Re: TLS for everything

Jon Price
 

Hi David,

Done – Issue 906.

I too have been involved in several conversations about this over the past several years. Back in 2015 we had a meeting with Dieu Cao (Hi Dieu!) and the former chief security officer at Pivotal, Justin Smith, about this, and I also did a talk at the 2015 CF Summit about using IPsec.

It’s exciting to see how close we are getting to securing every endpoint; only a few more thousand lines of PEM text in the deployment manifest and we are done!

-- Jon Price

 

From: cf-dev@... <cf-dev@...> On Behalf Of David McClure
Sent: Tuesday, September 15, 2020 4:36 PM
To: cf-dev@...
Subject: Re: [cf-dev] TLS for everything

 

Hi everyone,

 

Glad to see this conversation happening. I've been involved in several conversations about this over the years but I'm not sure what public artifacts exist about these efforts. Historically, it has been a challenge to organize so-called "cross-cutting efforts" that require the involvement of many different teams and it may be especially challenging now that much of the community has shifted its focus to developing cf-for-k8s.

 

That said, here's a thought: perhaps we can approach this feature request and other "cross-cutting" features for cf-for-vms with the following strategy going forward:

 

  1. Create an issue to track this feature of cf-for-vms in the cf-deployment github repo
    https://github.com/cloudfoundry/cf-deployment/issues
  2. While it's good to continue discussing this anywhere and everywhere (Slack, email, etc), let's make that Github issue the canonical home for discussion about this going forward and try to "close the loop" back there if discussions are had elsewhere.
  3. If separate issues can be carved out for specific components, create issues on their repositories and link them back to the Github issue on cf-deployment.
    Github's auto-linking between issues should help us make these more discoverable, regardless of which direction the link is going.

Jon, would you like to do the honors as the thread starter here?

 


From: cf-dev@... <cf-dev@...> on behalf of Miki Mokrysz via lists.cloudfoundry.org <miki.mokrysz=digital.cabinet-office.gov.uk@...>
Sent: Tuesday, September 15, 2020 11:41 AM
To: cf-dev@... <cf-dev@...>
Subject: Re: [cf-dev] TLS for everything

 

+1 on desiring everything to be encrypted on the network.

 

We’re under the impression that Silk (apps.internal) traffic between cells is also unencrypted.

On Tuesday, 15 September 2020, Peter Burkholder via lists.cloudfoundry.org <peter.burkholder=gsa.gov@...> wrote:

We may run into similar requirements for cloud.gov, so TLS everywhere would be A+.

 

On Tue, Sep 15, 2020 at 1:45 PM Jon Price <jon.price@...> wrote:

Hi everyone,
There has been a lot of excellent progress in securing all CF traffic with TLS and as far as I can tell there are only a few things that are still unencrypted. 
Is there a timeline or any plans for these last few things?  

1) routing-api - still using both TLS and non-TLS in the cf-deployment.  The http endpoint is what is registered in the router.  Is there a reason for still enabling both?

2) metrics-discovery-registrar-windows - not using nats-tls hostname, falling back to 4222

3) route_registrar - not using nats-tls

4) gorouter - not using nats-tls

We have a requirement that all traffic on the network is encrypted and I would really love to stop running IPsec. :)

Jon Price
Intel Corp.



--

Peter Burkholder |  cloud.gov compliance & security

please use cloud-gov-compliance@... for cloud.gov matters

 


Re: UAA api /introspect does not seem to be working as expected #uaa

Shetty, Viraj S [CTR]
 

Hi Jeremy, 

Thanks for that test case. I followed your test case on our UAA server, except with one change: since we are set up with MFA, I used uaac token sso to get Marissa's token. The UAA app version is 74.24.0 and the UAAC version is 4.2.0. You can see I got the access denied error that I received with Postman. I attached a snippet of the log errors. Also, I upgraded to UAA 74.24.0 by downloading the source from https://github.com/cloudfoundry/uaa/archive/v74.24.0.zip and compiling it using gradle. I am wondering if I am doing something incorrectly during installation. Next I will try with a brand new installation and see if that works.


----- Command entered -----

COMMAND> uaac version
UAA client 4.2.0
 
COMMAND> uaac info
Unknown key: Max-Age = 86400
  app
    version: 74.24.0
{truncated} 
 
COMMAND> uaac token client get admin
Client secret:  ************************
 
Successfully fetched token via client credentials grant.
Target: https://*****************
Context: admin, from client admin
 
 
COMMAND> uaac client add introspect-test --scope uaa.none --authorized_grant_types client_credentials --authorities uaa.resource
New client secret:  ***************
Verify new client secret:  ***************
  scope: uaa.none
  client_id: introspect-test
  resource_ids: none
  authorized_grant_types: client_credentials
  autoapprove:
  authorities: uaa.resource
  name: introspect-test
  required_user_groups:
  lastmodified: 1600268652000
  id: introspect-test
  
PS C:\Users\vshetty\source\repos\pservices-cyberark-api\bin> uaac user add marissa --given_name marissa --family_name koala --emails marisa@...
Password:  *****
Verify password:  *****
user account successfully added
 
COMMAND> uaac token sso get seswt-uaa-cli
Client secret:
Passcode (from https://********/passcode):  ******
 
Successfully fetched token via owner passcode grant.
Target: https://***************
Context: marissa, from client seswt-uaa-cli
 
COMMAND> uaac context marissa
{ captured Marissa's token }
 
COMMAND> uaac token client get introspect-test
Client secret:  ***************
{ double checked that the token has the uaa.resource scope }

Successfully fetched token via client credentials grant.
Target: https://**************
Context: introspect-test, from client introspect-test
 
# MARISSA-TOKEN is actual token 
COMMAND> uaac curl --trace /introspect -X POST -d "token=MARISSA-TOKEN"
POST https://*****/introspect
REQUEST BODY: "token=MARISSA-TOKEN"
 
403 Forbidden
RESPONSE HEADERS:
  Date: Wed, 16 Sep 2020 15:18:29 GMT
  Content-Type: application/json
  Transfer-Encoding: chunked
  Connection: close
  Vary: Accept-Encoding
  Cache-Control: no-store
  Pragma: no-cache
  Strict-Transport-Security: max-age=31536000 ; includeSubDomains
  X-Content-Type-Options: nosniff
  X-Vcap-Request-Id: 86dbda61-e43d-43e9-650f-2150836c4ea0
  X-Xss-Protection: 1; mode=block
  X-Frame-Options: DENY
RESPONSE BODY:
{
  "error": "access_denied",
  "error_description": "Access is denied"
}

--- Log file contents --- 

   2020-09-16T11:55:55.44-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.448] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- JdbcTemplate: Executing prepared SQL query
   2020-09-16T11:55:55.44-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.448] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- JdbcTemplate: Executing prepared SQL statement [select id,version,created,lastmodified,name,subdomain,description,config,active from identity_zone where subdomain=? and active = ?]
   2020-09-16T11:55:55.44-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.449] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- DataSourceUtils: Fetching JDBC Connection from DataSource
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.451] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- StatementCreatorUtils: Setting SQL statement parameter value: column index 1, parameter value [], value class [java.lang.String], SQL type unknown
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.451] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- StatementCreatorUtils: Setting SQL statement parameter value: column index 2, parameter value [true], value class [java.lang.Boolean], SQL type unknown
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.458] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 7 of 20 in additional filter chain; firing Filter: 'DisableIdTokenResponseTypeFilter'
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.458] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- DisableIdTokenResponseTypeFilter: Processing id_token disable filter
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.458] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- DisableIdTokenResponseTypeFilter: pre id_token disable:false pathinfo:null request_uri:/introspect response_type:null
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.458] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- DisableIdTokenResponseTypeFilter: post id_token disable:false pathinfo:null request_uri:/introspect response_type:null
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.458] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 8 of 20 in additional filter chain; firing Filter: 'HttpsEnforcementFilter'
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- SecurityFilterChainPostProcessor$HttpsEnforcementFilter: Filter chain 'introspectSecurity' processing request POST /introspect
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 9 of 20 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 10 of 20 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 11 of 20 in additional filter chain; firing Filter: 'HeaderWriterFilter'
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 12 of 20 in additional filter chain; firing Filter: 'OAuth2AuthenticationProcessingFilter'
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- SESSION_LOGGER: No session found by id: Caching result for getSession(false) for this HttpServletRequest.
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.462] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- JdbcTemplate: Executing prepared SQL query
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.463] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- JdbcTemplate: Executing prepared SQL statement [select client_id, client_secret, resource_ids, scope, authorized_grant_types, web_server_redirect_uri, authorities, access_token_validity, refresh_token_validity, additional_information, autoapprove, lastmodified, required_user_groups from oauth_client_details where client_id = ? and identity_zone_id = ?]
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.463] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- DataSourceUtils: Fetching JDBC Connection from DataSource
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.464] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- StatementCreatorUtils: Setting SQL statement parameter value: column index 1, parameter value [introspect-test], value class [java.lang.String], SQL type unknown
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.464] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- StatementCreatorUtils: Setting SQL statement parameter value: column index 2, parameter value [uaa], value class [java.lang.String], SQL type unknown
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- OAuth2AuthenticationProcessingFilter: Authentication success: org.cloudfoundry.identity.uaa.oauth.UaaOauth2Authentication@37a34f31: Principal: introspect-test; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=************, tokenType=BearertokenValue=; Granted Authorities: password.write, scim.userids, scim.me, openid, oauth.approvals, uaa.offline_token, profile, roles, user_attributes, uaa.user
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 13 of 20 in additional filter chain; firing Filter: 'IdentityZoneSwitchingFilter'
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 14 of 20 in additional filter chain; firing Filter: 'DisableUserManagementSecurityFilter'
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 15 of 20 in additional filter chain; firing Filter: 'DisableInternalUserManagementFilter'
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 16 of 20 in additional filter chain; firing Filter: 'ClientBasicAuthenticationFilter'
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 17 of 20 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 18 of 20 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 19 of 20 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.467] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterSecurityInterceptor: Secure object: FilterInvocation: URL: /introspect; Attributes: [#oauth2.throwOnError(hasAuthority('uaa.resource'))]
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.467] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterSecurityInterceptor: Previously Authenticated: org.cloudfoundry.identity.uaa.oauth.UaaOauth2Authentication@37a34f31: Principal: introspect-test; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=**************, tokenType=BearertokenValue=; Granted Authorities: password.write, scim.userids, scim.me, openid, oauth.approvals, uaa.offline_token, profile, roles, user_attributes, uaa.user
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.499] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- AffirmativeBased: Voter: org.springframework.security.web.access.expression.WebExpressionVoter@17088b23, returned: -1
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.500] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- ReloadableResourceBundleMessageSource: Loading properties [messages.properties]
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.503] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- ReloadableResourceBundleMessageSource: No properties file found for [classpath:messages_en] - neither plain properties nor XML
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.504] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- ReloadableResourceBundleMessageSource: No properties file found for [classpath:messages_en_US] - neither plain properties nor XML
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.505] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- DefaultListableBeanFactory: Returning cached instance of singleton bean 'scimUserBootstrap'
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.505] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- DefaultListableBeanFactory: Returning cached instance of singleton bean 'delegatingApplicationListener'
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.505] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- ExceptionTranslationFilter: Access is denied (user is not anonymous); delegating to AccessDeniedHandler
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT org.springframework.security.access.AccessDeniedException: Access is denied
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.3.2.RELEASE.jar:5.3.2.RELEASE]
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-5.3.2.RELEASE.jar:5.3.2.RELEASE]
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123) ~[spring-security-web-5.3.2.RELEASE.jar:5.3.2.RELEASE]
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90) ~[spring-security-web-5.3.2.RELEASE.jar:5.3.2.RELEASE]
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.3.2.RELEASE.jar:5.3.2.RELEASE]
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118) [spring-security-web-5.3.2.RELEASE.jar:5.3.2.RELEASE]
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.3.2.RELEASE.jar:5.3.2.RELEASE]
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:158) [spring-security-web-5.3.2.RELEASE.jar:5.3.2.RELEASE]
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChai
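A defender's triage helper for the 403 shown in this message and the 200 Jeremy describes, added here as an example (it is not UAA, uaac or Spring Security code): it reads the FilterSecurityInterceptor and AffirmativeBased DEBUG lines, compares the authority /introspect demands (hasAuthority('uaa.resource')) with the authorities the presented token actually carries, and reports the gap. The log lines embedded below are constructed after the ones quoted above; the remote address is redacted rather than real.

```python
"""Triage a Spring Security "Access is denied" on UAA's /introspect from DEBUG logs.

Added example, not UAA or uaac code. It pulls the authority the endpoint demands,
the authorities the presented token carries and the voter result out of the
FilterSecurityInterceptor / AffirmativeBased DEBUG lines and reports the gap.
Sample lines are constructed after the thread's output; the address is redacted.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set

URL_RE = re.compile(r"URL: (?P<url>[^;\s]+);")
REQUIRED_RE = re.compile(r"hasAuthority\('(?P<auth>[^']+)'\)")
PRINCIPAL_RE = re.compile(r"Principal: (?P<principal>[^;]+);")
GRANTED_RE = re.compile(r"Granted Authorities: (?P<auths>.+)$")
VOTE_RE = re.compile(r"Voter: \S+, returned: (?P<vote>-?\d+)")
# Scopes UAA puts on user tokens; a resource client's client_credentials token
# is not expected to carry them. Heuristic hint only.
USER_SCOPE_HINTS = {"openid", "uaa.user", "profile", "roles"}

@dataclass
class AccessDecision:
    url: Optional[str] = None
    principal: Optional[str] = None
    required: Set[str] = field(default_factory=set)
    granted: Set[str] = field(default_factory=set)
    votes: List[int] = field(default_factory=list)
    denied: bool = False

    @property
    def missing(self) -> Set[str]:
        """Authorities the endpoint demands that the token does not carry."""
        return self.required - self.granted

    @property
    def looks_like_user_token(self) -> bool:
        """True when the granted set resembles a user token rather than a client's."""
        return bool(self.granted & USER_SCOPE_HINTS)

    def explain(self) -> str:
        if not self.denied and not self.missing:
            return f"{self.url}: {self.principal!r} satisfies {sorted(self.required)}"
        msg = (f"{self.url}: {self.principal!r} denied (votes {self.votes}); requires "
               f"{sorted(self.required)}, token lacks {sorted(self.missing)}")
        if self.looks_like_user_token:
            msg += "; granted set resembles a user token, check which token was sent"
        return msg

def parse_access_log(lines: Iterable[str]) -> AccessDecision:
    """Fold the relevant DEBUG lines for one request into an AccessDecision."""
    d = AccessDecision()
    for line in lines:
        if "Secure object:" in line:
            m = URL_RE.search(line)
            if m:
                d.url = m.group("url")
            d.required.update(REQUIRED_RE.findall(line))
        elif "Previously Authenticated:" in line or "Authentication success:" in line:
            m = PRINCIPAL_RE.search(line)
            if m:
                d.principal = m.group("principal").strip()
            m = GRANTED_RE.search(line)
            if m:
                d.granted = {a.strip() for a in m.group("auths").split(",") if a.strip()}
        elif "Voter:" in line:
            m = VOTE_RE.search(line)
            if m:
                d.votes.append(int(m.group("vote")))
        elif "Access is denied" in line:
            d.denied = True
    return d

PREFIX = "[2020-09-16 15:55:55.467] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- "
SECURE_OBJECT = (PREFIX + "FilterSecurityInterceptor: Secure object: FilterInvocation: "
                 "URL: /introspect; Attributes: [#oauth2.throwOnError(hasAuthority('uaa.resource'))]")

def _auth_line(granted: str) -> str:
    return (PREFIX + "FilterSecurityInterceptor: Previously Authenticated: "
            "org.cloudfoundry.identity.uaa.oauth.UaaOauth2Authentication@37a34f31: "
            "Principal: introspect-test; Credentials: [PROTECTED]; Authenticated: true; "
            "Details: remoteAddress=<redacted>, tokenType=BearertokenValue=; "
            "Granted Authorities: " + granted)

def _vote_line(vote: int) -> str:
    return (PREFIX + "AffirmativeBased: Voter: org.springframework.security.web.access."
            f"expression.WebExpressionVoter@17088b23, returned: {vote}")

# Constructed after the thread's 403: the token carries user scopes, not uaa.resource.
DENIED_LOG = [
    SECURE_OBJECT,
    _auth_line("password.write, scim.userids, scim.me, openid, oauth.approvals, "
               "uaa.offline_token, profile, roles, user_attributes, uaa.user"),
    _vote_line(-1),
    PREFIX + "ExceptionTranslationFilter: Access is denied (user is not anonymous); "
             "delegating to AccessDeniedHandler",
]
# Constructed: the same request made with the resource client's own token (the 200 case).
GRANTED_LOG = [SECURE_OBJECT, _auth_line("uaa.resource"), _vote_line(1)]

if __name__ == "__main__":
    print(parse_access_log(DENIED_LOG).explain())
    print(parse_access_log(GRANTED_LOG).explain())
```

Run it over a real UAA log at DEBUG by passing the lines for one request id to parse_access_log; the denied case prints the missing authority rather than only "Access is denied".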


Re: Topics or presentations? CAB call: Wednesday, Sept. 16th @ 8AM PT / 11AM ET / 4PM CET

Troy Topnik
 

GOOD NEWS EVERYONE!

We have a couple of presentations for tomorrow:

    • Auto-patching of app images: Piyali Banerjee, CAPI, VMware

    • New Quarks Secret feature: Mario Manno, Quarks, SUSE


TT

--
Troy Topnik
Senior Product Manager, 
SUSE Cloud Application Platform 
troy.topnik@...
 


Re: TLS for everything

David McClure
 

Hi everyone,

Glad to see this conversation happening. I've been involved in several conversations about this over the years but I'm not sure what public artifacts exist about these efforts. Historically, it has been a challenge to organize so-called "cross-cutting efforts" that require the involvement of many different teams and it may be especially challenging now that much of the community has shifted its focus to developing cf-for-k8s.

That said, here's a thought: perhaps we can approach this feature request and other "cross-cutting" features for cf-for-vms with the following strategy going forward:

  1. Create an issue to track this feature of cf-for-vms in the cf-deployment github repo
    https://github.com/cloudfoundry/cf-deployment/issues
  2. While it's good to continue discussing this anywhere and everywhere (Slack, email, etc), let's make that Github issue the canonical home for discussion about this going forward and try to "close the loop" back there if discussions are had elsewhere.
  3. If separate issues can be carved out for specific components, create issues on their repositories and link them back to the Github issue on cf-deployment.
    Github's auto-linking between issues should help us make these more discoverable, regardless of which direction the link is going.
Jon, would you like to do the honors as the thread starter here?


From: cf-dev@... <cf-dev@...> on behalf of Miki Mokrysz via lists.cloudfoundry.org <miki.mokrysz=digital.cabinet-office.gov.uk@...>
Sent: Tuesday, September 15, 2020 11:41 AM
To: cf-dev@... <cf-dev@...>
Subject: Re: [cf-dev] TLS for everything
 
+1 on desiring everything to be encrypted on the network.

We’re under the impression that Silk (apps.internal) traffic between cells is also unencrypted.

On Tuesday, 15 September 2020, Peter Burkholder via lists.cloudfoundry.org <peter.burkholder=gsa.gov@...> wrote:
We may run into similar requirements for cloud.gov, so TLS everywhere would be A+.

On Tue, Sep 15, 2020 at 1:45 PM Jon Price <jon.price@...> wrote:
Hi everyone,
There has been a lot of excellent progress in securing all CF traffic with TLS and as far as I can tell there are only a few things that are still unencrypted. 
Is there a timeline or any plans for these last few things?  

1) routing-api - still using both TLS and non-TLS in the cf-deployment.  The http endpoint is what is registered in the router.  Is there a reason for still enabling both?
2) metrics-discovery-registrar-windows - not using nats-tls hostname, falling back to 4222
3) route_registrar - not using nats-tls
4) gorouter - not using nats-tls

We have a requirement that all traffic on the network is encrypted and I would really love to stop running IPsec. :)

Jon Price
Intel Corp.



--
Peter Burkholder |  cloud.gov compliance & security


Re: UAA api /introspect does not seem to be working as expected #uaa

Jeremy Morony
 

Hi Viraj,

I couldn't replicate the issue you've described. While logs are always helpful, more helpful would be a small setup replicating the issue. For example, this is what I did to replicate your issue using the UAA in development:

./gradlew clean run
uaac target http://localhost:8080/uaa
uaac token client get admin
uaac client add introspect-test --scope uaa.none --authorized_grant_types client_credentials --authorities uaa.resource
uaac token owner get cf marissa -p koala --scope uaa.user
uaac contexts #extract marissa's access token
uaac token client get introspect-test
uaac curl --trace /introspect -X POST -d "token=marissas-access-token"

200
RESPONSE HEADERS:
<snip>
RESPONSE BODY:
{
  "active": true // other claims omitted
}


From: cf-dev@... <cf-dev@...> on behalf of Shetty, Viraj S [CTR] via lists.cloudfoundry.org <vshetty=fdic.gov@...>
Sent: Friday, September 11, 2020 12:44 PM
To: cf-dev@... <cf-dev@...>
Subject: Re: [cf-dev] UAA api /introspect does not seem to be working as expected #uaa
 
Jeremy, 

I upgraded to the latest UAA version 74.24.0 and I still see the same issue. Is there something I can provide from logs that might help?

Thanks,
Viraj 


Re: TLS for everything

Miki Mokrysz <miki.mokrysz@...>
 

+1 on desiring everything to be encrypted on the network.

We’re under the impression that Silk (apps.internal) traffic between cells is also unencrypted.

On Tuesday, 15 September 2020, Peter Burkholder via lists.cloudfoundry.org <peter.burkholder=gsa.gov@...> wrote:

We may run into similar requirements for cloud.gov, so TLS everywhere would be A+.

On Tue, Sep 15, 2020 at 1:45 PM Jon Price <jon.price@...> wrote:
Hi everyone,
There has been a lot of excellent progress in securing all CF traffic with TLS and as far as I can tell there are only a few things that are still unencrypted. 
Is there a timeline or any plans for these last few things?  

1) routing-api - still using both TLS and non-TLS in the cf-deployment.  The http endpoint is what is registered in the router.  Is there a reason for still enabling both?
2) metrics-discovery-registrar-windows - not using nats-tls hostname, falling back to 4222
3) route_registrar - not using nats-tls
4) gorouter - not using nats-tls

We have a requirement that all traffic on the network is encrypted and I would really love to stop running IPsec. :)

Jon Price
Intel Corp.



--
Peter Burkholder |  cloud.gov compliance & security
please use cloud-gov-compliance@... for cloud.gov matters


Re: TLS for everything

Peter Burkholder
 

We may run into similar requirements for cloud.gov, so TLS everywhere would be A+.

On Tue, Sep 15, 2020 at 1:45 PM Jon Price <jon.price@...> wrote:
Hi everyone,
There has been a lot of excellent progress in securing all CF traffic with TLS and as far as I can tell there are only a few things that are still unencrypted. 
Is there a timeline or any plans for these last few things?  

1) routing-api - still using both TLS and non-TLS in the cf-deployment.  The http endpoint is what is registered in the router.  Is there a reason for still enabling both?
2) metrics-discovery-registrar-windows - not using nats-tls hostname, falling back to 4222
3) route_registrar - not using nats-tls
4) gorouter - not using nats-tls

We have a requirement that all traffic on the network is encrypted and I would really love to stop running IPsec. :)

Jon Price
Intel Corp.



--
Peter Burkholder |  cloud.gov compliance & security
please use cloud-gov-compliance@... for cloud.gov matters


TLS for everything

Jon Price
 

Hi everyone,
There has been a lot of excellent progress in securing all CF traffic with TLS and as far as I can tell there are only a few things that are still unencrypted. 
Is there a timeline or any plans for these last few things?  

1) routing-api - still using both TLS and non-TLS in the cf-deployment.  The http endpoint is what is registered in the router.  Is there a reason for still enabling both?
2) metrics-discovery-registrar-windows - not using nats-tls hostname, falling back to 4222
3) route_registrar - not using nats-tls
4) gorouter - not using nats-tls

We have a requirement that all traffic on the network is encrypted and I would really love to stop running IPsec. :)

Jon Price
Intel Corp.


Topics or presentations? CAB call: Wednesday, Sept. 16th @ 8AM PT / 11AM ET / 4PM CET

Troy Topnik
 

As of right now, we don't have any topics for discussion or presentations scheduled for the next CAB call.

I'll keep polling project people informally on Slack, but if you have a topic you would like to discuss or a presentation of interest to the Cloud Foundry community, please respond on this thread or reach out to me directly.

Thanks,

TT

Chat room: go to slack.cloudfoundry.org and then join the #cab channel

Here are the meeting details for Wednesday:

Join from PC, Mac, Linux, iOS or Android: https://zoom.us/j/757994996

Or iPhone one-tap :
    US: +16468769923,,757994996# or +16699006833,,757994996#
Or Telephone:
    Dial(for higher quality, dial a number based on your current location):
        US: +1 646 876 9923 or +1 669 900 6833 or +1 408 638 0968
    Meeting ID: 757 994 996
    International numbers available: https://zoom.us/zoomconference?m=BbM_MZowkH08pdKycQk10at13V5cLneM

Agenda doc: https://docs.google.com/document/d/1SCOlAquyUmNM-AQnekCOXiwhLs6gveTxAcduvDcW_xI


--
Troy Topnik
Senior Product Manager, 
SUSE Cloud Application Platform 
troy.topnik@...
 


CF K8s Networking office hours this week on Wednesday

Shannon Coen
 

Hello CF friends,

Members of the CF K8s Networking team will be on zoom this Wednesday from 10-10:30am PDT hosting office hours for the project. We welcome questions related to routing, load balancing, and security of traffic for applications and platform APIs in all data paths: ingress, east-west, and egress. We'll also be happy to share what we're working on and where we're headed.

The zoom link can be found on the CFF community calendar at https://www.cloudfoundry.org/community-calendar/


Hoping you all are healthy and staying safe,

Shannon Coen (He/Him)
Manager, Product Management
scoen@...
875 Howard Street 5th Floor, San Francisco CA 94103
Mobile: +1.415.640.0272



Re: CF Application Runtime PMC: Diego Project Lead Call for Nominations

Eric Malm
 

Hi, everyone,

VMware is nominating Amin Jamali for the Diego project lead in the Application Runtime PMC.

Amin has worked at Pivotal and VMware as a core contributor to Cloud Foundry since 2015. Since December 2018, he has been an engineer on the Diego team, and prior to that has worked on many other components of the CF App Runtime, including BOSH-Windows, Garden-Windows, and Buildpacks. Amin has an engineering background and previously has helped various startups build and deliver software solutions.

Please send any other nominations directly to me or in reply to this message no later than 11:59 PM PDT on Friday, September 25, 2020.

Thanks,
Eric Malm


From: cf-dev@... <cf-dev@...> on behalf of Eric Malm via lists.cloudfoundry.org <emalm=vmware.com@...>
Sent: Friday, September 11, 2020 3:24 PM
To: cf-dev@... <cf-dev@...>
Subject: [cf-dev] CF Application Runtime PMC: Diego Project Lead Call for Nominations
 
Hi, everyone,

Josh Collins is stepping down from his role as the Diego project lead, as he is currently focused primarily on activities with the CF CLI team.

The Diego team now has an opening for its project lead. Project leads must be nominated by a Cloud Foundry Foundation member. Please send nominations directly to me or in reply to this message no later than 11:59 PM PDT on Friday, September 25, 2020.

Also, if you have any questions about the role or the nomination process, as described in the CFF governance documents (https://www.cloudfoundry.org/governance/cff_development_operations_policy/), please let me know.

Thanks,
Eric Malm, CF Application Runtime PMC Lead


Re: CF Application Runtime PMC: UAA Project Lead Call for Nominations

Eric Malm
 

Hi, everyone,

VMware is nominating Jeremy Morony for the UAA Project Lead in the Application Runtime PMC.

Jeremy is a software engineer and manager at VMware who has been working with the UAA team since February 2019. He has 20 years of programming, facilitation, coaching, and mentoring experience at both startups and larger companies.

Please send any other nominations directly to me or in reply to this message no later than 11:59 PM PDT on Friday, September 25, 2020.

Thanks,
Eric Malm


From: cf-dev@... <cf-dev@...> on behalf of Eric Malm via lists.cloudfoundry.org <emalm=vmware.com@...>
Sent: Friday, September 11, 2020 3:22 PM
To: cf-dev@... <cf-dev@...>
Subject: [cf-dev] CF Application Runtime PMC: UAA Project Lead Call for Nominations
 
Hi, everyone,

Pablo Schuhmacher, the Project Lead for the UAA team within the Application Runtime PMC, is stepping down from the project, as he is now focusing on product management responsibilities inside of VMware. We thank him for his service.

The UAA team, based in San Francisco, now has an opening for its project lead. Project leads must be nominated by a Cloud Foundry Foundation member. Please send nominations directly to me or in reply to this message no later than 11:59 PM PDT on Friday, September 25, 2020.

Also, if you have any questions about the role or the nomination process, as described in the CFF governance documents (https://www.cloudfoundry.org/governance/cff_development_operations_policy/), please let me know.

Thanks,
Eric Malm, CF Application Runtime PMC Lead


CF Application Runtime PMC: Diego Project Lead Call for Nominations

Eric Malm
 

Hi, everyone,

Josh Collins is stepping down from his role as the Diego project lead, as he is currently focused primarily on activities with the CF CLI team.

The Diego team now has an opening for its project lead. Project leads must be nominated by a Cloud Foundry Foundation member. Please send nominations directly to me or in reply to this message no later than 11:59 PM PDT on Friday, September 25, 2020.

Also, if you have any questions about the role or the nomination process, as described in the CFF governance documents (https://www.cloudfoundry.org/governance/cff_development_operations_policy/), please let me know.

Thanks,
Eric Malm, CF Application Runtime PMC Lead


CF Application Runtime PMC: UAA Project Lead Call for Nominations

Eric Malm
 

Hi, everyone,

Pablo Schuhmacher, the Project Lead for the UAA team within the Application Runtime PMC, is stepping down from the project, as he is now focusing on product management responsibilities inside of VMware. We thank him for his service.

The UAA team, based in San Francisco, now has an opening for its project lead. Project leads must be nominated by a Cloud Foundry Foundation member. Please send nominations directly to me or in reply to this message no later than 11:59 PM PDT on Friday, September 25, 2020.

Also, if you have any questions about the role or the nomination process, as described in the CFF governance documents (https://www.cloudfoundry.org/governance/cff_development_operations_policy/), please let me know.

Thanks,
Eric Malm, CF Application Runtime PMC Lead


Re: UAA api /introspect does not seem to be working as expected #uaa

Shetty, Viraj S [CTR]
 

Jeremy, 

I upgraded to the latest UAA version 74.24.0 and I still see the same issue. Is there something I can provide from logs that might help ? 

Thanks,
Viraj 


Re: UAA api /introspect does not seem to be working as expected #uaa

Shetty, Viraj S [CTR]
 

Hi Jeremy, 

Thanks for taking the time to respond. Really appreciate it. 

I have double checked this many times. From Postman, I saw the request that is being sent and checked the bearer token to see the token scopes. The token contains the following (I added uaa.admin just as a test later)  

  "scope": [
    "uaa.resource",
    "uaa.admin"
  ],
  "grant_type": "client_credentials",

The request looks all fine.

Is there any configuration needed at the endpoints? I see the following configuration for /introspect from resource-endpoints.xml

    <http name="introspectSecurity" pattern="/introspect" create-session="stateless"
          entry-point-ref="basicAuthenticationEntryPoint"
          authentication-manager-ref="clientAuthenticationManager" use-expressions="true"
          xmlns="http://www.springframework.org/schema/security">
        <intercept-url pattern="/**" access="hasAuthority('uaa.resource')"/>
        <anonymous enabled="false"/>
        <custom-filter ref="oauthWithoutResourceAuthenticationFilter" position="PRE_AUTH_FILTER"/>
        <custom-filter ref="clientAuthenticationFilter" position="BASIC_AUTH_FILTER"/>
        <expression-handler ref="oauthWebExpressionHandler"/>
        <access-denied-handler ref="oauthAccessDeniedHandler"/>
        <csrf disabled="true"/>
    </http>
Should there be one for Bearer token ? Not sure. 

As per the API docs for 74.14.0, 

Authorization One of the following authentication/authorization mechanisms:
  • Bearer token for a registered client with authority uaa.resource   [Recommended]
  • Basic authentication using client_id / client_secret for a registered client with authority uaa.resource   [Deprecated]
If both bearer token and basic auth credentials are provided, only the bearer token will be used.

Thanks,
Viraj 


Re: UAA api /introspect does not seem to be working as expected #uaa

Jeremy Morony
 

Hi Viraj,

From the details provided it looks like the call to /introspect might be using the user's token in the authorize header instead of a client token.

A successful curl request looks like:

curl -X POST http://uaa.example.com/introspect -H "Authorization: bearer client-token" -d "token=user-token"

Hope this helps.

  Jeremy.



From: cf-dev@... <cf-dev@...> on behalf of Shetty, Viraj S [CTR] via lists.cloudfoundry.org <vshetty=fdic.gov@...>
Sent: Thursday, September 10, 2020 2:58 PM
To: cf-dev@... <cf-dev@...>
Subject: Re: [cf-dev] UAA api /introspect does not seem to be working as expected #uaa
 
I increased the logging for the UAA and found this exception. The error message is "User is not anonymous". Any idea what this could mean? 

09-10T17:34:55.74-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.742] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- FilterSecurityInterceptor: Secure object: FilterInvocation: URL: /introspect; Attributes: [#oauth2.throwOnError(hasAuthority('uaa.resource'))]
   2020-09-10T17:34:55.74-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.743] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- FilterSecurityInterceptor: Previously Authenticated: org.cloudfoundry.identity.uaa.oauth.UaaOauth2Authentication@2e8b9cef: Principal: 7dafcb10-ca4b-4470-ae97-f632553a180d; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=167.176.6.240, tokenType=BearertokenValue=<TOKEN>; Granted Authorities: password.write, scim.userids, scim.me, openid, oauth.approvals, uaa.offline_token, profile, roles, user_attributes, uaa.user
   2020-09-10T17:34:55.74-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.744] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- AffirmativeBased: Voter: org.springframework.security.web.access.expression.WebExpressionVoter@3ac662ba, returned: -1
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.746] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- ExceptionTranslationFilter: Access is denied (user is not anonymous); delegating to AccessDeniedHandler
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT org.springframework.security.access.AccessDeniedException: Access is denied
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.servletapi.SecurityCo

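The call Jeremy describes, as an added example that is not part of this thread or of UAA itself: a pre-flight check that decodes (without verifying) the token about to go in the Authorization header of POST /introspect, refuses it unless it is a client_credentials token carrying uaa.resource (a user token there is what produces the access_denied seen above), and then builds the request with the token under test as the "token" form field. The UAA URL, client id and sample tokens are constructed assumptions.

```python
import base64
import json
import urllib.parse
import urllib.request

def decode_jwt_payload(token):
    """Return JWT payload claims WITHOUT signature verification (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))

def introspect_header_problems(bearer_token):
    """Reasons the token would be rejected in the Authorization header of POST
    /introspect: it must be a client_credentials token with uaa.resource in scope."""
    claims = decode_jwt_payload(bearer_token)
    problems = []
    if claims.get("grant_type") != "client_credentials":
        problems.append("not a client_credentials token (a user token?)")
    if "uaa.resource" not in claims.get("scope", []):
        problems.append("token lacks the uaa.resource authority")
    return problems

def build_introspect_request(uaa_url, client_token, token_to_check):
    """Assemble the call from Jeremy's reply: client token in the header, the token
    under test as form field 'token'. A wrong header is refused locally."""
    problems = introspect_header_problems(client_token)
    if problems:
        raise ValueError("; ".join(problems))
    body = urllib.parse.urlencode({"token": token_to_check}).encode()
    headers = {"Authorization": "Bearer " + client_token,
               "Content-Type": "application/x-www-form-urlencoded"}
    return urllib.request.Request(uaa_url.rstrip("/") + "/introspect",
                                  data=body, headers=headers, method="POST")

def _fake_jwt(claims):
    """Constructed, unsigned sample token for this example only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."

# Constructed samples mirroring the thread: a proper client token, and a user
# token like the one the debug log shows in the header (hence the denial).
CLIENT_TOKEN = _fake_jwt({"client_id": "introspect-client", "grant_type": "client_credentials", "scope": ["uaa.resource"]})
USER_TOKEN = _fake_jwt({"user_id": "placeholder-user-id", "grant_type": "password", "scope": ["openid", "uaa.user"]})
```

Sending the returned Request with urllib.request.urlopen against a real UAA would perform the introspection; the check itself runs offline.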

Re: UAA api /introspect does not seem to be working as expected #uaa

Shetty, Viraj S [CTR]
 
Edited

I increased the logging for the UAA and found this exception. The error message is "User is not anonymous". Any idea what this could mean? 

09-10T17:34:55.74-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.742] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- FilterSecurityInterceptor: Secure object: FilterInvocation: URL: /introspect; Attributes: [#oauth2.throwOnError(hasAuthority('uaa.resource'))]
   2020-09-10T17:34:55.74-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.744] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- AffirmativeBased: Voter: org.springframework.security.web.access.expression.WebExpressionVoter@3ac662ba, returned: -1
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.746] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- ExceptionTranslationFilter: Access is denied (user is not anonymous); delegating to AccessDeniedHandler
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT org.springframework.security.access.AccessDeniedException: Access is denied
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.servletapi.SecurityCo


UAA api /introspect does not seem to be working as expected #uaa

Shetty, Viraj S [CTR]
 

Hi All, 

We are using UAA version 74.14.0 

We have a UAA installation for our internal applications in cloudfoundry environment. We have been having a problem in verifying the oauth token (JWT token) using the /introspect token, but cannot seem to see the reason. I tried a test using postman. 

1. created a client with authority uaa.resource. See properties below. It has the uaa.resource authority. 

    scope: uaa.none
    resource_ids: none
    authorized_grant_types: client_credentials
    autoapprove:
    access_token_validity: 300
    authorities: uaa.resource

2. Generate a token for a user to test verification. 
3. Using postman, I tried to call /introspect api with the "Authorization: Basic ..." (this is deprecated). But this call worked fine and I was able to see the token in returned json. 
4. Using postman, I tried to call /introspect api with the "Authorization: Bearer {token}". This call failed with an error  

{
    "error": "access_denied",
    "error_description": "Access is denied"
}

I checked the bearer token and made sure that the scope has uaa.resource in there

"scope": [ "uaa.resource" ],

It looks like the /introspect call succeeds with "Authorization: basic .." but not "Authorization: bearer ..". 

Let me know what I am missing. I followed the API docs and I don't think I am missing any other authority for the client. 

Any help is appreciated. 

Thanks,
Viraj 



Re: CF Application Runtime PMC: Release Integration Project Lead Call for Nominations

Eric Malm
 

Hi, everyone,

VMware is nominating Paul Warren for the Release Integration project lead in the Application Runtime PMC.

Paul has worked on Cloud Foundry since 2015, serving as an engineer on UAA, the anchor on Volume Services and, most recently, as an engineer on Release Integration.

Prior to joining VMware, Paul has spent 20 years serving in various roles from Engineer to Architect to Product Manager across DellEMC, EMC, Documentum, and SSA, primarily focused on developers and developer tooling.

Please send any other nominations directly to me or in reply to this message no later than 11:59 PM PDT on Tuesday, September 22, 2020.

Thanks,
Eric Malm


From: cf-dev@... <cf-dev@...> on behalf of Eric Malm via lists.cloudfoundry.org <emalm=vmware.com@...>
Sent: Tuesday, September 8, 2020 3:47 PM
To: cf-dev@... <cf-dev@...>
Subject: [cf-dev] CF Application Runtime PMC: Release Integration Project Lead Call for Nominations
 
Hi, everyone,

Saikiran Yerram, the lead for the Release Integration project within the Application Runtime PMC, is stepping down. We thank him for his tremendous service in leading the cf-for-k8s and cf-deployment projects over the past year and a half.

The Release Integration team, based in San Francisco, now has an opening for its project lead. Project leads must be nominated by a Cloud Foundry Foundation member. Please send nominations directly to me or in reply to this message no later than 11:59 PM PDT on Tuesday, September 22, 2020.

Also, if you have any questions about the role or the nomination process, as described in the CFF governance documents (https://www.cloudfoundry.org/governance/cff_development_operations_policy/), please let me know.

Thanks,
Eric Malm, CF Application Runtime PMC Lead