nifi-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (NIFI-4274) SSLContextService keystore and truststore location property descriptors incorrectly attempt to evaluate EL
Date Thu, 10 Aug 2017 03:51:00 GMT

    [ https://issues.apache.org/jira/browse/NIFI-4274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16121010#comment-16121010
] 

ASF GitHub Bot commented on NIFI-4274:
--------------------------------------

GitHub user alopresto opened a pull request:

    https://github.com/apache/nifi/pull/2071

    NIFI-4274 Removed incorrect EL evaluation from StandardSSLContextService file validator

    Thank you for submitting a contribution to Apache NiFi.
    
    In order to streamline the review of the contribution we ask you
    to ensure the following steps have been taken:
    
    ### For all changes:
    - [x] Is there a JIRA ticket associated with this PR? Is it referenced 
         in the commit message?
    
    - [x] Does your PR title start with NIFI-XXXX where XXXX is the JIRA number you are trying
to resolve? Pay particular attention to the hyphen "-" character.
    
    - [x] Has your PR been rebased against the latest commit within the target branch (typically
master)?
    
    - [ ] Is your initial contribution a single, squashed commit?
    
    ### For code changes:
    - [x] Have you ensured that the full suite of tests is executed via mvn -Pcontrib-check
clean install at the root nifi folder?
    - [x] Have you written or updated unit tests to verify your changes?
    - [ ] If adding new dependencies to the code, are these dependencies licensed in a way
that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)?

    - [ ] If applicable, have you updated the LICENSE file, including the main LICENSE file
under nifi-assembly?
    - [ ] If applicable, have you updated the NOTICE file, including the main NOTICE file
found under nifi-assembly?
    - [x] If adding new Properties, have you added .displayName in addition to .name (programmatic
access) for each of the new properties?
    
    ### For documentation related changes:
    - [ ] Have you ensured that format looks appropriate for the output in which it is rendered?
    
    ### Note:
    Please ensure that once the PR is submitted, you check travis-ci for build issues and
submit an update to your PR as soon as possible.


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/alopresto/nifi NIFI-4274

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/nifi/pull/2071.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #2071
    
----
commit 09e338c3e75ae5e295fc1697fb2c887e02a67785
Author: Andy LoPresto <alopresto@apache.org>
Date:   2017-08-10T03:03:33Z

    NIFI-4274 Added unit tests for StandardSSLContextService file validator.

commit dd0d8904adf49038e2afcff0aebd477597099cf1
Author: Andy LoPresto <alopresto@apache.org>
Date:   2017-08-10T03:44:27Z

    NIFI-4274 Added failing unit test for StandardSSLContextService file validator.

commit cbbba6789e39b0810e98636088625f7778ded59c
Author: Andy LoPresto <alopresto@apache.org>
Date:   2017-08-10T03:46:10Z

    NIFI-4274 Removed EL evaluation logic from custom file validator.
    All tests pass.

----


> SSLContextService keystore and truststore location property descriptors incorrectly attempt
to evaluate EL
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: NIFI-4274
>                 URL: https://issues.apache.org/jira/browse/NIFI-4274
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework
>    Affects Versions: 1.3.0
>            Reporter: Andy LoPresto
>            Assignee: Andy LoPresto
>              Labels: expression-language, security, tls, truststore
>
> As reported on [Stack Overflow|https://stackoverflow.com/q/45561985/70465], the {{StandardSSLContextService}}
truststore location property descriptor would not evaluate an environment variable containing
the location of the truststore file. The reporter said that by adding a space prior to the
EL expression, it would evaluate, but result in an invalid path because it started with a
space. 
> Bryan Bende pointed out that this field does not support Expression Language. 
> While I could not reproduce this behavior, I did verify using a remote debugger that
while the field does not support EL, the [custom file validator incorrectly attempts to evaluate
EL|https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardSSLContextService.java#L183-L183],
which is counter-indicated by the documentation and will cause issues. This line follows immediately
after comments explaining the existence of the custom validator is because the default evaluates
EL, which is not desired here. 
> While personally, I do not believe these fields should support EL (security risk of the
sensitive location being changed outside of NiFi with no visibility), the documentation and
actual behavior should at least agree. 
> The custom validator should not evaluate EL. Follow on discussion on this ticket or the
mailing list may lead to new requirements to handle EL, but this can be implemented correctly
and consistently at such time. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message