Remove Subject Alternate Name Sanitization in Workload Cert Creation (#5798)

nimanch · web-flow · commit 070610dbc54e · 2021-11-08T21:08:35.000Z
1. Remove Subject Alternate Name Sanitization of Common Name, this leads to TLS Handshake Errors since the hostname differs from the SAN. 2. Added Unit Test 3. Enable 1ES Agents on CI E2E Tests End-End CI Run : https://msazure.visualstudio.com/One/_build/results?buildId=48717636&view=logs&j=f1061aa8-bee6-5103-5b5c-2b2c91b98c58 ## Azure IoT Edge PR checklist:
diff --git a/builds/checkin/e2e-checkin.yaml b/builds/checkin/e2e-checkin.yaml
@@ -58,12 +58,6 @@ stages:
           builtImages: $[ stageDependencies.PublishManifests.PublishManifest.result ]
           builtPackages: $[ stageDependencies.BuildPackages.linux.result ]
         steps:
-          # Since 1ES Agents may have a non-conformed RFC 1035 Host Name, Modify the Host Name here so that Downstream communication doesn't
-          # have TLS Handshake errors
-        - bash: |
-            echo "Writing Host Name e2e-$BUILD_BUILDID"
-            sudo hostnamectl set-hostname e2e-$BUILD_BUILDID
-          displayName: Modify Host Name
         - template: ../e2e/templates/e2e-setup.yaml
         - template: ../e2e/templates/e2e-run.yaml
 
diff --git a/builds/e2e/e2e.yaml b/builds/e2e/e2e.yaml
@@ -55,101 +55,90 @@ jobs:
     - template: templates/e2e-clear-docker-cached-images.yaml
     - template: templates/e2e-run.yaml
 
-# Using 1ES-hosted agents in master branch causes test failures; disabling
-# until fixed.
-# ################################################################################
-#   - job: ubuntu_1804_msmoby
-# ################################################################################
-#     displayName: Ubuntu 18.04 with iotedge-moby
-
-#     pool:
-#       name: $(pool.linux.name)
-#       demands:
-#       - ImageOverride -equals agent-aziotedge-ubuntu-18.04-msmoby
-
-#     variables:
-#       os: linux
-#       arch: amd64
-#       artifactName: iotedged-ubuntu18.04-amd64
-#       identityServiceArtifactName: packages_ubuntu-18.04_amd64
-#       identityServicePackageFilter: aziot-identity-service_*_amd64.deb
-
-#     steps:
-#     - template: templates/e2e-setup.yaml
-#     - template: templates/e2e-run.yaml
+
+################################################################################
+  - job: ubuntu_1804_msmoby
+################################################################################
+    displayName: Ubuntu 18.04 with iotedge-moby
+
+    pool:
+      name: $(pool.linux.name)
+      demands:
+      - ImageOverride -equals agent-aziotedge-ubuntu-18.04-msmoby
+
+    variables:
+      os: linux
+      arch: amd64
+      artifactName: iotedged-ubuntu18.04-amd64
+      identityServiceArtifactName: packages_ubuntu-18.04_amd64
+      identityServicePackageFilter: aziot-identity-service_*_amd64.deb
+
+    steps:
+    - template: templates/e2e-setup.yaml
+    - template: templates/e2e-run.yaml
 
 ################################################################################
   - job: ubuntu_1804_docker
 ################################################################################
-    # displayName: Ubuntu 18.04 with Docker (minimal)
-    displayName: Ubuntu 18.04 with Docker
+
+    displayName: Ubuntu 18.04 with Docker minimal
 
     pool:
-      vmImage: ubuntu-18.04
-      # Using 1ES-hosted agents in master branch causes test failures; disabling
-      # until fixed.
-      # name: $(pool.linux.name)
-      # demands:
-      # - ImageOverride -equals agent-aziotedge-ubuntu-18.04-docker
+      name: $(pool.linux.name)
+      demands:
+      - ImageOverride -equals agent-aziotedge-ubuntu-18.04-docker
 
     variables:
       os: linux
       arch: amd64
       artifactName: iotedged-ubuntu18.04-amd64
       identityServiceArtifactName: packages_ubuntu-18.04_amd64
       identityServicePackageFilter: aziot-identity-service_*_amd64.deb
-      # When we switch to 1ES-hosted agents, we can make this a minimal pipeline
-      # minimal: true
+      minimal: true
 
     steps:
     - template: templates/e2e-setup.yaml
     - template: templates/e2e-run.yaml
 
-# Using 1ES-hosted agents in master branch causes test failures; disabling
-# until fixed.
-# ################################################################################
-#   - job: ubuntu_2004_msmoby
-# ################################################################################
-#     displayName: Ubuntu 20.04 with iotedge-moby
-
-#     pool:
-#       name: $(pool.linux.name)
-#       demands:
-#       - ImageOverride -equals agent-aziotedge-ubuntu-20.04-msmoby
-
-#     variables:
-#       os: linux
-#       arch: amd64
-#       artifactName: iotedged-ubuntu20.04-amd64
-#       identityServiceArtifactName: packages_ubuntu-20.04_amd64
-#       identityServicePackageFilter: aziot-identity-service_*_amd64.deb
-
-#     steps:
-#     - template: templates/e2e-setup.yaml
-#     - template: templates/e2e-run.yaml
+
+################################################################################
+  - job: ubuntu_2004_msmoby
+################################################################################
+    displayName: Ubuntu 20.04 with iotedge-moby
+
+    pool:
+      name: $(pool.linux.name)
+      demands:
+      - ImageOverride -equals agent-aziotedge-ubuntu-20.04-msmoby
+
+    variables:
+      os: linux
+      arch: amd64
+      artifactName: iotedged-ubuntu20.04-amd64
+      identityServiceArtifactName: packages_ubuntu-20.04_amd64
+      identityServicePackageFilter: aziot-identity-service_*_amd64.deb
+
+    steps:
+    - template: templates/e2e-setup.yaml
+    - template: templates/e2e-run.yaml
 
 ################################################################################
   - job: ubuntu_2004_docker
 ################################################################################
-    # displayName: Ubuntu 20.04 with Docker (minimal)
-    displayName: Ubuntu 20.04 with Docker
+    displayName: Ubuntu 20.04 with Docker minimal
 
     pool:
-      vmImage: ubuntu-20.04
-      # Using 1ES-hosted agents in master branch causes test failures; disabling
-      # until fixed.
-      # name: $(pool.linux.name)
-      # demands:
-      # - ImageOverride -equals agent-aziotedge-ubuntu-20.04-docker
+      name: $(pool.linux.name)
+      demands:
+      - ImageOverride -equals agent-aziotedge-ubuntu-20.04-docker
 
     variables:
       os: linux
       arch: amd64
       artifactName: iotedged-ubuntu20.04-amd64
       identityServiceArtifactName: packages_ubuntu-20.04_amd64
       identityServicePackageFilter: aziot-identity-service_*_amd64.deb
-      # When we switch to 1ES-hosted agents, we can make this a minimal pipeline
-      # minimal: true
+      minimal: true
 
     steps:
     - template: templates/e2e-setup.yaml
@@ -161,17 +150,9 @@ jobs:
     displayName: CentOs7 amd64
 
     pool:
-      name: $(pool.custom.name)
+      name: $(pool.linux.name)
       demands:
-        - Agent.OS -equals Linux
-        - Agent.OSArchitecture -equals X64
-        - run-new-e2e-tests -equals true
-        - centos -equals 7
-      # Using 1ES-hosted agents in master branch causes test failures; disabling
-      # until fixed.
-      # name: $(pool.linux.name)
-      # demands:
-      # - ImageOverride -equals agent-aziotedge-centos-7-msmoby
+      - ImageOverride -equals agent-aziotedge-centos-7-msmoby
 
     variables:
       os: linux
diff --git a/edgelet/edgelet-http-workload/src/module/cert/identity.rs b/edgelet/edgelet-http-workload/src/module/cert/identity.rs
@@ -71,8 +71,7 @@ where
 
         let cert_id = format!("aziot-edged/module/{}:identity", &self.module_id);
 
-        let module_uri = super::sanitize_dns_name(self.module_uri);
-        let subject_alt_names = vec![super::SubjectAltName::Dns(module_uri)];
+        let subject_alt_names = vec![super::SubjectAltName::Dns(self.module_uri)];
 
         let csr_extensions = identity_cert_extensions().map_err(|_| {
             edgelet_http::error::server_error("failed to set identity csr extensions")
diff --git a/edgelet/edgelet-http-workload/src/module/cert/mod.rs b/edgelet/edgelet-http-workload/src/module/cert/mod.rs
@@ -133,22 +133,6 @@ impl CertApi {
     }
 }
 
-/// DNS names must conform to following rules per RFC 1035:
-///  - Length less than 64 characters
-///  - Contains only lowercase alphanumeric characters or '-'
-///  - Starts and ends with an alphanumeric character
-///
-/// This function removes illegal characters from a given DNS name and trims it to 63 characters.
-pub fn sanitize_dns_name(name: String) -> String {
-    name.trim_start_matches(|c: char| !c.is_ascii_alphabetic())
-        .trim_end_matches(|c: char| !c.is_ascii_alphanumeric())
-        .to_lowercase()
-        .chars()
-        .filter(|c| c.is_ascii_alphanumeric() || c == &'-')
-        .take(63)
-        .collect::<String>()
-}
-
 fn new_keys() -> Result<
     (
         openssl::pkey::PKey<openssl::pkey::Private>,
diff --git a/edgelet/edgelet-http-workload/src/module/cert/server.rs b/edgelet/edgelet-http-workload/src/module/cert/server.rs
@@ -95,14 +95,11 @@ where
         let common_name_san = if std::net::IpAddr::from_str(&common_name_san).is_ok() {
             super::SubjectAltName::Ip(common_name_san)
         } else {
-            let common_name_san = super::sanitize_dns_name(common_name_san);
-
             super::SubjectAltName::Dns(common_name_san)
         };
 
         // Server certificates have the module ID and certificate CN as the SANs.
-        let module_id_san = super::sanitize_dns_name(self.module_id);
-        let module_id_san = super::SubjectAltName::Dns(module_id_san);
+        let module_id_san = super::SubjectAltName::Dns(self.module_id);
 
         let subject_alt_names = vec![common_name_san, module_id_san];
 
@@ -133,17 +130,30 @@ fn server_cert_extensions(
 
 #[cfg(test)]
 mod tests {
+    use crate::module::cert::CertificateResponse;
     use http_common::server::Route;
 
     use edgelet_test_utils::{test_route_err, test_route_ok};
 
     const TEST_PATH: &str = "/modules/testModule/genid/1/certificate/server";
 
+    const MODULE_NAME: &str = "testModule";
+
+    async fn post(
+        route: super::Route<edgelet_test_utils::runtime::Runtime>,
+    ) -> http_common::server::RouteResponse {
+        let body = super::ServerCertificateRequest {
+            common_name: MODULE_NAME.to_string(),
+        };
+
+        route.post(Some(body)).await
+    }
+
     #[test]
     fn parse_uri() {
         // Valid URI
         let route = test_route_ok!(TEST_PATH);
-        assert_eq!("testModule", &route.module_id);
+        assert_eq!(MODULE_NAME, &route.module_id);
         assert_eq!("1", &route.gen_id);
         assert_eq!(nix::unistd::getpid().as_raw(), route.pid);
 
@@ -162,16 +172,35 @@ mod tests {
 
     #[tokio::test]
     async fn auth() {
-        async fn post(
-            route: super::Route<edgelet_test_utils::runtime::Runtime>,
-        ) -> http_common::server::RouteResponse {
-            let body = super::ServerCertificateRequest {
-                common_name: "testModule".to_string(),
-            };
-
-            route.post(Some(body)).await
+        edgelet_test_utils::test_auth_caller!(TEST_PATH, MODULE_NAME, post);
+    }
+
+    #[tokio::test]
+    async fn verifysans() {
+        let route = edgelet_test_utils::test_route_ok!(TEST_PATH);
+        {
+            let pid = nix::unistd::getpid().as_raw();
+            let mut runtime = route.runtime.lock().await;
+            runtime.module_auth = std::collections::BTreeMap::new();
+            runtime
+                .module_auth
+                .insert(MODULE_NAME.to_string(), vec![pid]);
         }
 
-        edgelet_test_utils::test_auth_caller!(TEST_PATH, "testModule", post);
+        let response = post(route).await.unwrap();
+        let body_bytes = hyper::body::to_bytes(response.into_body()).await.unwrap();
+        let cert_response = serde_json::from_str::<CertificateResponse>(
+            &String::from_utf8(body_bytes.to_vec()).unwrap(),
+        )
+        .unwrap()
+        .certificate;
+
+        let cert = openssl::x509::X509::from_pem(cert_response.as_bytes())
+            .map_err(|_| edgelet_http::error::server_error("failed to parse cert"));
+        let sans = cert.unwrap().subject_alt_names();
+        for san in sans.unwrap().iter() {
+            let name = san.dnsname().unwrap();
+            assert_eq!(MODULE_NAME.to_lowercase(), name.to_lowercase());
+        }
     }
 }
diff --git a/edgelet/edgelet-test-utils/src/clients/cert.rs b/edgelet/edgelet-test-utils/src/clients/cert.rs
@@ -74,13 +74,18 @@ impl CertClient {
 
         let csr = openssl::x509::X509Req::from_pem(csr).unwrap();
         let csr_pubkey = csr.public_key().unwrap();
+        let csr_extensions = csr.extensions().unwrap();
         assert!(csr.verify(&csr_pubkey).unwrap());
 
         let mut cert = openssl::x509::X509::builder().unwrap();
         cert.set_subject_name(csr.subject_name()).unwrap();
         cert.set_issuer_name(&issuer_name).unwrap();
         cert.set_pubkey(&csr_pubkey).unwrap();
 
+        for extension in csr_extensions.iter() {
+            cert.append_extension2(extension).unwrap();
+        }
+
         let not_before = openssl::asn1::Asn1Time::from_unix(0).unwrap();
         let not_after = openssl::asn1::Asn1Time::days_from_now(30).unwrap();
 
