make insecureskipverify configurable (#40)

* make inseucreskipverify configurable * add insecure and certspath to configs * add certs test * add config support for client key and cert
2017-12-12 14:04:11 -08:00 · 2017-12-12 14:04:11 -08:00 · d4027bc95c
commit d4027bc95c
parent dd804af0a8
5 changed files with 170 additions and 26 deletions
--- a/examples/certs/client.cert
+++ b/examples/certs/client.cert
@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDrTCCApWgAwIBAgIJAM+bKx50CY9JMA0GCSqGSIb3DQEBCwUAMG0xCzAJBgNV
+BAYTAkdCMQ8wDQYDVQQIDAZMb25kb24xDzANBgNVBAcMBkxvbmRvbjEYMBYGA1UE
+CgwPR2xvYmFsIFNlY3VyaXR5MRYwFAYDVQQLDA1JVCBEZXBhcnRtZW50MQowCAYD
+VQQDDAEqMB4XDTE3MTIwODIwNTMwMVoXDTI3MTIwNjIwNTMwMVowbTELMAkGA1UE
+BhMCR0IxDzANBgNVBAgMBkxvbmRvbjEPMA0GA1UEBwwGTG9uZG9uMRgwFgYDVQQK
+DA9HbG9iYWwgU2VjdXJpdHkxFjAUBgNVBAsMDUlUIERlcGFydG1lbnQxCjAIBgNV
+BAMMASowggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDhdN0KH80BF3Dk
+RQqAARcf7F87uNhQM05HXK8ffpESvKhzrO9BHuDZ0yS3il0BK9XpTyTtHSLIbphk
+rO3BOsmPj0zhaM20LsPtwy8GmMCym3hVNSYYyP5XCdjA3uZIYq2R8ruk+vZTe4Zr
+F8GHV/xGYU4zKPMGzsQbICjZhj0yiYF9UQ2J+xw79nsqPTmo8+EdVuunLz39dt2o
+SbDA01g/kPTIg9K2CAUH0mm4zegiqytwpn2JKVoemmgrDYECWnhLprWlvN9t/fX9
+IgprDAHN1BsMrzfmfQXZpVmbIlTriVSdYVeTwG8rT7Tg8soIHqBrnJ1ykTpY4VrO
+6tc2z4kTAgMBAAGjUDBOMB0GA1UdDgQWBBSLvwax1Zd6ZiE7TjRklWYNPwgZ2zAf
+BgNVHSMEGDAWgBSLvwax1Zd6ZiE7TjRklWYNPwgZ2zAMBgNVHRMEBTADAQH/MA0G
+CSqGSIb3DQEBCwUAA4IBAQCJY/EJxlyiSrnO82QcsWm9cT/ciU/G7Y4vX/tGs74C
+tNxuBpc0vMfW4a9u6tmi3cW3EXD/KRvPwKZXxzTOhoQY9ZpbZLZ6VvCQ+aWQaXWT
+664IS/mrEUZ/p3pgqTNtifdpPAZqVqNdS+Od8/B3/nWUn6JBkDZ4WaFQgfsSulxK
+yzYN6UbwhLHfQUupFFhPfvYIVLH9ErGzcv5ZCHX9FornCc0W/8hL4EdjmpTW2ML2
+hM5aTKynMiR1GuGSdSpJ+BOeiUI7Go1jGwjV+H9Pw/kfmooq2wuuUGti5dr0Qq7h
+CQx1a14BmDBwGoMIOdjFATRwnami5e188fAJozL++i+s
+-----END CERTIFICATE-----
--- a/examples/certs/client.key
+++ b/examples/certs/client.key
@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDhdN0KH80BF3Dk
+RQqAARcf7F87uNhQM05HXK8ffpESvKhzrO9BHuDZ0yS3il0BK9XpTyTtHSLIbphk
+rO3BOsmPj0zhaM20LsPtwy8GmMCym3hVNSYYyP5XCdjA3uZIYq2R8ruk+vZTe4Zr
+F8GHV/xGYU4zKPMGzsQbICjZhj0yiYF9UQ2J+xw79nsqPTmo8+EdVuunLz39dt2o
+SbDA01g/kPTIg9K2CAUH0mm4zegiqytwpn2JKVoemmgrDYECWnhLprWlvN9t/fX9
+IgprDAHN1BsMrzfmfQXZpVmbIlTriVSdYVeTwG8rT7Tg8soIHqBrnJ1ykTpY4VrO
+6tc2z4kTAgMBAAECggEBAMZL7SY8dikhnu+HMgcH7njrg4+ZsthHZ/AoOvcucRbT
+zC2ByyWxrP6pUUAFeGvRTGHadJYA7FjxvSO/XZZ4yFN2LJ6NeW+jOjzjUXcx3zq4
+t4vqJUnjbqDLTlPFOTItaJBXuGcRPJqMqNuEl3kdEAwvBYLF34r7TUy2and4NFc/
+JziGljkiucoNBk62TCDrffnvxMJXht+ab6PMWO87PzMVs4xUFPe0ezv4O54btUcV
+EJsU58013EHeCai8AnxjcIPlMlB+lg4Y3C4VXf0mJ//cBvbCp+kyWybMw/e+e222
+xq/98vnCOIqcy4u+9ENPLJQe7hXZ3Sqh38kf0GuOh8ECgYEA+VFvuuBP0OQHTxeE
+dUizR3Iz/xkeGDUZ/8Ix4TCUmRRuhEXrV7ShwUmuanO3pNhChW6hXZ6qj/yuhfOC
+D4V4upEnJDccz/cbH1PdBsfALhC8/C0WSGvnEWZMw/SggmY4KwReqWwN9aA8qjdq
+kFTOJc2Js+dCHP9kn9J3U16A+oMCgYEA53+2lhckAI8bsrbCayWRZAVx7hUNPijt
+MQvH+PCJ3QeZ0z801zk+4ny5WQ1BT0vRzwj8an4Byi2ZuTQU//N4oawDK0JVYi7q
+rjKX/AhAx/puoGAgqiS1nDmuiUiplW06HqayCFbpJ1CoXz8+MwdRXiJ8dgioafVJ
+7wHZDVmMjECgYEAoULxd/ia58x2hcv6Wzo469+MjlYaxyGhvXJIfRXFJ/a1PU1U
+Whh1/+W+sRBEGpXfARt7uGhmfle8Mtw8pfl5C4PTw3L6afG1U2AVOMt/HMyq0JoB
+LbrNbM20nZLfNzkS35AmAoPny5ZnZtoNTWntJTp69SiB9OuklFO35u7bki0CgYAL
+qQYkVzQMBylI/iWaygChvhh3+n15RQx1bPd8lXkMNgbMeiGKOaruM4QOdTl16ga+
+W+CC6KfkbBmTF4l7PuMzmXtrYWL1mBFgBtJa8nt41yddUpoyl7jCDrG43n0UNrU3
+uAO9ocsKnOhuK7xRS6wQhsIoG9WHyMAaOuVQadQk8QKBgQDVibcvOPXNcF1aRMG7
+V24nBb+YYz+00g/cLRkDnBX9/HORle0HSfeT70ctRhuFCoHHbHF4fnp/iAwDgxdB
+dNufthftTZTtFGITUsJDN36fSXNjEvKzmKEAlEYkGAYijLlDwknPB+bf4NQ6T0R+
+AtnKQY6G4kFSfw9AKgWGy7ZKfg==
+-----END PRIVATE KEY-----
--- a/examples/certs/server.crt
+++ b/examples/certs/server.crt
@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6zCCAdOgAwIBAgIJAMgY8gND5lFnMA0GCSqGSIb3DQEBCwUAMAwxCjAIBgNV
+BAMMASowHhcNMTcxMjA4MjA1MTQyWhcNMjcxMjA2MjA1MTQyWjAMMQowCAYDVQQD
+DAEqMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwKcyyXg90wen25yh
+QA17MDyzjzBsIL9+kznzRD1azoNqA3RShAAWXn5a81HeWvncpVL+TKPMU3UC02XT
+I6GtX1U7xmdKstBLKiHQxGWX04DshSrVgcVzLUI6OHBG6feoL1mGAa8jB2UEE6ER
+uXdgYgKbLUrvduSn4fBvPIhhXg9YL2n2TVujkaY9bPZ9M5tQ5K+g4wRwCAYgjTUN
+55J82uzAsLCs+AQi9D4bLJmw0z2H7enRLkd9sRE2pArhXm4LLg/QlL8I5ZHv7vfl
+RYdOoC3bjgKk+OVOmb2Fb/dWVlOMcnO8qeo9WyQbhAcjNK2W9Tqk5E5orGZ/bkw/
+iZc0MwIDAQABo1AwTjAdBgNVHQ4EFgQUA0xmNKQqxUQgaM9ceCzFyocn9jswHwYD
+VR0jBBgwFoAUA0xmNKQqxUQgaM9ceCzFyocn9jswDAYDVR0TBAUwAwEB/zANBgkq
+hkiG9w0BAQsFAAOCAQEAnL7VvBTcFyLeNeuTAWmM0bjlwWsuL9Va2LZitnATgzE7
+ACS+ZNURnpK/o3UHGc2ePDCFgPsF2mnh4Jmye2tl5uPxQS2zR96hp16ZGVi9N1gx
+4aQyknKt6UFRP/cvWwgDN5N3pnRZQ7J0kaAWCPtAIldeGK7UDjOJ1DLDVLeByr7x
+27TCt69ysisTtz6Tzr5vvVDEtu2yNIf/uGk3od+pe/0E1UXVCTItvwM30wvfcTPU
+aMZXBYNmSrjnJ4k/9FSjZYNKPtK1c/JR+zUng1h+I3b7itY5VBGdzdq9fEk20PHm
+Xdg1Ptbebtl6PJqWX+rydXuen6SUt8vFJE89MkbWSw==
+-----END CERTIFICATE-----
--- a/realis.go
+++ b/realis.go
@ -17,14 +17,16 @@ package realis

 import (
 	"crypto/tls"
+	"crypto/x509"
 	"encoding/base64"
 	"fmt"
+	"io/ioutil"
+	"math/rand"
 	"net/http"
 	"net/http/cookiejar"
+	"path/filepath"
 	"time"

-	"math/rand"
-
 	"git.apache.org/thrift.git/lib/go/thrift"
 	"github.com/paypal/gorealis/gen-go/apache/aurora"
 	"github.com/paypal/gorealis/response"
@ -82,6 +84,9 @@ type RealisConfig struct {
 	transport                   thrift.TTransport
 	protoFactory                thrift.TProtocolFactory
 	logger                      Logger
+	InsecureSkipVerify          bool
+	certspath                   string
+	clientkey, clientcert       string
 }

 type Backoff struct {
@ -156,6 +161,24 @@ func BackOff(b *Backoff) ClientOption {
 	}
 }

+func InsecureSkipVerify(InsecureSkipVerify bool) ClientOption {
+	return func(config *RealisConfig) {
+		config.InsecureSkipVerify = InsecureSkipVerify
+	}
+}
+
+func Certspath(certspath string) ClientOption {
+	return func(config *RealisConfig) {
+		config.certspath = certspath
+	}
+}
+
+func ClientCerts(clientKey, clientCert string) ClientOption {
+	return func(config *RealisConfig) {
+		config.clientkey, config.clientcert = clientKey, clientCert
+	}
+}
+
 // Using the word set to avoid name collision with Interface
 func SetLogger(l Logger) ClientOption {
 	return func(config *RealisConfig) {
@ -163,8 +186,8 @@ func SetLogger(l Logger) ClientOption {
 	}
 }

-func newTJSONTransport(url string, timeout int) (thrift.TTransport, error) {
-	trans, err := defaultTTransport(url, timeout)
+func newTJSONTransport(url string, timeout int, config *RealisConfig) (thrift.TTransport, error) {
+	trans, err := defaultTTransport(url, timeout, config)
 	if err != nil {
 		return nil, errors.Wrap(err, "Error creating realis")
 	}
@ -174,8 +197,8 @@ func newTJSONTransport(url string, timeout int) (thrift.TTransport, error) {
 	return trans, err
 }

-func newTBinTransport(url string, timeout int) (thrift.TTransport, error) {
-	trans, err := defaultTTransport(url, timeout)
+func newTBinTransport(url string, timeout int, config *RealisConfig) (thrift.TTransport, error) {
+	trans, err := defaultTTransport(url, timeout, config)
 	if err != nil {
 		return nil, errors.Wrap(err, "Error creating realis")
 	}
@ -228,7 +251,7 @@ func NewRealisClient(options ...ClientOption) (Realis, error) {
 	}

 	if config.jsonTransport {
-		trans, err := newTJSONTransport(url, config.timeoutms)
+		trans, err := newTJSONTransport(url, config.timeoutms, config)
 		if err != nil {
 			return nil, errors.Wrap(err, "Error creating realis")
 		}
@ -236,7 +259,7 @@ func NewRealisClient(options ...ClientOption) (Realis, error) {
 		config.protoFactory = thrift.NewTJSONProtocolFactory()

 	} else if config.binTransport {
-		trans, err := newTBinTransport(url, config.timeoutms)
+		trans, err := newTBinTransport(url, config.timeoutms, config)
 		if err != nil {
 			return nil, errors.Wrap(err, "Error creating realis")
 		}
@ -283,17 +306,62 @@ func GetDefaultClusterFromZKUrl(zkurl string) *Cluster {
 	}
 }

+func Getcerts(certpath string) (*x509.CertPool, error) {
+	globalRootCAs := x509.NewCertPool()
+	caFiles, err := ioutil.ReadDir(certpath)
+	if err != nil {
+		return nil, err
+	}
+	for _, cert := range caFiles {
+		capathfile := filepath.Join(certpath, cert.Name())
+		caCert, err := ioutil.ReadFile(capathfile)
+		if err != nil {
+			return nil, err
+		}
+		globalRootCAs.AppendCertsFromPEM(caCert)
+	}
+	return globalRootCAs, nil
+}
+
 // Creates a default Thrift Transport object for communications in gorealis using an HTTP Post Client
-func defaultTTransport(urlstr string, timeoutms int) (thrift.TTransport, error) {
+func defaultTTransport(urlstr string, timeoutms int, config *RealisConfig) (thrift.TTransport, error) {
 	jar, err := cookiejar.New(nil)
 	if err != nil {
 		return &thrift.THttpClient{}, errors.Wrap(err, "Error creating Cookie Jar")
 	}
-	transport := &http.Transport{
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+	var transport http.Transport
+	if config != nil {
+		tlsConfig := &tls.Config{}
+		if config.InsecureSkipVerify {
+			tlsConfig.InsecureSkipVerify = true
+		}
+		if config.certspath != "" {
+			rootCAs, err := Getcerts("examples/certs")
+			if err != nil {
+				config.logger.Println("error occured couldn't fetch certs")
+				return nil, err
+			}
+			tlsConfig.RootCAs = rootCAs
+		}
+		if config.clientkey != "" && config.clientcert == "" {
+			return nil, fmt.Errorf("have to provide both client key,cert. Only client key provided ")
+		}
+		if config.clientkey == "" && config.clientcert != "" {
+			return nil, fmt.Errorf("have to provide both client key,cert. Only client cert provided ")
+		}
+		if config.clientkey != "" && config.clientcert != "" {
+			cert, err := tls.LoadX509KeyPair(config.clientcert, config.clientkey)
+			if err != nil {
+				config.logger.Println("error occured loading client certs and keys")
+				return nil, err
+			}
+			tlsConfig.Certificates = []tls.Certificate{cert}
+		}
+		transport.TLSClientConfig = tlsConfig
 	}
+
 	trans, err := thrift.NewTHttpPostClientWithOptions(urlstr+"/api",
-		thrift.THttpClientOptions{Client: &http.Client{Timeout: time.Millisecond * time.Duration(timeoutms), Transport: transport, Jar: jar}})
+		thrift.THttpClientOptions{Client: &http.Client{Timeout: time.Millisecond * time.Duration(timeoutms), Transport: &transport, Jar: jar}})

 	if err != nil {
 		return &thrift.THttpClient{}, errors.Wrap(err, "Error creating transport")
@ -308,13 +376,13 @@ func defaultTTransport(urlstr string, timeoutms int) (thrift.TTransport, error)

 // Create a default configuration of the transport layer, requires a URL to test connection with.
 // Uses HTTP Post as transport layer and Thrift JSON as the wire protocol by default.
-func newDefaultConfig(url string, timeoutms int) (*RealisConfig, error) {
-	return newTJSONConfig(url, timeoutms)
+func newDefaultConfig(url string, timeoutms int, config *RealisConfig) (*RealisConfig, error) {
+	return newTJSONConfig(url, timeoutms, config)
 }

 // Creates a realis config object using HTTP Post and Thrift JSON protocol to communicate with Aurora.
-func newTJSONConfig(url string, timeoutms int) (*RealisConfig, error) {
-	trans, err := defaultTTransport(url, timeoutms)
+func newTJSONConfig(url string, timeoutms int, config *RealisConfig) (*RealisConfig, error) {
+	trans, err := defaultTTransport(url, timeoutms, config)
 	if err != nil {
 		return &RealisConfig{}, errors.Wrap(err, "Error creating realis config")
 	}
@ -327,8 +395,8 @@ func newTJSONConfig(url string, timeoutms int) (*RealisConfig, error) {
 }

 // Creates a realis config config using HTTP Post and Thrift Binary protocol to communicate with Aurora.
-func newTBinaryConfig(url string, timeoutms int) (*RealisConfig, error) {
-	trans, err := defaultTTransport(url, timeoutms)
+func newTBinaryConfig(url string, timeoutms int, config *RealisConfig) (*RealisConfig, error) {
+	trans, err := defaultTTransport(url, timeoutms, config)
 	if err != nil {
 		return &RealisConfig{}, errors.Wrap(err, "Error creating realis config")
 	}
@ -370,18 +438,18 @@ func (r *realisClient) ReestablishConn() error {
 		//Re-establish using cluster object.
 		url, err = LeaderFromZK(*r.config.cluster)
 		if err != nil {
-			fmt.Errorf("LeaderFromZK error: %+v\n ", err)
+			r.config.logger.Println("LeaderFromZK error: %+v\n ", err)
 		}
 		r.logger.Println("ReestablishConn url: ", url)
 		if r.config.jsonTransport {
-			trans, err := newTJSONTransport(url, r.config.timeoutms)
+			trans, err := newTJSONTransport(url, r.config.timeoutms, r.config)
 			if err != nil {
 				return errors.Wrap(err, "Error creating realis")
 			}
 			r.config.transport = trans
 			r.config.protoFactory = thrift.NewTJSONProtocolFactory()
 		} else if r.config.binTransport {
-			trans, err := newTBinTransport(url, r.config.timeoutms)
+			trans, err := newTBinTransport(url, r.config.timeoutms, r.config)
 			if err != nil {
 				return errors.Wrap(err, "Error creating realis")
 			}
@ -400,14 +468,14 @@ func (r *realisClient) ReestablishConn() error {
 		//Re-establish using scheduler url.
 		r.logger.Println("ReestablishConn url: ", r.config.url)
 		if r.config.jsonTransport {
-			trans, err := newTJSONTransport(url, r.config.timeoutms)
+			trans, err := newTJSONTransport(url, r.config.timeoutms, r.config)
 			if err != nil {
 				return errors.Wrap(err, "Error creating realis")
 			}
 			r.config.transport = trans
 			r.config.protoFactory = thrift.NewTJSONProtocolFactory()
 		} else if r.config.binTransport {
-			trans, err := newTBinTransport(url, r.config.timeoutms)
+			trans, err := newTBinTransport(url, r.config.timeoutms, r.config)
 			if err != nil {
 				return errors.Wrap(err, "Error creating realis")
 			}
--- a/realis_e2e_test.go
+++ b/realis_e2e_test.go
@ -16,13 +16,14 @@ package realis_test

 import (
 	"fmt"
-	"github.com/paypal/gorealis"
-	"github.com/paypal/gorealis/gen-go/apache/aurora"
-	"github.com/stretchr/testify/assert"
 	"io/ioutil"
 	"os"
 	"testing"
 	"time"
+
+	"github.com/paypal/gorealis"
+	"github.com/paypal/gorealis/gen-go/apache/aurora"
+	"github.com/stretchr/testify/assert"
 )

 var r realis.Realis
@ -63,6 +64,13 @@ func TestLeaderFromZK(t *testing.T) {
 	assert.Equal(t, url, "http://aurora.local:8081")
 }

+func TestGetCacerts(t *testing.T) {
+	certs, err := realis.Getcerts("./examples/certs")
+	assert.NoError(t, err)
+	assert.Equal(t, len(certs.Subjects()), 2)
+
+}
+
 func TestRealisClient_CreateJob_Thermos(t *testing.T) {

 	job := realis.NewJob().