[TRACKER] All potential ssl hotspots

djberg96 commented 4 years ago

Due to a series of recent events where we've been affected by various ssl issues, this issue is mainly a collection point to note all the places where any potential future issues may arise. In short, anywhere we use ssh keys, tls versions, etc. For now, just point out the file/model/provider/repo/whatever, and what's possibly significant.

...work in progress, will add stuff as I find it, and from comments...

CORE

app/models/conversion_host.rb - connection checking and ssh args.
app/models/host.rb - The verify_credentials_with_ssh, connect_ssh and ssh_run_script methods.
app/models/miq_cockpit_ws_worker/authenticator.rb - The ssh_command method.
app/models/manageiq/providers/embedded_ansible/automation_manager/machine_credential.rb - ssh_key_data
lib/git_worktree - rugged/libgit2 stuff
lib/miq_cockpit - remote-login-ssh stuff
lib/ansible/runner/credential/machine_credential.rb - the following methods:write_ssh_key_file, write_network_ssh_key_file, network_ssh_key_file
db/fixtures/customization_templates.yml:397: :description: This template enables placing ssh public key in authorized keys
app/models/service_template_transformation_plan_task.rb - conversion_options_source_provider_vmwarews_ssh(storage)
app/models/miq_cockpit_ws_worker/authenticator.rb - def self.ssh_command related to the lib/cockpit stuff above
app/models/manageiq/providers/embedded_ansible/automation_manager/scm_credential.rb - def ensure_newline_for_ssh_key
app/models/manageiq/providers/embedded_ansible/automation_manager/network_credential.rb - ssh auth_key, auth_key_password in attrs
app/models/manageiq/providers/embedded_ansible/automation_manager/machine_credential.rb - ssh auth_key, auth_key_password in attrs
app/models/manageiq/providers/embedded_ansible/automation_manager/google_credential.rb - ssh auth_key, auth_key_password in attrs
app/models/manageiq/providers/ansible_tower/automation_manager/vault_credential.rb - has a constant, TOWER_KIND = 'ssh'.freeze
app/models/manageiq/providers/ansible_tower/inventory/parser/automation_manager.rb - logic based around credential lib/tasks_private/spec_helper.rake - ssh_key_data
spec/models/manageiq/providers/ansible_tower/automation_manager/refresher_spec.rb - tests machine_credential stuff
spec/vcr_cassettes/manageiq/providers/ansible_tower/automation_manager/refresher.yml - tests credentials
spec/vcr_cassettes/manageiq/providers/ansible_tower/automation_manager/refresher_targeted_configuration_script_source.yml - references to ssh_key_data and ssh_key_unlock
spec/vcr_cassettes/manageiq/providers/ansible_tower/automation_manager/refresher_targeted/configuration_script_sources_in_batches.yml
spec/vcr_cassettes/manageiq/providers/ansible_tower/automation_manager/refresher_targeted/configuration_script.yml:494 - ssh_key_data and ssh_key_unlock

OVIRT

app/models/manageiq/providers/redhat/infra_manager.rb - something with endpoints.ssh_keypair and authentications.ssh_keypair
app/models/manageiq/providers/redhat/infra_manager/api_integration.rb - also ssh keypairs
app/models/manageiq/providers/redhat/infra_manager/event_fetcher.rb - two constants, SYSTEM_FAILED_SSH_HOST_RESTART and SYSTEM_SSH_HOST_RESTART
app/models/manageiq/providers/redhat/infra_manager/host.rb calls verify_credentials_with_ssh(auth_type, options)
app/models/manageiq/providers/redhat/infra_manager/ovirt_services.rb - regenerate_ssh_keys and authorized_ssh_keys and the ovirt specs with vcr_cassettes that have ssh stuff (will matter for this issue, I think)

FOREMAN

spec/vcr_cassettes/manageiq/providers/foreman/configuration_manager/refresher_api_locations_v2.yml has a handful of references to ssh_authorized_keys

LENOVO

spec/vcr_cassettes/manageiq/providers/lenovo/physical_infra_manager/mock_aicc.yml
spec/vcr_cassettes/manageiq/providers/lenovo/physical_infra_manager/full_refresh_second_lxca.yml
spec/vcr_cassettes/manageiq/providers/lenovo/inventory/parser/full_refresh.yml all have references to "initd": "sshd"

ANSIBLE TOWER

app/models/manageiq/providers/ansible_tower/automation_manager/google_credential.rb
app/models/manageiq/providers/ansible_tower/automation_manager/machine_credential.rb
app/models/manageiq/providers/ansible_tower/automation_manager/network_credential.rb
app/models/manageiq/providers/ansible_tower/automation_manager/scm_credential.rb

GOOGLE

app/models/manageiq/providers/google/inventory/collector/cloud_manager.rb - def parse_compute_metadata_ssh_keys(metadata), def key_pairs_ems_ref(ssh_key)
spec/vcr_cassettes/manageiq/providers/google/cloud_manager/refresher.yml has keys that are ssh_keys

AMAZON

app/models/manageiq/providers/amazon/agent_coordinator.rb - def perform_commands(ssh, commands), a Net::SCP.upload! and a LinuxAdmin::SSH.new(ip, agent_ami_login_user, auth_key)
spec/fixtures/orchestration_templates/cfn_parameters.yaml - has some key pair stuff
spec/models/manageiq/providers/amazon/cloud_manager/event_catcher/cloud_watch/AWS_API_CALL_CreateSecurityGroup.json
spec/models/manageiq/providers/amazon/cloud_manager/event_catcher/cloud_watch/AWS_API_CALL_ProvisionProduct.json
spec/models/manageiq/providers/amazon/cloud_manager/event_catcher/config/AWS_CloudFormation_Stack_DELETE.json ... some of the other JSON files
spec/vcr_cassettes/manageiq/providers/amazon/cloud_manager/refresher_inventory_object.yml - info about keypairs for instance access
spec/vcr_cassettes/manageiq/providers/amazon/cloud_manager/refresher_targeted/orchestration_stack.yml - more keypairs for instance access
spec/vcr_cassettes/manageiq/providers/amazon/cloud_manager/refresher_targeted/orchestration_stacks_nested.yml - yet more instance access keypairs
spec/vcr_cassettes/manageiq/providers/amazon/cloud_manager/refresher_targeted/orchestration_stacks_nested_with_vm.yml - yes you guessed correctly
spec/vcr_cassettes/manageiq/providers/amazon/cloud_manager/refresher_vm_reconnect.yml - miq-ssh-http-https

AZURE

lib/tasks_private/build_azure.sh - whatever --authentication-type ssh --ssh-key-value ~/.ssh/id_rsa.pub \ does
spec/vcr_cassettes/manageiq/providers/azure/cloud_manager/refresher.yml
spec/vcr_cassettes/manageiq/providers/azure/cloud_manager/refresher_inventory_object.yml

"the last two list the paths of the person who recorded the cassette: "path":"/home/dberger/.ssh/authorized_keys" and I don't know if we care" - we should probably scrub that.

MISC

manageiq-ssh-util - It's an ssh wrapper.

d-m-u commented 4 years ago

scvmm

ssh: spec/tools/scvmm_data/get_inventory_output_hash.yml — bunch of ssh key yaml stuff spec/tools/scvmm_data/get_inventory_output.yml — same spec/tools/scvmm_data/get_inventory_output.xml — same

tls:none

manageiq-providers-ibm_cloud

ssh: app/models/manageiq/providers/ibm_cloud/inventory/collector/power_virtual_servers.rb — def sshkeys app/models/manageiq/providers/ibm_cloud/inventory/parser/power_virtual_servers.rb — def sshkeys

tls:none

openstack

ssh: spec/models/manageiq/providers/openstack/infra_manager/host_spec.rb — tests ssh fleecing app/models/manageiq/providers/openstack/infra_manager.rb — keypair stuff spec/models/manageiq/providers/openstack/infra_manager_spec.rb — test credential verification app/models/manageiq/providers/openstack/infra_manager/host.rb — def ssh_users_and_passwords, def authentication_best_fit(requested_type = nil) spec/models/manageiq/providers/openstack/infra_manager/event_parser_spec.rb — test command execution via SSH

tls:none

kubevirt

ssh: spec/fixtures/files/template-without-parameters.yml — cloudInitNoCloud yaml has references to ssh_authorized_keys

tls: none

azure_stack

ssh: spec/fixtures/orchestration_templates/deployment.json spec/models/manageiq/providers/azure_stack/cloud_manager/vcr_fixtures/full-refresh-deployment.json

both of the above have a networkSecurityGroupName has a security_rules field with ssh

tls: none

vmware has a single reference:

ssh: spec/tools/vcsim/README.md — the notes for Setup a VC Simulator for Recording EmsRefresh Specs

tls: none

openshift

ssh:none

tls: app/models/manageiq/providers/openshift/inventory/parser/openshift_parser_mixin.rb: def parse_route(route) has a TODO that is for persisting tls

autsde

ssh:none

tls: lib/autosde_oas_client/generated/lib/autosde_openapi_client/configuration.rb — couple settings for verifying SSL host names

[a note for me: the providers with no references to ssh/tls so far are nuage, nsxt, kubernetes, ibm_terraform, and redfish]

d-m-u commented 3 years ago

api

ssh: spec/requests/conversion_hosts_spec.rb app/controllers/api/conversion_hosts_controller.rb — optional conversion_host_ssh_private_key and vmware_ssh_private_key params

tls: app/controllers/api/conversion_hosts_controller.rb —optional tls_ca_certs param

Fryguy commented 3 years ago

@djberg96 Out of curiosity, what is goal/purpose of this list? I see that it's various places we use ssl, but why?

djberg96 commented 3 years ago

@Fryguy We had a string of cases related to SSL issues, that I think ultimately were caused by changes in SSL itself. Dennis asked us to put together a list of possible hotspots in case they sprung up again.

The issue appears to have settled down. Closing for now.

ManageIQ / manageiq