Perform log.fatal if TLS flags are used when tls.enabled=false #2893

[clock21am]

Signed-off-by: Rajdeep Kaur rajdeep51994@gmail.com

Which problem is this PR solving?

• Resolves Error/warn if TLS flags are used when tls.enabled=false #2893 Terminate the program if tls.enabled=false

Short description of the changes

• Added log.fatal if tls.enabled=false for client as well as server

[clock21am]

@yurishkuro let me know what you think now

[yurishkuro]

I think the point of the issue was to raise an error if enabled=false but other flags are present. There's nothing wrong with enabled=false by itself. Also, this is not specific to ES, if you want to refer to the actual property it would be c.Prefix + tlsEnabled

[clock21am]

noted

[clock21am]

@yurishkuro let me know what you think now

[yurishkuro]

• not sure if this will pass the linter, if not you can swap the condition and do a return in the else part.
• it looks odd when local var is upper case, use tls or cfg

[yurishkuro]

did you run make lint?

[yurishkuro]

• c.ShowEnabled == false doesn't mean that tls was disabled, it means that the CLI option does not need to be present
• even if TLS is disabled (p.Enable == false), doesn't mean that this is an error. The error is when it is false but any other flags are non-empty: (!p.Enabled || !c.ShowEnabled) && anyOtherFieldIsNotEmpty

[clock21am]

@yurishkuro ran lint and tests let me know what you think now

[albertteoh]

The failing unit test job is due to linter errors, the majority of which are:

if block ends with a return statement, so drop this else and outdent its block (move short variable declaration to its own line if necessary)

Whether if the linter is right about this being a good style or not is debatable. :)

One option is:

	tls, err := cfg.getTLSFlagsConfig().InitFromViper(v)
	if err != nil {
		return err
	}
	cfg.TLS = tls
	return nil

To check for linter errors, run make lint.

[clock21am]

@albertteoh don't think see this is the output of make lint and it does point to any of my changes

time staticcheck ./... \
                | grep -v \
                        -e model/model.pb.go \
                        -e proto-gen \
                        -e _test.pb.go \
                        -e thrift-gen/ \
                        -e swagger-gen/ \
                >> .lint.log || true

real    0m5.547s
user    0m5.165s
sys     0m7.180s
time gosec -quiet -exclude=G104,G107 ./...
Results:


[/Users/rkaur/github/jaeger/plugin/sampling/strategystore/adaptive/processor.go:226] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
    225: func addJitter(jitterAmount time.Duration) {
  > 226:        delay := (jitterAmount / 2) + time.Duration(rand.Int63n(int64(jitterAmount/2)))
    227:        time.Sleep(delay)



[/Users/rkaur/github/jaeger/pkg/discovery/grpcresolver/grpc_resolver.go:68] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
    67:         seed := time.Now().UnixNano()
  > 68:         random := rand.New(rand.NewSource(seed))
    69:         r := &Resolver{



[/Users/rkaur/github/jaeger/crossdock/services/tracehandler.go:308] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
    307:        // A random 8-byte hex
  > 308:        return fmt.Sprintf("%x", rand.Int63())
    309: }



[/Users/rkaur/github/jaeger/cmd/ingester/app/processor/decorator/retry.go:54] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
    53:         propagateError: false,
  > 54:         rand:           rand.New(rand.NewSource(time.Now().UnixNano())),
    55: }



[/Users/rkaur/github/jaeger/cmd/collector/app/sanitizer/cache/auto_refresh_cache.go:136] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
    135: func getRandomSleepTime(interval time.Duration) time.Duration {
  > 136:        return (interval / 2) + time.Duration(rand.Int63n(int64(interval/2)))
    137: }



[/Users/rkaur/github/jaeger/cmd/anonymizer/app/uiconv/reader.go:40] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    39: func NewReader(capturedFile string, logger *zap.Logger) (*Reader, error) {
  > 40:         cf, err := os.OpenFile(capturedFile, os.O_RDONLY, os.ModePerm)
    41:         if err != nil {



[/Users/rkaur/github/jaeger/cmd/anonymizer/app/uiconv/extractor.go:38] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    37: func NewExtractor(uiFile string, traceID string, reader *Reader, logger *zap.Logger) (*Extractor, error) {
  > 38:         f, err := os.OpenFile(uiFile, os.O_CREATE|os.O_WRONLY, os.ModePerm)
    39:         if err != nil {



[/Users/rkaur/github/jaeger/model/converter/thrift/jaeger/from_domain.go:106] - G601 (CWE-118): Implicit memory aliasing in for loop. (Confidence: MEDIUM, Severity: MEDIUM)
    105:        for idx, kv := range kvs {
  > 106:                jaegerTags[idx] = d.keyValueToTag(&kv)
    107:        }



[/Users/rkaur/github/jaeger/cmd/anonymizer/main.go:72] - G601 (CWE-118): Implicit memory aliasing in for loop. (Confidence: MEDIUM, Severity: MEDIUM)
    71:                         for _, span := range spans {
  > 72:                                 writer.WriteSpan(&span)
    73:                         }



Summary:
  Gosec  : dev
  Files  : 441
  Lines  : 73829
  Nosec  : 10
  Issues : 9

      164.77 real       166.34 user       224.53 sys
make: *** [lint-gosec] Error 1

[clock21am]

@albertteoh ooh it is make go-lint

[albertteoh]

make lint should run make go-lint, but it looks like it's gosec -quiet -exclude=G104,G107 ./... that's failing for you before it gets to call make go-lint. This is odd, because gosec passes in CI (and for me as well).

Did you run make install-tools to install gosec? which gosec should point to $GOPATH/bin/gosec.

[clock21am]

installed explicitly gosec but didn't run make install-tools

[clock21am]

it should show a warning now should not show failing

[clock21am]

ooh less than 95 got it

[codecov]

Codecov Report

Merging #3030 (8ef54be) into main (2dfd77d) will decrease coverage by 0.08%.
The diff coverage is 80.89%.

@@            Coverage Diff             @@
##             main    #3030      +/-   ##
==========================================
- Coverage   96.53%   96.44%   -0.09%     
==========================================
  Files         264      264              
  Lines       15449    15509      +60     
==========================================
+ Hits        14913    14957      +44     
- Misses        451      463      +12     
- Partials       85       89       +4     

Impacted Files	Coverage Δ
plugin/storage/grpc/factory.go	94.64% <0.00%> (-5.36%)	⬇️
plugin/storage/kafka/options.go	89.38% <0.00%> (-2.59%)	⬇️
cmd/es-rollover/app/actions.go	89.65% <25.00%> (-10.35%)	⬇️
plugin/storage/cassandra/options.go	97.91% <33.33%> (-2.09%)	⬇️
plugin/storage/es/options.go	98.51% <42.85%> (-1.49%)	⬇️
cmd/agent/app/reporter/grpc/flags.go	100.00% <100.00%> (ø)
cmd/collector/app/builder_flags.go	100.00% <100.00%> (ø)
cmd/query/app/flags.go	100.00% <100.00%> (ø)
pkg/config/tlscfg/flags.go	100.00% <100.00%> (ø)
plugin/metrics/prometheus/factory.go	100.00% <100.00%> (ø)
... and 6 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 2dfd77d...8ef54be. Read the comment docs.

[albertteoh]

To help with identifying test coverage gaps locally, I know of a few options (folks reading this, please feel free to add other suggestions):

• your IDE should support executing tests with coverage.
• run make cover from the project root. This checks coverage for the entire project so it takes some time.
• I personally like to use a command that I install in .zshrc that is like make cover but runs from a path relative to the current dir, so it's much quicker. Happy to share that if you prefer this option.

[albertteoh]

Error just checks that the error is not nil. I would use EqualError to assert on the actual error message.

[albertteoh]

cAPATH seems like an unconventional name, I would use caPath.

[albertteoh]

@yurishkuro what is the purpose of ShowEnabled and ShowServerName?

If I do a search for ClientFlagsConfig{ in the project, both are always set to true, so the zero value of false is not used, or perhaps I've missed something.

Similarly for ShowClientCA.

[yurishkuro]

They weren't always true, some settings did not apply to some use cases. This may have changed since then.

[albertteoh]

@clock21am The Show* flags have been removed in #3106 which should simplify efforts for you in this PR. Please merge these changes in from master.

[albertteoh]

and thanks for confirming, Yuri.

[clock21am]

Thanks for the review @albertteoh @yurishkuro i will rebase my branch and fix it

[albertteoh]

why isn't there an else case here like the others?

[albertteoh]

is this line of code ever called? I can't see where c.ShowServerName == false.

[albertteoh]

nit: I would extract fmt.Errorf("%s has been disable", c.Prefix+tlsEnabled) into a function so there's only one place where the error message is defined.

Also, consider rewording this to be clearer on what is causing the error, a suggestion:

fmt.Errorf("some tls flags were set while %s=false", c.Prefix+tlsEnabled)

[albertteoh]

will this ever be called? I can't see where cShowClientCA == false.

[albertteoh]

I think the if/else cases could be simplified back to what it was before but add a bool var. So something like:

	p.CAPath = v.GetString(c.Prefix + tlsCA)
	p.CertPath = v.GetString(c.Prefix + tlsCert)
	p.KeyPath = v.GetString(c.Prefix + tlsKey)

        // or alternatively could loop over a list of these options.
	areTLSFlagsUsed := v.IsSet(c.Prefix+tlsCA) || v.IsSet(c.Prefix+tlsCert) || v.IsSet(c.Prefix+tlsKey)
        ...
	if (!p.Enabled || !c.ShowEnabled) && (p.SkipHostVerify && areTLSFlagsUsed) {
		return p, fmt.Errorf("%s has been disable", c.Prefix+tlsEnabled)
	}

[albertteoh]

why is the error ignored? I thought we'd want to report the TLS flag usage error for Kafka storage too?

[clock21am]

because it has been set to true later https://github.com/jaegertracing/jaeger/blob/master/pkg/kafka/auth/config.go#L96

[yurishkuro]

Suggested change

	return p, fmt.Errorf("%s has been disable", c.Prefix+tlsEnabled)
	return p, fmt.Errorf("TLS parameters do not apply when %s=false", c.Prefix+tlsEnabled)

[yurishkuro]

This does not test for the type of error, only that it is not nil (the last argument is only used when logging a failure).

If you want to test for the actual error, I would suggest this:

require.Error(t, err)
assert.Contains(t, err.Error(), "some relevant substring of the message")

[jpkrohling]

What's the status of this PR?

[clock21am]

Hey

What's the status of this PR?

hey will start working on it again..somehow lost it will update it today.

[stale]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. You may re-open it if you need more time.

[yurishkuro]

@clock21am thank you!