kubeclient 4.9.2 → 4.9.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9220de071696f945ccb667a13ea89c697d935f97abaabad9350bf8d39596d0b3
-  data.tar.gz: 508742ac151675cc00e0dda915f5f44cb5622c90ad56aa97de06967880925297
+  metadata.gz: 3f402a08fef66f160df49d507487769073b248828869a2c874d78e947b1d6686
+  data.tar.gz: 5d371f47861538f1e3e9deced8d1c41be1e0ca857ab8ed0607a75417948bb6f6
 SHA512:
-  metadata.gz: ab7ec603082fd9c11089e721ebb7d98bdd4092b76f9d173f3075351db41c4ab76ca2e8cf2a54818bf0f6bc5d9749ed64dc51af262acc93c527ba0a4e1b1637cb
-  data.tar.gz: daaf00389fbd89a5eff46397e4a176de5fb540a292a706c093c289f476c250f1cdb7caaad3fa3a865841704c1a141be6861d189f8a59bda2dcff35581742e981
+  metadata.gz: f06a16d02e150194d06a4aa2c37a23bd1b7bbef4daca379ed7f60dd9581310b98cd3026d86e90b1b23d861fe6186d05e003d41380cb1edeaf7a2e52ccc594520
+  data.tar.gz: 7fbceb84c48af3bf4f28eadb05a2807a61196a26a66d72eb836ee5faa23d9a22fb1bd8e76fd16febd794007f1f0fd487000db40f543143789d33225c2350ccd0

data/.github/workflows/actions.yml

@@ -10,18 +10,24 @@ on:
     - '**'
 jobs:
   build:
-    runs-on: ${{ matrix.os }}
+    continue-on-error: true
+    runs-on: ${{ matrix.os_and_command.os }}
     strategy:
       matrix:
-        ruby: [ '2.5', '2.6', '2.7', '3.0', 'truffleruby-head' ]
-        os: ['ubuntu-latest', 'macos-latest']
-        task: [test]
+        ruby: [ '2.5', '2.6', '2.7', '3.0', '3.1', 'ruby-head', 'truffleruby-head' ]
+        os_and_command:
+        - os: 'macos-latest'
+          command: 'env TESTOPTS="--verbose" bundle exec rake test'
+        - os: ubuntu-latest
+          # Sometimes minitest starts and then just hangs printing nothing.
+          # Github by default kills after 6hours(!). Hopefully SIGTERM may let it print some details?
+          command: 'timeout --signal=TERM 3m env TESTOPTS="--verbose" test/config/update_certs_k0s.rb'
         include:
         # run rubocop against lowest supported ruby
         - os: ubuntu-latest
           ruby: '2.5'
-          task: rubocop
-    name: ${{ matrix.os }} ${{ matrix.ruby }} rake ${{ matrix.task }}
+          command: 'bundle exec rake rubocop'
+    name: ${{ matrix.os_and_command.os }} ${{ matrix.ruby }} rake ${{ matrix.os_and_command.command }}
     steps:
     - uses: actions/checkout@v2
     # actions/setup-ruby did not support truffle or bundler caching
@@ -31,5 +37,6 @@ jobs:
         bundler-cache: false # disable running 'bundle install' and caching installed gems see https://github.com/httprb/http/issues/572
     - run: gem install rake bundler
     - run: bundle install
-    - run: bundle exec rake ${{ matrix.task }}
+    - run: ${{ matrix.os_and_command.command }}
+    timeout-minutes: 10
 

data/CHANGELOG.md

@@ -4,6 +4,45 @@ Notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 Kubeclient release versioning follows [SemVer](https://semver.org/).
 
+## 4.9.3 — 2021-03-23
+
+### Fixed
+
+- VULNERABILITY FIX: Previously, whenever kubeconfig did not define custom CA
+  (normal situation for production clusters with public domain and certificate!),
+  `Config` was returning ssl_options[:verify_ssl] hard-coded to `VERIFY_NONE` :-(
+
+  Assuming you passed those ssl_options to Kubeclient::Client, this means that
+  instead of checking server's certificate against your system CA store,
+  it would accept ANY certificate, allowing easy man-in-the middle attacks.
+
+  This is especially dangerous with user/password or token credentials
+  because MITM attacker could simply steal those credentials to the cluster
+  and do anything you could do on the cluster.
+
+  This was broken IN ALL RELEASES MADE BEFORE 2022, ever since
+  [`Kubeclient::Config` was created](https://github.com/ManageIQ/kubeclient/pull/127/files#diff-32e70f2f6781a9e9c7b83ae5e7eaf5ffd068a05649077fa38f6789e72f3de837R41-R48).
+
+- Bug fix: kubeconfig `insecure-skip-tls-verify` field was ignored.
+  When kubeconfig did define custom CA, `Config` was returning hard-coded `VERIFY_PEER`.
+
+  Now we honor it, return `VERIFY_NONE` iff kubeconfig has explicit
+  `insecure-skip-tls-verify: true`, otherwise `VERIFY_PEER`.
+
+- `Config`: fixed parsing of `certificate-authority` file containing concatenation of
+  several certificates.  Previously, server's cert was checked against only first CA cert,
+  resulting in possible "certificate verify failed" errors.
+
+  An important use case is a chain of root & intermediate cert(s) - necessary when cluster's CA
+  itself is signed by another custom CA.
+  But also helps when you simply concatenate independent certs. (#461, #552)
+
+  - Still broken (#460): inline `certificate-authority-data` is still parsed using `add_cert`
+    method that handles only one cert.
+
+These don't affect code that supplies `Client` parameters directly,
+only code that uses `Config`.
+
 ## 4.9.2 — 2021-05-30
 
 ### Added

data/README.md

@@ -9,6 +9,13 @@ The client supports GET, POST, PUT, DELETE on all the entities available in kube
 The client currently supports Kubernetes REST api version v1.
 To learn more about groups and versions in kubernetes refer to [k8s docs](https://kubernetes.io/docs/api/)
 
+## VULNERABILITY❗
+
+If you use `Kubeclient::Config`, all gem versions released before 2022 could return incorrect `ssl_options[:verify_ssl]`,
+endangering your connection and cluster credentials.
+See [latest CHANGELOG.md](https://github.com/ManageIQ/kubeclient/blob/master/CHANGELOG.md) for details and which versions got a fix.
+Open an issue if you want a backport to another version.
+
 ## Installation
 
 Add this line to your application's Gemfile:

data/kubeclient.gemspec

@@ -31,6 +31,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'googleauth', '~> 0.5.1'
   spec.add_development_dependency('mocha', '~> 1.5')
   spec.add_development_dependency 'openid_connect', '~> 1.1'
+  spec.add_development_dependency 'net-smtp'
 
   spec.add_dependency 'jsonpath', '~> 1.0'
   spec.add_dependency 'rest-client', '~> 2.0'

data/lib/kubeclient/config.rb

@@ -51,20 +51,22 @@ module Kubeclient
         user['exec_result'] = ExecCredentials.run(exec_opts)
       end
 
-      ca_cert_data     = fetch_cluster_ca_data(cluster)
       client_cert_data = fetch_user_cert_data(user)
       client_key_data  = fetch_user_key_data(user)
       auth_options     = fetch_user_auth_options(user)
 
       ssl_options = {}
 
-      if !ca_cert_data.nil?
+      ssl_options[:verify_ssl] = if cluster['insecure-skip-tls-verify'] == true
+                                   OpenSSL::SSL::VERIFY_NONE
+                                 else
+                                   OpenSSL::SSL::VERIFY_PEER
+                                 end
+
+      if cluster_ca_data?(cluster)
         cert_store = OpenSSL::X509::Store.new
-        cert_store.add_cert(OpenSSL::X509::Certificate.new(ca_cert_data))
-        ssl_options[:verify_ssl] = OpenSSL::SSL::VERIFY_PEER
+        populate_cert_store_from_cluster_ca_data(cluster, cert_store)
         ssl_options[:cert_store] = cert_store
-      else
-        ssl_options[:verify_ssl] = OpenSSL::SSL::VERIFY_NONE
       end
 
       unless client_cert_data.nil?
@@ -131,11 +133,16 @@ module Kubeclient
       [cluster, user, namespace]
     end
 
-    def fetch_cluster_ca_data(cluster)
+    def cluster_ca_data?(cluster)
+      cluster.key?('certificate-authority') || cluster.key?('certificate-authority-data')
+    end
+
+    def populate_cert_store_from_cluster_ca_data(cluster, cert_store)
       if cluster.key?('certificate-authority')
-        File.read(ext_file_path(cluster['certificate-authority']))
+        cert_store.add_file(ext_file_path(cluster['certificate-authority']))
       elsif cluster.key?('certificate-authority-data')
-        Base64.decode64(cluster['certificate-authority-data'])
+        ca_cert_data = Base64.decode64(cluster['certificate-authority-data'])
+        cert_store.add_cert(OpenSSL::X509::Certificate.new(ca_cert_data))
       end
     end
 

data/lib/kubeclient/version.rb

@@ -1,4 +1,4 @@
 # Kubernetes REST-API Client
 module Kubeclient
-  VERSION = '4.9.2'.freeze
+  VERSION = '4.9.3'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kubeclient
 version: !ruby/object:Gem::Version
-  version: 4.9.2
+  version: 4.9.3
 platform: ruby
 authors:
 - Alissa Bonas
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-05-30 00:00:00.000000000 Z
+date: 2022-03-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -150,6 +150,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.1'
+- !ruby/object:Gem::Dependency
+  name: net-smtp
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: jsonpath
   requirement: !ruby/object:Gem::Requirement
@@ -270,7 +284,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.3
+rubygems_version: 3.3.3
 signing_key:
 specification_version: 4
 summary: A client for Kubernetes REST api