!62 [cve-2021-33658] enable certificate authentication by default and modify file permissions

From: @gaoruoshu 
Reviewed-by: @hubin95 
Signed-off-by: @hubin95

add-FAQ-and-self-signature-certificate-manufacturing.patch

@@ -0,0 +1,185 @@
+From d14414365e8fa9590e46b63a29754fb29f81778c Mon Sep 17 00:00:00 2001
+From: gaoruoshu <gaoruoshu@huawei.com>
+Date: Wed, 16 Feb 2022 14:41:47 +0800
+Subject: [PATCH] add FAQ and self signature certificate manufacturing
+
+---
+ Documentation/UserGuide/A-Tune-User-Guide.md  | 70 ++++++++++++++++++
+ ...50\346\210\267\346\214\207\345\215\227.md" | 72 +++++++++++++++++++
+ 2 files changed, 142 insertions(+)
+
+diff --git a/Documentation/UserGuide/A-Tune-User-Guide.md b/Documentation/UserGuide/A-Tune-User-Guide.md
+index cd99cd4..cbb9d66 100644
+--- a/Documentation/UserGuide/A-Tune-User-Guide.md
++++ b/Documentation/UserGuide/A-Tune-User-Guide.md
+@@ -1235,6 +1235,12 @@ Perform tuning.
+ 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
+ ```
+ 
++**Q4: The atuned or atune-engine service cannot be started, and the message "Startup failed. Please provide the authentication certificate." is displayed.**
++
++**Cause:** Missing the certificate file during communication. The default communication protocol of REST APIs in the atuned or atune-engine service is HTTPS.
++
++**Solution:** Providing the certificate file issued by the authority and saving it to the corresponding configuration directory. The default certificate directory of the atuned service is /etc/atuned/rest_certs/, and the default certificate directory of the atune-engine service is /etc/atuned/engine_certs/. You can also change the default certificate directory and certificate file name in the atuned.cnf and engine.cnf files under the /etc/atuned/ directory. For the development and commissioning environment, you can also make self-service signature certificate by following section 5.2.
++
+ 
+ 
+ # 5 Appendixes
+@@ -1248,3 +1254,67 @@ Perform tuning.
+ | profile | Set of optimization items and optimal  parameter configuration. |
+ 
+  
++## 5.2 Self-signature Certificate Manufacturing Method
++
++### 5.2.1 Creating a Certificate Directory
++
++```shell
++CERT_PATH=demo
++mkdir $CERT_PATH
++```
++
++### 5.2.2 Generating the RSA Key Pair for the CA
++
++```shell
++openssl genrsa -out $CERT_PATH/ca.key 2048
++```
++
++### 5.2.3 Generating the CA Root Certificate
++
++```shell
++openssl req -new -x509 -days 3650 -subj "/CN=ca" -key $CERT_PATH/ca.key -out $CERT_PATH/ca.crt
++```
++
++### 5.2.4 Generating the Server Certificate
++
++```shell
++# The IP address can be changed according to the actual situation.
++IP_ADDR=localhost
++openssl genrsa -out $CERT_PATH/server.key 2048
++cp /etc/pki/tls/openssl.cnf $CERT_PATH
++if test $IP_ADDR == localhost; then
++    echo "[SAN]\nsubjectAltName=DNS:$IP_ADDR" >> $CERT_PATH/openssl.cnf
++    echo "subjectAltName=DNS:$IP_ADDR" > $CERT_PATH/extfile.cnf
++else
++    echo "[SAN]\nsubjectAltName=IP:$IP_ADDR" >> $CERT_PATH/openssl.cnf
++    echo "subjectAltName=IP:$IP_ADDR" > $CERT_PATH/extfile.cnf
++fi
++openssl req -new -subj "/CN=$IP_ADDR" -config $CERT_PATH/openssl.cnf \
++                -key $CERT_PATH/server.key -out $CERT_PATH/server.csr
++openssl x509 -req -sha256 -CA $CERT_PATH/ca.crt -CAkey $CERT_PATH/ca.key -CAcreateserial -days 3650 \
++                -extfile $CERT_PATH/extfile.cnf -in $CERT_PATH/server.csr -out $CERT_PATH/server.crt
++rm -rf $CERT_PATH/*.srl $CERT_PATH/*.csr $CERT_PATH/*.cnf
++```
++
++### 5.2.5 Generating the Client Certificate
++
++```shell
++# The IP address can be changed according to the actual situation.
++IP_ADDR=localhost
++openssl genrsa -out $CERT_PATH/client.key 2048
++cp /etc/pki/tls/openssl.cnf $CERT_PATH
++if test $IP_ADDR == localhost; then
++    echo "[SAN]\nsubjectAltName=DNS:$IP_ADDR" >> $CERT_PATH/openssl.cnf
++    echo "subjectAltName=DNS:$IP_ADDR" > $CERT_PATH/extfile.cnf
++else
++    echo "[SAN]\nsubjectAltName=IP:$IP_ADDR" >> $CERT_PATH/openssl.cnf
++    echo "subjectAltName=IP:$IP_ADDR" > $CERT_PATH/extfile.cnf
++fi
++openssl req -new -subj "/CN=$IP_ADDR" -config $CERT_PATH/openssl.cnf \
++                -key $CERT_PATH/client.key -out $CERT_PATH/client.csr
++openssl x509 -req -sha256 -CA $CERT_PATH/ca.crt -CAkey $CERT_PATH/ca.key -CAcreateserial -days 3650 \
++                -extfile $CERT_PATH/extfile.cnf -in $CERT_PATH/client.csr -out $CERT_PATH/client.crt
++rm -rf $CERT_PATH/*.srl $CERT_PATH/*.csr $CERT_PATH/*.cnf
++```
++
++
+diff --git "a/Documentation/UserGuide/A-Tune\347\224\250\346\210\267\346\214\207\345\215\227.md" "b/Documentation/UserGuide/A-Tune\347\224\250\346\210\267\346\214\207\345\215\227.md"
+index 59b25e0..064708c 100644
+--- "a/Documentation/UserGuide/A-Tune\347\224\250\346\210\267\346\214\207\345\215\227.md"
++++ "b/Documentation/UserGuide/A-Tune\347\224\250\346\210\267\346\214\207\345\215\227.md"
+@@ -1247,6 +1247,15 @@ evaluations :
+ 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
+ ```
+ 
++**问题4：atuned或atune-engine服务无法启动，提示“Startup failed. Please provide the authentication certificate.”。**
++
++**原因：** atuned或atune-engine服务中的REST API默认通信协议为https，通信中缺少证书文件
++
++**解决方法：** 用户提供权威机构签发的证书文件并放入对应的配置目录下，其中atuned服务的默认证书>目录为/etc/atuned/rest_certs/，atune-engine服务的默认证书目录为/etc/atuned/engine_certs/，也可
++以通过/etc/atuned/目录下的atuned.cnf和engine.cnf配置文件修改默认证书目录和证书文件名。对于开发
++调试环境也可以通过5.2节方法制作的自签名证书进行服务通信。
++
++
+ # 5 附录
+ 
+ ## 5.1 术语和缩略语
+@@ -1258,3 +1267,66 @@ evaluations :
+ | profile | 优化项集合，最佳的参数配置 |
+ 
+  
++## 5.2 自签名证书制作方法
++
++### 5.2.1 证书目录创建
++
++```shell
++CERT_PATH=demo
++mkdir $CERT_PATH
++```
++
++### 5.2.2 生成CA的RSA密钥对
++
++```shell
++openssl genrsa -out $CERT_PATH/ca.key 2048
++```
++
++### 5.2.3 生成CA根证书
++
++```shell
++openssl req -new -x509 -days 3650 -subj "/CN=ca" -key $CERT_PATH/ca.key -out $CERT_PATH/ca.crt
++```
++
++### 5.2.4 生成服务器证书
++
++```shell
++# ip地址可以根据实际情况修改
++IP_ADDR=localhost
++openssl genrsa -out $CERT_PATH/server.key 2048
++cp /etc/pki/tls/openssl.cnf $CERT_PATH
++if test $IP_ADDR == localhost; then
++    echo "[SAN]\nsubjectAltName=DNS:$IP_ADDR" >> $CERT_PATH/openssl.cnf
++    echo "subjectAltName=DNS:$IP_ADDR" > $CERT_PATH/extfile.cnf
++else
++    echo "[SAN]\nsubjectAltName=IP:$IP_ADDR" >> $CERT_PATH/openssl.cnf
++    echo "subjectAltName=IP:$IP_ADDR" > $CERT_PATH/extfile.cnf
++fi
++openssl req -new -subj "/CN=$IP_ADDR" -config $CERT_PATH/openssl.cnf \
++                -key $CERT_PATH/server.key -out $CERT_PATH/server.csr
++openssl x509 -req -sha256 -CA $CERT_PATH/ca.crt -CAkey $CERT_PATH/ca.key -CAcreateserial -days 3650 \
++                -extfile $CERT_PATH/extfile.cnf -in $CERT_PATH/server.csr -out $CERT_PATH/server.crt
++rm -rf $CERT_PATH/*.srl $CERT_PATH/*.csr $CERT_PATH/*.cnf
++```
++
++### 5.2.5 生成客户端证书
++
++```shell
++# ip地址可以根据实际情况修改
++IP_ADDR=localhost
++openssl genrsa -out $CERT_PATH/client.key 2048
++cp /etc/pki/tls/openssl.cnf $CERT_PATH
++if test $IP_ADDR == localhost; then
++    echo "[SAN]\nsubjectAltName=DNS:$IP_ADDR" >> $CERT_PATH/openssl.cnf
++    echo "subjectAltName=DNS:$IP_ADDR" > $CERT_PATH/extfile.cnf
++else
++    echo "[SAN]\nsubjectAltName=IP:$IP_ADDR" >> $CERT_PATH/openssl.cnf
++    echo "subjectAltName=IP:$IP_ADDR" > $CERT_PATH/extfile.cnf
++fi
++openssl req -new -subj "/CN=$IP_ADDR" -config $CERT_PATH/openssl.cnf \
++                -key $CERT_PATH/client.key -out $CERT_PATH/client.csr
++openssl x509 -req -sha256 -CA $CERT_PATH/ca.crt -CAkey $CERT_PATH/ca.key -CAcreateserial -days 3650 \
++                -extfile $CERT_PATH/extfile.cnf -in $CERT_PATH/client.csr -out $CERT_PATH/client.crt
++rm -rf $CERT_PATH/*.srl $CERT_PATH/*.csr $CERT_PATH/*.cnf
++```
++
+-- 
+2.30.0
+

atune.spec

@@ -3,15 +3,18 @@
 Summary: AI auto tuning system
 Name: atune
 Version: 1.0.0
-Release: 1
+Release: 2
 License: Mulan PSL v2
 URL: https://gitee.com/openeuler/A-Tune
 Source: https://gitee.com/openeuler/A-Tune/repository/archive/v%{version}.tar.gz
 
+Patch9000: check-whether-the-certificate-file-exists.patch
+Patch9001: add-FAQ-and-self-signature-certificate-manufacturing.patch
+
 BuildRequires: rpm-build golang-bin procps-ng
 BuildRequires: sqlite >= 3.24.0 openssl
 BuildRequires: python3-scikit-optimize python3-pandas python3-xgboost
-BuildRequires: python3-pyyaml python3-numpy
+BuildRequires: python3-pyyaml
 Requires: systemd
 Requires: atune-client
 Requires: atune-db
@@ -19,7 +22,6 @@ Requires: python3-dict2xml
 Requires: python3-flask-restful
 Requires: python3-pandas
 Requires: python3-pyyaml
-Requires: python3-numpy
 %ifarch aarch64
 Requires: prefetch_tuning
 %endif
@@ -56,7 +58,7 @@ Requires: python3-xgboost
 Requires: python3-flask-restful
 Requires: python3-pandas
 Requires: python3-lhsmdu
-Conflicts: atune < 0.3-0.3
+Conflicts: atune < 0.3-0.9
 
 %description engine
 atune engine tool for manage atuned AI tuning system.
@@ -65,9 +67,6 @@ atune engine tool for manage atuned AI tuning system.
 %autosetup -n A-Tune-v%{version} -p1
 
 %build
-sed -i "s/^rest_tls.*/rest_tls = false/" misc/atuned.cnf
-sed -i "s/^engine_tls.*/engine_tls = false/" misc/atuned.cnf
-sed -i "s/^engine_tls.*/engine_tls = false/" misc/engine.cnf
 %make_build
 
 %install
@@ -77,55 +76,64 @@ sed -i "s/^engine_tls.*/engine_tls = false/" misc/engine.cnf
 
 %files
 %license License/LICENSE
-%defattr(0640,root,root,-)
+%defattr(0640,root,root,0750)
-%attr(0640,root,root) /usr/lib/atuned/modules/daemon_profile_server.so
+%attr(0550,root,root) /usr/lib/atuned/modules/daemon_profile_server.so
 %attr(0640,root,root) %{_unitdir}/atuned.service
-%attr(0750,root,root) %{_bindir}/atuned
+%attr(0550,root,root) %{_bindir}/atuned
-%attr(0750,root,root) /usr/libexec/atuned/analysis/*
+%attr(0550,root,root) /usr/libexec/atuned/analysis/*
-%attr(0640,root,root) /usr/lib/atuned/profiles/*
+/usr/lib/atuned/profiles/*
 %exclude /usr/libexec/atuned/analysis/app_engine.py
 %exclude /usr/libexec/atuned/analysis/models/
 %exclude /usr/libexec/atuned/analysis/optimizer/
 %exclude /usr/libexec/atuned/analysis/engine/
 %exclude /usr/libexec/atuned/analysis/dataset/
 %attr(0750,root,root) %dir /usr/lib/atuned
-%attr(0750,root,root) %dir /usr/lib/atuned/modules
+%attr(0550,root,root) %dir /usr/lib/atuned/modules
 %attr(0750,root,root) %dir /usr/lib/atuned/profiles
 %attr(0750,root,root) %dir /usr/libexec/atuned
-%attr(0750,root,root) %dir /usr/libexec/atuned/analysis
+%attr(0550,root,root) %dir /usr/libexec/atuned/analysis
 %attr(0750,root,root) %dir /usr/share/atuned
 %attr(0750,root,root) %dir /etc/atuned
 %attr(0750,root,root) %dir /etc/atuned/rules
+%attr(0750,root,root) %dir /etc/atuned/tuning
 %attr(0750,root,root) %dir /var/atuned
 %attr(0640,root,root) /etc/atuned/atuned.cnf
+%attr(0700,root,root) %dir /etc/atuned/engine_certs
+%attr(0700,root,root) %dir /etc/atuned/rest_certs
 %exclude /etc/atuned/engine_certs/*
 %exclude /etc/atuned/rest_certs/*
 
+
 %files client
-%attr(0750,root,root) %{_bindir}/atune-adm
+%attr(0550,root,root) %{_bindir}/atune-adm
-%attr(0640,root,root) /usr/share/bash-completion/completions/atune-adm
+%attr(0550,root,root) /usr/share/bash-completion/completions/atune-adm
 
 %files db
 %attr(0750,root,root) %dir /var/lib/atuned
 %attr(0750,root,root) %dir /var/run/atuned
-%attr(0750,root,root) /var/lib/atuned/atuned.db
+%attr(0640,root,root) /var/lib/atuned/atuned.db
 %attr(0750,root,root) %dir /usr/libexec/atuned
+%attr(0550,root,root) %dir /usr/libexec/atuned/analysis
+%attr(0550,root,root) %dir /usr/libexec/atuned/analysis/models
+%attr(0550,root,root) /usr/libexec/atuned/analysis/models/*
 
 %files engine
 %license License/LICENSE
-%defattr(0640,root,root,-)
+%defattr(0640,root,root,0750)
 %attr(0640,root,root) %{_unitdir}/atune-engine.service
-%attr(0750,root,root) /usr/libexec/atuned/analysis/*
+%attr(0550,root,root) /usr/libexec/atuned/analysis/*
-%attr(0750,root,root) /etc/atuned/*
+/etc/atuned/*
 %exclude /usr/libexec/atuned/analysis/app_rest.py
 %exclude /usr/libexec/atuned/analysis/plugin/
 %exclude /usr/libexec/atuned/analysis/atuned/
-%attr(0750,root,root) %dir /usr/libexec/atuned/analysis
+%attr(0550,root,root) %dir /usr/libexec/atuned/analysis
 %attr(0750,root,root) %dir /etc/atuned
 %exclude /etc/atuned/atuned.cnf
 %exclude /etc/atuned/rules
+%exclude /etc/atuned/tuning
+%attr(0700,root,root) %dir /etc/atuned/engine_certs
 %exclude /etc/atuned/engine_certs/*
-%exclude /etc/atuned/rest_certs/*
+%exclude /etc/atuned/rest_certs
 
 %post
 %systemd_post atuned.service
@@ -137,6 +145,9 @@ sed -i "s/^engine_tls.*/engine_tls = false/" misc/engine.cnf
 %systemd_postun_with_restart atuned.service
 
 %changelog
+* Fri Mar 04 2022 gaoruoshu <gaoruoshu@huawei.com> - 1.0.0-2
+- enable certificate authentication by default and modify file permissions
+
 * Tue Nov 16 2021 hanxinke <hanxinke@huawei.com> - 1.0.0-1
 - upgrade to v1.0.0
 
@@ -172,3 +183,4 @@ sed -i "s/^engine_tls.*/engine_tls = false/" misc/engine.cnf
 
 * Tue Nov 12 2019 openEuler Buildteam <buildteam@openeuler.org> - 0.1-0.1
 - Package init
+

check-whether-the-certificate-file-exists.patch

@@ -0,0 +1,34 @@
+From 8d7596125161bea13641644fca2384411e00a4e5 Mon Sep 17 00:00:00 2001
+From: gaoruoshu <gaoruoshu@huawei.com>
+Date: Tue, 15 Feb 2022 17:03:40 +0800
+Subject: [PATCH] check whether the certificate file exists
+
+---
+ analysis/app.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/analysis/app.py b/analysis/app.py
+index 31b5f51..b25e784 100644
+--- a/analysis/app.py
++++ b/analysis/app.py
+@@ -22,6 +22,8 @@ from logging.handlers import SysLogHandler
+ from flask import Flask
+ from flask_restful import Api
+
++LOGGER = logging.getLogger(__name__)
++
+
+ class App:
+     """flask application"""
+@@ -51,6 +51,9 @@ class App:
+ 
+     def startup_app(self, host, port, tls, cert_file, key_file, ca_file, log_level):
+         """start flask app"""
++        if not os.path.exists(cert_file) or not os.path.exists(key_file) or not os.path.exists(ca_file):
++            LOGGER.error("Startup failed. Please provide the authentication certificate.")
++            raise FileNotFoundError("Startup failed. Please provide the authentication certificate.")
+         level = logging.getLevelName(log_level.upper())
+         self.config_log(level)
+         self.add_resource()
+-- 
+2.30.0