-
Notifications
You must be signed in to change notification settings - Fork 27
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add security support for exporter and collector #57
Conversation
pkg/collector/tcp.go
Outdated
@@ -40,6 +41,43 @@ func (cp *collectingProcess) startTCPServer() { | |||
} | |||
} | |||
|
|||
func (cp *collectingProcess) StartTLSServer(serverCert []byte, serverKey []byte) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is TLSserver not supported with UDP transport? I see TLSclient in exporting process written for both TCP and UDP transport.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just realized you had WIP in the title. If you are planning to address the above already, please ignore the comment.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For UDP Transport, we will need to use DTLS. Still working on that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
StartTLSServer(serverCert []byte, serverKey []byte) can be simplified as StartTLSServer(serverCert, serverKey []byte)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@shihhaoli Thanks! will update it.
d130042
to
74abc0c
Compare
e5c8be0
to
98ab187
Compare
Codecov Report
@@ Coverage Diff @@
## master #57 +/- ##
==========================================
- Coverage 81.14% 80.26% -0.89%
==========================================
Files 13 13
Lines 1496 1591 +95
==========================================
+ Hits 1214 1277 +63
- Misses 191 212 +21
- Partials 91 102 +11
Flags with carried forward coverage won't be shown. Click here to find out more.
|
pkg/collector/process.go
Outdated
func (cp *collectingProcess) Start() { | ||
if cp.address.Network() == "tcp" { | ||
cp.startTCPServer() | ||
} else if cp.address.Network() == "udp" { | ||
cp.startUDPServer() | ||
} | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this removed to let the user start regular tcp/udp server or server with TLS/DTLS encryption? If so, I feel it is better to take in a input from the user through InitCollectorProcess on whether to use encryption or not.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just checking if these comments are resolved or not. From the latest code changes, it doesn't seem so.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for reminding. Changes got postponed by other PRs. Will update asap.
pkg/exporter/process.go
Outdated
@@ -98,6 +101,60 @@ func InitExportingProcess(collectorAddr net.Addr, obsID uint32, tempRefTimeout u | |||
return expProc, nil | |||
} | |||
|
|||
func InitExportingProcessWithTLS(collectorAddr net.Addr, obsID uint32, cert []byte) (*ExportingProcess, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here as well taking the input for encryption may be better. We can save some duplication of code and make this library function simpler.
0186ea8
to
02e0484
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
pkg/test/exporter_collector_test.go
Outdated
func TestSingleRecordUDPTransport(t *testing.T) { | ||
address, err := net.ResolveUDPAddr("udp", "0.0.0.0:4739") | ||
address, err := net.ResolveUDPAddr("udp", "0.0.0.0:4630") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
let's use random port by giving 0?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure. updated with random port, but also added some code to support the random port since previously we directly used hard-coded address passed from users. If you think the commit is not quite relevant to current PR, I can move it to another PR separately.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since you changed the port number other than 4739 in the tests, I suggested a random open port. We should only expect users to give 4739, since it is the standard IPFIX port, right?
What is the extra code required to accept random port? Is that required in tests code or actual code?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's true. I changed the port number because if we use same port for all the tests, it will have conflicts (some of the tests cannot start collector since the port is occupied.). extra code is mainly about update address after the listener resolves the random port. I also added a get address function for get the latest address of the collector.
We can extend the standalone collector in a different PR. Overall it looks good to me. |
pkg/intermediate/aggregate_test.go
Outdated
@@ -167,6 +167,7 @@ func TestGetTupleRecordMap(t *testing.T) { | |||
} | |||
|
|||
func TestAggregateMsgByFlowKey(t *testing.T) { | |||
registry.LoadRegistry() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do it in init, so it will be applicable for all test functions.
pkg/test/exporter_collector_test.go
Outdated
func TestSingleRecordUDPTransport(t *testing.T) { | ||
address, err := net.ResolveUDPAddr("udp", "0.0.0.0:4739") | ||
address, err := net.ResolveUDPAddr("udp", "0.0.0.0:4630") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since you changed the port number other than 4739 in the tests, I suggested a random open port. We should only expect users to give 4739, since it is the standard IPFIX port, right?
What is the extra code required to accept random port? Is that required in tests code or actual code?
cmd/collector/collector.go
Outdated
@@ -130,7 +130,7 @@ func run() error { | |||
return fmt.Errorf("input given ipfix.transport flag is not supported or valid") | |||
} | |||
// Initialize collecting process | |||
cp, err := collector.InitCollectingProcess(netAddr, 65535, 0) | |||
cp, err := collector.InitCollectingProcess(netAddr, 65535, 0, false, nil, nil) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For public methods, we can consider creating a struct for all the input parameters.
This can avoid changing the code on the caller side whenever we need to add new parameters in the future.
I was asked by WCP team to do something like that when they consume a library maintained by our team. Otherwise every time we upgrade our library, that could break their existing code.
For example, a struct like https://gitreview.eng.vmware.com/c/nsx/+/312057/7/solutions/nsxi/go/src/nsxi/validator/validator.go#61
and used in https://gitreview.eng.vmware.com/c/nsx/+/312057/7/solutions/nsxi/go/src/nsxi/validator/validator.go#311
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks it will also be clearer for users to pass parameters. Updated for exporter and intermediate process too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@shihhaoli It is a good suggestion to make consumption easier.
However, it is better to avoid company-specific internal links in the OSS repo.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I made the same mistake while developing openstack long time ago (referring bugzilla link for bug fix in the commit message) :-)
Any suggestion how to do this in the future? Send an email instead?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I felt if there are non-vmware folks following the conversation, they may not get complete context with the links that are not accessible. Yes offline mode through email or slack sounds good to me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, then those non-vmware people will completely hide from our conversations, but at least they will not complain inaccessible links : -)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Or keeping the context to an accessible project will also work :)
pkg/intermediate/aggregate.go
Outdated
if err != nil { | ||
return fmt.Errorf("IANA Registry is not loaded correctly with originalExporterIPv4Address.") | ||
} | ||
address = net.ParseIP(message.ExportAddress).To4() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You may rearrange the code so that net.ParseIP() can be executed only once (i.e. lines 281 and 286, also lines 287 and 292).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Address related extra code looks fine to me.
pkg/intermediate/aggregate.go
Outdated
} | ||
address = net.ParseIP(message.ExportAddress).To16() | ||
} else { | ||
return fmt.Errorf("original exporter address is not in correct format.") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As a convention, punctuation not required in fmt.Errorf.
24e5d6d
to
2a5aad5
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM except for one comment on TODO.
pkg/exporter/process.go
Outdated
klog.Errorf("Cannot the create the connection to configured ExportingProcess %s: %v", collectorAddr.String(), err) | ||
return nil, err | ||
} | ||
// TODO: Get obsID, tempRefTimeout as args which can be of dynamic size supporting both TCP and UDP. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this todo not needed anymore right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, removed it. Thanks!
Fixes #50