Secure PVAccess #115
Draft: george-mcintyre wants to merge 560 commits into epics-base:master from george-mcintyre:tls
…ates include MIC token handling in CCR, public key integrity checks, and associated cleanups and comments for improved Kerberos security context management.
…addition of public key, ACLs, and attributes. Improve Dockerfile structure with schema/application loading and cleanup, and enhance SSSD configurations.
… unnecessary parameters, and implement full LDAP-based key verification. Added new helper methods for DN generation, public key retrieval from LDAP, and base64 encoding. Enhanced IP and hostname fallback for authentication.
…ve error handling. - Migrate from `ldap_init` to `ldap_initialize`. - Replace `ldap_get_values` with `ldap_get_values_len` to properly handle binary data. - Enhance error handling for LDAP operations (`ldap_set_option`, `ldap_bind`, etc.). - Streamline LDAP query logic and attribute retrieval process.
…tication method handling.
…s, and streamline dependencies.
…min, softIOC, and client bashrc scripts.
…iable parsing and expand support for standard fields (name, organization, org unit, country) with server-specific variants.
… readability, fixed const correctness, replaced placeholders with ${DOCKER_USERNAME}, and standardized variable naming in authnldap.cpp/h to enhance maintainability.
…commands into single chained operations. Adjust LDAP include directive to address deprecation warnings for better compatibility on macOS.
…code utility. Replace SASL bind with simple bind. Improve memory management and string handling in encoding/decoding functions.
- Added expiration time for LDAP credentials (not_before and not_after fields). - Fixed incorrect parameter order in CertFactory::verifySignature. - Ensured consistent base64 decoding for signature and public keys. - Improved error messages for key-related exceptions. - Refactored `getPublicKey` to use `const` correctness and nullptr. - Renamed `publicKeyString` to `public_key_string` for consistency. These changes improve correctness, readability, and robustness.
…variables for improved readability and reusability across authentication modules.
…efactor variable initialization and improve GSSAPI error reporting
…eros authentication. - Refactored `fromAuthNEnv` to `fromAuthEnv` for standardization across LDAP, JWT, and Kerberos configurations. - Introduced detailed documentation and comments for clarity in Kerberos authentication processes, including MIC verification, credential handling, and CCR validation. - Simplified formatting, enhanced error reporting, and ensured memory cleanup in Kerberos-related functions. - Added constants for Kerberos default configuration and improved logging for debugging. Ensures cleaner and more maintainable code with enhanced inline documentation.
…ticator' to 'Standard Authenticator', enhance documentation, refactor configuration handling, and add detailed Kerberos-specific options and logic.
…ation modules for improved client/server credential handling. Updates include documentation adjustments, method implementations, and corresponding usage in authentication workflows.
…tCredentials` for better client/server distinction. Introduced standardized naming for option-related methods and improved documentation for modularity and clarity. Removed unused files and redundant methods for cleaner structure.
…checks and context state initialization.
…S connections across all tools when OpenSSL is enabled.
…ness in certificate handling code - Refactored functions to remove `inline` specifier for clearer implementation and maintainability. - Enhanced const correctness across various methods and parameters. - Introduced a `cert_config_uri_base` member to support extended certificate configuration URIs. - Updated certificate and OCSP status handling to include better type safety and initialization improvements. - Refined static utility functions for certificate handling and time conversion.
`pvxcert -R` is failing to establish a TLS connection unless there is a short delay after the client context is built (e.g. add the -v flag). As a short-term kludge I've added a 0.01 second wait after building the connection and it's working now. I will investigate the race condition later and add a permanent fix.
…d detailed certificate monitoring/debugging messages, and standardize log formatting to improve clarity and traceability.
…ion, and documentation files to ensure compatibility with the new release.
…blyGood` methods with `getStatusCategory` and `getEffectiveStatusCategory` for improved clarity. Introduce `cert_status_category_t` enum to centralize status representation.
… with `cert_status_category_t` for enhanced status clarity and flexibility. Update logic to handle `UNKNOWN_STATUS` and refactor state transitions for improved maintainability and debugging. Enhance logging across workflows. Introduce and utilize `sslkeylogfile_log` functionality when enabled.
…ks with `cert_status_category_t` for greater flexibility and clarity across workflows. Update state transition logic to handle `UNKNOWN_STATUS`, enhance logging for better debugging, and improve maintainability.
… with `cert_status_category_t` for enhanced status clarity and flexibility. Update logic to handle `UNKNOWN_STATUS` and refactor state transitions for improved maintainability and debugging. Enhance logging across workflows. Introduce and utilize `sslkeylogfile_log` functionality when enabled.
…atible OpenSSL library versions, disable TLS if mismatches are found, and enhance logging for debugging library issues.
- Improve logging for certificate status updates and connection workflows. - Standardize log formatting and add new debugging statements for better traceability. - Simplify openssl integration by including new modules (`opensslgbl`, `certfactory`, `certstatus*`). - Update version references to `1.4` in documentation and configuration files. - Tidy and reorganize module inclusion in `setup.py` for clarity.
…o streamline connection logic.
…up unused dependencies.
…nsure compatibility with OpenSSL headers.
…ABLE_OPENSSL block.
…on logic under `PVXS_ENABLE_OPENSSL` guard.
…ate expected values for `client1` and `client2` across `testtlswithcms` and `testtlswithcmsandstapling`.
- Adjust test expectations for certificate status counters in `testtlswithcms` and `testtlswithcmsandstapling`. - Improve error handling and logging in `clientconn.cpp` for failed non-blocking connections. - Refine TLS and certificate monitoring conditional logic under `PVXS_ENABLE_OPENSSL`. - Enhance OpenSSL initialization comment for clarity in `opensslgbl.cpp`.
…ceed with channel creation.
…line channel creation logic.
- Introduced new `status_cli` and `status_svr` loggers for client and server status debugging. - Added consistent log statements for state transitions across major classes (`Server`, `SSLContext`, `Connection`, `Channel`, etc.). - Modified constructors and methods to track state changes through debug logs for enhanced traceability. - Updated relevant files to ensure all state changes are logged consistently.
…ions: - Add detailed peer and channel name information to state transition log messages across `ConnBase`, `SubscriptionImpl`, `ServerChan`, and related methods. - Improve traceability by including contextual information for better debugging.
…matting changes.
…nn.cpp` and `serverconn.cpp`: - Eliminated `retryChannelCreation` and `retryConnectionValidation` methods along with their static wrappers under `PVXS_ENABLE_OPENSSL`. - Cleaned up related declarations in `clientimpl.h` and `serverconn.h`. - Streamlined code by removing redundant functionality.
…ation logic: - Eliminated redundant `AwaitingPeerCertValidity` state in `clientconn.cpp` and `serverconn.cpp`. - Added `Validated` state to clearly mark successful validation. - Removed unused OpenSSL retry and pending validation logic. - Improved state transition debugging for enhanced clarity.
- Wrapped `dlfcn.h` and OpenSSL-specific logging methods (`logOsslVersions` and `logOsslSymbolOrigins`) with `_WIN32` guards. - Prevent unnecessary code execution and warnings on Windows. - Ensure platform-specific compatibility with OpenSSL logic.
- Replaced `cert_status.status.s.c_str()` with `pva_status.status.s.c_str()` in `log_warn_printf` for accurate logging.
All changes for Secure PVAccess.
This PR is not meant to be merged.