Merge into trunk : no-ssl-public : Code : Go OpenStack Exchange

Status:	Merged
Approved by:	John A Meinel on 2013-09-10
Approved revision:	106
Merged at revision:	107
Proposed branch:	lp:~jameinel/goose/no-ssl-public
Merge into:	lp:goose
Diff against target:	55 lines (+37/-0) 2 files modified client/client.go (+8/-0) client/local_test.go (+29/-0)
To merge this branch:	bzr merge lp:~jameinel/goose/no-ssl-public
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Juju Engineering		2013-09-09	Pending
Review via email: mp+184517@code.launchpad.net

Commit message

client.NewNonValidatingPublicClient: new API

While working on the juju-core side of the code, I discovered another path
where we try to connect to the HTTPS server (reading public buckets). So we
need a way to disable ssl validation there as well.

https://codereview.appspot.com/13396048/

Description of the change

client.NewNonValidatingPublicClient: new API

While working on the juju-core side of the code, I discovered another path
where we try to connect to the HTTPS server (reading public buckets). So we
need a way to disable ssl validation there as well.

https://codereview.appspot.com/13396048/

Revision history for this message

John A Meinel (jameinel) wrote on 2013-09-09:

#

Reviewers: mp+184517_code.launchpad.net,

Message:
Please take a look.

Description:
client.NewNonValidatingPublicClient: new API

While working on the juju-core side of the code, I discovered another
path
where we try to connect to the HTTPS server (reading public buckets). So
we
need a way to disable ssl validation there as well.

https://code.launchpad.net/~jameinel/goose/no-ssl-public/+merge/184517

(do not edit description out of merge proposal)

Please review this at https://codereview.appspot.com/13396048/

Affected files (+39, -0 lines):
   A [revision details]
   M client/client.go
   M client/local_test.go

Index: [revision details]
=== added file '[revision details]'
--- [revision details] 2012-01-01 00:00:00 +0000
+++ [revision details] 2012-01-01 00:00:00 +0000
@@ -0,0 +1,2 @@
+Old revision: tarmac-20130906034601-83yd6irnaucxwul4
+New revision: <email address hidden>

Index: client/client.go
=== modified file 'client/client.go'
--- client/client.go 2013-09-04 10:35:49 +0000
+++ client/client.go 2013-09-09 08:24:27 +0000
@@ -89,6 +89,14 @@
return &client
}

+func NewNonValidatingPublicClient(baseURL string, logger *log.Logger)
Client {
+ return &client{
+ baseURL: baseURL,
+ logger: logger,
+ httpClient: goosehttp.NewNonSSLValidating(),
+ }
+}
+
var defaultRequiredServiceTypes = []string{"compute", "object-store"}

func newClient(creds *identity.Credentials, auth_method identity.AuthMode,
httpClient *goosehttp.Client, logger *log.Logger) AuthenticatingClient {

Index: client/local_test.go
=== modified file 'client/local_test.go'
--- client/local_test.go 2013-09-04 10:35:49 +0000
+++ client/local_test.go 2013-09-09 08:24:27 +0000
@@ -396,3 +396,32 @@
   c.Assert(err, IsNil)
   c.Check(contents, DeepEquals, []swift.ContainerContents{})
  }
+
+func (s *localHTTPSSuite) setupPublicContainer(c *C) string {
+ // First set up a container that can be read publically
+ authClient := client.NewNonValidatingClient(s.cred,
identity.AuthUserPass, nil)
+ authSwift := swift.New(authClient)
+ err := authSwift.CreateContainer("test_container", swift.PublicRead)
+ c.Assert(err, IsNil)
+
+ baseURL, err := authClient.MakeServiceURL("object-store", nil)
+ c.Assert(err, IsNil)
+ c.Assert(baseURL[:8], Equals, "https://")
+ return baseURL
+}
+
+func (s *localHTTPSSuite) TestDefaultPublicClientRefusesSelfSigned(c *C) {
+ baseURL := s.setupPublicContainer(c)
+ swiftClient := swift.New(client.NewPublicClient(baseURL, nil))
+ contents, err := swiftClient.List("test_container", "", "", "", 0)
+ c.Assert(err, ErrorMatches, "(.|\n)*x509: certificate signed by unknown
authority")
+ c.Assert(contents, DeepEquals, []swift.ContainerContents(nil))
+}
+
+func (s *localHTTPSSuite) TestNonValidatingPublicClientAcceptsSelfSigned(c
*C) {
+ baseURL := s.setupPublicContainer(c)
+ swiftClient := swift.New(client.NewNonValidatingPublicClient(baseURL,
nil))
+ contents, err := swiftClient.List("test_container", "", "", "", 0)
+ c.Assert(err, IsNil)
+ c.Assert(contents, DeepEquals, []swift.ContainerContents{})
+}

Reviewers: mp+184517_code.launchpad.net,

Message:
Please take a look.

Description:
client.NewNonValidatingPublicClient: new API

While working on the juju-core side of the code, I discovered another
path
where we try to connect to the HTTPS server (reading public buckets). So
we
need a way to disable ssl validation there as well.

https://code.launchpad.net/~jameinel/goose/no-ssl-public/+merge/184517

(do not edit description out of merge proposal)

Please review this at https://codereview.appspot.com/13396048/

Affected files (+39, -0 lines):
   A [revision details]
   M client/client.go
   M client/local_test.go

Index: [revision details]
=== added file '[revision details]'
--- [revision details]	2012-01-01 00:00:00 +0000
+++ [revision details]	2012-01-01 00:00:00 +0000
@@ -0,0 +1,2 @@
+Old revision: tarmac-20130906034601-83yd6irnaucxwul4
+New revision: john@arbash-meinel.com-20130909082427-jeu2usmhwxdyq91v

Index: client/client.go
=== modified file 'client/client.go'
--- client/client.go	2013-09-04 10:35:49 +0000
+++ client/client.go	2013-09-09 08:24:27 +0000
@@ -89,6 +89,14 @@
  	return &client
  }

+func NewNonValidatingPublicClient(baseURL string, logger *log.Logger)  
Client {
+	return &client{
+		baseURL:    baseURL,
+		logger:     logger,
+		httpClient: goosehttp.NewNonSSLValidating(),
+	}
+}
+
  var defaultRequiredServiceTypes = []string{"compute", "object-store"}

func newClient(creds *identity.Credentials, auth_method identity.AuthMode,  
httpClient *goosehttp.Client, logger *log.Logger) AuthenticatingClient {

Index: client/local_test.go
=== modified file 'client/local_test.go'
--- client/local_test.go	2013-09-04 10:35:49 +0000
+++ client/local_test.go	2013-09-09 08:24:27 +0000
@@ -396,3 +396,32 @@
  	c.Assert(err, IsNil)
  	c.Check(contents, DeepEquals, []swift.ContainerContents{})
  }
+
+func (s *localHTTPSSuite) setupPublicContainer(c *C) string {
+	// First set up a container that can be read publically
+	authClient := client.NewNonValidatingClient(s.cred,  
identity.AuthUserPass, nil)
+	authSwift := swift.New(authClient)
+	err := authSwift.CreateContainer("test_container", swift.PublicRead)
+	c.Assert(err, IsNil)
+
+	baseURL, err := authClient.MakeServiceURL("object-store", nil)
+	c.Assert(err, IsNil)
+	c.Assert(baseURL[:8], Equals, "https://")
+	return baseURL
+}
+
+func (s *localHTTPSSuite) TestDefaultPublicClientRefusesSelfSigned(c *C) {
+	baseURL := s.setupPublicContainer(c)
+	swiftClient := swift.New(client.NewPublicClient(baseURL, nil))
+	contents, err := swiftClient.List("test_container", "", "", "", 0)
+	c.Assert(err, ErrorMatches, "(.|\n)*x509: certificate signed by unknown  
authority")
+	c.Assert(contents, DeepEquals, []swift.ContainerContents(nil))
+}
+
+func (s *localHTTPSSuite) TestNonValidatingPublicClientAcceptsSelfSigned(c  
*C) {
+	baseURL := s.setupPublicContainer(c)
+	swiftClient := swift.New(client.NewNonValidatingPublicClient(baseURL,  
nil))
+	contents, err := swiftClient.List("test_container", "", "", "", 0)
+	c.Assert(err, IsNil)
+	c.Assert(contents, DeepEquals, []swift.ContainerContents{})
+}

Revision history for this message

Frank Mueller (themue) wrote on 2013-09-10:

#

LGTM, this cert validation stuff goes deeper than thought in the
beginning.

https://codereview.appspot.com/13396048/

Go OpenStack Exchange

Merge lp:~jameinel/goose/no-ssl-public into lp:goose

Commit message

Description of the change

Preview Diff

Subscribers

 === modified file 'client/client.go'
 --- client/client.go	2013-09-04 10:35:49 +0000
 +++ client/client.go	2013-09-09 08:38:34 +0000
@@ -89,6 +89,14 @@
  	return &client
+ }
++func NewNonValidatingPublicClient(baseURL string, logger *log.Logger) Client {
++	return &client{
++		baseURL:    baseURL,
++		logger:     logger,
++		httpClient: goosehttp.NewNonSSLValidating(),
++	}
++}
++
  var defaultRequiredServiceTypes = []string{"compute", "object-store"}
  func newClient(creds *identity.Credentials, auth_method identity.AuthMode, httpClient *goosehttp.Client, logger *log.Logger) AuthenticatingClient {
 === modified file 'client/local_test.go'
 --- client/local_test.go	2013-09-04 10:35:49 +0000
 +++ client/local_test.go	2013-09-09 08:38:34 +0000
@@ -396,3 +396,32 @@
  	c.Assert(err, IsNil)
  	c.Check(contents, DeepEquals, []swift.ContainerContents{})
+ }
++
++func (s *localHTTPSSuite) setupPublicContainer(c *C) string {
++	// First set up a container that can be read publically
++	authClient := client.NewNonValidatingClient(s.cred, identity.AuthUserPass, nil)
++	authSwift := swift.New(authClient)
++	err := authSwift.CreateContainer("test_container", swift.PublicRead)
++	c.Assert(err, IsNil)
++
++	baseURL, err := authClient.MakeServiceURL("object-store", nil)
++	c.Assert(err, IsNil)
++	c.Assert(baseURL[:8], Equals, "https://")
++	return baseURL
++}
++
++func (s *localHTTPSSuite) TestDefaultPublicClientRefusesSelfSigned(c *C) {
++	baseURL := s.setupPublicContainer(c)
++	swiftClient := swift.New(client.NewPublicClient(baseURL, nil))
++	contents, err := swiftClient.List("test_container", "", "", "", 0)
++	c.Assert(err, ErrorMatches, "(.|\n)*x509: certificate signed by unknown authority")
++	c.Assert(contents, DeepEquals, []swift.ContainerContents(nil))
++}
++
++func (s *localHTTPSSuite) TestNonValidatingPublicClientAcceptsSelfSigned(c *C) {
++	baseURL := s.setupPublicContainer(c)
++	swiftClient := swift.New(client.NewNonValidatingPublicClient(baseURL, nil))
++	contents, err := swiftClient.List("test_container", "", "", "", 0)
++	c.Assert(err, IsNil)
++	c.Assert(contents, DeepEquals, []swift.ContainerContents{})
++}