Posted to issues@trafficcontrol.apache.org by GitBox <gi...@apache.org> on 2021/01/28 18:55:22 UTC

[GitHub] [trafficcontrol] rimashah25 opened a new pull request #5480: Added a check against cdn.id when updating DS with existing SSL keys

rimashah25 opened a new pull request #5480:
URL: https://github.com/apache/trafficcontrol/pull/5480


   ## What does this PR (Pull Request) do?
   
   - [x] This PR fixes #5478
   
   
   ## Which Traffic Control components are affected by this PR?
   
   - Traffic Ops
   
   ## What is the best way to verify this PR?
   1. Create a DS
   2. Generate SSL keys (If using TP, go to manage SSL keys in a DS and then click on generate SSL keys OR use SSL Keys generate API)
   3. Edit DS using PUT API (/api/3.0/deliveryservices/<ds-id>) and change the cdn id to a different value.
   4. You should see an error as follows:
   `{"alerts":[{"text":"delivery service has ssl keys that cannot be automatically changed, therefore CDN and routing name are immutable","level":"error"}]}`
   and a 400 HTTP status code
   
   ## If this is a bug fix, what versions of Traffic Control are affected?
   
   - master (456f7620)

   ## The following criteria are ALL met by this PR
   
   - [x] I have explained why tests are unnecessary
   - [x] I have explained why documentation is unnecessary
   - [x] This PR does not include an update to CHANGELOG.md as it is not necessary
   - [x] This PR includes any and all required license headers
   - [x] This PR **DOES NOT FIX A SERIOUS SECURITY VULNERABILITY** (see [the Apache Software Foundation's security guidelines](https://www.apache.org/security/) for details)
   
   
   ## Additional Information
   
   Tests already present. No documentation change.
   
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [trafficcontrol] srijeet0406 commented on pull request #5480: Added a check against cdn.id when updating DS with existing SSL keys

Posted by GitBox <gi...@apache.org>.
srijeet0406 commented on pull request #5480:
URL: https://github.com/apache/trafficcontrol/pull/5480#issuecomment-770121468


   Tested this in CiaB. I noticed an issue:
   Consider a DS that has SSL keys associated with it.
   If I try to update this DS with something that has a different CDN ID, but no CDN Name or Routing Name, it gives me the success message, which it shouldn't. I think it has got to do with the way you are handling the conditional statements in `deliveryservices.go`.
   I would do something like this:
   `Check for ds.CDNId to not be nil`
   `Now, put all the other conditionals under if hasSSLKeys {...}`
   `Inside this conditional, you can check for the old and new CDN IDs to be equal`
   `Next, you would check for if the ds.RoutingName is nil or not, and if it isn't, proceed to check if it's equal to the old routing name (this check goes within the if hasSSLKeys conditional)`
   `Next, you would check for if the ds.CDNName is nil or not, and if it isn't, proceed to check if it's equal to the old CDN name (this check goes within the if hasSSLKeys conditional)`
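
The check ordering proposed in the comment above, written out as an added example (not the PR's code and not part of the comment). The type and function names are hypothetical stand-ins, and returning an error when the CDN ID is missing is an assumption.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical, trimmed-down stand-ins for the request body and the stored row.
type dsUpdate struct {
	CDNID                *int
	CDNName, RoutingName *string
}

type storedDetails struct {
	CDNID                int
	CDNName, RoutingName string
}

var errImmutable = errors.New("delivery service has ssl keys that cannot be automatically changed, therefore CDN and routing name are immutable")

// checkSSLKeyImmutability compares each field on its own, and only after
// confirming the request supplied it, so no nil pointer is dereferenced and an
// omitted optional field cannot switch off the checks on the others.
func checkSSLKeyImmutability(hasSSLKeys bool, old storedDetails, ds dsUpdate) error {
	if ds.CDNID == nil {
		// Assumption: a missing CDN ID is rejected outright.
		return errors.New("cdnId is required")
	}
	if !hasSSLKeys {
		return nil
	}
	if *ds.CDNID != old.CDNID {
		return errImmutable
	}
	if ds.RoutingName != nil && *ds.RoutingName != old.RoutingName {
		return errImmutable
	}
	if ds.CDNName != nil && *ds.CDNName != old.CDNName {
		return errImmutable
	}
	return nil
}

func main() {
	old := storedDetails{CDNID: 1, CDNName: "foo", RoutingName: "cdn"}
	newID := 2
	// Constructed request: CDN ID changed, CDN name and routing name omitted.
	fmt.Println(checkSSLKeyImmutability(true, old, dsUpdate{CDNID: &newID}))
}
```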





[GitHub] [trafficcontrol] rimashah25 commented on a change in pull request #5480: Added a check against cdn.id when updating DS with existing SSL keys

Posted by GitBox <gi...@apache.org>.
rimashah25 commented on a change in pull request #5480:
URL: https://github.com/apache/trafficcontrol/pull/5480#discussion_r567132341



##########
File path: traffic_ops/traffic_ops_golang/deliveryservice/deliveryservices_test.go
##########
@@ -70,7 +70,7 @@ func TestGetDetails(t *testing.T) {
 	if oldDetails.OldCdnName != "foo" {
 		t.Errorf("expected old cdn name to be foo, but got %v", oldDetails.OldCdnName)
 	}
-	if *oldDetails.OldCdnId != 1 {
+	if oldDetails.OldCdnId != 1 {
 		t.Errorf("expected old cdn id to be 1, but got %v", oldDetails.OldCdnName)
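
Review bot: the `t.Errorf` call under the changed condition passes `oldDetails.OldCdnName` as its argument, so a failed CDN ID assertion would print the CDN name instead of the ID. Pass `oldDetails.OldCdnId` there so the message reports the value that was compared.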

Review comment:
       Done







[GitHub] [trafficcontrol] rimashah25 commented on a change in pull request #5480: Added a check against cdn.id when updating DS with existing SSL keys

Posted by GitBox <gi...@apache.org>.
rimashah25 commented on a change in pull request #5480:
URL: https://github.com/apache/trafficcontrol/pull/5480#discussion_r566396009



##########
File path: traffic_ops/traffic_ops_golang/deliveryservice/deliveryservices.go
##########
@@ -862,8 +863,8 @@ func updateV31(w http.ResponseWriter, r *http.Request, inf *api.APIInfo, dsV31 *
 		if err != nil {
 			return nil, http.StatusInternalServerError, nil, fmt.Errorf("querying delivery service with sslKeyVersion failed: %s", err)
 		}
-		if ds.CDNName != nil && ds.RoutingName != nil {
-			if sslKeysExist && (oldDetails.OldCdnName != *ds.CDNName || oldDetails.OldRoutingName != *ds.RoutingName) {
+		if (ds.CDNName != nil || ds.CDNID != nil) && ds.RoutingName != nil {
+			if sslKeysExist && (*oldDetails.OldCdnId != *ds.CDNID || oldDetails.OldCdnName != *ds.CDNName || oldDetails.OldRoutingName != *ds.RoutingName) {
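
Review bot: the outer guard on the first added line uses `ds.CDNName != nil || ds.CDNID != nil`, but the second added line dereferences both `*ds.CDNID` and `*ds.CDNName`, so a request that sets only one of them reaches a nil pointer dereference. `*oldDetails.OldCdnId` is dereferenced there without a nil check as well. Compare each field only after its own nil check, or store the old ID as a plain `int`.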

Review comment:
       I feel that I am complicating the solution by defining CDNID as a pointer of type int instead of int.







[GitHub] [trafficcontrol] rawlinp merged pull request #5480: Added a check against cdn.id when updating DS with existing SSL keys

Posted by GitBox <gi...@apache.org>.
rawlinp merged pull request #5480:
URL: https://github.com/apache/trafficcontrol/pull/5480


   








[GitHub] [trafficcontrol] srijeet0406 commented on a change in pull request #5480: Added a check against cdn.id when updating DS with existing SSL keys

Posted by GitBox <gi...@apache.org>.
srijeet0406 commented on a change in pull request #5480:
URL: https://github.com/apache/trafficcontrol/pull/5480#discussion_r566373860



##########
File path: traffic_ops/traffic_ops_golang/deliveryservice/deliveryservices_test.go
##########
@@ -70,6 +70,9 @@ func TestGetDetails(t *testing.T) {
 	if oldDetails.OldCdnName != "foo" {
 		t.Errorf("expected old cdn name to be foo, but got %v", oldDetails.OldCdnName)
 	}
+	if *oldDetails.OldCdnId != 1 {
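
Review bot: the added line dereferences `*oldDetails.OldCdnId` with no preceding nil check, so a nil pointer would panic the test instead of reporting a failure. Fail with `t.Fatal` when the pointer is nil before comparing it to 1.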

Review comment:
       You need to add a `nil` check for `oldDetails.OldCdnId` here. Basically something like what is being done in line 61.

##########
File path: traffic_ops/traffic_ops_golang/deliveryservice/deliveryservices.go
##########
@@ -862,8 +863,8 @@ func updateV31(w http.ResponseWriter, r *http.Request, inf *api.APIInfo, dsV31 *
 		if err != nil {
 			return nil, http.StatusInternalServerError, nil, fmt.Errorf("querying delivery service with sslKeyVersion failed: %s", err)
 		}
-		if ds.CDNName != nil && ds.RoutingName != nil {
-			if sslKeysExist && (oldDetails.OldCdnName != *ds.CDNName || oldDetails.OldRoutingName != *ds.RoutingName) {
+		if (ds.CDNName != nil || ds.CDNID != nil) && ds.RoutingName != nil {
+			if sslKeysExist && (*oldDetails.OldCdnId != *ds.CDNID || oldDetails.OldCdnName != *ds.CDNName || oldDetails.OldRoutingName != *ds.RoutingName) {
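
Review bot: the added outer condition still requires `ds.RoutingName != nil`, so when SSL keys exist and a request changes `ds.CDNID` but omits the routing name, the whole comparison is skipped and the update is accepted. Test `sslKeysExist` first and check the CDN ID independently of the optional name fields.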

Review comment:
       If `oldDetails.OldCdnId` is `nil`, this will seg fault here.

##########
File path: traffic_ops/traffic_ops_golang/deliveryservice/deliveryservices.go
##########
@@ -862,8 +863,8 @@ func updateV31(w http.ResponseWriter, r *http.Request, inf *api.APIInfo, dsV31 *
 		if err != nil {
 			return nil, http.StatusInternalServerError, nil, fmt.Errorf("querying delivery service with sslKeyVersion failed: %s", err)
 		}
-		if ds.CDNName != nil && ds.RoutingName != nil {
-			if sslKeysExist && (oldDetails.OldCdnName != *ds.CDNName || oldDetails.OldRoutingName != *ds.RoutingName) {
+		if (ds.CDNName != nil || ds.CDNID != nil) && ds.RoutingName != nil {

Review comment:
       If one of ds.CDNName or ds.CDNID is nil, this will cause the next line to seg fault







[GitHub] [trafficcontrol] srijeet0406 commented on a change in pull request #5480: Added a check against cdn.id when updating DS with existing SSL keys

Posted by GitBox <gi...@apache.org>.
srijeet0406 commented on a change in pull request #5480:
URL: https://github.com/apache/trafficcontrol/pull/5480#discussion_r567129964



##########
File path: traffic_ops/traffic_ops_golang/deliveryservice/deliveryservices_test.go
##########
@@ -70,7 +70,7 @@ func TestGetDetails(t *testing.T) {
 	if oldDetails.OldCdnName != "foo" {
 		t.Errorf("expected old cdn name to be foo, but got %v", oldDetails.OldCdnName)
 	}
-	if *oldDetails.OldCdnId != 1 {
+	if oldDetails.OldCdnId != 1 {
 		t.Errorf("expected old cdn id to be 1, but got %v", oldDetails.OldCdnName)

Review comment:
       This needs to be `oldDetails.OldCdnId`



