DPS Auth requires Mutual TLS #2910

Merged
merged 4 commits into from Nov 4, 2019

chrisgilmerproj commented Nov 1, 2019

Description

DPS Auth uses Mutual TLS and I was unaware of this and gave bad guidance when we added CLI flags to split the services and listeners. This appeared in a security review of the architecture where we discovered that the dps.move.mil points to the NLB and not the ALB. On review of the code it's clear that it expects to get the Mutual TLS cert for authentication before doing anything with DPS in the same way that Orders API does.

The fix is to enable the flags on the app-client-tls container definition and remove them from the app container definition.

Code Review Verification Steps

  • Tested in the Experimental environment (for changes to containers, app startup, or connection to data stores)
  • Request review from a member of a different team.
  • Have the Pivotal acceptance criteria been met for this change?

References

@chrisgilmerproj chrisgilmerproj requested review from jim, mr337, Ryan-Koch and rdhariwal Nov 1, 2019
@chrisgilmerproj chrisgilmerproj self-assigned this Nov 1, 2019
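
The requirement stated in the description, that DPS auth gets a mutual TLS client certificate before doing anything, sketched as an added Go example. It is not code from this PR or the project; `mutualTLSConfig`, `requireClientCert`, `statusFor` and the `/example` path are hypothetical names.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// mutualTLSConfig (hypothetical) is what a client-TLS listener needs: the
// handshake itself demands a client certificate that chains to clientCAs.
func mutualTLSConfig(clientCAs *x509.CertPool) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  clientCAs,
	}
}

// requireClientCert (hypothetical) fails closed when the request did not arrive
// on a connection with a verified client certificate, for example because the
// route is served by a listener without mutual TLS or TLS ended upstream.
func requireClientCert(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// VerifiedChains is only populated after chain verification succeeded;
		// PeerCertificates alone may hold an unverified certificate.
		if r.TLS == nil || len(r.TLS.VerifiedChains) == 0 {
			http.Error(w, "client certificate required", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor runs the guarded handler against a constructed connection state.
func statusFor(state *tls.ConnectionState) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodGet, "/example", nil) // constructed path
	req.TLS = state
	rec := httptest.NewRecorder()
	requireClientCert(ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed states: no TLS, TLS without a client cert, verified client cert.
	verified := &tls.ConnectionState{VerifiedChains: [][]*x509.Certificate{{&x509.Certificate{}}}}
	fmt.Println(statusFor(nil), statusFor(&tls.ConnectionState{}), statusFor(verified))
}
```
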
@@ -17,8 +17,6 @@
"production",
"--debug-logging",
"--log-task-metadata",
"--db-env",
"container",

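Review bot: The hunk header (-17,8 +17,6) says two lines are dropped from this argument array, and the visible lines end in the pair "--db-env", "container"; because a flag and its value are separate array entries, a repeated pair like this is easy to miss in review. Suggest a CI lint step that fails when a container definition's command array repeats a flag. None of the visible lines touch the mutual TLS listener flags that the description says move from the app container to app-client-tls, so that part of the change should be confirmed in the other hunks.
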
chrisgilmerproj Nov 1, 2019


This was duplicated for some reason. We don't need it twice.

chrisgilmerproj commented Nov 4, 2019

This deployed to experimental with no problems and I was able to log into the Office app. I think we're good to go.

@chrisgilmerproj chrisgilmerproj merged commit 006b5fb into master Nov 4, 2019
16 checks passed
  • Summary: no rules match, no planned actions
  • ci/circleci: acceptance_tests_experimental: Your tests passed on CircleCI!
  • ci/circleci: acceptance_tests_local: Your tests passed on CircleCI!
  • ci/circleci: acceptance_tests_staging: Your tests passed on CircleCI!
  • ci/circleci: build_app: Your tests passed on CircleCI!
  • ci/circleci: build_migrations: Your tests passed on CircleCI!
  • ci/circleci: build_storybook_app: Your tests passed on CircleCI!
  • ci/circleci: build_tasks: Your tests passed on CircleCI!
  • ci/circleci: build_tools: Your tests passed on CircleCI!
  • ci/circleci: check_generated_code: Your tests passed on CircleCI!
  • ci/circleci: client_test: Your tests passed on CircleCI!
  • ci/circleci: integration_tests: Your tests passed on CircleCI!
  • ci/circleci: pre_deps_golang: Your tests passed on CircleCI!
  • ci/circleci: pre_deps_yarn: Your tests passed on CircleCI!
  • ci/circleci: pre_test: Your tests passed on CircleCI!
  • ci/circleci: server_test: Your tests passed on CircleCI!
@chrisgilmerproj chrisgilmerproj deleted the cg_dps_mutual_tls branch Nov 4, 2019