#95 Add go secure check (#96)

* Add go secure check.

Signed-off-by: zhulijian <zhulijian1@huawei.com>

* Fix the issues reported by gosec

Signed-off-by: zhulijian <zhulijian1@huawei.com>

* update document about verifyPeer parameter
diff --git a/.travis.yml b/.travis.yml
index a2f7b8a..3f4489b 100755
--- a/.travis.yml
+++ b/.travis.yml
@@ -49,6 +49,10 @@
       script:
         - go get github.com/fzipp/gocyclo
         - bash scripts/travis/goCycloChecker.sh
+    - stage: GoSecure Checker
+      script:
+        - go get github.com/securego/gosec/cmd/gosec
+        - bash -x scripts/travis/goSecureChecker.sh
     - stage: Unit Test
       script:
         - export GOPROXY=https://goproxy.io
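Review bot: `go get github.com/securego/gosec/cmd/gosec` on the new stage is unpinned, so the security gate fetches whatever the default branch holds at build time: the rule set and the "Issues :" output line that goSecureChecker.sh greps for can change under the project, and CI trusts an unverified download every run. If the toolchain here is module-aware, pin a tested release, e.g. `- go get github.com/securego/gosec/cmd/gosec@v2.2.0` (whichever version the suppressions were written against). `bash -x` also echoes every command into the public build log; drop `-x` once the script is stable.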
diff --git a/client/client.go b/client/client.go
index 2bc1d43..8d0c66e 100644
--- a/client/client.go
+++ b/client/client.go
@@ -71,6 +71,7 @@
 	}
 	httpOpts := &httpclient.Options{}
 	if u.Scheme == "https" {
+		// #nosec
 		httpOpts.TLSConfig = &tls.Config{
 			InsecureSkipVerify: !config.VerifyPeer,
 		}
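Review bot: The bare `// #nosec` above the tls.Config silences every gosec rule for that statement, not only G402, and records no reason, so a later reader cannot tell whether skipping verification is deliberate. Scope it and justify it: `// #nosec G402 -- InsecureSkipVerify is operator-controlled via config.VerifyPeer`. Note also that a bool field is false when omitted from the config, so a client config that never mentions verifyPeer ends up with certificate verification disabled here; a comment on that default, or a safe default, is worth adding. The enclosing function begins outside the hunk.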
diff --git a/docs/configurations/storage.md b/docs/configurations/storage.md
index a221661..71b8d14 100644
--- a/docs/configurations/storage.md
+++ b/docs/configurations/storage.md
@@ -14,7 +14,10 @@
 >*(optional, bool)*  enable TLS communication to mongodb server
 
 **rootCAFile**
->*(optional, bool)*  if sslEnabled is true, you must give a ca file
+>*(optional, string)*  if sslEnabled is true, you must give a ca file
+
+**verifyPeer**
+>*(optional, bool)*  if verifyPeer is true, kie will verify database server's certificate, otherwise not
 
 
 ### Example
@@ -25,6 +28,7 @@
   timeout:  5s
   sslEnabled: true
   rootCAFile: /opt/kie/ca.crt
+  verifyPeer: true
 ```
 
 
diff --git a/scripts/travis/goSecureChecker.sh b/scripts/travis/goSecureChecker.sh
new file mode 100644
index 0000000..de89283
--- /dev/null
+++ b/scripts/travis/goSecureChecker.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+gosec ./... > result.txt
+cat result.txt
+rm -rf result.txt
+issueCount=$(gosec ./... | grep "Issues"  |awk -F":" '{print $2}')
+if [ $? == 0 ] && [[ $issueCount -eq 0 ]] ; then
+	echo "No GoSecure warnings found"
+	exit 0
+else
+  echo "GoSecure Warnings found"
+	exit 1
+fi
+
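Review bot: The pass/fail decision at the bottom fails open: `$?` after `issueCount=$(gosec ./... | grep "Issues" | awk ...)` reports the last stage of the pipeline, not gosec, and if gosec is missing or crashes the count is empty, which bash's `[[ "" -eq 0 ]]` treats as zero, so the stage prints "No GoSecure warnings found" and exits 0. gosec is also run twice, so the report that was printed and the count that is judged may disagree. Run it once, keep its exit status, and treat an empty count as a failure; the `else` branch is also indented with spaces while the rest of the file uses tabs.
```shell
set -o pipefail

# Run gosec once; a non-zero exit (issues found, or the tool itself failed) fails the stage.
gosec ./... > result.txt
gosecStatus=$?
cat result.txt
issueCount=$(grep "Issues" result.txt | awk -F":" '{print $2}' | tr -d ' ')
rm -f result.txt
if [[ ${gosecStatus} -eq 0 ]] && [[ -n "${issueCount}" ]] && [[ "${issueCount}" -eq 0 ]]; then
	echo "No GoSecure warnings found"
	exit 0
fi
echo "GoSecure Warnings found (or gosec did not run cleanly)"
exit 1
```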
diff --git a/server/config/struct.go b/server/config/struct.go
index c3c32a4..054ead3 100644
--- a/server/config/struct.go
+++ b/server/config/struct.go
@@ -36,4 +36,5 @@
 	SSLEnabled bool   `yaml:"sslEnabled"`
 	RootCA     string `yaml:"rootCAFile"`
 	Timeout    string `yaml:"timeout"`
+	VerifyPeer bool   `yaml:"verifyPeer"`
 }
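Review bot: `VerifyPeer bool` is false whenever `verifyPeer` is absent from the yaml, and session.go turns it into `InsecureSkipVerify: !VerifyPeer`, so an operator who sets sslEnabled and rootCAFile but has not learned about this new key silently gets no server-certificate verification. Prefer a knob whose zero value is the safe one, e.g. `InsecureSkipVerify bool` with tag `yaml:"insecureSkipVerify"`, or at minimum document the default on the field with `// false (the default) disables server-certificate verification`. The struct declaration starts outside the hunk.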
diff --git a/server/handler/noop_auth_handler.go b/server/handler/noop_auth_handler.go
index b4a3833..7ad3fda 100644
--- a/server/handler/noop_auth_handler.go
+++ b/server/handler/noop_auth_handler.go
@@ -20,6 +20,7 @@
 import (
 	"github.com/go-chassis/go-chassis/core/handler"
 	"github.com/go-chassis/go-chassis/core/invocation"
+	"github.com/go-mesh/openlogging"
 )
 
 //NoopAuthHandler not need implement any logic
@@ -41,5 +42,7 @@
 	return "auth-handler"
 }
 func init() {
-	handler.RegisterHandler("auth-handler", newDomainResolver)
+	if err := handler.RegisterHandler("auth-handler", newDomainResolver); err != nil {
+		openlogging.Fatal("register auth-handler failed: " + err.Error())
+	}
 }
diff --git a/server/resource/v1/common.go b/server/resource/v1/common.go
index e121d9b..ee14240 100644
--- a/server/resource/v1/common.go
+++ b/server/resource/v1/common.go
@@ -168,7 +168,10 @@
 		UserAgent: rctx.ReadHeader("User-Agent"),
 		Event:     make(chan *pubsub.KVChangeEvent, 1),
 	}
-	pubsub.ObserveOnce(o, topic)
+	err = pubsub.ObserveOnce(o, topic)
+	if err != nil {
+		return false, errors.New("observe once failed: " + err.Error())
+	}
 	select {
 	case <-time.After(d):
 		happened = false
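Review bot: `errors.New("observe once failed: " + err.Error())` flattens the cause into a string, so callers can no longer use `errors.Is`/`errors.As` against whatever pubsub.ObserveOnce returned. If `fmt` is imported in this file, prefer `return false, fmt.Errorf("observe once: %w", err)`; otherwise return `err` unchanged and log the context here. The enclosing function begins before the hunk, so I cannot see how `err` and `happened` are declared.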
diff --git a/server/service/mongo/session/session.go b/server/service/mongo/session/session.go
index 40af57d..aed43b3 100644
--- a/server/service/mongo/session/session.go
+++ b/server/service/mongo/session/session.go
@@ -110,9 +110,10 @@
 				return
 			}
 			pool.AppendCertsFromPEM(caCert)
+			// #nosec
 			tc := &tls.Config{
 				RootCAs:            pool,
-				InsecureSkipVerify: true,
+				InsecureSkipVerify: !config.GetDB().VerifyPeer,
 			}
 			clientOps = append(clientOps, options.Client().SetTLSConfig(tc))
 			openlogging.Info("enabled ssl communication to mongodb")
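Review bot: `pool.AppendCertsFromPEM(caCert)` just above the `#nosec` discards its bool result, so a rootCAFile with no parseable certificate leaves the pool empty: with verifyPeer true every connection then fails with an opaque x509 error, and with verifyPeer false the file is read but has no effect. Guard it with `if !pool.AppendCertsFromPEM(caCert) {`, `openlogging.Error("rootCAFile contains no valid certificates")`, `return }` — using whatever return shape the `return` at the top of the hunk uses, which I cannot see. Also narrow the blanket `// #nosec` to `// #nosec G402 -- verification is controlled by the verifyPeer setting` so other rules still apply to that statement. The enclosing function starts outside the hunk.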