
Update input validation for openssl_x509_certificate. #14080

Open
wants to merge 1 commit into base: main

Conversation

femiagbabiaka

Fixes #14079.

Description

TL;DR, as I understand it, you must have one of common_name or a subject_alt_name entry. If you have a common_name entry, it must match the subject_alt_name entry. But common_name is not required.

Currently, the resource implicitly requires common_name to be specified: https://github.com/chef/chef/blob/main/lib/chef/resource/openssl_x509_certificate.rb#L221. Implicit because common_name isn't marked as required: https://github.com/chef/chef/blob/main/lib/chef/resource/openssl_x509_certificate.rb#L101.

I believe the correct solution is to leave the common_name and subject_alt_name property definitions as-is, add an unless check on the nilness of common_name, and require that one of subject_alt_name or common_name be set.

Related Issue

#14079

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Chore (non-breaking change that does not add functionality or fix an issue)

Checklist:

  • I have read the CONTRIBUTING document.
  • I have run the pre-merge tests locally and they pass.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
  • If Gemfile.lock has changed, I have used --conservative to do it and included the full output in the Description above.
  • All new and existing tests passed.
  • All commits have been signed-off for the Developer Certificate of Origin.
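The validation rule the description proposes, as an added example in plain Ruby that is not code from this PR or from chef/chef. It models the two inputs the resource exposes (assumed here: `common_name` as a String or nil, `subject_alt_name` as an Array of `"TYPE:value"` strings such as `"DNS:example.com"`, defaulting to `[]`), requires at least one of them, reports a CN that is absent from the SAN list as a warning rather than an error so the check can be rolled out deprecation-style, and builds the X.509 subject so that CN is only emitted when it was supplied. The helper names and the `extra_fields` hash are hypothetical.

```ruby
# Added example (not code from the chef/chef PR): a standalone Ruby model of
# the proposed subject validation for openssl_x509_certificate.
#
# Assumptions (hypothetical, mirroring the resource's documented inputs):
#   common_name      -> String or nil
#   subject_alt_name -> Array of "TYPE:value" strings such as "DNS:example.com"
#                       or "IP:10.0.0.1", default []
require "openssl"

# Result of validating the caller-supplied subject inputs.
SubjectCheck = Struct.new(:errors, :warnings)

# Rule discussed in the PR: at least one of common_name or subject_alt_name
# must be present. The PR author's reading of the spec (a CN that is present
# should also appear among the SAN entries) is reported as a warning, so it can
# be surfaced for a release before becoming a hard failure.
def validate_subject(common_name, subject_alt_name)
  errors = []
  warnings = []
  cn = common_name.to_s.strip
  cn = nil if cn.empty?
  sans = Array(subject_alt_name)

  if cn.nil? && sans.empty?
    errors << "Neither common_name nor subject_alt_name specified, one is required."
    return SubjectCheck.new(errors, warnings)
  end

  # Reduce "DNS:foo" / "IP:1.2.3.4" entries to their bare values for comparison.
  san_values = sans.map { |entry| entry.to_s.split(":", 2).last.strip }
  if cn && !sans.empty? && !san_values.include?(cn)
    warnings << "common_name #{cn} is not listed in subject_alt_name; " \
                "clients that ignore CN will not match it."
  end

  SubjectCheck.new(errors, warnings)
end

# Builds the X.509 subject. CN is emitted only when it was supplied, so a
# SAN-only certificate gets a subject made of the remaining DN fields.
# `extra_fields` stands in for the resource's country/state/org properties.
def build_subject(common_name, subject_alt_name, extra_fields = {})
  check = validate_subject(common_name, subject_alt_name)
  raise ArgumentError, check.errors.join(" ") unless check.errors.empty?

  pairs = []
  pairs << ["CN", common_name.strip] unless common_name.to_s.strip.empty?
  extra_fields.each { |k, v| pairs << [k.to_s, v] unless v.nil? }
  OpenSSL::X509::Name.new(pairs)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs.
  p validate_subject(nil, []).errors
  p validate_subject("www.example.com", ["DNS:api.example.com"]).warnings
  puts build_subject(nil, ["DNS:www.example.com"], "C" => "US", "O" => "Example").to_s
end
```

Running the file prints the error for the empty case, the CN-not-in-SAN warning, and the subject `/C=US/O=Example` for a SAN-only certificate.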

@femiagbabiaka femiagbabiaka requested review from a team as code owners November 18, 2023 19:39
@github-actions github-actions bot added the documentation How do we use this project? label Nov 18, 2023
sonarcloud bot commented Nov 18, 2023

Kudos, SonarCloud Quality Gate passed!

Bug: A, 0 Bugs
Vulnerability: A, 0 Vulnerabilities
Security Hotspot: A, 0 Security Hotspots
Code Smell: A, 0 Code Smells

No Coverage information
0.0% Duplication

@femiagbabiaka
Author

I'm not 100% sure on how to resolve the last three bullet points in the checklist, and could use some assistance/advice in doing so. I assume that the documentation is generated by updating the property definition?

@@ -212,13 +212,18 @@ def request
end

def subject
if new_resource.common_name.nil? && new_resource.subject_alt_name.empty?
Chef::Log.fatal("Neither common_name nor subject_alt_name specified, one is required.")
raise "Neither common_name nor subject_alt_name specified, one is required."
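Review bot: the new guard in `subject` raises at converge time, so a recipe that omits both `common_name` and `subject_alt_name` now fails hard inside the action rather than when the resource is validated; given the deprecation concern raised in review, consider doing this check in `define_resource_requirements` (emitting a deprecation warning there for a release before turning it into an error) so the problem is reported before the action runs. The `Chef::Log.fatal(...)` followed by `raise` with the identical string duplicates the message; raising `Chef::Exceptions::ValidationFailed` (or `ArgumentError`) with the message alone is sufficient. Also, `subject_alt_name.empty?` assumes the property keeps its `[]` default; wrap it as `Array(new_resource.subject_alt_name).empty?` if a caller could ever pass `nil`.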
Contributor

While this may be the correct way of doing things, I have concerns that this could break people by surprise. Can we do a deprecation first?

Author

@tpowell-progress that makes sense, thanks. I'm new to deprecation warnings in chef resources; is this a good pattern to follow?

def define_resource_requirements

Contributor

Looking around, I think that pattern makes sense, provided that you can accomplish the deprecation warning without getting too messy. If for some reason affixing the deprecation warning doesn't look clean, we can dig deeper, but I'd recommend just pushing a reasonable try at it and we can see if it makes sense.

@tpowell-progress tpowell-progress added the Status: Waiting on Contributor A pull request that has unresolved requested actions from the author. label Nov 21, 2023
Labels
documentation How do we use this project? Focus: Community PR Review Status: Waiting on Contributor A pull request that has unresolved requested actions from the author.
Development

Successfully merging this pull request may close these issues.

openssl_x509_certificate handles CN in a way that violates the x509 spec
2 participants