 40k, so it's done after one chunk.)
The call returns the data after 400+s and the test fails because no slow retrieval error was raised.

If there had been more than one chunk (if target file size > 40k), then _download_fixed_amount_of_data(), before continuing with another request.raw.read call for the second chunk, would check the amount of data requests provided and the time that passed during the call to requests against tuf.settings.MIN_AVERAGE_DOWNLOAD_SPEED. This check would fail in our case and an error would be raised, but only after the 400s for the first chunk. (If the file size were, say, 40k, this would have taken ~ 40,000 * delay between each byte).

Change Required:

The change that's called for (I'll make one or the other in a bit assuming I'm not off my rocker) is to either reduce chunk size and continue to use request.raw.read() or, instead of using request.raw.read(), call request.iter_content() with a much smaller chunk size (I think I prefer this option? Is there a reason raw.read() is preferable?), say 128b, resulting in the largest possible delay that can be caused by an attacker delivering at speeds less than that acceptable (tuf.settings.MIN_AVERAGE_DOWNLOAD_SPEED) being something like 11min (128 * tuf.settings.SOCKET_TIMEOUT) instead of 55 hours. That's probably still too long...? We can allow a 5s delay for the first byte and no more than 2s for further bytes, maybe (4.3min)? Smaller iter_content sizes are also possible. I'm not sure what the loss to efficiency would be, but I could test it, I guess.

TBC, ideally we could call request.iter_content(40k, max_duration=X seconds) or something, but I don't see that option anywhere after looking through some feature requests.

[awwad]

I feel like Vlad toyed with requests and elected not to use it? I don't really recall at this point -- maybe we used to use it and moved away.... This (no total timeout option for an individual read) would be a decent reason for that. Maybe there's a way to do this via urllib3? (don't see that yet, but haven't really looked properly).

UPDATE: don't see it in urllib3 after moderate search

[trishankatdatadog]

The problem with response.iter_content() is that it's a generator that uses a fixed-size chunk in every loop. That means you can't control downloading exactly the number of bytes you want, and avoid endless data attacks (admittedly small with a small chunk size, but still).

[trishankatdatadog]

I strongly recommend using requests as a backbone, because custom networking code is prone to problems that have been solved in production-tested libraries such as requests. requests also does a lot of things that urllib3 does not (such as by-default verification of SSL requests using certifi), and I would strongly recommend against writing our own networking stack, as this stuff is tricky, and easy to miss a lot of things that arise in the real world.

[trishankatdatadog]

Having said all this, the way we used to handle slow retrieval errors appears to be broken using requests, and so we need to think of satisfactory solutions. Your idea of using a small chunk size seems feasible, but it does result in a lot of network calls. Let's think a bit more, and see.

[aaaaalbert]

If there isn't a striking reason for not capitalizing HTTP, I would suggest you do throughout.

[aaaaalbert]

(I think I get the idea of capitalization ~ highlighting, but this looks terrible to me.)

[aaaaalbert]

Perhaps remove the elif/else and do self.old_env_values[key] = os.environ.get(key, None).

[aaaaalbert]

(BTW, what about os.execveing things and supplying a modified environment directly, instead of saving/restoring the current one?)

[awwad]

Your suggestion reduced 6 lines to 2. Thanks!
As for execve: seems like a messy option. I'm not sure I'd want to fully replace the environment variables (instead of tweaking them) and I'm not sure I want to close the existing process and transition to a new one (temp files?). Popen execve? Not sure. I think this is probably easier and more acceptable.

[aaaaalbert]

Remove trailing )

[aaaaalbert]

Use sys.executable instead of python. (It could be python3, python2.7 etc. depending on your setup.)

[aaaaalbert]

And/or consider Popening a Python interpreter a common function and spin it off into a separate function. (The code seems to do this a lot, across files in the PR).

[trishankatdatadog]

Hi Sebastien,

Sorry, don't mean to press you, but could we please get a dev release at least ASAP? We have the Agent 6.6 release frozen at the end of next week, and I'd like to test this ASAP, so that we can update TUF in the Agent next week if all goes well. Thanks very much in advance!

Cc: @nmuesch @olivielpeau

[awwad]

No problem. I'll merge sometime today (and release).

[trishankatdatadog]

@nmuesch Can we get your customer to install the latest stable Agent, and then update TUF manually to see if that fixes the problem?

[awwad]

Merged and an alpha released produced: https://github.com/theupdateframework/tuf/releases/tag/v0.11.2-alpha

Oh, I should mention that I wasn't expecting to put this on PyPI until the vulnerability is resolved. I hope that's OK. I could be convinced otherwise, so if this is an issue, LMK. For now, it's just on GitHub.

[awwad]

@trishankatdatadog

[trishankatdatadog]

@awwad Could we please get a tuf-0.11.2.dev1 release on PyPI? Otherwise, it's hard for us to beta test this. The dev release ensures users cannot install it by accident (need to pass --pre flag to pip). Thanks!

[awwad]

https://pypi.org/project/tuf/0.11.2.dev1/
There's some confusion in the way we have dev version numbers listed, so mind the version.

[trishankatdatadog]

Thanks @awwad !