Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug 2037274: [crypto,transport]/missing_san: verify invalid certificates #1275

Merged
merged 1 commit into from
Jan 5, 2022
Merged

Bug 2037274: [crypto,transport]/missing_san: verify invalid certificates #1275

merged 1 commit into from
Jan 5, 2022

Conversation

s-urbaniak
Copy link
Contributor

@s-urbaniak s-urbaniak commented Dec 22, 2021
edited
Loading

This introduces helper methods to verify invalid certificates
having missing SAN fields.

Additionally, this introduces a roundtripper decorator
which increases a metric if invalid certificates without a SAN field
are detected

See openshift/enhancements#980

Note: this functionality is against 4.9 only as this is the last release having tolerant behavior against missing SAN certs.

/cc @stlaz

@openshift-ci openshift-ci bot requested a review from stlaz December 22, 2021 12:38
@s-urbaniak s-urbaniak mentioned this pull request Dec 22, 2021
Merged
@s-urbaniak
Copy link
Contributor Author

/retest

@s-urbaniak s-urbaniak changed the title pkg/crypto/missing_san: initial commit Bug 2031839: [crypto,transport]/missing_san: verify invalid certificates Dec 23, 2021
@openshift-ci openshift-ci bot added bugzilla/severity-urgent Referenced Bugzilla bug's severity is urgent for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. labels Dec 23, 2021
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Dec 23, 2021

@s-urbaniak: This pull request references Bugzilla bug 2031839, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.10.0) matches configured target release for branch (4.10.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

Requesting review from QA contact:
/cc @xingxingxia

In response to this:

Bug 2031839: [crypto,transport]/missing_san: verify invalid certificates

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Dec 23, 2021

@s-urbaniak: This pull request references Bugzilla bug 2031839, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.10.0) matches configured target release for branch (4.10.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

Requesting review from QA contact:
/cc @xingxingxia

In response to this:

Bug 2031839: [crypto,transport]/missing_san: verify invalid certificates

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@stlaz
Copy link
Contributor

stlaz commented Jan 3, 2022

This is attempting to merge to master but I don't think we need this functionality there.

@s-urbaniak
Copy link
Contributor Author

@stlaz afaik we can't directly submit a PR against 4.9 without having a PR against master.

@s-urbaniak s-urbaniak changed the base branch from master to release-4.9 January 3, 2022 13:35
@openshift-ci openshift-ci bot added bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. and removed bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. labels Jan 3, 2022
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 3, 2022

@s-urbaniak: This pull request references Bugzilla bug 2031839, which is invalid:

  • expected the bug to target the "4.9.z" release, but it targets "4.10.0" instead
  • expected Bugzilla bug 2031839 to depend on a bug targeting a release in 4.10.0 and in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE), but no dependents were found

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

Bug 2031839: [crypto,transport]/missing_san: verify invalid certificates

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@s-urbaniak s-urbaniak force-pushed the missing-san branch 3 times, most recently from c3c4092 to 1a4bdc1 Compare January 3, 2022 13:45
@s-urbaniak s-urbaniak changed the title Bug 2031839: [crypto,transport]/missing_san: verify invalid certificates Bug 2036650: [crypto,transport]/missing_san: verify invalid certificates Jan 3, 2022
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 3, 2022

@s-urbaniak: This pull request references Bugzilla bug 2036650, which is invalid:

  • expected the bug to target the "4.9.z" release, but it targets "4.10.0" instead
  • expected dependent Bugzilla bug 2031839 to be in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE), but it is POST instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

Bug 2036650: [crypto,transport]/missing_san: verify invalid certificates

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@s-urbaniak
Copy link
Contributor Author

/bugzilla refresh

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 3, 2022

@s-urbaniak: This pull request references Bugzilla bug 2036650, which is invalid:

  • expected the bug to target the "4.9.z" release, but it targets "4.10.0" instead
  • expected dependent Bugzilla bug 2031839 to be in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE), but it is POST instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@s-urbaniak
Copy link
Contributor Author

actually, we can, let's skip master and target 4.9 directly.

@s-urbaniak
Copy link
Contributor Author

/bugzilla refresh

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 3, 2022

@s-urbaniak: This pull request references Bugzilla bug 2036650, which is invalid:

  • expected dependent Bugzilla bug 2031839 to be in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE), but it is POST instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@s-urbaniak
[crypto,transport]/missing_san: verify invalid certificates
d1e0ffe 
This introduces helper methods to verify invalid certificates
having missing SAN fields.

Additionally, this introduces a roundtripper decorator
which increases a metric if invalid certificates without a SAN field
are detected
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 3, 2022

@s-urbaniak: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@stlaz
Copy link
Contributor

stlaz commented Jan 4, 2022

/lgtm

@openshift-ci openshift-ci bot added lgtm Indicates that a PR is ready to be merged. bugzilla/severity-unspecified Referenced Bugzilla bug's severity is unspecified for the PR. and removed bugzilla/severity-urgent Referenced Bugzilla bug's severity is urgent for the branch this PR is targeting. labels Jan 4, 2022
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 4, 2022

@s-urbaniak: This pull request references Bugzilla bug 2036650, which is invalid:

  • expected the bug to target the "4.9.z" release, but it targets "---" instead
  • expected dependent Bugzilla bug 2031839 to be in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE), but it is POST instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

Bug 2036650: [crypto,transport]/missing_san: verify invalid certificates

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-bot
Copy link

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

@openshift-ci openshift-ci bot added bugzilla/severity-urgent Referenced Bugzilla bug's severity is urgent for the branch this PR is targeting. and removed bugzilla/severity-unspecified Referenced Bugzilla bug's severity is unspecified for the PR. labels Jan 5, 2022
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 5, 2022

@openshift-bot: This pull request references Bugzilla bug 2036650, which is invalid:

  • expected dependent Bugzilla bug 2031839 to be in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE), but it is POST instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@s-urbaniak s-urbaniak changed the title Bug 2036650: [crypto,transport]/missing_san: verify invalid certificates Bug 2037274: [crypto,transport]/missing_san: verify invalid certificates Jan 5, 2022
@openshift-ci openshift-ci bot added the bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. label Jan 5, 2022
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 5, 2022

@s-urbaniak: This pull request references Bugzilla bug 2037274, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

6 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.9.z) matches configured target release for branch (4.9.z)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)
  • dependent bug Bugzilla bug 2037272 is in the state CLOSED (CURRENTRELEASE), which is one of the valid states (VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE))
  • dependent Bugzilla bug 2037272 targets the "4.10.0" release, which is one of the valid target releases: 4.10.0
  • bug has dependents

Requesting review from QA contact:
/cc @xingxingxia

In response to this:

Bug 2037274: [crypto,transport]/missing_san: verify invalid certificates

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@s-urbaniak
Copy link
Contributor Author

/bugzilla refresh

@openshift-ci openshift-ci bot removed the bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. label Jan 5, 2022
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 5, 2022

@s-urbaniak: This pull request references Bugzilla bug 2037274, which is valid.

6 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.9.z) matches configured target release for branch (4.9.z)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)
  • dependent bug Bugzilla bug 2037272 is in the state CLOSED (CURRENTRELEASE), which is one of the valid states (VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE))
  • dependent Bugzilla bug 2037272 targets the "4.10.0" release, which is one of the valid target releases: 4.10.0
  • bug has dependents

Requesting review from QA contact:
/cc @xingxingxia

In response to this:

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@sttts
Copy link
Contributor

sttts commented Jan 5, 2022

/approve

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 5, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: s-urbaniak, stlaz, sttts

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 5, 2022
@openshift-merge-robot openshift-merge-robot merged commit 1f38a6c into openshift:release-4.9 Jan 5, 2022
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 5, 2022

@s-urbaniak: Some pull requests linked via external trackers have merged:

The following pull requests linked via external trackers have not merged:

These pull request must merge or be unlinked from the Bugzilla bug in order for it to move to the next state. Once unlinked, request a bug refresh with /bugzilla refresh.

Bugzilla bug 2037274 has not been moved to the MODIFIED state.

In response to this:

Bug 2037274: [crypto,transport]/missing_san: verify invalid certificates

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@s-urbaniak s-urbaniak deleted the missing-san branch January 5, 2022 16:04
@s-urbaniak s-urbaniak restored the missing-san branch January 10, 2022 08:52
This was referenced Jan 10, 2022
Merged
Merged
@openshift-ci openshift-ci bot mentioned this pull request Jan 27, 2022
Merged
@openshift-ci openshift-ci bot mentioned this pull request Mar 11, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ibihim ibihim ibihim left review comments

@stlaz stlaz stlaz left review comments

@xingxingxia xingxingxia Awaiting requested review from xingxingxia

Assignees

@stlaz stlaz

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. bugzilla/severity-urgent Referenced Bugzilla bug's severity is urgent for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@s-urbaniak @stlaz @openshift-bot @sttts @ibihim @openshift-merge-robot