fix(security): hard production guard on insecure-TLS hatch + workflow perms + example SDK bump #193
Merged
…orkflow perms + example SDK bump
Three security alerts on axonflow-sdk-java:
1. CodeQL java/insecure-trustmanager (#8, high) at HttpClientFactory.java. The trust-all path is an intentional, double-gated development escape hatch for self-signed certs (requires BOTH insecureSkipVerify(true) AND AXONFLOW_INSECURE_TLS env var). Rather than remove the dev affordance, this adds a hard production guard: when a production-like deployment environment is detected (ENVIRONMENT / AXONFLOW_ENVIRONMENT / APP_ENV / SPRING_PROFILES_ACTIVE / NODE_ENV / ... carrying a 'prod'/'production' token), the insecure path is REFUSED outright, TLS verification stays enabled, and a SECURITY error is logged naming the signalling variable. New tests prove the guard PREVENTS the insecure path (not just logs), handles compound values (prod,metrics), and does not false-positive on non-production values. Alert to be dismissed-by-design on #2711 now that the production path is belt-and-suspenders hardened. Real code change -> VERSION bumped 8.5.0 -> 8.5.1 + CHANGELOG.
2. CodeQL actions/missing-workflow-permissions (#9, med) on heartbeat-real-stack.yml: added a top-level least-privilege 'permissions: contents: read' block (workflow only checks out + tests). Block kept identical to the axonflow-sdk-typescript fix for coherence.
3. Dependabot #2 (med): examples/wcp-retry-idempotency/pom.xml pinned a stale com.getaxonflow:axonflow-sdk 5.5.0 (vulnerable < 6.0.0); bumped to the current released 8.5.0.
Refs getaxonflow/axonflow-enterprise#2711
Signed-off-by: Saurabh Jain <saurabh.jain@getaxonflow.com>
Summary
Clears all three open security alerts on this repo (epic getaxonflow/axonflow-enterprise#2711).
java/insecure-trustmanager at HttpClientFactory.java
actions/missing-workflow-permissions on heartbeat-real-stack.yml | permissions: contents: read
com.getaxonflow:axonflow-sdk 5.5.0 (vuln < 6.0.0) | examples/wcp-retry-idempotency/pom.xml -> 8.5.0
CodeQL #8: keep the dev escape hatch, add a hard production guard
The trust-all TrustManager is an intentional, double-gated development affordance for self-signed certificates: it activates only when BOTH insecureSkipVerify(true) is set on the config builder AND the AXONFLOW_INSECURE_TLS env var is set. Removing it would break legitimate local self-signed-cert workflows, so it stays.
As belt-and-suspenders, create() now refuses the insecure path entirely when a production-like deployment environment is detected, even if both gates are set: TLS verification stays on and a SECURITY error is logged naming the signalling variable. A production environment is detected when any of a set of common deployment env vars (ENVIRONMENT, AXONFLOW_ENVIRONMENT, APP_ENV, SPRING_PROFILES_ACTIVE, NODE_ENV, ...) carries a prod/production token. The value is tokenised on whitespace/comma/semicolon/colon/hyphen/underscore/dot/slash so compound names like production-us and prod_west are caught; negated labels like non-prod/pre-prod are correctly not treated as production so the dev hatch stays usable there.
New unit tests prove the guard prevents (not merely logs) the insecure path, catches hyphen/underscore-delimited prod names, handles compound Spring profiles, and does not false-positive on negated or non-prod values.
Because this is a real shipped-code change, pom.xml is bumped 8.5.0 -> 8.5.1 with a matching CHANGELOG entry. (No tag is cut here; release is the operator's step.) The CodeQL alert will be dismissed-by-design on the epic now that the production path is hardened.
Workflow permissions
heartbeat-real-stack.yml only checks out the repo and runs tests, so contents: read is sufficient. Block kept byte-identical to the axonflow-sdk-typescript heartbeat fix.
Example SDK bump
examples/wcp-retry-idempotency/pom.xml referenced the long-stale 5.5.0; bumped to the current released 8.5.0 on Maven Central (>= the 6.0.0 patch floor). The example is a standalone module (not in the parent <modules>); it intentionally references the last published release, not the unreleased 8.5.1.
Tests
mvn test green (1312 tests, 0 failures; 18 in HttpClientFactoryTest)
mvn jacoco:check green (coverage gate met)
Refs getaxonflow/axonflow-enterprise#2711
Runtime E2E
Added runtime-e2e/trustmanager_prod_guard/ (no-mocks Java driver + README) proving the guard end-to-end against a live agent: in a production-like env with insecure TLS requested, the SDK refuses the trust-all path (default verifying verifier stays installed) yet a real governed decide() still succeeds over the agent's valid TLS cert. Compiles against the real SDK API; run instructions in the README.
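
The guard logic described in this PR, sketched as an added example; it is not the SDK's own code. The class and method names are hypothetical, the variable list is limited to the five names the description spells out, and two behaviours are assumptions: a prod token directly preceded by a "non" or "pre" token counts as negated, and any non-empty AXONFLOW_INSECURE_TLS value counts as set.

```java
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

public class ProdGuardExample {
    // Variables named in the PR description; the project's full list is elided there ("...").
    static final List<String> ENV_VARS = List.of("ENVIRONMENT", "AXONFLOW_ENVIRONMENT",
            "APP_ENV", "SPRING_PROFILES_ACTIVE", "NODE_ENV");
    static final Set<String> PROD = Set.of("prod", "production");
    // Assumption: a prod token directly after one of these tokens is a negated label.
    static final Set<String> NEGATORS = Set.of("non", "pre");

    /** Returns the name of the first variable whose value signals production, if any. */
    static Optional<String> productionSignal(Map<String, String> env) {
        for (String name : ENV_VARS) {
            String value = env.get(name);
            if (value == null) continue;
            // Tokenise on whitespace , ; : - _ . / so "production-us" yields "production".
            String[] tokens = value.toLowerCase(Locale.ROOT).split("[\\s,;:\\-_./]+");
            for (int i = 0; i < tokens.length; i++) {
                boolean negated = i > 0 && NEGATORS.contains(tokens[i - 1]);
                if (PROD.contains(tokens[i]) && !negated) return Optional.of(name);
            }
        }
        return Optional.empty();
    }

    /** True only when both opt-in gates are set and no production signal is present. */
    static boolean allowInsecureTls(boolean insecureSkipVerify, Map<String, String> env) {
        String gate = env.get("AXONFLOW_INSECURE_TLS");
        boolean requested = insecureSkipVerify && gate != null && !gate.isEmpty();
        if (!requested) return false;
        Optional<String> signal = productionSignal(env);
        // Refuse, do not merely warn: the caller keeps the default verifying TLS setup.
        signal.ifPresent(v -> System.err.println(
                "SECURITY: insecure TLS refused, " + v + " signals production"));
        return signal.isEmpty();
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the project's tests.
        for (String v : List.of("prod,metrics", "production-us", "prod_west",
                "non-prod", "pre-prod", "staging")) {
            Map<String, String> env = Map.of("AXONFLOW_INSECURE_TLS", "true",
                    "SPRING_PROFILES_ACTIVE", v);
            System.out.println(v + " -> insecure TLS allowed: " + allowInsecureTls(true, env));
        }
    }
}
```

Matching whole tokens rather than substrings keeps a value such as "reproduce" from tripping the guard, and a compound value that mixes a negated label with a real one still resolves to production.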