Make sure certificate is verified when required by RestApiClientAsync #1620
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## develop #1620 +/- ##
===========================================
- Coverage 86.04% 86.00% -0.05%
===========================================
Files 572 572
Lines 48653 48676 +23
===========================================
- Hits 41865 41863 -2
- Misses 6788 6813 +25 ☔ View full report in Codecov by Sentry. |
| @@ -26,6 +26,7 @@ def __init__(self, connection, configuration): | |||
| auth = BasicAuth(conf_auth['username'], conf_auth['password']) | |||
| self.client = RestApiClientAsync(None, | |||
| auth=auth, | |||
| cert_verify=connection.get('selfSignedCert', False), | |||
There was a problem hiding this comment.
Please provide a valid reason why this is False. Certificate verification must never be disabled by default.
There was a problem hiding this comment.
@mdazam1942 Can you send me the error message that you get when you try to talk to stix bundles using https
There was a problem hiding this comment.
STIX bundles are public URLs, the connector doesn't allow you to even pass a certificate.
There was a problem hiding this comment.
this is a special case. this is basically a demo connector. if anyone wants to use a url that is behind some kind of server that requires ssl cert validation then they can implement in their own. we have test cases using public url that doesn't require any ssl cert validation and in fact it rejects the call if the connector enforces it. here's error:
stix_shifter_utils.utils.error_response:error_response.py:91 unsupplied connector name connector error occurred: client_connector_error: (Cannot connect to host raw.githubusercontent.com:443 ssl:<ssl.SSLContext object at 0x7fd323d38540> [Network is unreachable])
There was a problem hiding this comment.
ok so we dont set the cert verify the false anymore. we made sure default ssl check is performed is certificate is not presented.
Every connector has functional unittest that run through Can you suggests what kind of test you are looking for? we can add functional unittests just for this class which will basically mock the ssl verification. |
|
Tested this changes on some connector that uses saas datasources api. They are returning We need to revert back few of those changes that require to have certificate |
mdazam1942
force-pushed
the
certificate_verification_fix
branch
from
afb0db2
to
2ea9106
Compare
| self.ssl_context.load_verify_locations(self.server_cert_name) | ||
| except Exception as ex: | ||
| self.logger.debug('Unable to load the certificate for ssl context. Reasons: Connection does not require certificate or unexpected exception while loading the certificate: ' + str(ex)) | ||
|
|
||
| self.ssl_context.verify_mode = ssl.CERT_REQUIRED |
There was a problem hiding this comment.
verify_mode and check_hostname cannot be conditional they must be applied even in the case of using a default ssl context but I don't see a call to ssl.create_default_context() any where.
There was a problem hiding this comment.
updated the code to remove ambiguity around certificate validation. now certificate is verified in both custom or default cases. also remove the option to force validation to false.
I want to see both positive and negative tests for: trusted and untrusted certificate chains, valid and invalid hostnames, current and expired certs as minimums. Any time you override the default validation you have to explicitly make sure it's actually correctly validating certificates. |
@Rory-Bray how do we handle mocking the server side functionality to do these tests? |
…#1620) Deprecates selfSignedCert: false bypasss
* CP4S-39527 Initial Translation Code - Draft * Tanium Threat Response * Fix Azure log analytics results translation. (#1612) Updating azure log analytics review comments. 1. Added transformer for converting int to float for latitude. 2.Updated TimestampConversion transformer to handle without milliseconds and added mappings for first and last observed. 3. Updated transformer to handle ConfidenceScore value is 'nan'. * Bump aioboto3 from 11.3.1 to 12.0.0 in /stix_shifter (#1611) Bumps [aioboto3](https://github.com/terrycain/aioboto3) from 11.3.1 to 12.0.0. - [Changelog](https://github.com/terrycain/aioboto3/blob/main/CHANGELOG.rst) - [Commits](terricain/aioboto3@v11.3.1...v12.0.0) --- updated-dependencies: - dependency-name: aioboto3 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump pyopenssl from 23.2.0 to 23.3.0 in /stix_shifter (#1610) Bumps [pyopenssl](https://github.com/pyca/pyopenssl) from 23.2.0 to 23.3.0. - [Changelog](https://github.com/pyca/pyopenssl/blob/main/CHANGELOG.rst) - [Commits](pyca/pyopenssl@23.2.0...23.3.0) --- updated-dependencies: - dependency-name: pyopenssl dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * table of mapping script update for to-stix dialects (#1609) * Bump azure-identity from 1.14.1 to 1.15.0 in /stix_shifter (#1614) Bumps [azure-identity](https://github.com/Azure/azure-sdk-for-python) from 1.14.1 to 1.15.0. - [Release notes](https://github.com/Azure/azure-sdk-for-python/releases) - [Changelog](https://github.com/Azure/azure-sdk-for-python/blob/main/doc/esrp_release.md) - [Commits](Azure/azure-sdk-for-python@azure-identity_1.14.1...azure-identity_1.15.0) --- updated-dependencies: - dependency-name: azure-identity dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump flatten-json from 0.1.13 to 0.1.14 in /stix_shifter (#1613) Bumps [flatten-json](https://github.com/amirziai/flatten) from 0.1.13 to 0.1.14. - [Release notes](https://github.com/amirziai/flatten/releases) - [Commits](https://github.com/amirziai/flatten/commits) --- updated-dependencies: - dependency-name: flatten-json dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update CHANGELOG.md for 6.3.0 * Cisco secure email added readme detailed file. (#1615) * Added tested communication code for Tanium * Added suggestions from Azam. * Fix parameter assignment in error handling function (#1616) * Remove future timestamp qualifier conditions (#1619) * Make sure certificate is verified when required by RestApiClientAsync (#1620) Deprecates selfSignedCert: false bypasss * Update CHANGELOG.md for 7.0.0 * add email-message translation to ecs (#1621) * Update group_ref keyword documenation (#1622) * Initial To Stix mapping - Event and Transformers * Another temporary commit to hold x-oca-event form * Finished up the to_stix mapping + test. * Removed additional event data. * Fixing the unittest failure * Another Attempt * Added the missing fields to the Tanium API response and request. * Updated toStix and fromStix * Update CHANGELOG.md for 7.0.1 * second half of email.* mapping for elastic_ecs (#1632) * Sysdig connector (#1630) * Update machine ID field in QRadar module (#1634) Co-authored-by: Kane Brennan <Kane.Brennan@ibm.com> * Sysdig Connector - Formatting issue in sysdig_supported_stix.md file corrected (#1635) * Added the readme (WIP) * Undid an unintended change. * Another Attempt to undo the change. * Removing one more unintended change. * One more unintended change. * Updated the sample for the unit test. * Azam's suggestions. * Cleaned out the testing code I had left. * Clean-up - Fixed up the readme. * Added Azam's suggestions * Cleaned the Json so it's standardized. * Removed the total size from the meta data as it's not needed. * Cleaning up some comments+fixed observation queries. Signed-off-by: DerekRushton <derek.rushton1@ibm.com> * Making the config values consistent. Signed-off-by: DerekRushton <derek.rushton1@ibm.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: DerekRushton <derek.rushton1@ibm.com> Co-authored-by: thangaraj-ramesh <92723742+thangaraj-ramesh@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Danny Elliott <danny.elliott@ibm.com> Co-authored-by: Md Azam <mdazam@ca.ibm.com> Co-authored-by: Xiaokui Shu <subbyte@gmail.com> Co-authored-by: Alex-Kidston <113187177+Alex-Kidston@users.noreply.github.com> Co-authored-by: Kane Brennan <Kane.Brennan@ibm.com>
No description provided.