Add basic validation for route TLS configuration - checks that input is "syntactically" valid. #8366
Conversation
| routeapi "github.com/openshift/origin/pkg/route/api" | ||
| ) | ||
|
|
||
| // disableRouteTLSValidation returns whether or not to disable TLS config validation checks. | ||
| func disableRouteTLSValidation() bool { |
There was a problem hiding this comment.
Why not just create a new function and invoke it from the router in the unique_host check (or in an optional pre check step, based on a flag)?
|
[test] |
|
Can we check the cert order by validation? We already do that in other On Tue, Apr 5, 2016 at 10:19 PM, Ram Ranganathan [email protected]
|
|
We don't have to validate in the api server - for instance, rejecting a route because the cert is malformed from the router side is sufficient. My concern is letting haproxy do it (or having to do it for every single route) if the check is simple enough for us to do. |
|
We can be more strict than what haproxy allows (especially if we give a good error message), as long as we can be sure we're not less strict. |
|
Ok - will rework this and get some bits in from the other PR. |
|
Do we think that will be sufficient? Do we know of anything else beyond On Wed, Apr 6, 2016 at 2:01 PM, Ram Ranganathan [email protected]
|
ramr
force-pushed
the
route-tls-validation
branch
3 times, most recently
from
6f97439 to
f60e526
Compare
|
Ok @smarterclayton PTAL I pushed some changes. I added a check for cert verification + check key mismatches. Don't think we can do a full blown verification on cacerts or destcacerts (aka only support well known certifying authorities) as I suspect there could well be self signed ones on the edge [my testing] + private CAs on the haproxy-to-pod traffic end (re-encrypt) - i think we should allow for that. |
|
[test] |
ramr
force-pushed
the
route-tls-validation
branch
from
f60e526 to
e3e7d76
Compare
|
[test] |
|
Define full blown verification of cacerts? What problems would openssl On Thu, Apr 7, 2016 at 6:25 AM, OpenShift Bot [email protected]
|
|
So what verification involves is - pem is valid, is a cert, checking the cert is valid (expiry + allowed domains), the certificate chain is valid (which would return an unknown authority for self-signed/generated CAs) and then optionally any extended key usages. We can do that for the edge certificates we have as we have the associated ca cert but not for the cacert/destination cacert themselves. imho, this seems a bit backward to do in golang code anyway when |
|
Can we test the certs in isolation rather than have to generate them into On Thu, Apr 7, 2016 at 2:52 PM, Ram Ranganathan [email protected]
|
|
So that was my original intent but then there was a point made regarding testing in isolation vs with the rest of the config as there could be potential of failures when run in "tandem". Which was the reason for doing the validate-config on the generated config (just the new certs/keys/cacerts would be written but all the existing config + the config for the new service alias and its config/certs would be tested). |
|
What would the tandem failure be?
|
|
Due to overlapping backend configs. Some error cases I can think off could be due to with content switching overlapping frontend/backend modes, duplicate keys (which we catch in the service aliases map), duplicates ids and acls (would have to be a custom config though). Not a complete set by any stretch but just from a more defensive standpoint - checking in tandem vs isolation would address that and possibly be a bit more future-proof as it does catch more error cases. |
|
The first couple you mentioned seem like things we have to catch for almost My concerns with #8353 (at least, as of now) are as follows:
On Thu, Apr 7, 2016 at 4:00 PM, Ram Ranganathan [email protected]
|
|
So as re: the concerns on #8353 :
Edited numbering |
|
Let's talk tomorrow.
|
|
sounds good. |
|
[test] |
| @@ -42,6 +42,7 @@ type TemplatePluginConfig struct { | |||
| StatsUsername string | |||
| StatsPassword string | |||
| IncludeUDP bool | |||
| ValidateRouteTLSConfig bool | |||
There was a problem hiding this comment.
Maybe this should be ExtendedValidation which more stringently tests the route against a set of known good safe configuration.
| if o.ExtendedValidation { | ||
| nextPlugin = controller.NewExtendedValidator(nextPlugin, statusPlugin) | ||
| } | ||
| plugin := controller.NewUniqueHost(nextPlugin, o.RouteSelectionFunc(), statusPlugin) |
There was a problem hiding this comment.
cast statusPlugin to RejectionRecorder here so we know we're not using its plugin functions
ramr
force-pushed
the
route-tls-validation
branch
from
1b2902b to
34b0242
Compare
|
@liggitt made the fixes as per your recommendations, cleaned up remnants of the old implementation and added more tests. @smarterclayton @knobunc fyi. |
|
For Online Beta they are disabling custom hostnames, so that means that we don't need to allow custom certs. We need to work out how ops can disable certs (perhaps by deploying a custom router). We also need to get this patch landed for GA. |
|
@smarterclayton /bump anything else needed on this? |
|
Regarding sni lookup order, is a crt-list the solution? https://rafpe.ninja/2016/04/24/haproxy-ssl-domains-in-crt-list/ |
|
Will do final follow up on Monday. |
Looks like it. We probably need logic to decide which route's cert to use for a host when multiple routes have the same host (in scenarios where that is allowed) |
|
[test] |
1 similar comment
|
[test] |
|
Test failure is real |
|
Do you believe it will land in time to v1.2.0 ? |
|
No, this is unfortunately too big for 1.2.0. You however will be able to use a 1.3.0.alpha track router image for that. |
input is "syntactically" valid.
o Checkpoint initial code.
o Add support for validating route tls config.
o Add option for validating route tls config.
o Validation fixes.
o Check private key + cert mismatches.
o Add tests.
o Record route rejection.
o Hook into add route processing + store invalid service alias configs
in another place - easy to check prior errors on readmission.
o Remove entry from invalid service alias configs upon route removal.
o Add generated completions.
o Bug fixes.
o Recording rejecting routes is not working completely.
o Fix status update problem - we should set the status to admitted
only if we had no errors handling a route.
o Rework to use a new controller - extended_validator as per
@smarterclayton comments.
o Cleanup validation as per @liggitt comments.
o Update bash completions.
o Fixup older validation unit tests.
o Changes as per @liggitt review comments + cleanup tests.
o Fix failing test.
ramr
force-pushed
the
route-tls-validation
branch
from
34b0242 to
cdf242e
Compare
|
rebased and fixed tests |
|
[test] |
|
Evaluated for origin test up to cdf242e |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/3852/) |
|
@smarterclayton PTAL - rebased and fixed tests + all tests pass now. |
|
LGTM [merge] |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_origin/5924/) (Image: devenv-rhel7_4216) |
|
Evaluated for origin merge up to cdf242e |
Partial Fix for https://bugzilla.redhat.com/show_bug.cgi?id=1312292
@smarterclayton PTAL Thx
The other PR #8353 would be needed in addition to this for a complete fix but this one provides a partial fix to check input is valid PEM format.
Updated with testing instructions/usage.