From d4027bc95c7c31c9139858a461ca783533437faf Mon Sep 17 00:00:00 2001 From: Sivaram Mothiki Date: Tue, 12 Dec 2017 14:04:11 -0800 Subject: [PATCH] make insecureskipverify configurable (#40) * make inseucreskipverify configurable * add insecure and certspath to configs * add certs test * add config support for client key and cert --- examples/certs/client.cert | 22 +++++++ examples/certs/client.key | 28 +++++++++ examples/certs/server.crt | 18 ++++++ realis.go | 114 +++++++++++++++++++++++++++++-------- realis_e2e_test.go | 14 ++++- 5 files changed, 170 insertions(+), 26 deletions(-) create mode 100644 examples/certs/client.cert create mode 100644 examples/certs/client.key create mode 100644 examples/certs/server.crt diff --git a/examples/certs/client.cert b/examples/certs/client.cert new file mode 100644 index 0000000..67d2b91 --- /dev/null +++ b/examples/certs/client.cert @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDrTCCApWgAwIBAgIJAM+bKx50CY9JMA0GCSqGSIb3DQEBCwUAMG0xCzAJBgNV +BAYTAkdCMQ8wDQYDVQQIDAZMb25kb24xDzANBgNVBAcMBkxvbmRvbjEYMBYGA1UE +CgwPR2xvYmFsIFNlY3VyaXR5MRYwFAYDVQQLDA1JVCBEZXBhcnRtZW50MQowCAYD +VQQDDAEqMB4XDTE3MTIwODIwNTMwMVoXDTI3MTIwNjIwNTMwMVowbTELMAkGA1UE +BhMCR0IxDzANBgNVBAgMBkxvbmRvbjEPMA0GA1UEBwwGTG9uZG9uMRgwFgYDVQQK +DA9HbG9iYWwgU2VjdXJpdHkxFjAUBgNVBAsMDUlUIERlcGFydG1lbnQxCjAIBgNV +BAMMASowggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDhdN0KH80BF3Dk +RQqAARcf7F87uNhQM05HXK8ffpESvKhzrO9BHuDZ0yS3il0BK9XpTyTtHSLIbphk +rO3BOsmPj0zhaM20LsPtwy8GmMCym3hVNSYYyP5XCdjA3uZIYq2R8ruk+vZTe4Zr +F8GHV/xGYU4zKPMGzsQbICjZhj0yiYF9UQ2J+xw79nsqPTmo8+EdVuunLz39dt2o +SbDA01g/kPTIg9K2CAUH0mm4zegiqytwpn2JKVoemmgrDYECWnhLprWlvN9t/fX9 +IgprDAHN1BsMrzfmfQXZpVmbIlTriVSdYVeTwG8rT7Tg8soIHqBrnJ1ykTpY4VrO +6tc2z4kTAgMBAAGjUDBOMB0GA1UdDgQWBBSLvwax1Zd6ZiE7TjRklWYNPwgZ2zAf +BgNVHSMEGDAWgBSLvwax1Zd6ZiE7TjRklWYNPwgZ2zAMBgNVHRMEBTADAQH/MA0G +CSqGSIb3DQEBCwUAA4IBAQCJY/EJxlyiSrnO82QcsWm9cT/ciU/G7Y4vX/tGs74C +tNxuBpc0vMfW4a9u6tmi3cW3EXD/KRvPwKZXxzTOhoQY9ZpbZLZ6VvCQ+aWQaXWT +664IS/mrEUZ/p3pgqTNtifdpPAZqVqNdS+Od8/B3/nWUn6JBkDZ4WaFQgfsSulxK +yzYN6UbwhLHfQUupFFhPfvYIVLH9ErGzcv5ZCHX9FornCc0W/8hL4EdjmpTW2ML2 +hM5aTKynMiR1GuGSdSpJ+BOeiUI7Go1jGwjV+H9Pw/kfmooq2wuuUGti5dr0Qq7h +CQx1a14BmDBwGoMIOdjFATRwnami5e188fAJozL++i+s +-----END CERTIFICATE----- diff --git a/examples/certs/client.key b/examples/certs/client.key new file mode 100644 index 0000000..7805b83 --- /dev/null +++ b/examples/certs/client.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDhdN0KH80BF3Dk +RQqAARcf7F87uNhQM05HXK8ffpESvKhzrO9BHuDZ0yS3il0BK9XpTyTtHSLIbphk +rO3BOsmPj0zhaM20LsPtwy8GmMCym3hVNSYYyP5XCdjA3uZIYq2R8ruk+vZTe4Zr +F8GHV/xGYU4zKPMGzsQbICjZhj0yiYF9UQ2J+xw79nsqPTmo8+EdVuunLz39dt2o +SbDA01g/kPTIg9K2CAUH0mm4zegiqytwpn2JKVoemmgrDYECWnhLprWlvN9t/fX9 +IgprDAHN1BsMrzfmfQXZpVmbIlTriVSdYVeTwG8rT7Tg8soIHqBrnJ1ykTpY4VrO +6tc2z4kTAgMBAAECggEBAMZL7SY8dikhnu+HMgcH7njrg4+ZsthHZ/AoOvcucRbT +zC2ByyWxrP6pUUAFeGvRTGHadJYA7FjxvSO/XZZ4yFN2LJ6NeW+jOjzjUXcx3zq4 +t4vqJUnjbqDLTlPFOTItaJBXuGcRPJqMqNuEl3kdEAwvBYLF34r7TUy2and4NFc/ +JziGljkiucoNBk62TCDrffnvxMJXht+ab6PMWO87PzMVs4xUFPe0ezv4O54btUcV +EJsU58013EHeCai8AnxjcIPlMlB+lg4Y3C4VXf0mJ//cBvbCp+kyWybMw/e+e222 +xq/98vnCOIqcy4u+9ENPLJQe7hXZ3Sqh38kf0GuOh8ECgYEA+VFvuuBP0OQHTxeE +dUizR3Iz/xkeGDUZ/8Ix4TCUmRRuhEXrV7ShwUmuanO3pNhChW6hXZ6qj/yuhfOC +D4V4upEnJDccz/cbH1PdBsfALhC8/C0WSGvnEWZMw/SggmY4KwReqWwN9aA8qjdq +kFTOJc2Js+dCHP9kn9J3U16A+oMCgYEA53+2lhckAI8bsrbCayWRZAVx7hUNPijt +MQvH+PCJ3QeZ0z801zk+4ny5WQ1BT0vRzwj8an4Byi2ZuTQU//N4oawDK0JVYi7q +rjKX/AhAx/puoGAgqiS1nDmuiUiplW06HqayCFbpJ1CoXz8+MwdRXiJ8dgioafVJ ++7wHZDVmMjECgYEAoULxd/ia58x2hcv6Wzo469+MjlYaxyGhvXJIfRXFJ/a1PU1U +Whh1/+W+sRBEGpXfARt7uGhmfle8Mtw8pfl5C4PTw3L6afG1U2AVOMt/HMyq0JoB +LbrNbM20nZLfNzkS35AmAoPny5ZnZtoNTWntJTp69SiB9OuklFO35u7bki0CgYAL +qQYkVzQMBylI/iWaygChvhh3+n15RQx1bPd8lXkMNgbMeiGKOaruM4QOdTl16ga+ +W+CC6KfkbBmTF4l7PuMzmXtrYWL1mBFgBtJa8nt41yddUpoyl7jCDrG43n0UNrU3 +uAO9ocsKnOhuK7xRS6wQhsIoG9WHyMAaOuVQadQk8QKBgQDVibcvOPXNcF1aRMG7 +V24nBb+YYz+00g/cLRkDnBX9/HORle0HSfeT70ctRhuFCoHHbHF4fnp/iAwDgxdB +dNufthftTZTtFGITUsJDN36fSXNjEvKzmKEAlEYkGAYijLlDwknPB+bf4NQ6T0R+ +AtnKQY6G4kFSfw9AKgWGy7ZKfg== +-----END PRIVATE KEY----- diff --git a/examples/certs/server.crt b/examples/certs/server.crt new file mode 100644 index 0000000..919c4ff --- /dev/null +++ b/examples/certs/server.crt @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC6zCCAdOgAwIBAgIJAMgY8gND5lFnMA0GCSqGSIb3DQEBCwUAMAwxCjAIBgNV +BAMMASowHhcNMTcxMjA4MjA1MTQyWhcNMjcxMjA2MjA1MTQyWjAMMQowCAYDVQQD +DAEqMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwKcyyXg90wen25yh +QA17MDyzjzBsIL9+kznzRD1azoNqA3RShAAWXn5a81HeWvncpVL+TKPMU3UC02XT +I6GtX1U7xmdKstBLKiHQxGWX04DshSrVgcVzLUI6OHBG6feoL1mGAa8jB2UEE6ER +uXdgYgKbLUrvduSn4fBvPIhhXg9YL2n2TVujkaY9bPZ9M5tQ5K+g4wRwCAYgjTUN +55J82uzAsLCs+AQi9D4bLJmw0z2H7enRLkd9sRE2pArhXm4LLg/QlL8I5ZHv7vfl +RYdOoC3bjgKk+OVOmb2Fb/dWVlOMcnO8qeo9WyQbhAcjNK2W9Tqk5E5orGZ/bkw/ +iZc0MwIDAQABo1AwTjAdBgNVHQ4EFgQUA0xmNKQqxUQgaM9ceCzFyocn9jswHwYD +VR0jBBgwFoAUA0xmNKQqxUQgaM9ceCzFyocn9jswDAYDVR0TBAUwAwEB/zANBgkq +hkiG9w0BAQsFAAOCAQEAnL7VvBTcFyLeNeuTAWmM0bjlwWsuL9Va2LZitnATgzE7 +ACS+ZNURnpK/o3UHGc2ePDCFgPsF2mnh4Jmye2tl5uPxQS2zR96hp16ZGVi9N1gx +4aQyknKt6UFRP/cvWwgDN5N3pnRZQ7J0kaAWCPtAIldeGK7UDjOJ1DLDVLeByr7x +27TCt69ysisTtz6Tzr5vvVDEtu2yNIf/uGk3od+pe/0E1UXVCTItvwM30wvfcTPU +aMZXBYNmSrjnJ4k/9FSjZYNKPtK1c/JR+zUng1h+I3b7itY5VBGdzdq9fEk20PHm +Xdg1Ptbebtl6PJqWX+rydXuen6SUt8vFJE89MkbWSw== +-----END CERTIFICATE----- diff --git a/realis.go b/realis.go index bfa8e3f..d9177b6 100644 --- a/realis.go +++ b/realis.go @@ -17,14 +17,16 @@ package realis import ( "crypto/tls" + "crypto/x509" "encoding/base64" "fmt" + "io/ioutil" + "math/rand" "net/http" "net/http/cookiejar" + "path/filepath" "time" - "math/rand" - "git.apache.org/thrift.git/lib/go/thrift" "github.com/paypal/gorealis/gen-go/apache/aurora" "github.com/paypal/gorealis/response" @@ -82,6 +84,9 @@ type RealisConfig struct { transport thrift.TTransport protoFactory thrift.TProtocolFactory logger Logger + InsecureSkipVerify bool + certspath string + clientkey, clientcert string } type Backoff struct { @@ -156,6 +161,24 @@ func BackOff(b *Backoff) ClientOption { } } +func InsecureSkipVerify(InsecureSkipVerify bool) ClientOption { + return func(config *RealisConfig) { + config.InsecureSkipVerify = InsecureSkipVerify + } +} + +func Certspath(certspath string) ClientOption { + return func(config *RealisConfig) { + config.certspath = certspath + } +} + +func ClientCerts(clientKey, clientCert string) ClientOption { + return func(config *RealisConfig) { + config.clientkey, config.clientcert = clientKey, clientCert + } +} + // Using the word set to avoid name collision with Interface func SetLogger(l Logger) ClientOption { return func(config *RealisConfig) { @@ -163,8 +186,8 @@ func SetLogger(l Logger) ClientOption { } } -func newTJSONTransport(url string, timeout int) (thrift.TTransport, error) { - trans, err := defaultTTransport(url, timeout) +func newTJSONTransport(url string, timeout int, config *RealisConfig) (thrift.TTransport, error) { + trans, err := defaultTTransport(url, timeout, config) if err != nil { return nil, errors.Wrap(err, "Error creating realis") } @@ -174,8 +197,8 @@ func newTJSONTransport(url string, timeout int) (thrift.TTransport, error) { return trans, err } -func newTBinTransport(url string, timeout int) (thrift.TTransport, error) { - trans, err := defaultTTransport(url, timeout) +func newTBinTransport(url string, timeout int, config *RealisConfig) (thrift.TTransport, error) { + trans, err := defaultTTransport(url, timeout, config) if err != nil { return nil, errors.Wrap(err, "Error creating realis") } @@ -228,7 +251,7 @@ func NewRealisClient(options ...ClientOption) (Realis, error) { } if config.jsonTransport { - trans, err := newTJSONTransport(url, config.timeoutms) + trans, err := newTJSONTransport(url, config.timeoutms, config) if err != nil { return nil, errors.Wrap(err, "Error creating realis") } @@ -236,7 +259,7 @@ func NewRealisClient(options ...ClientOption) (Realis, error) { config.protoFactory = thrift.NewTJSONProtocolFactory() } else if config.binTransport { - trans, err := newTBinTransport(url, config.timeoutms) + trans, err := newTBinTransport(url, config.timeoutms, config) if err != nil { return nil, errors.Wrap(err, "Error creating realis") } @@ -283,17 +306,62 @@ func GetDefaultClusterFromZKUrl(zkurl string) *Cluster { } } +func Getcerts(certpath string) (*x509.CertPool, error) { + globalRootCAs := x509.NewCertPool() + caFiles, err := ioutil.ReadDir(certpath) + if err != nil { + return nil, err + } + for _, cert := range caFiles { + capathfile := filepath.Join(certpath, cert.Name()) + caCert, err := ioutil.ReadFile(capathfile) + if err != nil { + return nil, err + } + globalRootCAs.AppendCertsFromPEM(caCert) + } + return globalRootCAs, nil +} + // Creates a default Thrift Transport object for communications in gorealis using an HTTP Post Client -func defaultTTransport(urlstr string, timeoutms int) (thrift.TTransport, error) { +func defaultTTransport(urlstr string, timeoutms int, config *RealisConfig) (thrift.TTransport, error) { jar, err := cookiejar.New(nil) if err != nil { return &thrift.THttpClient{}, errors.Wrap(err, "Error creating Cookie Jar") } - transport := &http.Transport{ - TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, + var transport http.Transport + if config != nil { + tlsConfig := &tls.Config{} + if config.InsecureSkipVerify { + tlsConfig.InsecureSkipVerify = true + } + if config.certspath != "" { + rootCAs, err := Getcerts("examples/certs") + if err != nil { + config.logger.Println("error occured couldn't fetch certs") + return nil, err + } + tlsConfig.RootCAs = rootCAs + } + if config.clientkey != "" && config.clientcert == "" { + return nil, fmt.Errorf("have to provide both client key,cert. Only client key provided ") + } + if config.clientkey == "" && config.clientcert != "" { + return nil, fmt.Errorf("have to provide both client key,cert. Only client cert provided ") + } + if config.clientkey != "" && config.clientcert != "" { + cert, err := tls.LoadX509KeyPair(config.clientcert, config.clientkey) + if err != nil { + config.logger.Println("error occured loading client certs and keys") + return nil, err + } + tlsConfig.Certificates = []tls.Certificate{cert} + } + transport.TLSClientConfig = tlsConfig } + trans, err := thrift.NewTHttpPostClientWithOptions(urlstr+"/api", - thrift.THttpClientOptions{Client: &http.Client{Timeout: time.Millisecond * time.Duration(timeoutms), Transport: transport, Jar: jar}}) + thrift.THttpClientOptions{Client: &http.Client{Timeout: time.Millisecond * time.Duration(timeoutms), Transport: &transport, Jar: jar}}) if err != nil { return &thrift.THttpClient{}, errors.Wrap(err, "Error creating transport") @@ -308,13 +376,13 @@ func defaultTTransport(urlstr string, timeoutms int) (thrift.TTransport, error) // Create a default configuration of the transport layer, requires a URL to test connection with. // Uses HTTP Post as transport layer and Thrift JSON as the wire protocol by default. -func newDefaultConfig(url string, timeoutms int) (*RealisConfig, error) { - return newTJSONConfig(url, timeoutms) +func newDefaultConfig(url string, timeoutms int, config *RealisConfig) (*RealisConfig, error) { + return newTJSONConfig(url, timeoutms, config) } // Creates a realis config object using HTTP Post and Thrift JSON protocol to communicate with Aurora. -func newTJSONConfig(url string, timeoutms int) (*RealisConfig, error) { - trans, err := defaultTTransport(url, timeoutms) +func newTJSONConfig(url string, timeoutms int, config *RealisConfig) (*RealisConfig, error) { + trans, err := defaultTTransport(url, timeoutms, config) if err != nil { return &RealisConfig{}, errors.Wrap(err, "Error creating realis config") } @@ -327,8 +395,8 @@ func newTJSONConfig(url string, timeoutms int) (*RealisConfig, error) { } // Creates a realis config config using HTTP Post and Thrift Binary protocol to communicate with Aurora. -func newTBinaryConfig(url string, timeoutms int) (*RealisConfig, error) { - trans, err := defaultTTransport(url, timeoutms) +func newTBinaryConfig(url string, timeoutms int, config *RealisConfig) (*RealisConfig, error) { + trans, err := defaultTTransport(url, timeoutms, config) if err != nil { return &RealisConfig{}, errors.Wrap(err, "Error creating realis config") } @@ -370,18 +438,18 @@ func (r *realisClient) ReestablishConn() error { //Re-establish using cluster object. url, err = LeaderFromZK(*r.config.cluster) if err != nil { - fmt.Errorf("LeaderFromZK error: %+v\n ", err) + r.config.logger.Println("LeaderFromZK error: %+v\n ", err) } r.logger.Println("ReestablishConn url: ", url) if r.config.jsonTransport { - trans, err := newTJSONTransport(url, r.config.timeoutms) + trans, err := newTJSONTransport(url, r.config.timeoutms, r.config) if err != nil { return errors.Wrap(err, "Error creating realis") } r.config.transport = trans r.config.protoFactory = thrift.NewTJSONProtocolFactory() } else if r.config.binTransport { - trans, err := newTBinTransport(url, r.config.timeoutms) + trans, err := newTBinTransport(url, r.config.timeoutms, r.config) if err != nil { return errors.Wrap(err, "Error creating realis") } @@ -400,14 +468,14 @@ func (r *realisClient) ReestablishConn() error { //Re-establish using scheduler url. r.logger.Println("ReestablishConn url: ", r.config.url) if r.config.jsonTransport { - trans, err := newTJSONTransport(url, r.config.timeoutms) + trans, err := newTJSONTransport(url, r.config.timeoutms, r.config) if err != nil { return errors.Wrap(err, "Error creating realis") } r.config.transport = trans r.config.protoFactory = thrift.NewTJSONProtocolFactory() } else if r.config.binTransport { - trans, err := newTBinTransport(url, r.config.timeoutms) + trans, err := newTBinTransport(url, r.config.timeoutms, r.config) if err != nil { return errors.Wrap(err, "Error creating realis") } diff --git a/realis_e2e_test.go b/realis_e2e_test.go index 82b339a..30f42c9 100644 --- a/realis_e2e_test.go +++ b/realis_e2e_test.go @@ -16,13 +16,14 @@ package realis_test import ( "fmt" - "github.com/paypal/gorealis" - "github.com/paypal/gorealis/gen-go/apache/aurora" - "github.com/stretchr/testify/assert" "io/ioutil" "os" "testing" "time" + + "github.com/paypal/gorealis" + "github.com/paypal/gorealis/gen-go/apache/aurora" + "github.com/stretchr/testify/assert" ) var r realis.Realis @@ -63,6 +64,13 @@ func TestLeaderFromZK(t *testing.T) { assert.Equal(t, url, "http://aurora.local:8081") } +func TestGetCacerts(t *testing.T) { + certs, err := realis.Getcerts("./examples/certs") + assert.NoError(t, err) + assert.Equal(t, len(certs.Subjects()), 2) + +} + func TestRealisClient_CreateJob_Thermos(t *testing.T) { job := realis.NewJob().