OpenStack Dashboard Charm

[SSL certs] Validate charm options before propagating changes

Bug #1772674 reported by Andrea Ieri
20
This bug affects 3 people
Affects Status Importance Assigned to Milestone
OpenStack Dashboard Charm
Triaged
Wishlist
Unassigned

Bug Description

The charm accepts base64 encoded certificates on ssl_cert, ssl_key, and ssl_ca.
These certificates are - as far as I can tell - written to disk and installed without any prior validation. This implies that base64 data that does not decode to a certificate will still be processed and installed.

I see that install_ca_cert executes

  subprocess.check_call(['update-ca-certificates', '--fresh'])

This could theoretically catch corrupted CA certificates and have the config-changed hook fail; unfortunately, update-ca-certificates appears at a cursory check to be returning 0 even if it has to skip over garbage data. Perhaps the thinking there was rather to return non-zero if ca-certificates.crt cannot be updated.

In any case, I think doing some basic sanity checks on the config values could prevent the charm from pushing configuration that is syntactically incorrect. I don't think checks should necessarily go as far as proper certificate validation, because a basic "does this thing actually decode to a certificate?" would already help.

Of course the same logic could be extended to any config option, but this feature request is limited to SSL certificate handling.

Alvaro Uria (aluria)
tags: added: canonical-bootstack
James Page (james-page)
Changed in charm-openstack-dashboard:
status: New → Triaged
importance: Undecided → Wishlist
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to charm-openstack-dashboard (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/charm-openstack-dashboard/+/836797

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to charm-openstack-dashboard (master)

Reviewed: https://review.opendev.org/c/openstack/charm-openstack-dashboard/+/836797
Committed: https://opendev.org/openstack/charm-openstack-dashboard/commit/fc2fc81ed589fc16be21d79bf5cea9923acf1497
Submitter: "Zuul (22348)"
Branch: master

commit fc2fc81ed589fc16be21d79bf5cea9923acf1497
Author: Ksawery Dziekoński <email address hidden>
Date: Wed Apr 6 12:35:22 2022 +0200

    Validate X509 certificate inputs

    Related: LP#1772674
    Change-Id: Ia6f44eb7aa0b37b0efa961d1ae48ac69c688b592

Revision history for this message
Alex Kavanagh (ajkavanagh) wrote :

Although the patch https://review.opendev.org/c/openstack/charm-openstack-dashboard/+/836797 was submitted and merged during the zed cycle (22-, unfortunately, the associated charm-helpers change (https://github.com/juju/charm-helpers/pull/691) wasn't merged. Therefore, the patch to the openstack-dashboard charm was overwritten at the next charm-helpers sync. These were

b27c840 [2022-05-10] Merge "Validate X509 certificate inputs" [Gerrit Code Review]
...
036a392 [2022-08-30] Merge "Add Kinetic and Zed support" [Gerrit Code Review]

Therefore, the code in b27c840 patch is no longer present.

This means that the patch/fix is not present in the stable/zed, stable/2023.1 nor master branches of the code. I'll merge the the code, and raise the backports.

Revision history for this message
Alex Kavanagh (ajkavanagh) wrote :

See also:

https://github.com/juju/charm-helpers/pull/718
https://bugs.launchpad.net/charm-helpers/+bug/1978902

This bug may be resolved by the above charm-helpers sync; it will require a gerrit review (charm-helpers sync), if it is not just picked up by other charm-helpers syncs as part of the engineering cycle.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.