From 16ebf30a79e8e3cc2df48787b210fd78950f8260 Mon Sep 17 00:00:00 2001
From: Pavel Boldyrev <627562+bpg@users.noreply.github.com>
Date: Sun, 1 Oct 2023 14:19:51 -0400
Subject: [PATCH] fix(api): set min TLS version 1.3, secure HTTP-only cookie (#596)

* fix(api): set min TLS version 1.3, secure HTTP-only cookie

* remove `all-tests-passed` job

---------

Signed-off-by: Pavel Boldyrev <627562+bpg@users.noreply.github.com>
---
 .github/workflows/golangci-lint.yml | 4 ++--
 .github/workflows/test.yml | 11 ++---------
 proxmox/api/client.go | 1 +
 proxmox/api/ticket_auth.go | 6 ++++--
 proxmoxtf/resource/file.go | 1 +
 5 files changed, 10 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index a7617065..db584e83 100644
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -18,9 +18,9 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 with:
- fetch-depth: 1
+ fetch-depth: 0
 
- - uses: dorny/paths-filter@v2.2.1
+ - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 #v2.2.1
 id: filter
 with:
 filters: |
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 02936c15..6cb56e62 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -18,7 +18,7 @@ jobs:
 with:
 fetch-depth: 1
 
- - uses: dorny/paths-filter@v2.2.1
+ - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 #v2.2.1
 id: filter
 with:
 filters: |
@@ -49,7 +49,7 @@ jobs:
 with:
 fetch-depth: 1
 
- - uses: dorny/paths-filter@v2.2.1
+ - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 #v2.2.1
 id: filter
 with:
 filters: |
@@ -70,10 +70,3 @@ jobs:
 if: steps.filter.outputs.go == 'true'
 timeout-minutes: 10
 run: go test -v -cover ./...
-
- all-tests-passed:
- name: All Tests Passed
- needs: test
- runs-on: ubuntu-latest
- steps:
- - run: echo "PASS"
diff --git a/proxmox/api/client.go b/proxmox/api/client.go
index 0411a8e8..17e11e38 100644
--- a/proxmox/api/client.go
+++ b/proxmox/api/client.go
@@ -75,6 +75,7 @@ func NewConnection(endpoint string, insecure bool) (*Connection, error) {
 
 var transport http.RoundTripper = &http.Transport{
 TLSClientConfig: &tls.Config{
+ MinVersion: tls.VersionTLS13,
 InsecureSkipVerify: insecure, //nolint:gosec
 },
 }
diff --git a/proxmox/api/ticket_auth.go b/proxmox/api/ticket_auth.go
index 4d6c692a..9ae32b52 100644
--- a/proxmox/api/ticket_auth.go
+++ b/proxmox/api/ticket_auth.go
@@ -125,8 +125,10 @@ func (t *ticketAuthenticator) AuthenticateRequest(ctx context.Context, req *http
 }
 
 req.AddCookie(&http.Cookie{
- Name: "PVEAuthCookie",
- Value: *a.Ticket,
+ HttpOnly: true,
+ Name: "PVEAuthCookie",
+ Secure: true,
+ Value: *a.Ticket,
 })
 
 if req.Method != http.MethodGet {
diff --git a/proxmoxtf/resource/file.go b/proxmoxtf/resource/file.go
index 8c4a1a22..a35e14a6 100644
--- a/proxmoxtf/resource/file.go
+++ b/proxmoxtf/resource/file.go
@@ -382,6 +382,7 @@ func fileCreate(ctx context.Context, d *schema.ResourceData, m interface{}) diag
 httpClient := http.Client{
 Transport: &http.Transport{
 TLSClientConfig: &tls.Config{
+ MaxVersion: tls.VersionTLS13,
 InsecureSkipVerify: sourceFileInsecure,
 },
 },
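Review bot: The `MinVersion: tls.VersionTLS13` added to NewConnection's transport is hard-coded with no way for a caller to override it, so an endpoint or reverse proxy that only offers TLS 1.2 will now fail the handshake, presumably surfacing as a generic connection error. Either derive the floor from configuration or document the requirement beside the field, e.g. `// TLS 1.3 is required; endpoints limited to TLS 1.2 will fail the handshake`. The version floor also does not authenticate the peer: when `insecure` is true, `InsecureSkipVerify` still disables certificate verification, and the `//nolint:gosec` hides that from the linter. NewConnection's body starts and ends outside the hunk.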
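Review bot: The `HttpOnly: true` and `Secure: true` fields added to the cookie passed to `req.AddCookie` have no effect on the outgoing request, because `(*http.Request).AddCookie` writes only the cookie's name and value into the `Cookie` header; those attributes are meaningful only in a server's `Set-Cookie` response. The ticket's protection in transit therefore comes from the transport's TLS settings and certificate verification, not from these fields. If they are kept to satisfy static analysis, say so in a comment, e.g. `// HttpOnly/Secure are not sent by Request.AddCookie; set only to satisfy the linter`. AuthenticateRequest's body extends beyond the hunk.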
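Review bot: In fileCreate's download client the added field is `MaxVersion: tls.VersionTLS13`, not `MinVersion`, so it only caps the negotiated version at TLS 1.3 and leaves the minimum at the crypto/tls default. That matches neither the commit's stated intent of a TLS 1.3 minimum nor the `MinVersion` set in proxmox/api/client.go. The line should presumably read `MinVersion: tls.VersionTLS13,`; if this client has to fetch source files from servers that only offer TLS 1.2, `MinVersion: tls.VersionTLS12` would be the explicit alternative. fileCreate's body starts and ends outside the hunk.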