Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adds support for sslyze>=3.0.0 #214

Closed
wants to merge 11 commits into from

Conversation

SaptakS
Copy link
Contributor

@SaptakS SaptakS commented Jan 19, 2021

Updates the https_check function to use code that works with sslyze>=3.0.0

  • fixes import errors for the current required modules
  • uses the new format for certificate analyzer
  • updates dependency of sslyze to >=3.0.0

Refs: #209

Also, thanks to Ethan's code snippet that helped in this commit.

🧪 Testing

Tested the code using the current test suite of pshtt in debian 10, with python 3.7
Following is the command I ran: python3 -m pytest

✅ Checklist

  • This PR has an informative and human-readable title.
  • Changes are limited to a single goal - eschew scope creep!
  • All relevant type-of-change labels have been added.
  • I have read the CONTRIBUTING document.
  • These code changes follow cisagov code standards.
  • All new and existing tests pass.

@lgtm-com
Copy link

lgtm-com bot commented Jan 19, 2021

This pull request introduces 1 alert when merging ce0af6c into 59f2bb0 - view on LGTM.com

new alerts:

  • 1 for Module is imported with 'import' and 'import from'

@SaptakS SaptakS force-pushed the sslyze3-support branch 3 times, most recently from c77fdc1 to 8a50ca8 Compare January 19, 2021 21:29
@mcdonnnj mcdonnnj added the improvement This issue or pull request will add or improve functionality, maintainability, or ease of use label Jan 20, 2021
@mcdonnnj mcdonnnj linked an issue Jan 20, 2021 that may be closed by this pull request
pshtt/pshtt.py Outdated Show resolved Hide resolved
Copy link
Contributor

@hillaryj hillaryj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the contribution!

I've tested via the python tests as well as ran the tool locally (Mac OSX Catalina with Python 3.8.3) and got a nice little results.csv file out. Several other folks are reviewing as well - great work!

The codebase needs to be blackened as well as skeletonized and I'll add an issue for that if one doesn't exist.

Thanks again and great work!

Copy link
Member

@jsf9k jsf9k left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This all looks great to me. A big thank you to @SaptakS and @Ethanljf for working on this!

@jsf9k
Copy link
Member

jsf9k commented Jan 26, 2021

I think we should do a minor version bump before merging this. I tried to do this myself, but I can't commit to this branch, so I think @SaptakS will have to do it. Here's how:

  1. Make sure you have the semver Python package installed
  2. From the pshtt project root, simply run ./bump_version.sh minor

@jsf9k jsf9k requested a review from h-m-f-t January 26, 2021 15:28
@mcdonnnj
Copy link
Member

I think we should do a minor version bump before merging this. I tried to do this myself, but I can't commit to this branch, so I think @SaptakS will have to do it. Here's how:

1. Make sure you have the `semver` Python package installed

2. From the `pshtt` project root, simply run `./bump_version.sh minor`

GitHub has a feature to allow maintainers to edit forks:
https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/allowing-changes-to-a-pull-request-branch-created-from-a-fork#enabling-repository-maintainer-permissions-on-existing-pull-requests

@SaptakS
Copy link
Contributor Author

SaptakS commented Jan 26, 2021

I agree with @mcdonnnj that the maintainers with write access should have permission to push to branches of fork. But I have done the version bump and the typo fix in the comment.

cc: @jsf9k @hillaryj

@SaptakS
Copy link
Contributor Author

SaptakS commented Jan 26, 2021

The codebase needs to be blackened as well as skeletonized and I'll add an issue for that if one doesn't exist.

I haven't done this in the PR because black is making changes in a lot of unrelated files.

@mcdonnnj
Copy link
Member

The codebase needs to be blackened as well as skeletonized and I'll add an issue for that if one doesn't exist.

I haven't done this in the PR because black is making changes in a lot of unrelated files.

That's fine as that is an "us" task, so don't worry about that. It's a long-term maintenance task for this project that we just haven't had the time to do yet.

@hillaryj
Copy link
Contributor

hillaryj commented Jan 26, 2021

Yup, that's absolutely out of the scope of this PR, although thank you for trying!

I added follow-on task #215 Skeletonize repository and standardize code formatting.

@SaptakS
Copy link
Contributor Author

SaptakS commented Feb 1, 2021

Hi @mcdonnnj , is there anything else needed from my side on this PR?

@jsf9k
Copy link
Member

jsf9k commented Feb 1, 2021

Hi @mcdonnnj , is there anything else needed from my side on this PR?

Nope, I think we are just waiting on reviews.

@mcdonnnj, are you good with merging once we get a positive review from you or is there someone else you feel we should wait for?

@mcdonnnj
Copy link
Member

mcdonnnj commented Feb 1, 2021

Hi @mcdonnnj , is there anything else needed from my side on this PR?

Nope, I think we are just waiting on reviews.

@mcdonnnj, are you good with merging once we get a positive review from you or is there someone else you feel we should wait for?

Review is on my to-do, I will finish it tonight or tomorrow morning. @jsf9k did we want to get anything from @h-m-f-t? Other than that there are no additional blockers from me.

@h-m-f-t
Copy link
Member

h-m-f-t commented Feb 1, 2021

I'm good here and don't need to review. Thanks @SaptakS!

@h-m-f-t h-m-f-t removed request for h-m-f-t and echudow February 1, 2021 21:19
SaptakS and others added 8 commits May 26, 2023 13:38
- fix comments
- use == instead of is

Co-authored-by: Nick M. <50747025+mcdonnnj@users.noreply.github.com>
- consider all deployments and if all validations succeed, then
consider it trusted
- use path_validation_results instead of received_certificate_chain
to consider if STORE is included in trust_store
- check self signed validation in cert_chain till the second last
cert since the last cert is root cert and hence is self signed anyways
- put all logic inside one loop over path_validation_results
@SaptakS
Copy link
Contributor Author

SaptakS commented May 26, 2023

I have rebased, resolved conflicts and pushed. Waiting for the tests to pass. I think someone with permission need to approve the workflows.

@michaelblyons
Copy link

Are the coveralls complaints innocuous?

@mcdonnnj
Copy link
Member

Are the coveralls complaints innocuous?

Relatively. Coverage decreased because total lines of code increased, but the current configuration doesn't do extensive testing for what is being modified in the first place. It's unreasonable to ask that testing be added from scratch to cover these changes so manual testing will have to suffice. As a result the coveralls complaints will be ignored.

Copy link
Member

@jsf9k jsf9k left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These changes seem correct to me, and I'm inclined to approve. Have you done any testing beyond the (admittedly underwhelming) test suite? What I mean is, have you been using these changes to test against a wide array of servers?

In any event, we should probably do some testing on our end, just to get a warm and fuzzy that everything is still working. I can start looking into that next week.

@harrislapiroff
Copy link

@jsf9k How's that looking? We're very interested in getting this merged :)

@michaelblyons
Copy link

Hi folks. How was June? How's the review coming?

@tgoetheyn
Copy link

Well, Python 3.7 has reached end-of-life.
so hopefully someone comes back from vacation with enough energy to finally tackle this pull request

@gbinal
Copy link

gbinal commented Oct 11, 2023

Hi folks,

Just to help nudge this, my team is trying to use pshtt right now and can't at all at this point (some of the second order dependencies appear to no longer be hosted anymore).

Pretty please with sugar on top, can you all merge this PR?

@jsf9k
Copy link
Member

jsf9k commented Oct 16, 2023

This needs another rebase on top of develop before it can be merged, but we (cisagov) don't have permission to push changes to the PR branch. I did the rebase locally and it went cleanly, so this should be a five second task.

Alternatively, you can click the box to allow us to push up changes and I'll take care of it.

@dav3r
Copy link
Member

dav3r commented Oct 16, 2023

@SaptakS Can you also please bump the minor version by running this command?

./bump_version.sh minor

This will need to be done prior to merging.

@felddy
Copy link
Member

felddy commented Oct 16, 2023

its-happening

felddy added a commit that referenced this pull request Oct 16, 2023
Add support for sslyze 3  (superset of PR #214)
@felddy
Copy link
Member

felddy commented Oct 16, 2023

#248 was merged with a superset of these changes rebased to develop, as well as a few of the outstanding change requests. I'm waiting on some "eventual consistency" with GitHub's view of this PR. I think it will realize it is merged at some point. If not, I'll come back and close it.

Thank you to everyone that contributed to the PR.

@felddy felddy closed this Oct 16, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
improvement This issue or pull request will add or improve functionality, maintainability, or ease of use
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Sslyze version incompatibility