Trusting custom content in the Spotfire environment

Many Spotfire users want to extend the Spotfire environment in different ways. It has for a long time been possible to add scripts based on IronPython or JavaScript to analyses, to be executed through buttons in text areas or via actions based on clicks in certain visualizations. Further enhancements can be made using many different types of data functions that can either be created directly in an analysis file or saved as a separate entity in the Spotfire library. With Spotfire 11.0, it also became much easier to add custom visualizations, with the new concept of visualization mods, and in Spotfire 12.0, it became possible to configure actions that interact with external systems. Any custom item created by a malevolent person could potentially perform unexpected or undesired actions. Therefore, Spotfire uses different trust mechanisms to help you to keep your system safe.

Spotfire visualization mods and external actions

Spotfire visualization mods can be created and also uploaded to the Spotfire library by any user with sufficient privileges, and, similarly, an action that can potentially send data or interact with an external system can be configured by users with sufficient privileges. The license features for handling visualization mods or external actions are found under the Spotfire Extensions and Spotfire Analyst license. To ensure that only trusted developers are allowed to add and execute code, there are many things you can do as an administrator.

Sign items

Anyone who creates or adds a visualization mod or an external action to the Spotfire environment can sign it. The signing informs other people about the origin of the item and helps you to make informed decisions regarding whether the item can be trusted or not. Signed items make it possible to verify the authenticity, integrity and publisher of the code or action.

Signing of visualization mods can be done, either through certificates created by a certificate authority (CA), or automatically, using the Spotfire account of the person who loads a mod project to an analysis file. Use signing based on a CA certificate if you create mods that are intended to be shared with other organizations. External actions are tied to a specific analysis and are always signed with your Spotfire account.

Tip: You can configure a list of allowed URLs when it comes to certificate verification. See Configuring allowed issuers for code trust for more information.

When the Spotfire account is used to sign code, the Spotfire Server will act as a certificate authority and issue a certificate for the user (on demand only). The certificate will expire after a period of time, and then a new certificate will be issued, if the user still remains in the system. This means that a Spotfire account cannot be used to sign mods while offline. It also means that you might need to copy certificates from one system to another to keep user signatures valid, for example, if your company develops mods on one server and wants to use them on another server. See Moving certificates from one system to another for more information. See Spotfire Developer Documentation > Spotfire Package Builder for more information about signing mods while offline or with certificates from a CA.

Note: When using custom content that needs signing, it is important to specify a public address for the Spotfire Server, to be able to verify that certificates are valid. The public address is used for Online Certificate Status Protocol (OCSP) requests and, in production systems, it must be kept stable for a long time period to ensure that certificates remain valid. It is recommended to use a load balancer or reverse proxy to access the server. That way, you can easily add or replace server instances, while keeping the public address stable.

Note: If your organization has a root certificate authority (CA) of its own (which is not present in the default Java cacert) and certificates issued by this authority will be used when signing items such as mods, the root CA certificate must be imported to the Spotfire Server using the import-code-signing-certificate command. This is needed because input validation for uploaded certificates is done when making trust decisions (that is, when a trust decision is made, the certificate path of the signing certificate is verified on the server side).

This validation is done for error detection rather than for security reasons. If the certificate chain contains any intermediate certificates, the validation step requires that the Spotfire Server is running and connected to the internet, so that the intermediate certificates can be fetched and the certificate chain can be validated. If the root certificate is not imported to the Spotfire Server, this verification will fail, and it will not be possible to trust such items. However, it is possible to switch off the server-side verification by setting the configuration property security.code-trust.validate-uploaded-cert to false.

Trust mods, actions, or signers

The trusting may be performed on an individual level by end users who have permission to trust items and signers but, as an administrator, you can also predefine trusted signers for groups in the Spotfire environment. See Adding trusted signers to a group for more information.

For an end user, it is possible to either trust all items added by a certain person, that is, to trust the signer, or to trust specific items only. Signers and items that have been trusted by an end user with trusting privileges can be reviewed on each user's My account page on the server. It is reached by clicking the username at the bottom left while being in the library or on any other server administration page, or from one of the clients by clicking View all trusted signers in the Manage trust dialog. Users with trust permission can download certificates or remove previously added trust decisions they have made.

As an administrator, you can also view all trusted signers and items for each user, under Users.

If a specific mod is trusted, the mod will be seen as trusted in all analyses where it exists, however, re-trusting will be required if any changes are made to the mod at a later stage. If the signer is trusted, instead of a specific mod, then all future mods or new versions of a mod from that signer will automatically be trusted.

Untrusted mods

Attempts to add a mod that is not trusted to an analysis will lead to the question of whether or not it should be trusted (end users who do not have permission to trust cannot add untrusted mods at all). The more mods that have been pre-approved by the administrator, the fewer questions will be shown to the end users who try to add visualizations to their analyses.

Untrusted actions

If an external action is added to an analysis, and the configurator has not been added as a trusted signer by the administrator, clicking on the trigger for the action in a visualization (for example, a floating button or the pop-up menu) will ask the end user whether to trust the action and show which data will be affected by the action.

Note: By default, only valid signatures can be trusted. If required (in special cases), it is possible to relax this limitation by changing a preference in Administration Manager (Application > Trust > Require valid signature to allow trust).

Remove trusted signers

You can always withdraw a previous decision to trust a certificate or a Spotfire user signature. See Removing trusted signers from a group for more information.

Invalidate signatures and revoke certificates

If a user account has been used to sign items that the user does not wish to be responsible for, each user can invalidate their own signatures from a specific time and up until now. This is done from the My account page of the user (if any signatures are available).

As an administrator, you can invalidate another user's signatures using the revoke-code-signing-certificate command in the CLI. If a user is suspected to try to add malicious mods on purpose, then you might also want to remove the user from the system. A previously imported root certificate, issued by a certificate authority (CA), can be removed using the command remove-code-signing-root-certificate.

Other users will be informed that the item is signed by an invalid signature.

Block certificates, users or custom items

It is also possible to block certificates, users or specific items from being used at all. See Blocking certificates, users or custom items for more information.

CLI commands

For a complete list of the commands available for handling trust, see Code trust commands.

Script and Data Function Trust

Currently, there is no way to sign scripts or data functions. This means that all such entities will be seen as unsigned in all the user interfaces.

Instead, Spotfire uses a trust mechanism, where users called Script Authors, verified by licenses and group membership, are the only ones that can make a script trusted for anyone in the organization. See System groups and Spotfire extensions for more information.

End users who have access can still review and trust unsigned entities from the File > Manage trust dialog in the Spotfire installed client.

Data Functions written in R

Spotfire has its own implementation of the R language, Spotfire® Enterprise Runtime for R (a/k/a TERR™), which is included in Spotfire applications. Spotfire Enterprise Runtime for R comes with a restricted mode which is built to provide a secure environment when working with data functions. If the data function is trusted, then it can be executed without any restrictions. If a TERR-based data function is not trusted, Spotfire makes an attempt to run the data function in the restricted mode. If the script uses statements that are not available in the restricted mode, then the data function is prevented from running until it has been trusted.