appengine-java-vm-runtime
Check local evaluation of secure constraints.
While debugging #164, it appears that http requests were able to terminate on the instance despite there being a confidential security constraint.
We need to verify if this really is possible? Perhaps only when the instance host is specified?
If so, we need to check the yaml generated constraints for confidential constraints. We should also consider ensuring that the normal jetty constraint processing is in place as a second line of defense.
I think there was some confusion as the stage 3 guestbook has only a role constraint and not a data constraint. Testing with some data constraints indicates that all is working as it should.
ha, you mean adding
?
On Wed, Feb 24, 2016 at 6:55 AM, Greg Wilkins [email protected] wrote:
Closed #179 https://github.com/GoogleCloudPlatform/appengine-java-vm-runtime/issues/179 .
Yep,
I tested with:
```xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>data-constraint</web-resource-name>
    <url-pattern>/dump/ssl/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>data-constraint</web-resource-name>
    <url-pattern>/dump/relax/*</url-pattern>
  </web-resource-collection>
</security-constraint>
```
and all behaved as expected.
Yes! Thanks for the investigation... Now, for non-default versions, you have to add the -dot- separator between the version and appname in the URL, so it is more complicated for samples, but hey!
To test, try http://1.project.appspot.com -- If security constraints are set properly, it won't work, if not, it might.
Les Vogel
Cloud Developer Relations
Reopened just so we can discuss and make sure all is OK. My test webapp with the constraints above is currently deployed as default and as 20160224t154511. I have tried the following requests:
- https to version /dump/info Works? Should redirect to auth?
- http to version /dump/info redirects to auth
- https to version /dump/relax/info OK
- http to version /dump/relax/info OK
- https to version /dump/ssl/info OK
- http to version /dump/ssl/info redirects to https
- https to instance.version /anything SSL error
- http to instance.version /anything 404 not found ??
- https to default /dump/info redirects to auth
- http to default /dump/info redirects to auth
- https to default /dump/relax/info OK
- http to default /dump/relax/info OK
- https to default /dump/ssl/info OK
- http to default /dump/ssl/info redirects to https
- https to instance.default /anything SSL error
- http to instance.default /dump/relax/info OK
- http to instance.default /dump/ssl/info redirect to SSL error
So most of those look good and none look dangerous. A few look a little hard to explain....
Ah I was actually logged on for some of those, so the first correctly does redirect to auth.
So the only real mystery is why http to instance.version gives a 404, yet http to instance.default works?
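For checking a constraint set locally before deploying, here is an added example (not code from this thread or from the runtime) that evaluates the transport guarantee for a scheme and path against the two constraints tested above. The names `named`, `load_constraints`, `match_rank` and `transport_decision` are hypothetical, and the sketch ignores `http-method` and `auth-constraint` elements, so it says nothing about the redirects to auth.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml: the two constraints quoted in the thread, names omitted.
WEB_XML = """<web-app>
<security-constraint>
  <web-resource-collection><url-pattern>/dump/ssl/*</url-pattern></web-resource-collection>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection><url-pattern>/dump/relax/*</url-pattern></web-resource-collection>
</security-constraint>
</web-app>"""

def named(root, name):
    """Descendants with this local tag name, ignoring any XML namespace."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def load_constraints(xml_text):
    """Map each url-pattern to the set of transport guarantees declared for it."""
    table = {}
    for sc in named(ET.fromstring(xml_text), "security-constraint"):
        tg = named(sc, "transport-guarantee")
        guarantee = tg[0].text.strip() if tg else "NONE"  # no data constraint: any transport
        for pat in named(sc, "url-pattern"):
            table.setdefault(pat.text.strip(), set()).add(guarantee)
    return table

def match_rank(pattern, path):
    """Servlet mapping precedence: exact, longest path prefix, extension, default."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*") and (path == pattern[:-2] or path.startswith(pattern[:-1])):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == "/" else None

def transport_decision(table, scheme, path):
    """Transport outcome only; auth-constraint (login) handling is out of scope."""
    ranked = [(r, p) for p in table if (r := match_rank(p, path)) is not None]
    if not ranked:
        return "allow"  # no constraint covers this path
    guarantees = table[max(ranked)[1]]
    # Constraints sharing a pattern accept the union of their transports, so one
    # NONE relaxes it. INTEGRAL is treated like CONFIDENTIAL (assumption here).
    if scheme == "https" or "NONE" in guarantees:
        return "allow"
    return "redirect-to-https"
```

For `/dump/ssl/info` and `/dump/relax/info` the results agree with the observed matrix: only plain http to `/dump/ssl/*` is redirected to https.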