Trusting custom content in the Spotfire environment
Many Spotfire users want to extend the Spotfire environment in different ways. It has for a long time been possible to add scripts based on IronPython or JavaScript to analyses, to be executed through buttons in text areas or via actions based on clicks in certain visualizations. Further enhancements can be made using many different types of data functions that can either be created directly in an analysis file or saved as a separate entity in the Spotfire library. With Spotfire 11.0, it also became much easier to add custom visualizations, with the new concept of visualization mods. Any custom item created by a malevolent person could potentially perform unexpected or undesired actions. Therefore, Spotfire uses different trust mechanisms to help you to keep your system safe.
Spotfire Visualization Mods
Spotfire visualization mods can be created and also uploaded to the Spotfire library by any user with sufficient privileges. The license features for handling visualization mods are found under TIBCO Spotfire Extensions. To ensure that only trusted developers are allowed to add and execute code, there are many things you can do as an administrator.
Sign mods
Anyone who creates or adds a visualization mod to the Spotfire environment can sign it. The signing informs other people about the origin of the mod and helps you to make informed decisions regarding whether the mod can be trusted or not. Signed mods make it possible to verify the authenticity, integrity and publisher of the code.
Signing can be done, either through certificates created by a certificate authority (CA), or using the Spotfire account of the person who loads a mod project to an analysis file. When the Spotfire account is used to sign code, the Spotfire Server will act as a certificate authority and issue a certificate for the user (on demand only). The certificate will expire after a period of time, and then a new certificate will be issued, if the user still remains in the system. This means that a Spotfire account cannot be used to sign mods while offline. It also means that you might need to copy certificates from one system to another to keep user signatures valid, if your company develops mods on one server and wants to use them on another server. See Moving certificates from one system to another for more information. See Spotfire Developer Documentation > TIBCO Spotfire Package Builder for more information about signing mods while offline or with certificates from a CA.
security.code-trust.validate-uploaded-cert
to false.
Trust mods or signers
The trusting may be performed on an individual level by end users who have permission to trust mods but, as an administrator, you can also predefine trusted signers for groups in the Spotfire environment. See Adding trusted signers to a group for more information.
For an end user, it is possible to either trust all mods added by a certain person, that is, to trust the signer, or to trust specific mods only. Signers and mods that have been trusted by an end user with trusting privileges can be reviewed on each user's My account page on the server. It is reached by clicking the username at the top right while being in the library or on any other server administration page. Users with trust permission can download certificates or remove previously added trust decisions they have made. As an administrator, you can also view all trusted signers and items for each user, under Users & Groups.
If a specific mod is trusted, the mod will be seen as trusted in all analyses where it exists, however, re-trusting will be required if any changes are made to the mod at a later stage. If the signer is trusted, instead of a specific mod, then all future mods or new versions of a mod from that signer will automatically be trusted.
Untrusted mods
Attempts to add a mod that is not trusted to an analysis will lead to the question of whether or not it should be trusted (end users who do not have permission to trust cannot add untrusted mods at all). The more mods that have been pre-approved by the administrator, the fewer questions will be shown to the end users who try to add visualizations to their analyses.
Remove trusted signers
You can always withdraw a previous decision to trust a certificate or a Spotfire user signature. See Removing trusted signers from a group for more information.
Invalidate signatures and revoke certificates
If a user account has been used to sign items that the user does not wish to be responsible for, each user can invalidate their own signatures from a specific time and up until now. This is done from the My account page of the user (if any signatures are available).
As an administrator, you can
invalidate another user's signatures using the
revoke-code-signing-certificate
command in the CLI. If
a user is suspected to try to add malicious mods on purpose, then you might
also want to remove the user from the system.
Other users will be informed that the mod is signed by an invalid signature.
Block certificates, users or custom items
It is also possible to block certificates, users or specific mods from being used at all. See Blocking certificates, users or custom items for more information.
CLI commands
For a complete list of the commands available for handling visualization mod trust, see Code trust commands.
Script and Data Function Trust
Currently, there is no way to sign scripts or data functions. This means that all such entities will be seen as unsigned in all the user interfaces.
Instead, Spotfire uses a trust mechanism, where users called Script Authors, verified by licenses and group membership, are the only ones that can make a script trusted for anyone in the organization. See System groups and Spotfire extensions for more information.
End users who have access can still review and trust unsigned entities from the
dialog in the Spotfire installed client.Data Functions written in R
TIBCO has its own implementation of the R language, TIBCO Enterprise Runtime for R (TERR), which is included in Spotfire applications. TERR comes with a restricted mode which is built to provide a secure environment when working with data functions. If the data function is trusted, then it can be executed without any restrictions. If a TERR-based data function is not trusted, Spotfire will make an attempt to run the data function in the restricted mode. If the script uses statements that are not available in the restricted mode, then the data function will be prevented from running until it has been trusted.
- Adding trusted signers to a group
Developers who create custom items (visualization mods) can sign their code, either with their Spotfire account when logged in to a server, or with a certificate from a certificate authority (CA). You can add both users and certificates as trusted signers for a group, as described in this topic, to make the workflows for end users of the custom items easier. In most cases, it is preferred to add the trusted signers as high up in the group hierarchy as possible, to avoid duplicated work. - Removing trusted signers from a group
As an administrator, you can remove trusted signers from a group at any time. - Revoking a server certificate
If there are suspicions that a user on the Spotfire Server has signed unsafe mods, it is possible to revoke the user's certificates, which renders signatures invalid. This prevents other users from making a trust decision based on false premises. As an administrator, you have the option to revoke a specific certificate for a user or for all certificates from that user, from a certain point in time. - Blocking certificates, users or custom items
Certificates issued from a certificate authority cannot be revoked in the same way as user certificates based on the username from the server. To prevent users on your system from being able to trust and use specific custom items or items signed by a specific certificate or user, it is possible to add the item, certificate or user to the blocked list. This is done using theblock-code-trust
command. Blocked items or custom items signed by a blocked certificate or user will never be executed. - Moving certificates from one system to another
If your company is developing and testing new custom functionality, such as visualization mods, in one system and want to keep signed items valid when moving them from test to production, you can do this by using theexport-code-signing-root-certificate
andimport-code-signing-certificate
commands. This way, the signatures made on another server will be treated as if they were signed with a certificate from a trusted certificate authority (CA).