add awsCertlint worker #315

Merged
merged 10 commits into from
Apr 11, 2018

Conversation

@adamdecaf (Contributor) commented Mar 25, 2018

Fixes: #257

# From tlsobs -observatory http://localhost:8083 maxx.nercomp.org 
--- Analyzers ---
* awslabs/certlint Results
 - No messages
# From tlsobs -observatory http://localhost:8083 federate.deere.com
--- Analyzers ---
* awslabs/certlint Results
 - Notice: Some python versions will not see SAN extension if it is the first extension	awslabs-certlint780452766

workerName = "awsCertlint"
workerDesc = "Runs awslabs/certlint over a given Certificate, categoriezes output for display on the certificate"

certlintDirectory = "/go/certlint" // path from tools/Dockerfile-scanner
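Review bot: certlintDirectory is hard-coded to a path that only exists inside the image built from tools/Dockerfile-scanner, so outside that image the worker cannot run and the problem only shows up as a per-scan error. Read the path from an environment variable or the worker config with "/go/certlint" as the default, and verify at init that bin/certlint exists under it so the worker can be disabled cleanly rather than failing every scan.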
Contributor Author

This path isn't ideal, but is it worthwhile to change? Probably, since I assume we're wanting to add more binaries to check certificates with.

Contributor Author

Oh. I called this awslabs/certlint because globalsign has a project under the same name. https://github.com/globalsign/certlint


ADD . /go/src/$PROJECT
ADD cipherscan/ /opt/cipherscan/
ADD conf/ /etc/tls-observatory/
RUN chown tlsobs -R /go /opt -R

# switch to tlsobs user
RUN mkdir -p /home/tlsobs && \
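Review bot: `RUN chown tlsobs -R /go /opt -R` passes -R twice and hands the tlsobs service user ownership of the whole /go tree, including the scanner source and the certlint checkout it executes, so a compromised worker could rewrite the code it runs. Keep /go and /opt owned by root, chown only what the service user must write to (its home directory and any scratch paths), and drop the duplicated flag.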
Contributor

maybe use -m in the useradd command instead of mkdir /home/tlsobs ?


var (
workerName = "awsCertlint"
workerDesc = "Runs awslabs/certlint over a given Certificate, categoriezes output for display on the certificate"
Contributor

s/categoriezes/categorize/, but even then that sentence doesn't make a lot of sense. Can you rephrase?

Notices []string `json:"Notices"`
Warnings []string `json:"Warnings"`
Errors []string `json:"Errors"`
FatalErrors []string `json:"FatalErrors"`
Contributor

nit: gofmt
nit: json keys should be lowercase

func (e eval) runCertlint(cert certificate.Certificate) (*Result, error) {
tmp, err := ioutil.TempFile("", "awslabs-certlint")
if err != nil {
return nil, fmt.Errorf("error creating temp dir", cert.ID)
Contributor

s/temp dir/temp file/

Contributor

also you're missing a %s in the format string

defer os.Remove(tmp.Name())
x509Cert, err := cert.ToX509()
if err != nil {
return nil, fmt.Errorf("error converting to x509.Certificate", cert.ID)
Contributor

missing format string

}

// Run certlint over certificate
cmd := exec.Command("ruby", "-I", "lib:ext", "bin/certlint", tmp.Name())
Contributor

I like to run those with a timeout to prevent them from hanging. Take a look at https://github.com/mozilla/tls-observatory/blob/master/connection/retriever.go#L47-L56

}


// From: https://github.com/awslabs/certlint#output
Contributor

I wonder if certlint could return JSON output to make it easier to process it on our side. What do you think of that, @pzb?

@adamdecaf (Contributor Author) Mar 29, 2018

Fyi, I filed an issue about this too. amazon-archives/certlint#63

}

// Build results for webview
results = append(results, "* awslabs/certlint Results")
Contributor

nit: remove "Results"
It would be nice to have a summary on the first line, such as * awslabs/certlint: no issues found or 1 warning found

@jvehent (Contributor) commented Mar 28, 2018

This is looking pretty good!

@adamdecaf (Contributor Author)

@jvehent this should be good to go.

@jvehent (Contributor) left a comment

Almost there! Since this makes use of a separate binary, you should disable the worker at init if the binary isn't found. Otherwise, all scans will fail with this error:
time="2018-04-09T09:11:15-04:00" level=error msg="Worker returned with errors" errors="[error starting awslabs/certlint on certificate %!s(int64=407), err=chdir /go/certlint: no such file or directory, out=\"\" for certificate %!s(int64=407)]" worker_name=awsCertlint

@adamdecaf (Contributor Author) commented Apr 9, 2018

@jvehent good call. I forgot about doing that. It's fixed now. b6753c7
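The review points in this thread (disable the worker at init when the certlint checkout or ruby is missing, run the ruby process under a timeout, write the certificate to a temp file, lowercase JSON keys, and sort certlint's output into notice/warning/error/fatal buckets) fit together in one small worker. The following is an added example written for this page, not code from the tls-observatory PR or from awslabs/certlint. It assumes certlint's documented one-letter line prefixes (N, W, E, F for notice, warning, error and fatal error; B and I for bug and info), and the `Worker`, `NewWorker`, `runCommand` and `RunCertlint` names are hypothetical rather than the project's worker interface; any sample output used with it is constructed.

```go
package main

import (
	"bufio"
	"bytes"
	"context"
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
	"time"
)

// Result keeps the PR's four buckets with the lowercase JSON keys asked for in review.
// Other is an added bucket (an assumption, not in the PR) so unexpected lines are kept.
type Result struct {
	Notices     []string `json:"notices"`
	Warnings    []string `json:"warnings"`
	Errors      []string `json:"errors"`
	FatalErrors []string `json:"fatalErrors"`
	Other       []string `json:"other"`
}

// parseCertlintOutput assumes certlint's documented "<letter>: <message>" lines with
// N/W/E/F for notice/warning/error/fatal; B, I and unparseable lines go to Other.
func parseCertlintOutput(out []byte) *Result {
	res := &Result{}
	buckets := map[string]*[]string{"N": &res.Notices, "W": &res.Warnings, "E": &res.Errors, "F": &res.FatalErrors}
	sc := bufio.NewScanner(bytes.NewReader(out))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		if prefix, msg, ok := strings.Cut(line, ": "); ok && buckets[prefix] != nil {
			*buckets[prefix] = append(*buckets[prefix], msg)
		} else {
			res.Other = append(res.Other, line)
		}
	}
	return res
}

// Worker stays disabled when the certlint checkout or ruby is missing, so a missing
// binary is reported once at init instead of every scan failing with a chdir error.
type Worker struct {
	Dir     string // certlint checkout, e.g. /go/certlint in the scanner image (assumed)
	Enabled bool
	Timeout time.Duration
}

func NewWorker(dir string, timeout time.Duration) *Worker {
	_, errBin := os.Stat(filepath.Join(dir, "bin", "certlint"))
	_, errRuby := exec.LookPath("ruby")
	return &Worker{Dir: dir, Timeout: timeout, Enabled: errBin == nil && errRuby == nil}
}

// runCommand runs a program in dir under a deadline: on timeout the child is killed and
// context.DeadlineExceeded is returned. A non-zero exit still hands back the output,
// since this page does not document certlint's exit codes.
func runCommand(dir string, timeout time.Duration, name string, args ...string) ([]byte, error) {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	cmd := exec.CommandContext(ctx, name, args...)
	cmd.Dir = dir // per-command working directory, not a process-wide os.Chdir
	out, err := cmd.CombinedOutput()
	var exitErr *exec.ExitError
	switch {
	case errors.Is(ctx.Err(), context.DeadlineExceeded):
		return out, context.DeadlineExceeded
	case errors.As(err, &exitErr):
		return out, nil
	}
	return out, err
}

// RunCertlint writes the DER certificate to a private (0600) temp file, runs certlint
// on it with the worker's deadline, and parses what it printed.
func (w *Worker) RunCertlint(der []byte) (*Result, error) {
	if !w.Enabled {
		return nil, errors.New("awsCertlint worker disabled: certlint or ruby not found")
	}
	tmp, err := os.CreateTemp("", "awslabs-certlint")
	if err != nil {
		return nil, fmt.Errorf("error creating temp file: %w", err)
	}
	defer os.Remove(tmp.Name())
	if _, err := tmp.Write(der); err != nil {
		tmp.Close()
		return nil, fmt.Errorf("error writing %s: %w", tmp.Name(), err)
	}
	if err := tmp.Close(); err != nil { // flush and close before the child opens it
		return nil, fmt.Errorf("error closing %s: %w", tmp.Name(), err)
	}
	out, err := runCommand(w.Dir, w.Timeout, "ruby", "-I", "lib:ext", "bin/certlint", tmp.Name())
	if err != nil {
		return nil, fmt.Errorf("error running awslabs/certlint: %w, out=%q", err, out)
	}
	return parseCertlintOutput(out), nil
}
```

NewWorker("/go/certlint", 30*time.Second) yields a disabled worker anywhere the checkout is absent, and RunCertlint then refuses up front instead of producing the per-certificate chdir error quoted above. Setting cmd.Dir keeps the relative `-I lib:ext` and `bin/certlint` arguments working without a process-wide chdir that other workers would share, and exec.CommandContext kills a hung ruby process at the deadline rather than leaving the scan blocked on it.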

@jvehent jvehent merged commit 5880bbc into mozilla:master Apr 11, 2018
@adamdecaf adamdecaf deleted the aws-certlint branch April 11, 2018 13:46