Use of HTTP Without TLS

Bug #1785541 reported by Akond Rahman
This bug affects 1 person
Affects: puppet-nova
Status: Won't Fix
Importance: Undecided
Assigned to: Unassigned

Bug Description

Greetings,

I am a security researcher who is looking for security smells in Puppet scripts. I found instances where the HTTP protocol is used instead of HTTPS (HTTP with TLS). According to the Common Weakness Enumeration organization, this is a security weakness (https://cwe.mitre.org/data/definitions/319.html). I was wondering why HTTP is used? Is it because of lack of tool support?

I am trying to find out if developers are forced to adopt bad practices due to lack of tool support when it comes to the HTTPS protocol. Maybe it is due to dependency on a resource that uses HTTP?

I found the use of HTTP Without TLS in the following scripts. As the smell appears for all scripts, I am submitting one bug report, but I can submit multiple bug reports if necessary.

fuel-library/deployment/puppet/cobbler/examples/server_site.pp
fuel-library/deployment/puppet/cobbler/examples/site.pp
fuel-library/deployment/puppet/cobbler/manifests/apache.pp
fuel-library/deployment/puppet/cobbler/manifests/server.pp
fuel-library/deployment/puppet/fuel/examples/client.pp
fuel-library/deployment/puppet/fuel/examples/cobbler.pp
fuel-library/deployment/puppet/fuel/examples/host.pp
fuel-library/deployment/puppet/fuel/examples/nailgun.pp
fuel-library/deployment/puppet/fuel/manifests/auth.pp
fuel-library/deployment/puppet/fuel/manifests/cobbler.pp
fuel-library/deployment/puppet/fuel/manifests/keystone.pp
fuel-library/deployment/puppet/fuel/manifests/nailgun/client.pp
fuel-library/deployment/puppet/fuel/manifests/ostf/auth.pp
fuel-library/deployment/puppet/fuel/manifests/params.pp
fuel-library/deployment/puppet/fuel/manifests/rabbitmq.pp
fuel-library/deployment/puppet/openstack_tasks/manifests/aodh/aodh.pp
fuel-library/deployment/puppet/openstack_tasks/manifests/heat/heat.pp
fuel-library/deployment/puppet/openstack_tasks/manifests/keystone/keystone.pp
fuel-library/deployment/puppet/openstack_tasks/manifests/keystone/openrc_generate.pp
fuel-library/deployment/puppet/openstack_tasks/manifests/murano/murano.pp
fuel-library/deployment/puppet/openstack_tasks/manifests/roles/ironic_conductor.pp
fuel-library/deployment/puppet/openstack_tasks/manifests/sahara/keystone.pp
fuel-library/deployment/puppet/openstack_tasks/manifests/swift/parts/proxy.pp
fuel-library/deployment/puppet/openstack_tasks/manifests/swift/parts/status.pp
fuel-library/deployment/puppet/openstack/manifests/img/cirros.pp
fuel-library/deployment/puppet/openstack/manifests/network/neutron_agents.pp
fuel-library/deployment/puppet/openstack/manifests/puppetlabs_repos.pp
fuel-library/deployment/puppet/osnailyfacter/manifests/astute/dump_rabbitmq_definitions.pp
fuel-library/deployment/puppet/osnailyfacter/manifests/auth_file.pp
fuel-library/deployment/puppet/osnailyfacter/manifests/credentials_file.pp
fuel-library/deployment/puppet/osnailyfacter/manifests/database/database_backend_wait.pp
fuel-library/deployment/puppet/osnailyfacter/manifests/wait_for_glance_backends.pp
fuel-library/deployment/puppet/osnailyfacter/manifests/wait_for_keystone_backends.pp
fuel-library/deployment/puppet/osnailyfacter/manifests/wait_for_nova_backends.pp
fuel-plugin-bigswitch/deployment_scripts/puppet/modules/bcf/manifests/p_only/reconfigure_neutron.pp
fuel-plugin-bigswitch/deployment_scripts/puppet/modules/bcf/manifests/p_v/reconfigure_neutron.pp
fuel-plugin-ceilometer-redis/deployment_scripts/puppet/modules/redis/tests/init.pp
fuel-plugin-ci/puppet-manifests/modules/fuel_project/manifests/apps/mirror_npm.pp
fuel-plugin-ci/puppet-manifests/modules/fuel_project/manifests/apps/mirror_rubygems.pp
fuel-plugin-ci/puppet-manifests/modules/fuel_project/manifests/roles/docs.pp
fuel-plugin-ci/puppet-manifests/modules/jenkins/manifests/master.pp
fuel-plugin-contrail/deployment_scripts/puppet/modules/contrail/manifests/compute/aggregate.pp
fuel-plugin-contrail/deployment_scripts/puppet/modules/contrail/manifests/compute/vmware.pp
fuel-plugin-contrail/deployment_scripts/puppet/modules/contrail/manifests/contrail_webui.pp
fuel-plugin-contrail/deployment_scripts/puppet/modules/contrail/manifests/controller/aggregate.pp
fuel-plugin-contrail/deployment_scripts/puppet/modules/contrail/manifests/provision/analytics.pp
fuel-plugin-contrail/deployment_scripts/puppet/modules/contrail/manifests/provision/compute.pp
fuel-plugin-contrail/deployment_scripts/puppet/modules/contrail/manifests/provision/config.pp
fuel-plugin-contrail/deployment_scripts/puppet/modules/contrail/manifests/provision/control.pp
fuel-plugin-contrail/deployment_scripts/puppet/modules/contrail/manifests/provision/db.pp
fuel-plugin-elasticsearch-kibana/deployment_scripts/puppet/manifests/provision_services.pp
fuel-plugin-elasticsearch-kibana/deployment_scripts/puppet/modules/lma_logging_analytics/manifests/kibana_dashboards.pp
fuel-plugin-external-zabbix/deployment_scripts/puppet/modules/plugin_zabbix/manifests/params.pp
fuel-plugin-influxdb-grafana/deployment_scripts/puppet/manifests/grafana_configuration.pp
fuel-plugin-influxdb-grafana/deployment_scripts/puppet/manifests/influxdb_configuration.pp
fuel-plugin-influxdb-grafana/deployment_scripts/puppet/modules/lma_monitoring_analytics/manifests/params.pp
fuel-plugin-ironic/deployment_scripts/puppet/manifests/ironic-compute.pp
fuel-plugin-ironic/deployment_scripts/puppet/manifests/ironic-conductor-config.pp
fuel-plugin-ironic/deployment_scripts/puppet/manifests/ironic-conductor.pp
fuel-plugin-ironic/deployment_scripts/puppet/manifests/ironic.pp
fuel-plugin-ironic/deployment_scripts/puppet/modules/ironic/manifests/bifrost.pp
fuel-plugin-ironic/deployment_scripts/puppet/modules/ironic/manifests/keystone/auth.pp
fuel-plugin-lma-collector/deployment_scripts/puppet/manifests/collectd.pp
fuel-plugin-lma-collector/deployment_scripts/puppet/modules/lma_collector/manifests/collectd/apache.pp
fuel-plugin-lma-collector/deployment_scripts/puppet/modules/lma_collector/manifests/collectd/base.pp
fuel-plugin-lma-collector/deployment_scripts/puppet/modules/lma_collector/manifests/influxdb.pp
fuel-plugin-lma-collector/deployment_scripts/puppet/modules/lma_collector/manifests/params.pp
fuel-plugin-lma-infrastructure-alerting/deployment_scripts/puppet/manifests/nagios_dashboard_url.pp
fuel-plugin-lma-infrastructure-alerting/deployment_scripts/puppet/manifests/nagios.pp
fuel-plugin-manila/deployment_scripts/puppet/manifests/image_upload.pp
fuel-plugin-manila/deployment_scripts/puppet/manifests/site.pp
fuel-plugin-manila/deployment_scripts/puppet/modules/manila_auxiliary/manifests/image.pp
fuel-plugin-mellanox/deployment_scripts/puppet/manifests/configure_mlnx_neo.pp
fuel-plugin-midonet/deployment_scripts/puppet/manifests/midonet-define-repositories.pp
fuel-plugin-midonet/deployment_scripts/puppet/manifests/midonet-edge-router-cleanup-bgp.pp
fuel-plugin-midonet/deployment_scripts/puppet/manifests/midonet-edge-router-setup-bgp-gw.pp
fuel-plugin-midonet/deployment_scripts/puppet/manifests/midonet-generate-openrc-for-gw.pp
fuel-plugin-midonet/deployment_scripts/puppet/manifests/midonet-host-registry.pp
fuel-plugin-midonet/deployment_scripts/puppet/manifests/midonet-install-agent.pp
fuel-plugin-murano/deployment_scripts/manifests/murano_dashboard.pp
fuel-plugin-murano/deployment_scripts/manifests/murano.pp
fuel-plugin-onos/deployment_scripts/puppet/manifests/neutron-config.pp
fuel-plugin-onos/deployment_scripts/puppet/manifests/onos-dashboard.pp
fuel-plugin-onos/deployment_scripts/puppet/modules/onos/manifests/service.pp
fuel-plugin-opendaylight/deployment_scripts/puppet/manifests/odl-dashboard.pp
fuel-plugin-opendaylight/deployment_scripts/puppet/modules/opendaylight/manifests/quagga.pp
fuel-plugin-opendaylight/deployment_scripts/puppet/modules/opendaylight/manifests/service.pp
fuel-plugin-opendaylight/deployment_scripts/puppet/modules/opendaylight/manifests/sfc.pp
fuel-plugin-plumgrid/deployment_scripts/puppet/manifests/director.pp
fuel-plugin-plumgrid/deployment_scripts/puppet/manifests/pg_common.pp
fuel-plugin-plumgrid/deployment_scripts/puppet/modules/plumgrid/manifests/repo.pp
packstack/packstack/puppet/modules/packstack/manifests/chrony.pp
packstack/packstack/puppet/modules/packstack/manifests/cinder/backup.pp
packstack/packstack/puppet/modules/packstack/manifests/heat.pp
packstack/packstack/puppet/modules/packstack/manifests/heat/cfn.pp
packstack/packstack/puppet/modules/packstack/manifests/keystone/aodh.pp
packstack/packstack/puppet/modules/packstack/manifests/keystone/gnocchi.pp
packstack/packstack/puppet/modules/packstack/manifests/keystone/panko.pp
packstack/packstack/puppet/modules/packstack/manifests/nova.pp
packstack/packstack/puppet/modules/packstack/manifests/nova/compute/ironic.pp
packstack/packstack/puppet/modules/packstack/manifests/nova/neutron.pp
packstack/packstack/puppet/modules/packstack/manifests/trove/rabbitmq.pp
puppet-aodh/manifests/auth.pp
puppet-aodh/manifests/keystone/auth.pp
puppet-aodh/manifests/keystone/authtoken.pp
puppet-barbican/manifests/api.pp
puppet-barbican/manifests/keystone/auth.pp
puppet-barbican/manifests/keystone/authtoken.pp
puppet-ceilometer/examples/site.pp
puppet-ceilometer/manifests/agent/auth.pp
puppet-ceilometer/manifests/keystone/auth.pp
puppet-ceilometer/manifests/keystone/authtoken.pp
puppet-ceph/manifests/osd.pp
puppet-ceph/manifests/repo.pp
puppet-ceph/manifests/rgw/keystone.pp
puppet-ceph/manifests/rgw/keystone/auth.pp
puppet-cinder/manifests/keystone/auth.pp
puppet-cinder/manifests/keystone/authtoken.pp
puppet-cinder/manifests/quota_set.pp
puppet-congress/manifests/keystone/auth.pp
puppet-congress/manifests/keystone/authtoken.pp
puppet-designate/manifests/keystone/auth.pp
puppet-designate/manifests/keystone/authtoken.pp
puppet-ec2api/manifests/keystone/auth.pp
puppet-ec2api/manifests/keystone/authtoken.pp
puppet-glance/manifests/api/authtoken.pp
puppet-glance/manifests/backend/swift.pp
puppet-glance/manifests/keystone/auth.pp
puppet-glance/manifests/registry/authtoken.pp
puppet-gnocchi/examples/site.pp
puppet-gnocchi/manifests/keystone/auth.pp
puppet-gnocchi/manifests/keystone/authtoken.pp
puppet-gnocchi/manifests/storage/swift.pp
puppet-heat/manifests/keystone/auth_cfn.pp
puppet-heat/manifests/keystone/auth.pp
puppet-heat/manifests/keystone/authtoken.pp
puppet-ironic/manifests/api/authtoken.pp
puppet-ironic/manifests/bifrost.pp
puppet-ironic/manifests/inspector.pp
puppet-ironic/manifests/inspector/authtoken.pp
puppet-ironic/manifests/keystone/auth_inspector.pp
puppet-ironic/manifests/keystone/auth.pp
puppet-keystone/examples/k2k_sp_shib.pp
puppet-keystone/examples/v3_basic.pp
puppet-keystone/examples/v3_domain_configuration.pp
puppet-keystone/manifests/endpoint.pp
puppet-keystone/manifests/service.pp
puppet-keystone/tests/site.pp
puppet-magnum/examples/magnum.pp
puppet-magnum/manifests/keystone/auth.pp
puppet-magnum/manifests/keystone/authtoken.pp
puppet-manila/manifests/compute/nova.pp
puppet-manila/manifests/keystone/auth.pp
puppet-manila/manifests/keystone/authtoken.pp
puppet-manila/manifests/network/neutron.pp
puppet-manila/manifests/type_set.pp
puppet-manila/manifests/type.pp
puppet-manila/manifests/volume/cinder.pp
puppet-midonet/manifests/agent/scrapper.pp
puppet-midonet/manifests/analytics.pp
puppet-midonet/manifests/cli.pp
puppet-midonet/manifests/cluster/run.pp
puppet-midonet/manifests/init.pp
puppet-midonet/manifests/mem.pp
puppet-midonet/manifests/mem/vhost.pp
puppet-midonet/manifests/repository/centos.pp
puppet-midonet/manifests/repository/ubuntu.pp
puppet-mistral/manifests/keystone/auth.pp
puppet-mistral/manifests/keystone/authtoken.pp
puppet-monasca/manifests/api.pp
puppet-monasca/manifests/params.pp
puppet-monasca/manifests/persister.pp
puppet-monasca/manifests/storm/config.pp
puppet-monasca/manifests/thresh.pp
puppet-murano/manifests/cfapi.pp
puppet-murano/manifests/init.pp
puppet-murano/manifests/keystone/auth.pp
puppet-murano/manifests/keystone/cfapi_auth.pp
puppet-neutron/examples/cisco_ml2.pp
puppet-neutron/manifests/agents/ml2/networking_baremetal.pp
puppet-neutron/manifests/designate.pp
puppet-neutron/manifests/keystone/auth.pp
puppet-neutron/manifests/keystone/authtoken.pp
puppet-neutron/manifests/plugins/cisco.pp
puppet-neutron/manifests/plugins/midonet.pp
puppet-neutron/manifests/plugins/ovs/opendaylight.pp
puppet-neutron/manifests/plugins/plumgrid.pp
puppet-neutron/manifests/server/notifications.pp
puppet-neutron/manifests/server/placement.pp
puppet-neutron/manifests/services/lbaas/octavia.pp
puppet-nova/manifests/init.pp
puppet-nova/manifests/ironic/common.pp
puppet-nova/manifests/keystone/auth.pp
puppet-nova/manifests/keystone/authtoken.pp
puppet-nova/manifests/metadata/novajoin/api.pp
puppet-nova/manifests/metadata/novajoin/auth.pp
puppet-nova/manifests/metadata/novajoin/authtoken.pp
puppet-nova/manifests/network/neutron.pp
puppet-nova/manifests/params.pp
puppet-nova/manifests/placement.pp
puppet-octavia/manifests/keystone/auth.pp
puppet-octavia/manifests/keystone/authtoken.pp
puppet-openstack-integration/manifests/ceph.pp
puppet-openstack-integration/manifests/designate.pp
puppet-openstack-integration/manifests/repos.pp
puppet-openstack-integration/manifests/sahara.pp
puppet-openstack-integration/manifests/swift.pp
puppet-rally/examples/rally.pp
puppet-sahara/manifests/keystone/auth.pp
puppet-sahara/manifests/keystone/authtoken.pp
puppet-swift/manifests/auth_file.pp
puppet-swift/manifests/bench.pp
puppet-swift/manifests/dispersion.pp
puppet-swift/manifests/keystone/auth.pp
puppet-swift/manifests/proxy/authtoken.pp
puppet-swift/manifests/proxy/ceilometer.pp
puppet-swift/manifests/proxy/s3token.pp
puppet-tripleo/manifests/haproxy.pp
puppet-tripleo/manifests/haproxy/endpoint.pp
puppet-tripleo/manifests/haproxy/horizon_endpoint.pp
puppet-tripleo/manifests/tls_proxy.pp
puppet-trove/manifests/conductor.pp
puppet-trove/manifests/guestagent.pp
puppet-trove/manifests/keystone/auth.pp
puppet-trove/manifests/keystone/authtoken.pp
puppet-trove/manifests/taskmanager.pp
puppet-vitrage/examples/vitrage.pp
puppet-vitrage/manifests/auth.pp
puppet-vitrage/manifests/keystone/auth.pp
puppet-vitrage/manifests/keystone/authtoken.pp
puppet-watcher/manifests/api.pp
puppet-watcher/manifests/keystone/auth.pp
puppet-watcher/manifests/keystone/authtoken.pp
puppet-zaqar/manifests/keystone/auth.pp
puppet-zaqar/manifests/keystone/authtoken.pp
puppet-zaqar/manifests/keystone/trust.pp

Any feedback is appreciated.

Takashi Kajinami (kajinamit) wrote :

We provide enough parameters to use TLS. We do not force usage of HTTPS by default, but users should decide whether they want to use TLS or not.

Changed in puppet-nova:
status: New → Won't Fix
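
An added example, not part of the original report or of any OpenStack Puppet module: one way to flag the "HTTP without TLS" smell discussed in this report in manifest text, separating loopback and interpolated hosts from fixed remote ones so that findings can be triaged. The sample manifest, its class name and its parameter values are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Match http:// URLs up to a quote, whitespace or comma; Puppet ${var} interpolation is kept.
HTTP_URL = re.compile(r"http://[^\s'\",]+")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample manifest (hypothetical class, not taken from any listed file).
SAMPLE_MANIFEST = '''\
# Docs: http://docs.example.org/auth
class example::keystone::auth (
  $public_url   = 'http://127.0.0.1:8774/v2.1',
  $internal_url = "http://${internal_host}:8774/v2.1",
  $admin_url    = 'http://controller.example.org:8774/v2.1',
  $auth_url     = 'https://keystone.example.org:5000',
) { }
'''

def classify_host(url):
    """Return 'loopback', 'variable' (host set by interpolation) or 'remote'."""
    rest = url[len("http://"):]
    if rest.startswith("$"):
        return "variable"  # host is only known at catalog compile time
    host = urlsplit(url).hostname or ""
    return "loopback" if host in LOOPBACK else "remote"

def find_cleartext_http(manifest_text):
    """Return (line_no, url, host_class) for http:// URLs outside comment lines."""
    findings = []
    for line_no, line in enumerate(manifest_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # comment-only line: documentation links, not configuration
        for match in HTTP_URL.finditer(line):
            url = match.group(0)
            findings.append((line_no, url, classify_host(url)))
    return findings

if __name__ == "__main__":
    for line_no, url, host_class in find_cleartext_http(SAMPLE_MANIFEST):
        print(f"line {line_no}: {url} [{host_class}]")
```

A "remote" or "variable" finding on a parameter default is the case the maintainer's reply addresses: the value can be overridden with an https:// URL where the class is declared.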