Merge lp:~chad.smith/landscape-client/autoregistration-cacert-ignore-invalid-cert into lp:landscape-client

Proposed by Chad Smith on 2012-03-07
Status: Merged
Approved by: Mike Milner on 2012-03-07
Approved revision: 479
Merged at revision: 480
Proposed branch: lp:~chad.smith/landscape-client/autoregistration-cacert-ignore-invalid-cert
Merge into: lp:landscape-client
Diff against target: 114 lines (+30/-6) 4 files modified
To merge this branch: bzr merge lp:~chad.smith/landscape-client/autoregistration-cacert-ignore-invalid-cert
Reviewer Review Type Date Requested Status
Mike Milner (community) 2012-03-07 Approve on 2012-03-07
Alberto Donato 2012-03-07 Approve on 2012-03-07
Review via email: mp+96275@code.launchpad.net

Description of the Change

dpb found issues during integration testing that client wget & pycurl redirects http://landscape.local/get-ca-cert -> https://landscape.local/get-ca-cert due to CA cert fail.

Since we can't put the cart before the horse:

   This branch adds pycurl.setopt(SSL_VERIFYPEER, False) during initial fetch attempt of custom CA-cert.
   This insecure fetch option is only used during auto-discovery/auto-registration to avoid https redirects or initial cert errors.

 Added a test to ensure the proper curl.setopt is called if fetch(insecure=True)

Alberto Donato (ack) wrote :

Nice fix! +1

review: Approve
Mike Milner (milner) wrote :

Looks great +1!

[1]
20 def fetch(url, post=False, data="", headers={}, cainfo=None, curl=None,
21 - connect_timeout=30, total_timeout=600):
22 + connect_timeout=30, total_timeout=600, insecure=False):

Please add "insecure" to the docstring params.

review: Approve
480. By Chad Smith on 2012-03-07

add insecure parameter info to the docstring

481. By Chad Smith on 2012-03-07

typo fix

Preview Diff

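--- a/landscape/configuration.py
+++ b/landscape/configuration.py
@@ -501,7 +501,7 @@
 encoded_cert = ""
 ca_url = "http://%s/get-ca-cert" % hostname
 try:
- content = fetch(ca_url)
+ content = fetch(ca_url, insecure=True)
 except HTTPCodeError, error:
 on_error("Unable to fetch CA certificate from discovered server %s: "
 "Server does not support client auto-registation." % hostname)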
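Review bot: The `fetch(ca_url, insecure=True)` call retrieves the CA certificate with peer verification switched off, and `ca_url` itself is plain `http://`, so nothing on this path authenticates the certificate that comes back. If that certificate is then installed as the client's trust anchor (the description suggests so, but the code that consumes `content` is outside the hunk), anyone on the network path during auto-registration can supply their own CA. The trust-on-first-use assumption should be stated at the call site, e.g. `# Bootstrap fetch is unauthenticated (insecure=True); the returned CA cert needs an out-of-band fingerprint check before it is trusted.`, and logging the certificate fingerprint would give the operator something to compare. The enclosing function starts and ends outside the hunk.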
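--- a/landscape/lib/fetch.py
+++ b/landscape/lib/fetch.py
@@ -44,7 +44,7 @@
 
 
 def fetch(url, post=False, data="", headers={}, cainfo=None, curl=None,
- connect_timeout=30, total_timeout=600):
+ connect_timeout=30, total_timeout=600, insecure=False):
 """Retrieve a URL and return the content.
 
 @param url: The url to be fetched.
@@ -53,6 +53,9 @@
 @param headers: Dictionary of header => value entries to be used
 on the request.
 @param cainfo: Path to the file with CA certificates.
+ @param insecure: If true, perform curl using insecure option which will
+ not attempt to verify authenticity of the peer's
+ certificate. (Used during autodiscovery)
 """
 import pycurl
 output = StringIO(data)
@@ -75,6 +78,9 @@
 curl.setopt(pycurl.HTTPHEADER,
 ["%s: %s" % pair for pair in sorted(headers.iteritems())])
 
+ if insecure:
+ curl.setopt(pycurl.SSL_VERIFYPEER, False)
+
 curl.setopt(pycurl.URL, str(url))
 curl.setopt(pycurl.FOLLOWLOCATION, True)
 curl.setopt(pycurl.MAXREDIRS, 5)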
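Review bot: The `if insecure:` branch only ever turns `pycurl.SSL_VERIFYPEER` off and never sets it back, so a `curl` handle passed in by a caller and reused for a later `fetch()` would keep verification disabled; whether any caller reuses handles is not visible here. Setting the option on every call, `curl.setopt(pycurl.SSL_VERIFYPEER, not insecure)`, makes the state explicit (the expected option dicts in the tests would then gain the key). Because `FOLLOWLOCATION` is on with `MAXREDIRS` 5, the relaxed check also applies to every redirect target rather than only the discovered host, and any `cainfo` given has no effect on verification when `insecure` is true; the docstring entry could say both. The body of `fetch` continues outside these hunks.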
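--- a/landscape/lib/tests/test_fetch.py
+++ b/landscape/lib/tests/test_fetch.py
@@ -231,6 +231,24 @@
 else:
 self.fail("PyCurlError not raised")
 
+ def test_pycurl_insecure(self):
+ curl = CurlStub("result")
+ result = fetch("http://example.com/get-ca-cert", curl=curl,
+ insecure=True)
+ self.assertEqual(result, "result")
+ self.assertEqual(curl.options,
+ {pycurl.URL: "http://example.com/get-ca-cert",
+ pycurl.FOLLOWLOCATION: True,
+ pycurl.MAXREDIRS: 5,
+ pycurl.CONNECTTIMEOUT: 30,
+ pycurl.LOW_SPEED_LIMIT: 1,
+ pycurl.LOW_SPEED_TIME: 600,
+ pycurl.NOSIGNAL: 1,
+ pycurl.WRITEFUNCTION: Any(),
+ pycurl.SSL_VERIFYPEER: False,
+ pycurl.DNS_CACHE_TIMEOUT: 0,
+ pycurl.ENCODING: "gzip,deflate"})
+
 def test_pycurl_error_str(self):
 self.assertEqual(str(PyCurlError(60, "pycurl error")),
 "Error 60: pycurl error")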
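Review bot: `test_pycurl_insecure` pins the option set for `insecure=True` but has no docstring, and nothing in this hunk asserts the opposite case. A companion check that `pycurl.SSL_VERIFYPEER` is absent from `curl.options` when `insecure` is omitted would catch a regression that disables verification by default. The exact-dict tests outside the hunk may already cover that, in which case a docstring such as `"""fetch(insecure=True) disables peer verification and changes no other option."""` is enough.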
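--- a/landscape/tests/test_configuration.py
+++ b/landscape/tests/test_configuration.py
@@ -1991,7 +1991,7 @@
 """
 base64_cert = "base64: MTIzNDU2Nzg5MA==" # encoded woo hoo
 fetch_mock = self.mocker.replace("landscape.lib.fetch.fetch")
- fetch_mock("http://fakehost/get-ca-cert")
+ fetch_mock("http://fakehost/get-ca-cert", insecure=True)
 self.mocker.result(
 "{\"custom_ca_cert\": \"%s\"}" % base64_cert)
 self.mocker.replay()
@@ -2012,7 +2012,7 @@
 if it exists, otherwise it should return an empty string.""
 """
 fetch_mock = self.mocker.replace("landscape.lib.fetch.fetch")
- fetch_mock("http://fakehost/get-ca-cert")
+ fetch_mock("http://fakehost/get-ca-cert", insecure=True)
 self.mocker.result("{}")
 
 print_text_mock = self.mocker.replace(print_text)
@@ -2027,7 +2027,7 @@
 
 def test_fetch_base64_ssl_with_http_code_fetch_error(self):
 fetch_mock = self.mocker.replace("landscape.lib.fetch.fetch")
- fetch_mock("http://fakehost/get-ca-cert")
+ fetch_mock("http://fakehost/get-ca-cert", insecure=True)
 self.mocker.throw(HTTPCodeError(404, ""))
 print_text_mock = self.mocker.replace(print_text)
 print_text_mock(
@@ -2047,7 +2047,7 @@
 
 def test_fetch_base64_ssl_with_pycurl_error(self):
 fetch_mock = self.mocker.replace("landscape.lib.fetch.fetch")
- fetch_mock("http://fakehost/get-ca-cert")
+ fetch_mock("http://fakehost/get-ca-cert", insecure=True)
 self.mocker.throw(PyCurlError(60, "pycurl message"))
 print_text_mock = self.mocker.replace(print_text)
 print_text_mock(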
