MAAS

Merge ~adam-collard/maas:3.3-vault-proxy into maas:3.3

Proposed by Adam Collard on 2023-01-11

Status:

Merged

Approved by:

Adam Collard on 2023-01-11

Approved revision:

9443e8dd4396d4fbadf7ac9efe9ee7ee6e071078

Merge reported by:

MAAS Lander

Merged at revision:

not available

Proposed branch:

~adam-collard/maas:3.3-vault-proxy

Merge into:

maas:3.3

Diff against target:

131 lines (+54/-27)

3 files modified

src/maasserver/bootsources.py (+1/-0)
src/maasserver/pytest_tests/test_vault.py (+47/-19)
src/maasserver/vault.py (+6/-8)

Critical

Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
Adam Collard (community)			Approve on 2023-01-11
Review via email: mp+435596@code.launchpad.net

Commit message

LP:2002111 explicitly set proxies for hvac.Client

Cherry-pick 79bc358e2

Revision history for this message

Adam Collard (adam-collard) wrote on 2023-01-11:

self-approve backport

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Adam Collard

MAAS Committers

Matvej Jurbin

Shane Holloman

 diff --git a/src/maasserver/bootsources.py b/src/maasserver/bootsources.py
 index 58c6cb7..5c2b081 100644
 --- a/src/maasserver/bootsources.py
 +++ b/src/maasserver/bootsources.py
@@ -378,6 +378,7 @@ def cache_boot_sources():
      # FIXME: This modifies the environment of the entire process, which is Not
      # Cool. We should integrate with simplestreams in a more Pythonic manner.
++    # See maasserver.vault._create_hvac_client - LP:2002111
      pristine_env = yield deferToDatabase(set_simplestreams_env)
      errors = []
 diff --git a/src/maasserver/pytest_tests/test_vault.py b/src/maasserver/pytest_tests/test_vault.py
 index 7277dbb..94db5ff 100644
 --- a/src/maasserver/pytest_tests/test_vault.py
 +++ b/src/maasserver/pytest_tests/test_vault.py
@@ -1,10 +1,11 @@
++from contextlib import suppress
  from datetime import datetime, timedelta, timezone
--from os import environ
  from unittest.mock import ANY, MagicMock
  from django.core.exceptions import ImproperlyConfigured
  from hvac.exceptions import VaultError as HVACVaultError
  import pytest
++from requests.adapters import HTTPAdapter
  from maasserver import vault
  from maasserver.models import Config
@@ -143,25 +144,52 @@ class TestVaultClient:
          ensure_auth.assert_called_once()
++@pytest.mark.parametrize("scheme", ["http", "https"])
  class TestNoProxySettingForHVAC:
--    def test_no_proxy_set(self, monkeypatch):
--        url = "http://url.to.vault:8200"
--        monkeypatch.delenv("no_proxy", raising=False)
--        _create_hvac_client(url)
--        assert environ.get("no_proxy") == url
--
--    def test_no_proxy_appended(self, monkeypatch):
--        url = "http://url.to.vault:8200"
--        monkeypatch.setenv("no_proxy", "localhost,127.0.0.1")
--        _create_hvac_client(url)
--        assert environ.get("no_proxy") == f"localhost,127.0.0.1,{url}"
--
--    def test_idempotency(self, monkeypatch):
--        url = "http://url.to.vault:8200"
--        monkeypatch.delenv("no_proxy", raising=False)
--        _create_hvac_client(url)
--        _create_hvac_client(url)
--        assert environ.get("no_proxy") == url
++    def test_proxy_for_vault_scheme_set_to_None(self, scheme):
++        """HVAC client should be configured to not use a proxy."""
++        hvac_client = _create_hvac_client(f"{scheme}://url.to.vault:8200")
++        assert hvac_client.session.proxies == {scheme: None}
++
++    def test_proxy_for_with_env(self, scheme, monkeypatch):
++        """HVAC client should ignore standard proxy environment variables."""
++        monkeypatch.setenv("http_proxy", "http://squid.proxy:3128")
++        monkeypatch.setenv("https_proxy", "http://squid.proxy:3128")
++        monkeypatch.setenv("no_proxy", "127.0.0.1.localhost")
++
++        hvac_client = _create_hvac_client(f"{scheme}://url.to.vault:8200")
++        assert hvac_client.session.proxies == {scheme: None}
++
++    def test_request_honours_proxies(self, scheme, monkeypatch):
++        """Verify that the request made by requests follows the rules."""
++        monkeypatch.setenv("http_proxy", "http://squid.proxy:3128")
++        monkeypatch.setenv("https_proxy", "http://squid.proxy:3128")
++        monkeypatch.setenv("no_proxy", "127.0.0.1.localhost")
++        hvac_client = _create_hvac_client(f"{scheme}://url.to.vault:8200")
++
++        class ProxyRecordingAdapter(HTTPAdapter):
++            """
++            A basic subclass of the HTTPAdapter that records the arguments used to
++            ``send``.
++            """
++
++            def __init__(self2, *args, **kwargs):
++                super().__init__(*args, **kwargs)
++                self2.proxies = []
++
++            def send(self2, request, **kwargs):
++                self2.proxies.append(kwargs.get("proxies"))
++                return
++
++        adapter = ProxyRecordingAdapter()
++        hvac_client.session.mount(f"{scheme}://", adapter)
++
++        # Since we return None from ProxyRecordingAdapter.send, it throws
++        # AttributeErrors, we just want to see the request that was
++        # attempted
++        with suppress(AttributeError):
++            hvac_client.seal_status
++        assert scheme not in adapter.proxies[0]
  class TestGetRegionVaultClient:
 diff --git a/src/maasserver/vault.py b/src/maasserver/vault.py
 index 9ff213f..2b28a3d 100644
 --- a/src/maasserver/vault.py
 +++ b/src/maasserver/vault.py
@@ -1,8 +1,8 @@
  from datetime import datetime, timedelta, timezone
  from functools import cache, wraps
  import logging
--import os
  from typing import Any, Callable, NamedTuple, Optional
++from urllib.parse import urlparse
  from dateutil.parser import isoparse
  from django.core.exceptions import ImproperlyConfigured
@@ -48,13 +48,11 @@ def wrap_errors(func: Callable) -> Callable:
  def _create_hvac_client(url: str, **kwargs) -> hvac.Client:
      """Create HVAC client for the given URL, with no proxies set."""
--    # This is gross, and unfortunately necessary due to bootsources.get_simplestreams_env
--    # and https://github.com/psf/requests/issues/2018
--    if no_proxy := os.environ.get("no_proxy"):
--        if url not in no_proxy.split(","):
--            os.environ["no_proxy"] = f"{no_proxy},{url}"
--    else:
--        os.environ["no_proxy"] = url
++    # FIXME: This is gross, and unfortunately necessary due to
++    # bootsources.get_simplestreams_env and
++    # https://github.com/psf/requests/issues/2018
++    # LP:2002528
++    kwargs["proxies"] = {urlparse(url).scheme: None}
      return hvac.Client(url=url, **kwargs)

MAAS

Merge ~adam-collard/maas:3.3-vault-proxy into maas:3.3

Commit message

Description of the change

Preview Diff

Subscribers