Posted to commits@servicecomb.apache.org by ti...@apache.org on 2020/02/18 12:24:15 UTC
[servicecomb-kie] branch master updated: #95 Add go secure check
(#96)
This is an automated email from the ASF dual-hosted git repository.
tianxiaoliang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/servicecomb-kie.git
The following commit(s) were added to refs/heads/master by this push:
new 51d6e1b #95 Add go secure check (#96)
51d6e1b is described below
commit 51d6e1b577097d58c40c598d7cf20c6bff5fa9a4
Author: zhulijian <zh...@huawei.com>
AuthorDate: Tue Feb 18 20:24:08 2020 +0800
#95 Add go secure check (#96)
* Add go secure check.
Signed-off-by: zhulijian <zh...@huawei.com>
* Solving go secure issues
Signed-off-by: zhulijian <zh...@huawei.com>
* update document about verifyPeer parameter
---
.travis.yml | 4 ++++
client/client.go | 1 +
docs/configurations/storage.md | 6 +++++-
scripts/travis/goSecureChecker.sh | 29 +++++++++++++++++++++++++++++
server/config/struct.go | 1 +
server/handler/noop_auth_handler.go | 5 ++++-
server/resource/v1/common.go | 5 ++++-
server/service/mongo/session/session.go | 3 ++-
8 files changed, 50 insertions(+), 4 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index a2f7b8a..3f4489b 100755
--- a/.travis.yml
+++ b/.travis.yml
@@ -49,6 +49,10 @@ jobs:
script:
- go get github.com/fzipp/gocyclo
- bash scripts/travis/goCycloChecker.sh
+ - stage: GoSecure Checker
+ script:
+ - go get github.com/securego/gosec/cmd/gosec
+ - bash -x scripts/travis/goSecureChecker.sh
- stage: Unit Test
script:
- export GOPROXY=https://goproxy.io
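Review bot: The new GoSecure stage installs the scanner with an unpinned `go get github.com/securego/gosec/cmd/gosec`, so every CI run fetches whatever the default branch happens to be at that moment; the gate's behaviour (and the code it executes on the build host) can change without any commit to this repository. Pin the tool to a tagged release, e.g. `go get github.com/securego/gosec/cmd/gosec@<tagged-release>` in module mode, and bump it deliberately. Note also that this stage does not export `GOPROXY` the way the Unit Test stage on the next line does, so the two stages may resolve modules differently; that is inferred from the visible lines only, since the rest of the jobs block is outside the hunk.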
diff --git a/client/client.go b/client/client.go
index 2bc1d43..8d0c66e 100644
--- a/client/client.go
+++ b/client/client.go
@@ -71,6 +71,7 @@ func New(config Config) (*Client, error) {
}
httpOpts := &httpclient.Options{}
if u.Scheme == "https" {
+ // #nosec
httpOpts.TLSConfig = &tls.Config{
InsecureSkipVerify: !config.VerifyPeer,
}
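Review bot: The blanket `// #nosec` added above the `tls.Config` literal silences every gosec rule for that statement rather than only the InsecureSkipVerify finding (G402); scope it and say why, e.g. `// #nosec G402 -- InsecureSkipVerify is driven by config.VerifyPeer`. Separately, because `VerifyPeer` appears to be a plain bool (its declaration is outside this hunk), a Config that omits it gets `InsecureSkipVerify: true`, so the zero-value path is the insecure one; that deserves a doc comment on the field, or an inverted flag name so the default verifies. `New` continues outside the hunk on both sides.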
diff --git a/docs/configurations/storage.md b/docs/configurations/storage.md
index a221661..71b8d14 100644
--- a/docs/configurations/storage.md
+++ b/docs/configurations/storage.md
@@ -14,7 +14,10 @@ you can use mongo db as kie server storage to save configuration
>*(optional, bool)* enable TLS communication to mongodb server
**rootCAFile**
->*(optional, bool)* if sslEnabled is true, you must give a ca file
+>*(optional, string)* if sslEnabled is true, you must give a ca file
+
+**verifyPeer**
+>*(optional, bool)* if verifyPeer is true, kie will verify database server's certificate, otherwise not
### Example
@@ -25,6 +28,7 @@ db:
timeout: 5s
sslEnabled: true
rootCAFile: /opt/kie/ca.crt
+ verifyPeer: true
```
diff --git a/scripts/travis/goSecureChecker.sh b/scripts/travis/goSecureChecker.sh
new file mode 100644
index 0000000..de89283
--- /dev/null
+++ b/scripts/travis/goSecureChecker.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+gosec ./... > result.txt
+cat result.txt
+rm -rf result.txt
+issueCount=$(gosec ./... | grep "Issues" |awk -F":" '{print $2}')
+if [ $? == 0 ] && [[ $issueCount -eq 0 ]] ; then
+ echo "No GoSecure warnings found"
+ exit 0
+else
+ echo "GoSecure Warnings found"
+ exit 1
+fi
+
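Review bot: The pass/fail check is not wired to gosec at all: the `$?` tested on the `if` line is the exit status of the `issueCount=$(... | awk ...)` assignment, i.e. of awk, not of gosec, and if gosec crashes or prints no "Issues" line then `$issueCount` is empty and `[[ "" -eq 0 ]]` is true in bash, so a broken scanner reports "No GoSecure warnings found" and exits 0. The tool is also run twice, which doubles CI time and lets the two runs disagree. Run it once, capture both output and status, and require a non-empty count of zero plus a zero exit status (if I recall gosec's defaults it also exits non-zero when issues are found, so the status check alone may be enough, but parsing the count is a cheap belt-and-braces).
```shell
# … unchanged: license header …
result=$(gosec ./... 2>&1)
status=$?
printf '%s\n' "$result"
issueCount=$(printf '%s\n' "$result" | grep "Issues" | awk -F":" '{print $2}' | tr -d '[:space:]')
if [ "$status" -eq 0 ] && [ -n "$issueCount" ] && [ "$issueCount" -eq 0 ]; then
  echo "No GoSecure warnings found"
  exit 0
fi
echo "GoSecure Warnings found (gosec exit status ${status}, issues: ${issueCount:-unknown})"
exit 1
```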
diff --git a/server/config/struct.go b/server/config/struct.go
index c3c32a4..054ead3 100644
--- a/server/config/struct.go
+++ b/server/config/struct.go
@@ -36,4 +36,5 @@ type DB struct {
SSLEnabled bool `yaml:"sslEnabled"`
RootCA string `yaml:"rootCAFile"`
Timeout string `yaml:"timeout"`
+ VerifyPeer bool `yaml:"verifyPeer"`
}
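Review bot: The new exported field `VerifyPeer` has no doc comment, and its zero value is the security-relevant one: a `db` section that omits `verifyPeer` yields `false`, which the session code turns into `InsecureSkipVerify: true`. Add a comment that makes the default explicit, e.g. `// VerifyPeer, when true, verifies the MongoDB server certificate against RootCA; the zero value (false) skips verification.` If a secure default is wanted, an inverted field such as `insecureSkipVerify` would make the unset case the safe one, at the cost of a config rename. The `DB` struct's opening line is outside the hunk.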
diff --git a/server/handler/noop_auth_handler.go b/server/handler/noop_auth_handler.go
index b4a3833..7ad3fda 100644
--- a/server/handler/noop_auth_handler.go
+++ b/server/handler/noop_auth_handler.go
@@ -20,6 +20,7 @@ package handler
import (
"github.com/go-chassis/go-chassis/core/handler"
"github.com/go-chassis/go-chassis/core/invocation"
+ "github.com/go-mesh/openlogging"
)
//NoopAuthHandler not need implement any logic
@@ -41,5 +42,7 @@ func (bk *NoopAuthHandler) Name() string {
return "auth-handler"
}
func init() {
- handler.RegisterHandler("auth-handler", newDomainResolver)
+ if err := handler.RegisterHandler("auth-handler", newDomainResolver); err != nil {
+ openlogging.Fatal("register auth-handler failed: " + err.Error())
+ }
}
diff --git a/server/resource/v1/common.go b/server/resource/v1/common.go
index e121d9b..ee14240 100644
--- a/server/resource/v1/common.go
+++ b/server/resource/v1/common.go
@@ -168,7 +168,10 @@ func eventHappened(rctx *restful.Context, waitStr string, topic *pubsub.Topic) (
UserAgent: rctx.ReadHeader("User-Agent"),
Event: make(chan *pubsub.KVChangeEvent, 1),
}
- pubsub.ObserveOnce(o, topic)
+ err = pubsub.ObserveOnce(o, topic)
+ if err != nil {
+ return false, errors.New("observe once failed: " + err.Error())
+ }
select {
case <-time.After(d):
happened = false
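Review bot: The added error path builds a fresh error with `errors.New("observe once failed: " + err.Error())`, which flattens whatever `ObserveOnce` returned so callers can no longer match it with `errors.Is`/`errors.As`. Prefer wrapping, `return false, fmt.Errorf("observe once failed: %w", err)`, provided the file already imports `fmt` and builds with Go 1.13 or later (the import block is outside the hunk, so confirm before changing). The plain `err =` assignment also relies on an `err` declared earlier in `eventHappened`, which begins and ends outside this hunk.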
diff --git a/server/service/mongo/session/session.go b/server/service/mongo/session/session.go
index 40af57d..aed43b3 100644
--- a/server/service/mongo/session/session.go
+++ b/server/service/mongo/session/session.go
@@ -110,9 +110,10 @@ func Init() error {
return
}
pool.AppendCertsFromPEM(caCert)
+ // #nosec
tc := &tls.Config{
RootCAs: pool,
- InsecureSkipVerify: true,
+ InsecureSkipVerify: !config.GetDB().VerifyPeer,
}
clientOps = append(clientOps, options.Client().SetTLSConfig(tc))
openlogging.Info("enabled ssl communication to mongodb")
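Review bot: With verification now tied to `VerifyPeer`, the ignored result of `pool.AppendCertsFromPEM(caCert)` two lines above the `tls.Config` literal matters: if `rootCAFile` holds no parsable certificate the pool is empty, so a `verifyPeer: true` deployment fails every connection with an opaque handshake error, while `verifyPeer: false` connects unverified and still logs "enabled ssl communication". Fail fast on an empty pool, and narrow the blanket `// #nosec` to the rule it is meant to suppress. The bare `return` on the first hunk line suggests `Init` uses a named `err` result, so the check below assigns to it; adjust if that is not the case, and confirm `errors` is imported, since `Init` and the import block lie outside the hunk.
```go
// … unchanged: CA file read and its error check …
if !pool.AppendCertsFromPEM(caCert) {
	err = errors.New("no valid CA certificate found in " + config.GetDB().RootCA)
	return
}
// #nosec G402 -- InsecureSkipVerify is controlled by the verifyPeer setting
tc := &tls.Config{
	RootCAs:            pool,
	InsecureSkipVerify: !config.GetDB().VerifyPeer,
}
// … unchanged: SetTLSConfig and log line …
```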