
Support for Secure Content Libraries #2641

Closed
brakthehack opened this issue Oct 27, 2021 · 4 comments · Fixed by #2909

Comments

@brakthehack
Contributor

Is your feature request related to a problem? Please describe.
Govmomi does not support adding a content library with a security policy. Security policies can be used to verify that the bits pulled into the library are signed by a trusted authority.

https://developer.vmware.com/docs/vsphere-automation/latest/content/api/content/security-policies/get/
https://developer.vmware.com/docs/vsphere-automation/latest/content/api/content/subscribed-library/post/

Describe the solution you'd like
Extend the current implementation to be able to use a security policy when creating a library.

Describe alternatives you've considered
None. Adding the bindings here to support the current API is a pattern that has been used in the past.

Additional context

@github-actions
Contributor

Howdy 🖐 brakthehack! Thank you for your interest in this project. We value your feedback and will respond soon.

If you want to contribute to this project, please make yourself familiar with the CONTRIBUTION guidelines.

@github-actions
Contributor

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Mark as fresh by adding the comment /remove-lifecycle stale.

@brakthehack
Contributor Author

/remove-lifecycle stale

@github-actions
Contributor

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Mark as fresh by adding the comment /remove-lifecycle stale.

brakthehack added a commit to brakthehack/govmomi that referenced this issue Jul 20, 2022
Security policies are important as they allow vCenter to secure content
at rest instead of relying on thumbprints or TLS, which only verify
you are talking to the correct server, but do nothing if the contents
themselves are compromised.

This change adds a new cli command to support querying existing
library security policies. Support was added for creating new libraries
with a security policy and querying libraries that may have a security
policy attached.

Support was added to the vcsim mux to handle the /api endpoint for the
library module, since this endpoint is not served on /rest endpoints.
I thought this approach made more sense than a new mux since the
changes to add support for this were fairly minor. Having one module for
all library functions made sense organizationally, since eventually they
all could be migrated together to /api when the time comes.

New bats tests for the library module were introduced.

Closes: vmware#2641
brakthehack added a commit to brakthehack/govmomi that referenced this issue Jul 20, 2022
Security policies are important as they allow vCenter to secure content
at rest instead of relying on thumbprints or TLS, which only verify
you are talking to the correct server, but do nothing if the contents
themselves are compromised.

This change adds a new cli command to support querying existing
library security policies. Support was added for creating new libraries
with a security policy and querying libraries that may have a security
policy attached.

Support was added to the vcsim mux to handle the /api endpoint for the
library module, since this endpoint is not served on /rest endpoints.
I thought this approach made more sense than a new mux since the
changes to add support for this were fairly minor. Having one module for
all library functions made sense organizationally, since eventually they
all could be migrated together to /api when the time comes.

New bats tests for the library module were introduced.

```
[brak govc (cl-security-policy)]$ ./govc library.policy.ls # Default policy
Name:       OVF default policy
Policy ID:  356f6976-3123-9f7a-d67c-15f7e764ad15
Rules:
    Item: ovf
    Rule: OVF_STRICT_VERIFICATION

[brak govc (cl-security-policy)]$ ./govc library.create -ds=/cluster-1/datastore/nfsDatastore1 -policy=356f6976-3123-9f7a-d67c-15f7e764ad15 -sub=https://wp-content.vmware.com/v2/latest/lib.json -thumbprint=b2:52:9e:4d:57:9f:ea:53:4d:a0:0b:7f:d4:7e:55:91:56:c0:64:bb -dc=/datacenter-1 govc
fc1417d7-b557-4128-bb31-8654961d9fa0

[brak govc (cl-security-policy)]$ ./govc library.info fc1417d7-b557-4128-bb31-8654961d9fa0
Name:                 govc
  ID:                 fc1417d7-b557-4128-bb31-8654961d9fa0
  Path:               /govc
  Description:
  Version:            2
  Created:            Wed Jul 20 15:56:11 2022
  Security Policy ID  356f6976-3123-9f7a-d67c-15f7e764ad15
  StorageBackings:
    DatastoreID:      nfsDatastore1
    Type:             DATASTORE
  Subscription:
    AutoSync:         true
    URL:              https://wp-content.vmware.com/v2/latest/lib.json
    Auth:             NONE
    Download:         All

[brak govc (cl-security-policy)]$ ./govc library.ls -json | jq '.[] | {"name": .name, "policy":.security_policy_id}'
{
  "name": "Kubernetes Service Content Library",
  "policy": null
}
{
  "name": "k8s",
  "policy": "356f6976-3123-9f7a-d67c-15f7e764ad15"
}
{
  "name": "govc",
  "policy": "356f6976-3123-9f7a-d67c-15f7e764ad15"
}
```

Closes: vmware#2641
brakthehack added a commit to brakthehack/govmomi that referenced this issue Jul 21, 2022
Security policies are important as they allow vCenter to secure content
at rest instead of relying on thumbprints or TLS, which only verify
you are talking to the correct server, but do nothing if the contents
themselves are compromised.

This change adds a new cli command to support querying existing
library security policies. Support was added for creating new libraries
with a security policy and querying libraries that may have a security
policy attached.

Support was added to the vcsim mux to handle the /api endpoint for the
library module, since the secpol endpoint is not served on /rest endpoints.
I thought this approach made more sense than a new handler since the
changes to add support for this were fairly minor. Having one module for
all library functions made sense organisationally, since eventually they
all could be migrated together to /api when the time comes.

New bats tests for the library module were introduced.

```
[brak govc (cl-security-policy)]$ ./govc library.policy.ls # Default policy
Name:       OVF default policy
Policy ID:  356f6976-3123-9f7a-d67c-15f7e764ad15
Rules:
    Item: ovf
    Rule: OVF_STRICT_VERIFICATION

[brak govc (cl-security-policy)]$ ./govc library.create -ds=/cluster-1/datastore/nfsDatastore1 -policy=356f6976-3123-9f7a-d67c-15f7e764ad15 -sub=https://wp-content.vmware.com/v2/latest/lib.json -thumbprint=b2:52:9e:4d:57:9f:ea:53:4d:a0:0b:7f:d4:7e:55:91:56:c0:64:bb -dc=/datacenter-1 govc
fc1417d7-b557-4128-bb31-8654961d9fa0

[brak govc (cl-security-policy)]$ ./govc library.info fc1417d7-b557-4128-bb31-8654961d9fa0
Name:                 govc
  ID:                 fc1417d7-b557-4128-bb31-8654961d9fa0
  Path:               /govc
  Description:
  Version:            2
  Created:            Wed Jul 20 15:56:11 2022
  Security Policy ID  356f6976-3123-9f7a-d67c-15f7e764ad15
  StorageBackings:
    DatastoreID:      nfsDatastore1
    Type:             DATASTORE
  Subscription:
    AutoSync:         true
    URL:              https://wp-content.vmware.com/v2/latest/lib.json
    Auth:             NONE
    Download:         All

[brak govc (cl-security-policy)]$ ./govc library.ls -json | jq '.[] | {"name": .name, "policy":.security_policy_id}'
{
  "name": "Kubernetes Service Content Library",
  "policy": null
}
{
  "name": "k8s",
  "policy": "356f6976-3123-9f7a-d67c-15f7e764ad15"
}
{
  "name": "govc",
  "policy": "356f6976-3123-9f7a-d67c-15f7e764ad15"
}
```

Closes: vmware#2641
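As an added example (not code from this issue, the linked PR, or govmomi itself), the following Go program audits the JSON that `govc library.ls -json` emits and reports every library that pulls content from a publisher without a security policy, plus any library whose policy is not on an allow list built from `govc library.policy.ls`. The `name` and `security_policy_id` keys and the OVF default policy ID are taken from the output in the commit message; the `type`, `subscription_info` and `subscription_url` keys are assumed to match govmomi's JSON tags, the sample listing is constructed for the example, and the function and type names are the example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Library holds the subset of a content library record that the audit needs.
// "name" and "security_policy_id" match the `govc library.ls -json` output
// quoted in the thread; "type", "subscription_info" and "subscription_url"
// are assumed to match govmomi's library.Library JSON tags (assumption).
type Library struct {
	Name             string `json:"name"`
	Type             string `json:"type"` // "LOCAL" or "SUBSCRIBED" (assumed values)
	SecurityPolicyID string `json:"security_policy_id"`
	Subscription     *struct {
		URL string `json:"subscription_url"`
	} `json:"subscription_info"`
}

// Finding describes one library that fails the audit.
type Finding struct {
	Library string
	Reason  string
}

// AuditLibraries flags every library that pulls content from a remote
// publisher (type SUBSCRIBED or a subscription URL set) but has no security
// policy, and every library whose policy ID is not on the allow list.
// The publisher thumbprint and TLS only authenticate the server; a policy
// such as OVF_STRICT_VERIFICATION is what checks the content's own signature.
func AuditLibraries(data []byte, allowedPolicies map[string]bool) ([]Finding, error) {
	var libs []Library
	if err := json.Unmarshal(data, &libs); err != nil {
		return nil, fmt.Errorf("parse library list: %w", err)
	}
	var findings []Finding
	for _, l := range libs {
		remote := l.Type == "SUBSCRIBED" || (l.Subscription != nil && l.Subscription.URL != "")
		switch {
		case l.SecurityPolicyID == "" && remote:
			findings = append(findings, Finding{l.Name,
				"subscribed library has no security policy; only the publisher thumbprint/TLS is checked"})
		case l.SecurityPolicyID != "" && !allowedPolicies[l.SecurityPolicyID]:
			findings = append(findings, Finding{l.Name,
				"security policy " + l.SecurityPolicyID + " is not an approved policy"})
		}
	}
	// Deterministic order so the report (and the test) is stable.
	sort.Slice(findings, func(i, j int) bool { return findings[i].Library < findings[j].Library })
	return findings, nil
}

// DefaultPolicyID is the "OVF default policy" ID shown by `govc library.policy.ls`
// in the thread; in practice the allow list is built from that command's output.
const DefaultPolicyID = "356f6976-3123-9f7a-d67c-15f7e764ad15"

// sampleListing is a constructed stand-in for `govc library.ls -json` output.
// The three library names and the default policy ID come from the thread; the
// types, URLs, the LOCAL library and the unknown policy ID are made up.
const sampleListing = `[
  {"name": "Kubernetes Service Content Library", "type": "SUBSCRIBED",
   "subscription_info": {"subscription_url": "https://publisher.example/lib.json"},
   "security_policy_id": null},
  {"name": "k8s", "type": "SUBSCRIBED",
   "security_policy_id": "356f6976-3123-9f7a-d67c-15f7e764ad15"},
  {"name": "govc", "type": "SUBSCRIBED",
   "subscription_info": {"subscription_url": "https://wp-content.vmware.com/v2/latest/lib.json"},
   "security_policy_id": "356f6976-3123-9f7a-d67c-15f7e764ad15"},
  {"name": "scratch", "type": "LOCAL", "security_policy_id": null},
  {"name": "legacy", "type": "SUBSCRIBED",
   "security_policy_id": "00000000-0000-0000-0000-000000000000"}
]`

func main() {
	findings, err := AuditLibraries([]byte(sampleListing), map[string]bool{DefaultPolicyID: true})
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%-40s %s\n", f.Library, f.Reason)
	}
}
```

On the constructed listing the audit reports the unprotected subscribed library and the one with an unapproved policy ID, and stays silent about the LOCAL library, which receives no content from a publisher. To run it against a live vCenter, pipe `govc library.ls -json` into the program and fill the allow list from `govc library.policy.ls`.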
2 participants