Support for Secure Content Libraries #2641
Comments
Howdy 🖐 brakthehack! Thank you for your interest in this project. We value your feedback and will respond soon. If you want to contribute to this project, please make yourself familiar with the
This issue is stale because it has been open for 90 days with no
/remove-lifecycle stale
This issue is stale because it has been open for 90 days with no
Security policies are important as they allow vCenter to secure content at rest instead of relying on thumbprints or TLS, which only verify you are talking to the correct server, but do nothing if the contents themselves are compromised. This change adds a new CLI command to support querying existing library security policies. Support was added for creating new libraries with a security policy and querying libraries that may have a security policy attached. Support was added to the vcsim mux to handle the /api endpoint for the library module, since the secpol endpoint is not served on /rest endpoints. I thought this approach made more sense than a new handler since the changes to add support for this were fairly minor. Having one module for all library functions made sense organisationally, since eventually they all could be migrated together to /api when the time comes. New bats tests for the library module were introduced.

```
[brak govc (cl-security-policy)]$ ./govc library.policy.ls
# Default policy
Name:       OVF default policy
Policy ID:  356f6976-3123-9f7a-d67c-15f7e764ad15
Rules:
  Item:  ovf
  Rule:  OVF_STRICT_VERIFICATION
[brak govc (cl-security-policy)]$ ./govc library.create -ds=/cluster-1/datastore/nfsDatastore1 -policy=356f6976-3123-9f7a-d67c-15f7e764ad15 -sub=https://wp-content.vmware.com/v2/latest/lib.json -thumbprint=b2:52:9e:4d:57:9f:ea:53:4d:a0:0b:7f:d4:7e:55:91:56:c0:64:bb -dc=/datacenter-1 govc
fc1417d7-b557-4128-bb31-8654961d9fa0
[brak govc (cl-security-policy)]$ ./govc library.info fc1417d7-b557-4128-bb31-8654961d9fa0
Name:         govc
ID:           fc1417d7-b557-4128-bb31-8654961d9fa0
Path:         /govc
Description:
Version:      2
Created:      Wed Jul 20 15:56:11 2022
Security Policy ID  356f6976-3123-9f7a-d67c-15f7e764ad15
StorageBackings:
  DatastoreID:  nfsDatastore1
  Type:         DATASTORE
Subscription:
  AutoSync:  true
  URL:       https://wp-content.vmware.com/v2/latest/lib.json
  Auth:      NONE
  Download:  All
[brak govc (cl-security-policy)]$ ./govc library.ls -json | jq '.[] | {"name": .name, "policy":.security_policy_id}'
{
  "name": "Kubernetes Service Content Library",
  "policy": null
}
{
  "name": "k8s",
  "policy": "356f6976-3123-9f7a-d67c-15f7e764ad15"
}
{
  "name": "govc",
  "policy": "356f6976-3123-9f7a-d67c-15f7e764ad15"
}
```

Closes: vmware#2641
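As an added example (not govmomi's code or the PR's), the defender-side check the commit message's output invites: decode what `govc library.policy.ls -json` and `govc library.ls -json` return and flag every library that is not bound to a known policy enforcing OVF_STRICT_VERIFICATION. It assumes `library.policy.ls` accepts govc's usual `-json` flag and that the policy JSON uses the vSphere API field names `policy`, `name` and `item_type_rules`; the sample data is constructed from the outputs quoted above.

```go
package main

import (
	"encoding/json"
	"fmt"
)

type SecurityPolicy struct { // fields govc library.policy.ls shows (vSphere API JSON names, assumed)
	Policy        string            `json:"policy"`
	Name          string            `json:"name"`
	ItemTypeRules map[string]string `json:"item_type_rules"`
}
type Library struct { // the govc library.ls -json fields this audit needs; a null ID decodes to ""
	Name             string `json:"name"`
	SecurityPolicyID string `json:"security_policy_id"`
}

// AuditLibraries reports each library not covered by a known policy that enforces OVF_STRICT_VERIFICATION.
func AuditLibraries(policiesJSON, librariesJSON []byte) (map[string]string, error) {
	var policies []SecurityPolicy
	var libs []Library
	if err := json.Unmarshal(policiesJSON, &policies); err != nil {
		return nil, fmt.Errorf("decoding policies: %w", err)
	}
	if err := json.Unmarshal(librariesJSON, &libs); err != nil {
		return nil, fmt.Errorf("decoding libraries: %w", err)
	}
	byID := map[string]SecurityPolicy{}
	for _, p := range policies {
		byID[p.Policy] = p
	}
	findings := map[string]string{} // library name -> why it fails; compliant libraries are absent
	for _, l := range libs {
		switch p, ok := byID[l.SecurityPolicyID]; {
		case !ok: // covers both "no policy attached" (empty ID) and an ID vCenter no longer lists
			findings[l.Name] = fmt.Sprintf("no known security policy attached (id %q)", l.SecurityPolicyID)
		case p.ItemTypeRules["ovf"] != "OVF_STRICT_VERIFICATION":
			findings[l.Name] = "policy " + p.Name + " does not strictly verify OVF"
		}
	}
	return findings, nil
}

// Constructed sample input mirroring the govc outputs quoted in the PR description.
var samplePolicies = []byte(`[{"policy":"356f6976-3123-9f7a-d67c-15f7e764ad15","name":"OVF default policy","item_type_rules":{"ovf":"OVF_STRICT_VERIFICATION"}}]`)
var sampleLibraries = []byte(`[{"name":"Kubernetes Service Content Library","security_policy_id":null},{"name":"k8s","security_policy_id":"356f6976-3123-9f7a-d67c-15f7e764ad15"},{"name":"govc","security_policy_id":"356f6976-3123-9f7a-d67c-15f7e764ad15"}]`)

func main() { // prints the single finding: the library that has no policy attached
	fmt.Println(AuditLibraries(samplePolicies, sampleLibraries))
}
```

Against live output, pipe `govc library.policy.ls -json` and `govc library.ls -json` into the two arguments; a library that a policy no longer covers shows up with its stale ID quoted.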
Is your feature request related to a problem? Please describe.
Govmomi does not support adding a content library with a security policy. Security policies can be used to verify that the bits pulled into the library are signed by a trusted authority.
https://developer.vmware.com/docs/vsphere-automation/latest/content/api/content/security-policies/get/
https://developer.vmware.com/docs/vsphere-automation/latest/content/api/content/subscribed-library/post/
Describe the solution you'd like
Extend the current implementation to be able to use a security policy when creating a library.
Describe alternatives you've considered
None. Adding the bindings here to support the current API is a pattern that has been used in the past.
Additional context