Merge lp:~chad.smith/landscape-client/autoregistration-cacert-ignore-invalid-cert into lp:~landscape/landscape-client/trunk

Proposed by Chad Smith
Status: Merged
Approved by: Mike Milner
Approved revision: 479
Merged at revision: 480
Proposed branch: lp:~chad.smith/landscape-client/autoregistration-cacert-ignore-invalid-cert
Merge into: lp:~landscape/landscape-client/trunk
Diff against target: 114 lines (+30/-6)
4 files modified
landscape/configuration.py (+1/-1)
landscape/lib/fetch.py (+7/-1)
landscape/lib/tests/test_fetch.py (+18/-0)
landscape/tests/test_configuration.py (+4/-4)
To merge this branch: bzr merge lp:~chad.smith/landscape-client/autoregistration-cacert-ignore-invalid-cert
Reviewer Review Type Date Requested Status
Mike Milner (community) Approve
Alberto Donato (community) Approve
Review via email: mp+96275@code.launchpad.net

Description of the change

dpb found issues during integration testing that client wget & pycurl redirects http://landscape.local/get-ca-cert -> https://landscape.local/get-ca-cert due to CA cert fail.

Since we can't put the cart before the horse:

   This branch adds pycurl.setopt(SSL_VERIFYPEER, False) during initial fetch attempt of custom CA-cert.
   This insecure fetch option is only used during auto-discovery/auto-registration to avoid https redirects or initial cert errors.

 Added a test to ensure the proper curl.setopt is called if fetch(insecure=True)

Alberto Donato (ack) wrote :

Nice fix! +1

review: Approve
Mike Milner (milner) wrote :

Looks great +1!

[1]
20 def fetch(url, post=False, data="", headers={}, cainfo=None, curl=None,
21 - connect_timeout=30, total_timeout=600):
22 + connect_timeout=30, total_timeout=600, insecure=False):

Please add "insecure" to the docstring params.

review: Approve
480. By Chad Smith

add insecure parameter info to the docstring

481. By Chad Smith

typo fix

Preview Diff

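--- a/landscape/configuration.py
+++ b/landscape/configuration.py
@@ -501,7 +501,7 @@
  encoded_cert = ""
  ca_url = "http://%s/get-ca-cert" % hostname
  try:
- content = fetch(ca_url)
+ content = fetch(ca_url, insecure=True)
  except HTTPCodeError, error:
  on_error("Unable to fetch CA certificate from discovered server %s: "
  "Server does not support client auto-registation." % hostname)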
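Review bot: The `fetch(ca_url, insecure=True)` call at new line 504 retrieves the CA certificate over a channel that is itself unauthenticated (plain `http://`, then an HTTPS redirect with peer verification off), so anyone on the network path during auto-registration can substitute their own certificate. The hunk does not show what happens to `content` afterwards, but if it is installed as the client's trusted CA without further checks, this is trust-on-first-use and the code should say so. I would add a comment above the call, `# Bootstrap fetch is unauthenticated: confirm the returned CA cert out-of-band (e.g. compare its fingerprint) before trusting it`, and consider printing the certificate fingerprint during registration so operators can compare it with the server's. The enclosing function starts and ends outside the hunk.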
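--- a/landscape/lib/fetch.py
+++ b/landscape/lib/fetch.py
@@ -44,7 +44,7 @@
 
 
 def fetch(url, post=False, data="", headers={}, cainfo=None, curl=None,
- connect_timeout=30, total_timeout=600):
+ connect_timeout=30, total_timeout=600, insecure=False):
  """Retrieve a URL and return the content.
 
  @param url: The url to be fetched.
@@ -53,6 +53,9 @@
  @param headers: Dictionary of header => value entries to be used
  on the request.
  @param cainfo: Path to the file with CA certificates.
+ @param insecure: If true, perform curl using insecure option which will
+ not attempt to verify authenticity of the peer's
+ certificate. (Used during autodiscovery)
  """
  import pycurl
  output = StringIO(data)
@@ -75,6 +78,9 @@
  curl.setopt(pycurl.HTTPHEADER,
  ["%s: %s" % pair for pair in sorted(headers.iteritems())])
 
+ if insecure:
+ curl.setopt(pycurl.SSL_VERIFYPEER, False)
+
  curl.setopt(pycurl.URL, str(url))
  curl.setopt(pycurl.FOLLOWLOCATION, True)
  curl.setopt(pycurl.MAXREDIRS, 5)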
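Review bot: The `if insecure:` branch at new lines 81-82 only ever turns `SSL_VERIFYPEER` off, and it does so for the whole transfer, including up to five followed redirects (`FOLLOWLOCATION`/`MAXREDIRS` just below), so an insecure fetch can end at any host presenting any certificate. Because the option is never set back, a caller that passes in its own `curl` handle and reuses it would presumably keep verification disabled on later requests. Setting it explicitly on every call, `curl.setopt(pycurl.SSL_VERIFYPEER, not insecure)`, would avoid that, at the cost of updating the option dictionaries the existing tests expect. The new `@param insecure` entry could also state the consequence for callers, e.g. `Data fetched this way is unauthenticated and must not be trusted without separate verification.` The body of fetch() continues outside these hunks.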
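--- a/landscape/lib/tests/test_fetch.py
+++ b/landscape/lib/tests/test_fetch.py
@@ -231,6 +231,24 @@
  else:
  self.fail("PyCurlError not raised")
 
+ def test_pycurl_insecure(self):
+ curl = CurlStub("result")
+ result = fetch("http://example.com/get-ca-cert", curl=curl,
+ insecure=True)
+ self.assertEqual(result, "result")
+ self.assertEqual(curl.options,
+ {pycurl.URL: "http://example.com/get-ca-cert",
+ pycurl.FOLLOWLOCATION: True,
+ pycurl.MAXREDIRS: 5,
+ pycurl.CONNECTTIMEOUT: 30,
+ pycurl.LOW_SPEED_LIMIT: 1,
+ pycurl.LOW_SPEED_TIME: 600,
+ pycurl.NOSIGNAL: 1,
+ pycurl.WRITEFUNCTION: Any(),
+ pycurl.SSL_VERIFYPEER: False,
+ pycurl.DNS_CACHE_TIMEOUT: 0,
+ pycurl.ENCODING: "gzip,deflate"})
+
  def test_pycurl_error_str(self):
  self.assertEqual(str(PyCurlError(60, "pycurl error")),
  "Error 60: pycurl error")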
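--- a/landscape/tests/test_configuration.py
+++ b/landscape/tests/test_configuration.py
@@ -1991,7 +1991,7 @@
  """
  base64_cert = "base64: MTIzNDU2Nzg5MA==" # encoded woo hoo
  fetch_mock = self.mocker.replace("landscape.lib.fetch.fetch")
- fetch_mock("http://fakehost/get-ca-cert")
+ fetch_mock("http://fakehost/get-ca-cert", insecure=True)
  self.mocker.result(
  "{\"custom_ca_cert\": \"%s\"}" % base64_cert)
  self.mocker.replay()
@@ -2012,7 +2012,7 @@
  if it exists, otherwise it should return an empty string.""
  """
  fetch_mock = self.mocker.replace("landscape.lib.fetch.fetch")
- fetch_mock("http://fakehost/get-ca-cert")
+ fetch_mock("http://fakehost/get-ca-cert", insecure=True)
  self.mocker.result("{}")
 
  print_text_mock = self.mocker.replace(print_text)
@@ -2027,7 +2027,7 @@
 
  def test_fetch_base64_ssl_with_http_code_fetch_error(self):
  fetch_mock = self.mocker.replace("landscape.lib.fetch.fetch")
- fetch_mock("http://fakehost/get-ca-cert")
+ fetch_mock("http://fakehost/get-ca-cert", insecure=True)
  self.mocker.throw(HTTPCodeError(404, ""))
  print_text_mock = self.mocker.replace(print_text)
  print_text_mock(
@@ -2047,7 +2047,7 @@
 
  def test_fetch_base64_ssl_with_pycurl_error(self):
  fetch_mock = self.mocker.replace("landscape.lib.fetch.fetch")
- fetch_mock("http://fakehost/get-ca-cert")
+ fetch_mock("http://fakehost/get-ca-cert", insecure=True)
  self.mocker.throw(PyCurlError(60, "pycurl message"))
  print_text_mock = self.mocker.replace(print_text)
  print_text_mock(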
