Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Per-Delivery Service TLS versions #5922

Merged
merged 34 commits into from
Jul 8, 2021
Merged

Per-Delivery Service TLS versions #5922

merged 34 commits into from
Jul 8, 2021

Conversation

ocket8888
Copy link
Contributor

What does this PR (Pull Request) do?

This PR adds a new field to Delivery Services: tlsVersions. This allows users to specify the versions of TLS which should be allowable for clients retrieving Delivery Service content.

Which Traffic Control components are affected by this PR?

  • Documentation
  • Traffic Ops Client (Go)
  • Traffic Ops

What is the best way to verify this PR?

Make sure the new tests pass, and that none of the old ones are broken.

The following criteria are ALL met by this PR

  • This PR includes tests
  • This PR includes documentation
  • This PR includes an update to CHANGELOG.md
  • This PR includes any and all required license headers
  • This PR DOES NOT FIX A SERIOUS SECURITY VULNERABILITY

@ocket8888 ocket8888 force-pushed the to/ds-tls-versions branch 8 times, most recently from 940348b to 9b9966d Compare June 14, 2021 13:31
rawlinp
rawlinp requested changes Jun 15, 2021
View reviewed changes
lib/go-tc/deliveryservices.go Outdated Show resolved Hide resolved
lib/go-tc/deliveryservices.go Outdated Show resolved Hide resolved
lib/go-tc/deliveryservices.go Outdated Show resolved Hide resolved
lib/go-tc/deliveryservices.go Outdated Show resolved Hide resolved
traffic_ops/traffic_ops_golang/dbhelpers/db_helpers.go Outdated Show resolved Hide resolved
traffic_ops/traffic_ops_golang/deliveryservice/deliveryservices.go Outdated Show resolved Hide resolved
traffic_ops/traffic_ops_golang/deliveryservice/deliveryservices.go Outdated Show resolved Hide resolved
traffic_ops/traffic_ops_golang/deliveryservice/deliveryservices.go Show resolved Hide resolved
traffic_ops/traffic_ops_golang/deliveryservice/deliveryservices.go Outdated Show resolved Hide resolved
traffic_ops/traffic_ops_golang/deliveryservice/deliveryservices.go Outdated Show resolved Hide resolved
@ocket8888 ocket8888 force-pushed the to/ds-tls-versions branch 3 times, most recently from 7d21dac to d9c4278 Compare June 15, 2021 18:22
@ocket8888 ocket8888 mentioned this pull request Jun 15, 2021
Closed
7 tasks
@ocket8888 ocket8888 force-pushed the to/ds-tls-versions branch from 5d0ffdb to 535c572 Compare June 16, 2021 17:23
@rawlinp rawlinp added new feature A new feature, capability or behavior Traffic Ops related to Traffic Ops labels Jun 17, 2021
@ocket8888 ocket8888 force-pushed the to/ds-tls-versions branch from 4368246 to 5d2fd27 Compare June 30, 2021 19:58
rawlinp
rawlinp requested changes Jun 30, 2021
View reviewed changes
Copy link
Contributor

@rawlinp rawlinp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One minor issue but otherwise looks good to go

traffic_ops/traffic_ops_golang/deliveryservice/deliveryservices.go Show resolved Hide resolved
@ocket8888 ocket8888 force-pushed the to/ds-tls-versions branch 2 times, most recently from caf920b to 7954470 Compare July 7, 2021 22:34
rawlinp
rawlinp requested changes Jul 8, 2021
View reviewed changes
Copy link
Contributor

@rawlinp rawlinp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

unit test failure:

--- FAIL: TestReadGetDeliveryServices (0.00s)
    deliveryservices_test.go:418: Unexpected system error reading Delivery Services: getting delivery services: sql: expected 69 destination arguments in Scan, not 70
FAIL
FAIL	github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/deliveryservice	2.138s

TO API test failure:

--- FAIL: TestDeliveryServices (10.10s)
    --- FAIL: TestDeliveryServices/TLS_Versions_property (0.01s)
        deliveryservices_test.go:2457: Unexpected error creating a Delivery Service: error requesting Traffic Ops: path 'https://localhost:30443/api/4.0/deliveryservices' gave HTTP error 400 Bad Request - error-level alerts: invalid request: 'regionalGeoBlocking' is required, 'active' is required, 'dscp' is required, 'geoLimit' is required, 'geoProvider' is required, 'logsEnabled' is required, type fields: 'ipv6RoutingEnabled' is required if type is 'HTTP' - alerts: {Alerts:[{Text:invalid request: 'regionalGeoBlocking' is required, 'active' is required, 'dscp' is required, 'geoLimit' is required, 'geoProvider' is required, 'logsEnabled' is required, type fields: 'ipv6RoutingEnabled' is required if type is 'HTTP' Level:error}]}
FAIL

@ocket8888 ocket8888 force-pushed the to/ds-tls-versions branch from 7954470 to 7b0b015 Compare July 8, 2021 18:28
ocket8888 added 5 commits July 8, 2021 12:28
@ocket8888
Add TLSVersions handling and validation for invalid versions to /deli…
963a564 
…veryservices
@ocket8888
Fix incorrect responses from /deliveryservices/{ID}/safe
1c65065 
Previously, it would return APIv3.1 structures for API version 1.5, 2.0,
3.0, 3.1, and 4.0 (as well as unrecognized versions). It now returns the
appropriate version structures for each requested version.

This fixes apache#5891
@ocket8888
Fix DSRs storing/returning APIv4 DSes with empty tlsVersions instead …
2d3b9b0 
…of null
@ocket8888
Fix being unable to update DSes with no TLS versions
614cb32
@ocket8888
Add ATC "known" TLS versions and a warning generation function for po…
cbf726e 
…ssibly insecure version sets
ocket8888 added 27 commits July 8, 2021 12:28
@ocket8888
Add tlsVersions warnings to /deliveryservices
5c15609
@ocket8888
Add validation that prevents tlsVersions on STEERING/CLIENT_STEERING …
a728a1e 
…delivery services
@ocket8888
Fix a bug where adding TLS versions returns a 500 ISE response
9631e9f
@ocket8888
Fix indirection of non-pointer value
31c2fef
@ocket8888
Add TLS versions tests to the v4 API client
98bd97e
@ocket8888
Remove 'lastUpdated' timestamps from testing data
07be77a 
This breaks parsing when the API endpoints that use this data change
from our custom format to RFC3339.
@ocket8888
Update /deliveryservices documentation
37215d7
@ocket8888
Update /deliveryservices/{{ID}} documentation
a8d2549
@ocket8888
Update /deliveryservices/{{ID}}/safe documentation
b52c9eb
@ocket8888
Update /deliveryservice_requests documentation
0f57db6
@ocket8888
Update /deliveryservice_requests/{{ID}}/status documentation
6524edc
@ocket8888
Update /deliveryservice_requests/{{ID}}/assign documentation
1b9780f
@ocket8888
Update /servers/{{ID}}/deliveryservices documentation
366bdbc
@ocket8888
Add section about TLS versions to the Delivery Service overview docs
de6c80c
@ocket8888
Updated CHANGELOG
9fea661
@ocket8888
Revert non-nullable DS fields
9ae9895
@ocket8888
Change version checking to proper upgrade to preserve existing pattern
69c8862
@ocket8888
Rename function to make its purpose clear
f265cf6
@ocket8888
Move comment into GoDoc where it's more useful
4a60946
@ocket8888
Use Exec for queries that don't return rows
4086804
@ocket8888
Consolidate TLS Versions warnings into a single function
d3c598e 
That function is now a method of a Delivery Service, which means the
call signatures of various functions in the
github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/deliveryservice
package no longer need to be changed.
@ocket8888
re-use query for TLS Versions
e0674ea
@ocket8888
Fix tests for new query structure
d6970f8
@ocket8888
Revert all breaking DS changes
ecac684
@ocket8888
Fix not saving DS changes
be79836
@ocket8888
Fix unit test failure
c768b14
@ocket8888
Fix integration test missing required DS fields
7b0b015
@rawlinp rawlinp merged commit a7a0ddb into apache:master Jul 8, 2021
@ocket8888 ocket8888 deleted the to/ds-tls-versions branch July 8, 2021 21:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rob05c rob05c rob05c left review comments

@rawlinp rawlinp rawlinp approved these changes

Assignees
No one assigned
Labels
new feature A new feature, capability or behavior Traffic Ops related to Traffic Ops
Projects
None yet
Milestone
No milestone
3 participants
@ocket8888 @rob05c @rawlinp