Details
-
Type:
Improvement
-
Status: Closed (View Workflow)
-
Priority:
Major
-
Resolution: Done
-
Affects Version/s: None
-
Fix Version/s: 9.1.10 Major Release
-
Labels:None
-
Story Points:1
-
Epic Link:
-
Sprint:Summer 3 2022 June 21, Summer 4 2022 July 4
Description
Situation: IGBTrustManager checkServerTrusted() currently presents the user with a modal when a certificate is invalid. However, this modal can cause issues if it appears during IGB startup.
Task: Remove the modal from checkServerTrusted(). Replace it with additional logging of the invalid certificate.
Attachments
Issue Links
- relates to
-
IGBF-3130 Investigate trust following certificate modal
-
- Closed
-
Activity
| Field | Original Value | New Value |
|---|---|---|
| Epic Link | IGBF-1765 [ 17855 ] |
| Status | To-Do [ 10305 ] | In Progress [ 3 ] |
| Status | In Progress [ 3 ] | To-Do [ 10305 ] |
| Status | To-Do [ 10305 ] | In Progress [ 3 ] |
| Link | This issue relates to IGBF-3137 [ IGBF-3137 ] |
| Assignee | Karthik Raveendran [ karthik ] |
| Status | In Progress [ 3 ] | Needs 1st Level Review [ 10005 ] |
| Status | Needs 1st Level Review [ 10005 ] | First Level Review in Progress [ 10301 ] |
| Assignee | Nowlan Freese [ nfreese ] |
Testing:
Started IGB
In the Data Sources tab of the Preferences window:
Added https://bioviztest3.bioviz.org/quickload/example/ as an unsecure https quickload (has bad certs).
Added https://data.cyverse.org/dav-anon/iplant/home/shared/BioViz/rnaseq as a secure https quickload.
Opened the A_thaliana_Jun_2009 genome.
Log:
The untrusted certificate from bioviz.org:
11:30:49.304 INFO c.a.igb.util.IGBTrustManager - Untrusted certificate: CN=*.bioviz.org,O=Ann Loraine,L=Concord,ST=North Carolina,C=US; CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US;
The trusted certificates (there are two) from cyverse.org:
11:30:49.750 INFO c.a.igb.util.IGBTrustManager - Authenticated CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US,CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US,OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US,OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US, certificates using default trust store
11:30:50.518 INFO c.a.igb.util.IGBTrustManager - Authenticated CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US,CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US,OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US,OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US, certificates using default trust store
- The https://bioviztest3.bioviz.org/quickload/example/ quickload with the bad cert is showing as an untrusted certificate *.bioviz.org.
- The https://data.cyverse.org/dav-anon/iplant/home/shared/BioViz/rnaseq with the good cert is showing as authenticated through certs.godaddy.
- I was able to load data from both quickloads successfully (the bad cert did not stop IGB from loading the data).
- There was no modal popup.
My only thought would be, do we want to include the subject in the log when the authentication is successful?
| Status | First Level Review in Progress [ 10301 ] | Ready for Pull Request [ 10304 ] |
| Assignee | Nowlan Freese [ nfreese ] |
Change "Authenticated" to "Trusted certificate:"
Change from "issuer" to "subject" when the certificate is trusted.
Remove final semi colon ";".
| Status | Ready for Pull Request [ 10304 ] | Pull Request Submitted [ 10101 ] |
| Status | Pull Request Submitted [ 10101 ] | Reviewing Pull Request [ 10303 ] |
| Status | Reviewing Pull Request [ 10303 ] | To-Do [ 10305 ] |
| Assignee | Karthik Raveendran [ karthik ] |
| Status | To-Do [ 10305 ] | In Progress [ 3 ] |
Changes submitted. Commit
| Status | In Progress [ 3 ] | Needs 1st Level Review [ 10005 ] |
| Assignee | Karthik Raveendran [ karthik ] |
| Sprint | Summer 3 2022 June 21 [ 149 ] | Summer 3 2022 June 21, Summer 4 2022 July 4 [ 149, 150 ] |
| Rank | Ranked higher |
| Status | Needs 1st Level Review [ 10005 ] | First Level Review in Progress [ 10301 ] |
| Assignee | Nowlan Freese [ nfreese ] |
Ready for pull request.
Log now shows the following:
This is the untrusted certificate from test3.bioviz.org:
c.a.igb.util.IGBTrustManager - Untrusted Certificates: CN=*.bioviz.org,O=Ann Loraine,L=Concord,ST=North Carolina,C=US; CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US
These are the two trusted certificates from Quickload hosted on CyVerse:
c.a.igb.util.IGBTrustManager - Trusted Certificates:CN=*.cyverse.org; CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US; CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US; OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US
c.a.igb.util.IGBTrustManager - Trusted Certificates:CN=*.cyverse.org; CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US; CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US; OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US
| Assignee | Nowlan Freese [ nfreese ] | Karthik Raveendran [ karthik ] |
| Status | First Level Review in Progress [ 10301 ] | Ready for Pull Request [ 10304 ] |
Pull request submitted https://bitbucket.org/lorainelab/integrated-genome-browser/pull-requests/899
| Status | Ready for Pull Request [ 10304 ] | Pull Request Submitted [ 10101 ] |
| Status | Pull Request Submitted [ 10101 ] | Reviewing Pull Request [ 10303 ] |
| Status | Reviewing Pull Request [ 10303 ] | Merged Needs Testing [ 10002 ] |
Above PR merged into master branch. Master branch installers built and ready for testing. See Downloads section of team repository.
Note: The Apple installer is not notarized, so your OS will probably show you the following error when you run it: "“Integrated Genome Browser Installer” can’t be opened because Apple cannot check it for malicious software." To run it, open a Finder window and navigate to the installer file. Holding the Control key, right-click the installer icon and choose "Open".
| Attachment | IGBF-3136-Fixed.png [ 17249 ] |
Installed new master branch and confirmed error message printed to "Log" tabbed panel upon adding Quickload data source with expired certificate.
Clicked "Copy All To Clipboard" in Log window, and pasted below :
10:50:53.346 INFO com.affymetrix.igb.Activator - IGB Started
10:50:53.379 [main] INFO com.affymetrix.main.OSGiHandler - Starting Bundle: org.tukaani.xz
10:50:53.380 [main] INFO com.affymetrix.main.OSGiHandler - OSGi is started with org.apache.felix.framework version 5.2.0
10:50:54.944 INFO o.l.i.appstore.IgbAppServerLauncher - Started REST endpoint.
10:51:05.512 INFO c.a.igb.view.load.GeneralLoadUtils - Loaded Araport in 379.5 ms
10:51:07.145 INFO c.a.igb.view.load.GeneralLoadUtils - Loaded Araport in 665.4 ms
10:52:52.643 INFO o.l.i.q.QuickloadDataProvider - Initializing Quickload Server https://bioviztest3.bioviz.org/quickload/bar/
10:52:52.958 WARN o.l.i.quickload.util.QuickloadUtils - Optional quickload synonyms.txt file could not be loaded from https://bioviztest3.bioviz.org/quickload/bar/synonyms.txt
10:52:53.063 WARN o.l.i.quickload.util.QuickloadUtils - Optional species.txt could not be loaded from: https://bioviztest3.bioviz.org/quickload/bar/species.txt
10:52:53.122 INFO c.a.igb.util.IGBTrustManager - Untrusted Certificates: CN=*.bioviz.org,O=Ann Loraine,L=Concord,ST=North Carolina,C=US; CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US
| Attachment | OppositesInSequence.png [ 17250 ] |
| Assignee | Karthik Raveendran [ karthik ] |
| Attachment | OppositesInSequence.png [ 17250 ] |
| Status | Merged Needs Testing [ 10002 ] | Post-merge Testing In Progress [ 10003 ] |
| Assignee | Nowlan Freese [ nfreese ] |
Installed new master branch and followed testing in my previous comment.
Logs appeared correctly and I was able to load data from the Quickload with an untrusted certificate.
Closing ticket.
Logs:
17:01:06.592 INFO c.a.igb.util.IGBTrustManager - Untrusted Certificates: CN=*.bioviz.org,O=Ann Loraine,L=Concord,ST=North Carolina,C=US; CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US
17:01:07.185 INFO c.a.igb.util.IGBTrustManager - Trusted Certificates:CN=*.cyverse.org; CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US; CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US; OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US
1
7:01:08.124 INFO c.a.igb.util.IGBTrustManager - Trusted Certificates:CN=*.cyverse.org; CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US; CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US; OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US
| Assignee | Nowlan Freese [ nfreese ] | Karthik Raveendran [ karthik ] |
| Resolution | Done [ 10000 ] | |
| Status | Post-merge Testing In Progress [ 10003 ] | Closed [ 6 ] |
| Fix Version/s | 9.1.10 Major Release [ 10700 ] |
| Issue Type | Task [ 3 ] | Improvement [ 4 ] |
The code changes has been pushed. See commit