Ensure SSL changes are logged. #5423

Merged
merged 4 commits into from
Jan 15, 2021


@tcfdev tcfdev commented Jan 12, 2021

There are three endpoints (Add, Generate, Delete) that manipulate SSL certificates
for a delivery service. (Actually there are more with the Let's Encrypt ACME
endpoints, but those have a different changelog order of operations). These all
must log their action in the Changelog for verification and confirmation when
the actions complete. Generate and Delete successfully log the changes, however
Add was apparently not.

In fact, there are two successful cases where the SSL keys could be added and
the endpoint would return prematurely, preventing the action from being logged
in the Changelog. The Changelog entry is now performed before the return of
these two logic flows.

Additionally added a comment to a public package function (Generate) and clarified
language within the Changelog messages.

What does this PR (Pull Request) do?

Which Traffic Control components are affected by this PR?

  • Traffic Ops
  • Traffic Portal

What is the best way to verify this PR?

This PR can be validated by performing curl requests against the various endpoints.

You will need to replace the values where appropriate to work with your dataset (hostname, deliveryservice, key, cookies, etc.). Alternatively you can utilize TP for the Generate and Add/Update, but will need to use the curl call to Delete.

Generate example

curl --request POST \
  --url https://localhost:9090/api/3.1/deliveryservices/sslkeys/generate \
  --header 'Cookie: mojolicious={{cookie value}}' \
  --data '{"hostname":"*.unique-snowflake.xavier.localhost","country":"US","state":"New York","city":"Westchester","organization":"Marvel","businessUnit":"Xmen","version":7,"cdn":"xavier","deliveryservice":"unique-snowflake","key":"unique-snowflake"}'

Add / Update example

curl --request POST \
  --url https://localhost:9090/api/3.1/deliveryservices/sslkeys/add \
  --header 'Cookie: mojolicious={{Cookie Value}}' \
  --data '{"authType":"Self Signed","cdn":"xavier","deliveryservice":"unique-snowflake","businessUnit":"Xmen","city":"Westchester","organization":"Marvel","hostname":"*.unique-snowflake.xavier.localhost","country":"US","state":"New York","key":"unique-snowflake","version":8,"certificate":{"crt":"-----BEGIN CERTIFICATE-----\nMIID+TCCAuGgAwIBAgIQIBbwljulIIgo8iAnuzd+qDANBgkqhkiG9w0BAQsFADCB\nhDELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE5ldyBZb3JrMRQwEgYDVQQHEwtXZXN0\nY2hlc3RlcjEPMA0GA1UEChMGTWFydmVsMQ0wCwYDVQQLEwRYbWVuMSwwKgYDVQQD\nDCMqLnVuaXF1ZS1zbm93Zmxha2UueGF2aWVyLmxvY2FsaG9zdDAeFw0yMTAxMTIw\nMDI3MTdaFw0yMjAxMTIwMDI3MTdaMIGEMQswCQYDVQQGEwJVUzERMA8GA1UECBMI\nTmV3IFlvcmsxFDASBgNVBAcTC1dlc3RjaGVzdGVyMQ8wDQYDVQQKEwZNYXJ2ZWwx\nDTALBgNVBAsTBFhtZW4xLDAqBgNVBAMMIyoudW5pcXVlLXNub3dmbGFrZS54YXZp\nZXIubG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4JSs\nGEBiA2xN25wIOOJYA0gcBN74bKNzxc0amFwVyz89R2xOrSFd9lw4v+5Mz3dO8gEM\nrtOIbOebs8GOStTyx929DtV3PuImiT7w1xBHcjXqIeIr0NXqI9D9B+BoZRYoNrN9\nczV9IfF/FFRKsZnK3iAhS1Ij8OOrmFJaJgmCXSNzPQWeUsjSTXcf9yIg7OXFnNCd\n5sqsom+FdhcWG4j1R26d1XnfFqGgUtVYatJMNqr2CqvnkTB2rPqyXQqGl+04lQiy\nYWJMsUZljW+K7VB+DOBxXIrevloNJOTla/HkW4/Sg53rBRZEcSK5UaqN4/bqtDfw\nNLXynP+94VOSw8p0xwIDAQABo2UwYzAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAww\nCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAuBgNVHREEJzAlgiMqLnVuaXF1ZS1z\nbm93Zmxha2UueGF2aWVyLmxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAAOCAQEAFZ+R\nwD81a71qpAZ4surTBwXh6z2IbrTuonccXpjXwsQDyef+mO7C/JyDavz9qb91Y8rM\n9Fp72aD7f5fqzSwEBW15Cg3P+f5Swi9LQvrDxJmCACfEJo0poUKlnHYmlbrytvxy\nf8NcqHJ9BtjO/Uex9g5Lum6SOFrW6vzE6kRk82kmVLoergHONauuOTViATRdJXJY\noMYlf4GlFITsWCThTNFqALCHqBo1719t6mWm/ZmwAVXyyrxbMGssOu9zafQQsYBb\nWB6JZme16qi7tvh5uozgY6lEXEg1DLD9c96ZeGI03nAVETXvSkuZKj++RTADvq3c\nYyeUhrd1x/oIsGyT+g==\n-----END CERTIFICATE-----","key":"-----BEGIN RSA PRIVATE 
KEY-----\nMIIEowIBAAKCAQEA4JSsGEBiA2xN25wIOOJYA0gcBN74bKNzxc0amFwVyz89R2xO\nrSFd9lw4v+5Mz3dO8gEMrtOIbOebs8GOStTyx929DtV3PuImiT7w1xBHcjXqIeIr\n0NXqI9D9B+BoZRYoNrN9czV9IfF/FFRKsZnK3iAhS1Ij8OOrmFJaJgmCXSNzPQWe\nUsjSTXcf9yIg7OXFnNCd5sqsom+FdhcWG4j1R26d1XnfFqGgUtVYatJMNqr2Cqvn\nkTB2rPqyXQqGl+04lQiyYWJMsUZljW+K7VB+DOBxXIrevloNJOTla/HkW4/Sg53r\nBRZEcSK5UaqN4/bqtDfwNLXynP+94VOSw8p0xwIDAQABAoIBAAdPL262oboEy1/r\nayUW0NCCh07tRt6aT0lPzJ7K2Ha9/yuU7daasGk1RS+R/PP/qRUdTaFfByCsRRgL\no6rx1VkF8YJLFk94otJytvn48KpZ8N3bc5ufarhxs9qOxjcMCpEFNH8MbZ8uMfmi\naK/xFnY2S38dFEhh0JLrkz2Lr6+CST+t2BtNwnn6olO0Xa7GI9LvxzQOuGCoEjky\nhavrbj3VnW4twLm5BwhahwjcN8u0BU+GdZokxn6cK3PkH6hczUOCGHLGywUHK5Ho\n9dDvm54mI+MHTatlBPkjKQUYyO8rI/wYalEN2yXILqIM1IoRh3wVRtgoCUQk3HHW\ncrKx7wECgYEA9pCWS9rJNFEQRZazQMQMX4gS7eEtR57vjQQq0+QLJ7FSSoRTC9w7\nn3LG+pD7xa2xlleDL+CfV8gf+Ppqx0v83gaWmGnIIGWifqkdqNydSPQIZeIKtDtO\n0X0nkM1SrmCr247yq+0t+69llyBe2vcRpetXi4qGPuzAEeDfunnlqUcCgYEA6Sy5\nR4d/OTOY3TdsbcPQkMxq25vEd+5xV7Up9sq9/mb14z6G2gMZdffAqvn5Ax+9XN+2\nrzdNeTjJrIkzbKpWp5I+QjBXlksjK4hxHu1dFmbD4JyQKjAl8/w3faKbIGHbi4K5\nHoMQOer8VWmmH1CAvyFb5raQBrhGUoEBZxgCmIECgYBgbAiqn2PB1tWzMQzmjgR8\ns30bk8yeTpRFpFSPSoXmPtz8kSTc5YJXh44y3NHo61UggxaleYU20edW+a8aQygf\nN5pa/jsqGDTkrYQQzj2gEvbZyP0AoJThLb10TidAVEPA9/UEsRsjauMip6EQpkA7\nj35L7p8zKmiuVS+JADSE7wKBgCidEJyD3kYBVbPaTnmD7NT7tfUQWZUmI/nJ5UhG\nIfeoyVVOc8CPX6TrhVSCe7vukFYX5UL5l/XwTThPIXTg6nz/fPacYvUbm0Ge300q\nvNcFCUMbIgUnI8Uufh/U7b4jLVFMcJ/+5hmgc1kRMM0tgW9JCS/TRpzVBfKi47Ko\nPPOBAoGBAL7vg3/R6RWY3vnWCTKGyOtZr3Fh87ypIijnQNZ2xjZIUwDhBk7gx80y\nmpueAjR+nQb3JfXGrV4iiGbRWIWZwf1Rj4HIUthkT01cQ3AUxcnYu+M4/Rv47lJr\nII+J8PzjT0ft6pKTX5MSMeyT8FeJqrskp/jj9DwJ240vnAtiflwn\n-----END RSA PRIVATE KEY-----\n","csr":"-----BEGIN CERTIFICATE 
REQUEST-----\nMIICyjCCAbICAQAwgYQxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazEU\nMBIGA1UEBxMLV2VzdGNoZXN0ZXIxDzANBgNVBAoTBk1hcnZlbDENMAsGA1UECxME\nWG1lbjEsMCoGA1UEAwwjKi51bmlxdWUtc25vd2ZsYWtlLnhhdmllci5sb2NhbGhv\nc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDglKwYQGIDbE3bnAg4\n4lgDSBwE3vhso3PFzRqYXBXLPz1HbE6tIV32XDi/7kzPd07yAQyu04hs55uzwY5K\n1PLH3b0O1Xc+4iaJPvDXEEdyNeoh4ivQ1eoj0P0H4GhlFig2s31zNX0h8X8UVEqx\nmcreICFLUiPw46uYUlomCYJdI3M9BZ5SyNJNdx/3IiDs5cWc0J3myqyib4V2FxYb\niPVHbp3Ved8WoaBS1Vhq0kw2qvYKq+eRMHas+rJdCoaX7TiVCLJhYkyxRmWNb4rt\nUH4M4HFcit6+Wg0k5OVr8eRbj9KDnesFFkRxIrlRqo3j9uq0N/A0tfKc/73hU5LD\nynTHAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAIenbNRJsOZ0qZyjCwQW7lYV4\nMRi1Gz2mBJeE7UB9DELa7KwXxpvjftFhZRe1xuB3JYjqVt/x6YYkpQLr+6PXrRqW\ncHsjO5Y+uTdpnP2CjuMA0nK3ssZMKEmUBTR5DXKUL6JR+QqL6psvfbI+DTCoa9ra\npRz+1QQY/wz+ejuGrbdGWPcRcSPpZo1nhJjwIIHlkI/aZ7FdFQxsniQkFP2IVhBg\nCPxE/8hNrdsnbJw5gGy0WbAOqTSRv2Bbwr0YhbgXK8AqnmTtoGKhKGe1x/UmMQIA\nkMqiiKN8g03aSZl3YWSxgnhOHJ19LNAFBTPqgOVO2gdt0XLYl4EoUiA25zKnUw==\n-----END CERTIFICATE REQUEST-----\n"},"expiration":"2022-01-12T00:27:17Z"}'

Delete

curl --request DELETE \
  --url https://localhost:9090/api/3.1/deliveryservices/xmlId/{{xmlID}}/sslkeys \
  --header 'Cookie: mojolicious={{Cookie Value}}'

If this is a bug fix, what versions of Traffic Control are affected?

master (0ad2086)

The following criteria are ALL met by this PR

  • This PR includes tests OR I have explained why tests are unnecessary
  • This PR includes documentation OR I have explained why documentation is unnecessary
  • This PR includes an update to CHANGELOG.md OR such an update is not necessary
  • This PR includes any and all required license headers
  • This PR DOES NOT FIX A SERIOUS SECURITY VULNERABILITY (see the Apache Software Foundation's security guidelines for details)

Additional Information

Taylor Frey added 2 commits January 11, 2021 17:09
There are three endpoints (Add, Generate, Delete) that manipulate SSL certificates
for a delivery service. (Actually there are more with the Let's Encrypt ACME
endpoints, but those have a different changelog order of operations). These all
must log their action in the Changelog for verification and confirmation when
the actions complete. Generate and Delete successfully log the changes, however
Add was apparently not.

In fact, there are two successful cases where the SSL keys could be added and
the endpoint would return prematurely, preventing the action from being logged
in the Changelog. The Changelog entry is now performed before the return of
these two logic flows.

Additionally added a comment to a public package function (Generate) and clarified
language within the Changelog messages.
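
The failure mode described above, reduced to a self-contained Go sketch: this is an added example, not code from this PR or from Traffic Ops. The types, function names and the two conditions that trigger the early returns are assumptions; the check at the end drives every success path and reports the ones that stored keys without leaving a Changelog entry.

```go
package main

import "fmt"

type Changelog struct{ Entries []string } // hypothetical stand-in for the Changelog
type keyStore map[string]int              // hypothetical store: xmlID -> key version

// addBuggy returns early on two success paths (conditions assumed), skipping the audit call.
func addBuggy(s keyStore, cl *Changelog, ds string, ver int, selfSigned bool) string {
	_, existed := s[ds]
	s[ds] = ver
	if selfSigned {
		return "added with warning" // keys stored, no Changelog entry
	}
	if existed {
		return "updated" // keys stored, no Changelog entry
	}
	cl.Entries = append(cl.Entries, "DS: "+ds+", action: Added SSL keys")
	return "added"
}

// addFixed records the entry right after the write, before any success return.
func addFixed(s keyStore, cl *Changelog, ds string, ver int, selfSigned bool) string {
	_, existed := s[ds]
	s[ds] = ver
	cl.Entries = append(cl.Entries, "DS: "+ds+", action: Added SSL keys")
	if selfSigned {
		return "added with warning"
	}
	if existed {
		return "updated"
	}
	return "added"
}

// auditGaps drives every success path and returns those that left no Changelog entry.
func auditGaps(add func(keyStore, *Changelog, string, int, bool) string) (gaps []string) {
	for _, c := range []struct{ s keyStore; selfSigned bool }{{keyStore{}, false}, {keyStore{}, true}, {keyStore{"unique-snowflake": 7}, false}} {
		cl := &Changelog{}
		if res := add(c.s, cl, "unique-snowflake", 8, c.selfSigned); len(cl.Entries) != 1 {
			gaps = append(gaps, res)
		}
	}
	return gaps
}

func main() {
	fmt.Println("buggy:", auditGaps(addBuggy), "fixed:", auditGaps(addFixed))
}
```

A table-driven check of this shape, kept in the test suite, catches a later success path that is added without its audit entry.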
@tcfdev tcfdev marked this pull request as ready for review January 12, 2021 00:37
@mitchell852 mitchell852 added the Traffic Ops and bug labels Jan 12, 2021
@mattjackson220 mattjackson220 self-requested a review January 14, 2021 17:21
@mattjackson220 mattjackson220 left a comment

Code looks good, tests pass, and log messages show up as expected! Nice!

@mattjackson220 mattjackson220 merged commit 7d1192f into apache:master Jan 15, 2021
Labels
bug, Traffic Ops
Development

Successfully merging this pull request may close these issues.

Add/update SSL keys on a delivery service does not create change log entry
3 participants