make insecureskipverify configurable (#40)

* make inseucreskipverify configurable * add insecure and certspath to configs * add certs test * add config support for client key and cert
2017-12-12 14:04:11 -08:00 · 2017-12-12 14:04:11 -08:00 · d4027bc95c
commit d4027bc95c
parent dd804af0a8
5 changed files with 170 additions and 26 deletions
--- a/realis.go
+++ b/realis.go
@ -17,14 +17,16 @@ package realis

 import (
 	"crypto/tls"
+	"crypto/x509"
 	"encoding/base64"
 	"fmt"
+	"io/ioutil"
+	"math/rand"
 	"net/http"
 	"net/http/cookiejar"
+	"path/filepath"
 	"time"

-	"math/rand"
-
 	"git.apache.org/thrift.git/lib/go/thrift"
 	"github.com/paypal/gorealis/gen-go/apache/aurora"
 	"github.com/paypal/gorealis/response"
@ -82,6 +84,9 @@ type RealisConfig struct {
 	transport                   thrift.TTransport
 	protoFactory                thrift.TProtocolFactory
 	logger                      Logger
+	InsecureSkipVerify          bool
+	certspath                   string
+	clientkey, clientcert       string
 }

 type Backoff struct {
@ -156,6 +161,24 @@ func BackOff(b *Backoff) ClientOption {
 	}
 }

+func InsecureSkipVerify(InsecureSkipVerify bool) ClientOption {
+	return func(config *RealisConfig) {
+		config.InsecureSkipVerify = InsecureSkipVerify
+	}
+}
+
+func Certspath(certspath string) ClientOption {
+	return func(config *RealisConfig) {
+		config.certspath = certspath
+	}
+}
+
+func ClientCerts(clientKey, clientCert string) ClientOption {
+	return func(config *RealisConfig) {
+		config.clientkey, config.clientcert = clientKey, clientCert
+	}
+}
+
 // Using the word set to avoid name collision with Interface
 func SetLogger(l Logger) ClientOption {
 	return func(config *RealisConfig) {
@ -163,8 +186,8 @@ func SetLogger(l Logger) ClientOption {
 	}
 }

-func newTJSONTransport(url string, timeout int) (thrift.TTransport, error) {
-	trans, err := defaultTTransport(url, timeout)
+func newTJSONTransport(url string, timeout int, config *RealisConfig) (thrift.TTransport, error) {
+	trans, err := defaultTTransport(url, timeout, config)
 	if err != nil {
 		return nil, errors.Wrap(err, "Error creating realis")
 	}
@ -174,8 +197,8 @@ func newTJSONTransport(url string, timeout int) (thrift.TTransport, error) {
 	return trans, err
 }

-func newTBinTransport(url string, timeout int) (thrift.TTransport, error) {
-	trans, err := defaultTTransport(url, timeout)
+func newTBinTransport(url string, timeout int, config *RealisConfig) (thrift.TTransport, error) {
+	trans, err := defaultTTransport(url, timeout, config)
 	if err != nil {
 		return nil, errors.Wrap(err, "Error creating realis")
 	}
@ -228,7 +251,7 @@ func NewRealisClient(options ...ClientOption) (Realis, error) {
 	}

 	if config.jsonTransport {
-		trans, err := newTJSONTransport(url, config.timeoutms)
+		trans, err := newTJSONTransport(url, config.timeoutms, config)
 		if err != nil {
 			return nil, errors.Wrap(err, "Error creating realis")
 		}
@ -236,7 +259,7 @@ func NewRealisClient(options ...ClientOption) (Realis, error) {
 		config.protoFactory = thrift.NewTJSONProtocolFactory()

 	} else if config.binTransport {
-		trans, err := newTBinTransport(url, config.timeoutms)
+		trans, err := newTBinTransport(url, config.timeoutms, config)
 		if err != nil {
 			return nil, errors.Wrap(err, "Error creating realis")
 		}
@ -283,17 +306,62 @@ func GetDefaultClusterFromZKUrl(zkurl string) *Cluster {
 	}
 }

+func Getcerts(certpath string) (*x509.CertPool, error) {
+	globalRootCAs := x509.NewCertPool()
+	caFiles, err := ioutil.ReadDir(certpath)
+	if err != nil {
+		return nil, err
+	}
+	for _, cert := range caFiles {
+		capathfile := filepath.Join(certpath, cert.Name())
+		caCert, err := ioutil.ReadFile(capathfile)
+		if err != nil {
+			return nil, err
+		}
+		globalRootCAs.AppendCertsFromPEM(caCert)
+	}
+	return globalRootCAs, nil
+}
+
 // Creates a default Thrift Transport object for communications in gorealis using an HTTP Post Client
-func defaultTTransport(urlstr string, timeoutms int) (thrift.TTransport, error) {
+func defaultTTransport(urlstr string, timeoutms int, config *RealisConfig) (thrift.TTransport, error) {
 	jar, err := cookiejar.New(nil)
 	if err != nil {
 		return &thrift.THttpClient{}, errors.Wrap(err, "Error creating Cookie Jar")
 	}
-	transport := &http.Transport{
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+	var transport http.Transport
+	if config != nil {
+		tlsConfig := &tls.Config{}
+		if config.InsecureSkipVerify {
+			tlsConfig.InsecureSkipVerify = true
+		}
+		if config.certspath != "" {
+			rootCAs, err := Getcerts("examples/certs")
+			if err != nil {
+				config.logger.Println("error occured couldn't fetch certs")
+				return nil, err
+			}
+			tlsConfig.RootCAs = rootCAs
+		}
+		if config.clientkey != "" && config.clientcert == "" {
+			return nil, fmt.Errorf("have to provide both client key,cert. Only client key provided ")
+		}
+		if config.clientkey == "" && config.clientcert != "" {
+			return nil, fmt.Errorf("have to provide both client key,cert. Only client cert provided ")
+		}
+		if config.clientkey != "" && config.clientcert != "" {
+			cert, err := tls.LoadX509KeyPair(config.clientcert, config.clientkey)
+			if err != nil {
+				config.logger.Println("error occured loading client certs and keys")
+				return nil, err
+			}
+			tlsConfig.Certificates = []tls.Certificate{cert}
+		}
+		transport.TLSClientConfig = tlsConfig
 	}
+
 	trans, err := thrift.NewTHttpPostClientWithOptions(urlstr+"/api",
-		thrift.THttpClientOptions{Client: &http.Client{Timeout: time.Millisecond * time.Duration(timeoutms), Transport: transport, Jar: jar}})
+		thrift.THttpClientOptions{Client: &http.Client{Timeout: time.Millisecond * time.Duration(timeoutms), Transport: &transport, Jar: jar}})

 	if err != nil {
 		return &thrift.THttpClient{}, errors.Wrap(err, "Error creating transport")
@ -308,13 +376,13 @@ func defaultTTransport(urlstr string, timeoutms int) (thrift.TTransport, error)

 // Create a default configuration of the transport layer, requires a URL to test connection with.
 // Uses HTTP Post as transport layer and Thrift JSON as the wire protocol by default.
-func newDefaultConfig(url string, timeoutms int) (*RealisConfig, error) {
-	return newTJSONConfig(url, timeoutms)
+func newDefaultConfig(url string, timeoutms int, config *RealisConfig) (*RealisConfig, error) {
+	return newTJSONConfig(url, timeoutms, config)
 }

 // Creates a realis config object using HTTP Post and Thrift JSON protocol to communicate with Aurora.
-func newTJSONConfig(url string, timeoutms int) (*RealisConfig, error) {
-	trans, err := defaultTTransport(url, timeoutms)
+func newTJSONConfig(url string, timeoutms int, config *RealisConfig) (*RealisConfig, error) {
+	trans, err := defaultTTransport(url, timeoutms, config)
 	if err != nil {
 		return &RealisConfig{}, errors.Wrap(err, "Error creating realis config")
 	}
@ -327,8 +395,8 @@ func newTJSONConfig(url string, timeoutms int) (*RealisConfig, error) {
 }

 // Creates a realis config config using HTTP Post and Thrift Binary protocol to communicate with Aurora.
-func newTBinaryConfig(url string, timeoutms int) (*RealisConfig, error) {
-	trans, err := defaultTTransport(url, timeoutms)
+func newTBinaryConfig(url string, timeoutms int, config *RealisConfig) (*RealisConfig, error) {
+	trans, err := defaultTTransport(url, timeoutms, config)
 	if err != nil {
 		return &RealisConfig{}, errors.Wrap(err, "Error creating realis config")
 	}
@ -370,18 +438,18 @@ func (r *realisClient) ReestablishConn() error {
 		//Re-establish using cluster object.
 		url, err = LeaderFromZK(*r.config.cluster)
 		if err != nil {
-			fmt.Errorf("LeaderFromZK error: %+v\n ", err)
+			r.config.logger.Println("LeaderFromZK error: %+v\n ", err)
 		}
 		r.logger.Println("ReestablishConn url: ", url)
 		if r.config.jsonTransport {
-			trans, err := newTJSONTransport(url, r.config.timeoutms)
+			trans, err := newTJSONTransport(url, r.config.timeoutms, r.config)
 			if err != nil {
 				return errors.Wrap(err, "Error creating realis")
 			}
 			r.config.transport = trans
 			r.config.protoFactory = thrift.NewTJSONProtocolFactory()
 		} else if r.config.binTransport {
-			trans, err := newTBinTransport(url, r.config.timeoutms)
+			trans, err := newTBinTransport(url, r.config.timeoutms, r.config)
 			if err != nil {
 				return errors.Wrap(err, "Error creating realis")
 			}
@ -400,14 +468,14 @@ func (r *realisClient) ReestablishConn() error {
 		//Re-establish using scheduler url.
 		r.logger.Println("ReestablishConn url: ", r.config.url)
 		if r.config.jsonTransport {
-			trans, err := newTJSONTransport(url, r.config.timeoutms)
+			trans, err := newTJSONTransport(url, r.config.timeoutms, r.config)
 			if err != nil {
 				return errors.Wrap(err, "Error creating realis")
 			}
 			r.config.transport = trans
 			r.config.protoFactory = thrift.NewTJSONProtocolFactory()
 		} else if r.config.binTransport {
-			trans, err := newTBinTransport(url, r.config.timeoutms)
+			trans, err := newTBinTransport(url, r.config.timeoutms, r.config)
 			if err != nil {
 				return errors.Wrap(err, "Error creating realis")
 			}