Alon Bar-Lev has posted comments on this change. Change subject: engine, webadmin: Webadmin read reports.xml from remote reports app ......................................................................
Patch Set 17: Code-Review-1 Verified-1 (8 comments) still security issues I will write up the proper ssl handling http://gerrit.ovirt.org/#/c/29723/17/backend/manager/modules/services/src/main/webapp/WEB-INF/web.xml File backend/manager/modules/services/src/main/webapp/WEB-INF/web.xml: Line 85: <url-pattern>/reports-status</url-pattern> Line 86: </servlet-mapping> Line 87: Line 88: <servlet> Line 89: <servlet-name>reports-xml</servlet-name> I still think that single servlet for reports with command= query parameter should be sufficient and allow easier integration with future needs at engine side. Line 90: <servlet-class>org.ovirt.engine.core.utils.servlet.ReportsServlet</servlet-class> Line 91: <init-param> Line 92: <param-name>url</param-name> Line 93: <param-value>%{ENGINE_REPORTS_XML_SERVICE}</param-value> http://gerrit.ovirt.org/#/c/29723/17/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/servlet/ReportsServlet.java File backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/servlet/ReportsServlet.java: Line 1: package org.ovirt.engine.core.utils.servlet; Line 2: Line 3: import org.apache.commons.lang.StringUtils; Line 4: import org.apache.log4j.Logger; please use slf4j Line 5: import org.ovirt.engine.core.common.config.Config; Line 6: import org.ovirt.engine.core.common.config.ConfigValues; Line 7: import org.ovirt.engine.core.utils.EngineLocalConfig; Line 8: import org.ovirt.engine.core.utils.crypt.EngineEncryptionUtils; Line 6: import org.ovirt.engine.core.common.config.ConfigValues; Line 7: import org.ovirt.engine.core.utils.EngineLocalConfig; Line 8: import org.ovirt.engine.core.utils.crypt.EngineEncryptionUtils; Line 9: import org.ovirt.engine.core.utils.ssl.AuthSSLProtocol; Line 10: import org.ovirt.engine.core.utils.ssl.NoAuthSSLProtocol; can we avoid using engine legacy utilities? we can have much simpler implementation using standard j2se without requiring the wrappers and httpclient. Line 11: Line 12: import javax.net.ssl.HostnameVerifier; Line 13: import javax.net.ssl.HttpsURLConnection; Line 14: import javax.net.ssl.SSLSession; Line 54: enableHostNameVerification = getBooleanInitParam(config.getInitParameter(ENABLE_HOST_NAME_VERIFICATION)); Line 55: enableTrustStoreCheck = getBooleanInitParam(config.getInitParameter(ENABLE_TRUST_STORE_CHECK)); Line 56: Line 57: if (enableTrustStoreCheck) { Line 58: HttpsURLConnection.setDefaultSSLSocketFactory(new AuthSSLProtocol(EngineEncryptionUtils.getTrustStore()).getSslcontext().getSocketFactory()); again... you are changing the default settings of the jre, this makes the entire jre to be insecure. Line 59: } else { Line 60: HttpsURLConnection.setDefaultSSLSocketFactory(new NoAuthSSLProtocol().getSslcontext().getSocketFactory()); Line 61: } Line 62: Line 56: Line 57: if (enableTrustStoreCheck) { Line 58: HttpsURLConnection.setDefaultSSLSocketFactory(new AuthSSLProtocol(EngineEncryptionUtils.getTrustStore()).getSslcontext().getSocketFactory()); Line 59: } else { Line 60: HttpsURLConnection.setDefaultSSLSocketFactory(new NoAuthSSLProtocol().getSslcontext().getSocketFactory()); same Line 61: } Line 62: Line 63: if (!enableHostNameVerification) { Line 64: HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() { Line 60: HttpsURLConnection.setDefaultSSLSocketFactory(new NoAuthSSLProtocol().getSslcontext().getSocketFactory()); Line 61: } Line 62: Line 63: if (!enableHostNameVerification) { Line 64: HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() { same Line 65: @Override Line 66: public boolean verify(String arg0, SSLSession arg1) { Line 67: return true; Line 68: } Line 109: if (!StringUtils.isEmpty(expanded)) { Line 110: booleanValue = Boolean.parseBoolean(expanded); Line 111: } Line 112: } Line 113: return booleanValue; why not something like: return Boolean.valueOf( EngineLocalConfig.getInstance().expandString( value.replaceAll("%\\{", "\\${") ) ); Line 114: } http://gerrit.ovirt.org/#/c/29723/17/packaging/etc/engine.conf.d/reports.conf File packaging/etc/engine.conf.d/reports.conf: Line 1: ENGINE_REPORTS_STATUS_SERVICE=Status Line 2: ENGINE_REPORTS_XML_SERVICE=reports.xml Line 3: ENGINE_REPORTS_ENABLE_HOST_NAME_VERIFICATION=false Line 4: ENGINE_REPORTS_ENABLE_TRUST_STORE_CHECK=false these should go into defaults... packaging/service/ovirt-engine/ovirt-engine.conf.in -- To view, visit http://gerrit.ovirt.org/29723 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: comment Gerrit-Change-Id: I76db7ab889f21de083bb3c8276e8abb77b68fdb3 Gerrit-PatchSet: 17 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Ravi Nori <rn...@redhat.com> Gerrit-Reviewer: Alon Bar-Lev <alo...@redhat.com> Gerrit-Reviewer: Alona Kaplan <alkap...@redhat.com> Gerrit-Reviewer: Oved Ourfali <oourf...@redhat.com> Gerrit-Reviewer: Ravi Nori <rn...@redhat.com> Gerrit-Reviewer: Shirly Radco <sra...@redhat.com> Gerrit-Reviewer: Yaniv Dary <yd...@redhat.com> Gerrit-Reviewer: automat...@ovirt.org Gerrit-Reviewer: oVirt Jenkins CI Server Gerrit-HasComments: Yes _______________________________________________ Engine-patches mailing list Engine-patches@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-patches
