From d1983226dfdde5f380f7c1e9edf20ffd55223970 Mon Sep 17 00:00:00 2001 From: thepetk Date: Wed, 15 Nov 2023 14:54:02 +0000 Subject: [PATCH 1/6] Disable http2 in server Signed-off-by: thepetk --- index/server/pkg/server/index.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/index/server/pkg/server/index.go b/index/server/pkg/server/index.go index 3a580c295..42af8547e 100644 --- a/index/server/pkg/server/index.go +++ b/index/server/pkg/server/index.go @@ -16,6 +16,7 @@ package server import ( + "crypto/tls" "encoding/json" "io/ioutil" "log" @@ -72,6 +73,7 @@ func ServeRegistry() { Handler: handler, ReadTimeout: 10 * time.Second, WriteTimeout: 10 * time.Second, + TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)), } go indexServer.ListenAndServe() From 1d142819f3618e1b8d87191b81e193e8b19ce184 Mon Sep 17 00:00:00 2001 From: thepetk Date: Fri, 24 Nov 2023 15:38:22 +0000 Subject: [PATCH 2/6] Add env var for http2 enablement Signed-off-by: thepetk --- index/server/README.md | 55 ++++++++++++++++++-------------- index/server/build.sh | 5 ++- index/server/pkg/server/index.go | 14 +++++++- 3 files changed, 48 insertions(+), 26 deletions(-) diff --git a/index/server/README.md b/index/server/README.md index e678e6d15..7d3d5be46 100644 --- a/index/server/README.md +++ b/index/server/README.md 
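Review bot: The `TLSNextProto` map added in the second hunk is only consulted when the server terminates TLS, but three lines below it the server is started with plain `go indexServer.ListenAndServe()`, so on this listener the new line changes nothing: net/http negotiates h2 only through ALPN on a TLS listener and does not serve cleartext h2c by default. Unless a TLS listener is configured somewhere outside this hunk, disabling HTTP/2 here does not mitigate CVE-2023-44487 (the advisory the README change in patch 2 cites); the dependable fix is a Go toolchain / `golang.org/x/net` release containing the patch, which the commit message should name. If the map is kept as defence in depth, a comment such as `// empty TLSNextProto disables h2 ALPN on a TLS listener; it has no effect on the cleartext ListenAndServe below` would stop a reader from taking it for the mitigation. The error from `ListenAndServe` in the context lines is also discarded, so a bind failure is silent; `ServeRegistry` starts before the hunk and continues past it.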
@@ -12,26 +12,26 @@ Edit the OpenAPI spec `openapi.yaml`, under `paths` you can define your endpoint ```yaml paths: - /foo: - get: - summary: - description: - # 'serveFoo' points to handler function 'ServeFoo' - operationId: serveFoo - parameters: # the OpenAPI specifications of the endpoint parameters - # spec for passing a bar query parameter /foo?bar= - - name: bar - in: query - description: - required: false - schema: - type: string - responses: # the OpenAPI specifications for the endpoint responses - default: - description: - content: - # Content type(s) - text/html: {} + /foo: + get: + summary: + description: + # 'serveFoo' points to handler function 'ServeFoo' + operationId: serveFoo + parameters: # the OpenAPI specifications of the endpoint parameters + # spec for passing a bar query parameter /foo?bar= + - name: bar + in: query + description: + required: false + schema: + type: string + responses: # the OpenAPI specifications for the endpoint responses + default: + description: + content: + # Content type(s) + text/html: {} ``` See [swagger.io/docs](https://swagger.io/docs/specification/paths-and-operations) for more information. 
@@ -72,20 +72,27 @@ bash push.sh quay.io/someuser/devfile-index-base ### Source Generation -Index server build uses the CLI tool `oapi-codegen` to generate the schema types `pkg/server/types.gen.go` and endpoint definition `pkg/server/endpoint.gen.go` sources. When changing the OpenAPI specification, such as [defining endpoints](#defining-endpoints), it is required to regenerate these changes into the source. +Index server build uses the CLI tool `oapi-codegen` to generate the schema types `pkg/server/types.gen.go` and endpoint definition `pkg/server/endpoint.gen.go` sources. When changing the OpenAPI specification, such as [defining endpoints](#defining-endpoints), it is required to regenerate these changes into the source. -The source generation can be done by manually building the index server with: +The source generation can be done by manually building the index server with: ```bash bash build.sh ``` + or to just generate the source files by running: ```bash bash codegen.sh ``` -**Important**: When committing to this repository, it is *required* to include the up to date source generation in your pull requests. Not including up to date source generation will lead to the PR check to fail. +**Important**: When committing to this repository, it is _required_ to include the up to date source generation in your pull requests. Not including up to date source generation will lead to the PR check to fail. + +### Enabling HTTP/2 on the Index Server + +By default, http/2 on the index server is disabled due to [CVE-2023-44487](https://github.com/advisories/GHSA-qppj-fm5r-hxr3). + +If you want to enable http/2, build with `ENABLE_HTTP2=true bash build.sh`. ## Testing @@ -104,4 +111,4 @@ go test ./... **Environment Variables** - `DEVFILE_REGISTRY`: Optional environment variable for specifying testing registry path - - default: `../../tests/registry` + - default: `../../tests/registry` 
diff --git a/index/server/build.sh b/index/server/build.sh index 6e5841fec..98504e28e 100755 --- a/index/server/build.sh +++ b/index/server/build.sh @@ -15,6 +15,9 @@ # See the License for the specific language governing permissions and # limitations under the License. +# Environment variable which enables http2 protocol +ENABLE_HTTP2 ?= false + # Build the index container for the registry buildfolder="$(realpath $(dirname ${BASH_SOURCE[0]}))" @@ -22,4 +25,4 @@ buildfolder="$(realpath $(dirname ${BASH_SOURCE[0]}))" bash ${buildfolder}/codegen.sh # Build the index server -docker build -t devfile-index-base:latest $buildfolder +docker build -t devfile-index-base:latest $buildfolder --build-arg ENABLE_WEBHOOKS=${ENABLE_WEBHOOKS} diff --git a/index/server/pkg/server/index.go b/index/server/pkg/server/index.go index 42af8547e..1fedbf5f8 100644 --- a/index/server/pkg/server/index.go +++ b/index/server/pkg/server/index.go @@ -21,6 +21,7 @@ import ( "io/ioutil" "log" "net/http" + "os" "time" "github.com/prometheus/client_golang/prometheus" @@ -68,12 +69,23 @@ func ServeRegistry() { handler := http.NewServeMux() handler.Handle("/metrics", promhttp.Handler()) prometheus.MustRegister(getIndexLatency) + + // Retrieve the option to enable HTTP2 + enableHTTP2 := os.Getenv("ENABLE_HTTP2") + if enableHTTP2 == "" { + enableHTTP2 = "false" + } + indexServer := &http.Server{ Addr: ":7071", Handler: handler, ReadTimeout: 10 * time.Second, WriteTimeout: 10 * time.Second, - TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)), + } + + // Disable HTTP2 by default + if enableHTTP2 == "false" { + indexServer.TLSNextProto = make(map[string]func(*http.Server, *tls.Conn, http.Handler)) } go indexServer.ListenAndServe() From 26386e48ec4ee49d24841198607e96cdd53667ff Mon Sep 17 00:00:00 2001 From: thepetk Date: Fri, 24 Nov 2023 15:39:18 +0000 Subject: [PATCH 3/6] Fix typo for env var 
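Review bot: The guard `if enableHTTP2 == "false"` in the `ServeRegistry` hunk of index.go fails open: any value other than the exact string "false" (`FALSE`, `0`, `no`, a trailing space) leaves `TLSNextProto` nil and enables HTTP/2, so a typo in the deployment environment silently drops the intended secure default. Parse the variable and disable unless it is affirmatively true, replacing the empty-string defaulting and the comparison with `enableHTTP2, err := strconv.ParseBool(os.Getenv("ENABLE_HTTP2"))` and `if err != nil || !enableHTTP2 {`, with `"strconv"` added to the import block. The `ENABLE_HTTP2=false` defaults added to the Dockerfile and scripts later in the series keep working unchanged once the Go side accepts any boolean spelling. `ServeRegistry` starts before the hunk and continues past it.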
Signed-off-by: thepetk --- index/server/build.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index/server/build.sh b/index/server/build.sh index 98504e28e..64afeeaaa 100755 --- a/index/server/build.sh +++ b/index/server/build.sh @@ -25,4 +25,4 @@ buildfolder="$(realpath $(dirname ${BASH_SOURCE[0]}))" bash ${buildfolder}/codegen.sh # Build the index server -docker build -t devfile-index-base:latest $buildfolder --build-arg ENABLE_WEBHOOKS=${ENABLE_WEBHOOKS} +docker build -t devfile-index-base:latest $buildfolder --build-arg ENABLE_HTTP2=${ENABLE_HTTP2} From 58e5689aa3940f5681cf7668e5a25190ed7f2cb2 Mon Sep 17 00:00:00 2001 From: thepetk Date: Fri, 24 Nov 2023 16:00:04 +0000 Subject: [PATCH 4/6] Add env var to dockerfile Signed-off-by: thepetk --- index/server/Dockerfile | 4 ++++ index/server/build.sh | 5 +---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/index/server/Dockerfile b/index/server/Dockerfile index 1e6333ee6..9d1fad0b9 100644 --- a/index/server/Dockerfile +++ b/index/server/Dockerfile @@ -40,6 +40,10 @@ RUN set -x ; \ # Modify the permissions on the necessary files to allow the container to properly run as a non-root UID RUN mkdir -p /www/data && chmod -R g+rwx /www/data +# disable http/2 on the index server by default +ARG ENABLE_HTTP2=false +ENV ENABLE_HTTP2=${ENABLE_HTTP2} + # Set env vars for the locations of the devfile stacks and index.json ENV DEVFILE_STACKS /registry/stacks ENV DEVFILE_SAMPLES /registry/samples diff --git a/index/server/build.sh b/index/server/build.sh index 64afeeaaa..7dcb71ea6 100755 --- a/index/server/build.sh +++ b/index/server/build.sh @@ -15,9 +15,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -# Environment variable which enables http2 protocol -ENABLE_HTTP2 ?= false - # Build the index container for the registry buildfolder="$(realpath $(dirname ${BASH_SOURCE[0]}))" 
@@ -25,4 +22,4 @@ buildfolder="$(realpath $(dirname ${BASH_SOURCE[0]}))" bash ${buildfolder}/codegen.sh # Build the index server -docker build -t devfile-index-base:latest $buildfolder --build-arg ENABLE_HTTP2=${ENABLE_HTTP2} +docker build -t devfile-index-base:latest --build-arg ENABLE_HTTP2=${ENABLE_HTTP2} $buildfolder From e910cec83902d9175b22fb8b937b50db2326d0c8 Mon Sep 17 00:00:00 2001 From: thepetk Date: Fri, 24 Nov 2023 16:17:06 +0000 Subject: [PATCH 5/6] Fix ci.yaml workflow Signed-off-by: thepetk --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 14201571e..980aa4693 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -103,7 +103,7 @@ jobs: cd index/server export GOPATH=$(go env GOPATH) go install github.com/deepmap/oapi-codegen/cmd/oapi-codegen@v1.12.4 - bash ./build.sh + ENABLE_HTTP2="false" bash ./build.sh - name: Test index server run: cd index/server && go test ./... -coverprofile cover.out From cbbac605b3efc121b6589eaac7c7930b12731b81 Mon Sep 17 00:00:00 2001 From: thepetk Date: Fri, 24 Nov 2023 16:29:03 +0000 Subject: [PATCH 6/6] Fix typo in the workflows Signed-off-by: thepetk --- .github/workflows/ci.yaml | 2 +- build_registry.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 980aa4693..14201571e 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -103,7 +103,7 @@ jobs: cd index/server export GOPATH=$(go env GOPATH) go install github.com/deepmap/oapi-codegen/cmd/oapi-codegen@v1.12.4 - ENABLE_HTTP2="false" bash ./build.sh + bash ./build.sh - name: Test index server run: cd index/server && go test ./... -coverprofile cover.out diff --git a/build_registry.sh b/build_registry.sh index 633aef446..0c68fa257 100755 --- a/build_registry.sh +++ b/build_registry.sh 
@@ -28,7 +28,7 @@ BASE_DIR=$(dirname $0) . ${BASE_DIR}/setenv.sh # Build the index server base image -. ${BASE_DIR}/index/server/build.sh +ENABLE_HTTP2="false" . ${BASE_DIR}/index/server/build.sh # Build the test devfile registry image docker build -t devfile-index:latest -f ${BASE_DIR}/.ci/Dockerfile ${BASE_DIR}