8000 Adding SSL support to server and command line clients. by dkrupp · Pull Request #899 · Ericsson/codechecker · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Adding SSL support to server and command line clients. #899

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 12, 2017
Merged

Adding SSL support to server and command line clients. #899

merged 1 commit into from
Sep 12, 2017

Conversation

dkrupp
Copy link
Member
@dkrupp dkrupp commented Sep 11, 2017

No description provided.

Xazax-hun
Xazax-hun suggested changes Sep 12, 2017
View reviewed changes
Copy link
Contributor
@Xazax-hun Xazax-hun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According to codacy: ssl.wrap_socket call with no SSL/TLS protocol version specified, the default SSLv23 could be insecure, possible security issue.

Maybe we should fix this problem.

libcodechecker/libclient/authentication_helper.py Outdated
self.__host = host
self.__port = port
self.transport = THttpClient.THttpClient(self.__host, self.__port, uri)
url = protocol+"://"+host+":"+str(port)+uri
self.transport = THttpClient.THttpClient(url)
self.protocol = TJSONProtocol.TJSONProtocol(self.transport)
self.client = codeCheckerAuthentication.Client(self.protocol)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The protocol and self.protocol are two distinct things. Maybe we should name them separately.

libcodechecker/libclient/product_helper.py Outdated
self.__host = host
self.__port = port
self.transport = THttpClient.THttpClient(self.__host, self.__port, uri)
url = protocol+"://"+host+":"+str(port)+uri
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This url creating code is there multiple times, maybe worth to create a function?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same comment about the name of protocol as above.

libcodechecker/server/client_db_access_server.py Outdated
certfile=ssl_cert_file)

else:
LOG.info("SSL key or cert files not found. cert:" +
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want to display this message even if the user never configured this? It is just an ergonomic change in the future.

libcodechecker/util.py Outdated
@@ -266,7 +266,7 @@ def split_server_url(url):
LOG.debug("Parsing server url '{0}'".format(url))

protocol = 'http'
if url.startswith('http'):
if url.startswith('http') or url.startswith('https'):
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If url starts with https it also starts with http right? This check might be redundant.

tests/libtest/thrift_client_to_db.py Outdated
host, port, '/' + product + '/v' + VERSION + endpoint)
url = protocol+"://"+host+":"+str(port) +\
'/' + product + '/v' + VERSION + endpoint
print ("setup viewer client:"+url)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this print intended? If so, maybe having a space after colon and starting with capital letter would be great.

@dkrupp dkrupp force-pushed the add_ssl_support branch 3 times, most recently from 38b8933 to 3db75c1 Compare September 12, 2017 08:51
Xazax-hun
Xazax-hun approved these changes Sep 12, 2017
View reviewed changes
Copy link
Contributor
@Xazax-hun Xazax-hun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Few nits otherwise LGTM!

tests/libtest/codechecker.py Outdated

url = protocol + "://"+server_data['viewer_host'] +\
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe you could use the just introduced util here?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please format the code better so + is wrapped in spaces around the operand.

tests/libtest/thrift_client_to_db.py Outdated
auto_handle_connection=True, session_token=None):
# Import only if necessary; some tests may not add this to PYTHONPATH.
from libcodechecker import session_manager
from codeCheckerDBAccess_v6 import codeCheckerDBAccess
from codeCheckerDBAccess_v6.constants import MAX_QUERY_SIZE

self.max_query_size = MAX_QUERY_SIZE
transport = THttpClient.THttpClient(
host, port, '/' + product + '/v' + VERSION + endpoint)
url = protocol+"://"+host+":"+str(port) +\
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is the introduced util applicable here?

tests/libtest/thrift_client_to_db.py Outdated
full_uri = '/v' + VERSION + uri
if product:
full_uri = '/' + product + full_uri

transport = THttpClient.THttpClient(host, port, full_uri)
url = proto+"://"+host+":"+str(port)+full_uri
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is the introduced util applicable here?

tests/libtest/thrift_client_to_db.py Outdated
session_token=None):
# Import only if necessary; some tests may not add this to PYTHONPATH.
from libcodechecker import session_manager
from Authentication_v6 import codeCheckerAuthentication

transport = THttpClient.THttpClient(host, port, '/v' + VERSION + uri)
url = proto+"://"+host+":"+str(port)+'/v' + VERSION + uri
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is the introduced util applicable here?

@whisperity whisperity added API change 📄 Content of patch changes API! GUI 🎨 labels Sep 12, 2017
whisperity
whisperity requested changes Sep 12, 2017
View reviewed changes
Copy link
Contributor
@whisperity whisperity left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor stuff. Mostly docs and stuff. Thank you, @dkrupp, for implementing this.

docs/products.md Outdated
PRODUCT_URL` parameter, which specifies the access protocol,
server host, port, and the product's unique endpoint
in the following format: `http[s]://localhost:8001/Default`,
where `Default` is the product's endpoint. See the [User Guide](/docs/user_guide.md#product_url-format )
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is a space before the )

docs/usage.md Outdated
```
CodeChecker store ./reports --host localhost --port 8555 --name tmux
CodeChecker store ./reports --name tmux --url http://loclahost:8555/Default
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

localhost has a typo in it

docs/products.md Outdated
details.
PRODUCT_URL` parameter, which specifies the access protocol,
server host, port, and the product's unique endpoint
in the following format: `http[s]://localhost:8001/Default`,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is http mandatory even if we are using only HTTP?

docs/user_guide.md Outdated
B41A

To enable SSL simply place ssl certificate to `<CONFIG_DIRECTORY>/cert.pem`
and the corresponding private key to `<CONFIG_DIRECTORY>/key.pem`.
When the server finds these files upon start-up. SSL will be automatically enabled.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sentences are broken wrongly, perhaps you meant a , instead of .?

docs/user_guide.md Outdated
You can enforce SSL security on your listening socket. In this case all clients must
access your server using the `https://host:port` URL format.

To enable SSL simply place ssl certificate to `<CONFIG_DIRECTORY>/cert.pem`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SSL is uppercase, and then lowercase.

tests/libtest/codechecker.py Outdated
@@ -87,7 +88,7 @@ def logout(codechecker_cfg, test_project_path):
logout_cmd = ['CodeChecker', 'cmd', 'login',
'--logout',
'--verbose', 'debug',
'--url', 'localhost:' + port]
'--url', protocol+'://'+'localhost:' + port]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

operator format

tests/libtest/codechecker.py Outdated

url = protocol + "://"+server_data['viewer_host'] +\
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

operator format

tests/ssl_example_cert/cert.pem
@@ -0,0 +1,32 @@
-----BEGIN CERTIFICATE-----
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this a self-signed certificate? Are we sure we are not leaking anything here?

docs/user_guide.md
@@ -940,6 +967,15 @@ root account arguments:
not require authentication otherwise.
~~~~~~~~~~~~~~~~~~~~~

### Enfore secure socket (SSL)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps we should link to some generally available guide which explains how to make an SSL certificate?

tests/ssl_example_cert/cert.pem
@@ -0,0 +1,32 @@
-----BEGIN CERTIFICATE-----
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The shell actions that were used to make these test files, I think, should be saved to this folder in an .sh file too.

@dkrupp dkrupp force-pushed the add_ssl_support branch 4 times, most recently from 3a661b2 to e05e2af Compare September 12, 2017 12:34
@dkrupp dkrupp requested a review from whisperity September 12, 2017 12:52
@dkrupp dkrupp force-pushed the add_ssl_support branch 2 times, most recently from 10ec4b4 to 4bae654 Compare September 12, 2017 13:53
@csordasmarton csordasmarton merged commit d471e20 into Ericsson:master Sep 12, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Xazax-hun Xazax-hun Xazax-hun approved these changes

@csordasmarton csordasmarton Awaiting requested review from csordasmarton

@whisperity whisperity Awaiting requested review from whisperity

Assignees
No one assigned
Labels
API change 📄 Content of patch changes API! GUI 🎨
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@dkrupp @Xazax-hun @whisperity @csordasmarton
0