From 1db2e7eaf3f266bc6eeb13cb4d9752ebb48daa40 Mon Sep 17 00:00:00 2001 From: mpl Date: Tue, 7 Jan 2014 19:21:24 -0800 Subject: [PATCH] pkg/client: auth and (camtool) TLS fixes 1) disallow auth from env when not in dev mode or on android 2) allow insecureTLS with flag in debug mode 3) set transport so that insecureTLS or trustedCert modes work http://camlistore.org/issue/325 Change-Id: I6d8056bb75ffff5f002dfe9bd631ae996dc4e5ef --- cmd/camtool/index.go | 14 ++++++++++++-- cmd/camtool/sync.go | 35 +++++++++++++++++++++++++++++------ pkg/client/config.go | 24 ++++++++++++++---------- 3 files changed, 55 insertions(+), 18 deletions(-) diff --git a/cmd/camtool/index.go b/cmd/camtool/index.go index 9dc2b0249..829f0027e 100644 --- a/cmd/camtool/index.go +++ b/cmd/camtool/index.go @@ -19,15 +19,18 @@ package main import ( "flag" "fmt" + "net/http" "os" + "strconv" "camlistore.org/pkg/client" "camlistore.org/pkg/cmdmain" ) type indexCmd struct { - verbose bool - wipe bool + verbose bool + wipe bool + insecureTLS bool } func init() { @@ -35,6 +38,9 @@ func init() { cmd := new(indexCmd) flags.BoolVar(&cmd.verbose, "verbose", false, "Be verbose.") flags.BoolVar(&cmd.wipe, "wipe", false, "Erase and recreate all discovered indexes. NOOP for now.") + if debug, _ := strconv.ParseBool(os.Getenv("CAMLI_DEBUG")); debug { + flags.BoolVar(&cmd.insecureTLS, "insecure", false, "If set, when using TLS, the server's certificates verification is disabled, and they are not checked against the trustedCerts in the client configuration either.") + } return cmd }) } @@ -79,6 +85,10 @@ func (c *indexCmd) sync(from, to string) error { func (c *indexCmd) discoClient() *client.Client { var cl *client.Client cl = client.NewOrFail() + cl.InsecureTLS = c.insecureTLS + cl.SetHTTPClient(&http.Client{ + Transport: cl.TransportForConfig(nil), + }) cl.SetupAuth() return cl } diff --git a/cmd/camtool/sync.go b/cmd/camtool/sync.go index 2472c477e..961038675 100644 --- a/cmd/camtool/sync.go +++ b/cmd/camtool/sync.go @@ -21,7 +21,9 @@ import ( "flag" "fmt" "log" + "net/http" "os" + "strconv" "strings" "time" @@ -38,11 +40,12 @@ type syncCmd struct { dest string third string - loop bool - verbose bool - all bool - removeSrc bool - wipe bool + loop bool + verbose bool + all bool + removeSrc bool + wipe bool + insecureTLS bool logger *log.Logger } @@ -59,6 +62,10 @@ func init() { flags.BoolVar(&cmd.wipe, "wipe", false, "If dest is an index, drop it and repopulate it from scratch. NOOP for now.") flags.BoolVar(&cmd.all, "all", false, "Discover all sync destinations configured on the source server and run them.") flags.BoolVar(&cmd.removeSrc, "removesrc", false, "Remove each blob from the source after syncing to the destination; for queue processing.") + // TODO(mpl): maybe move this flag up to the client pkg as an AddFlag, as it can be used by all commands. + if debug, _ := strconv.ParseBool(os.Getenv("CAMLI_DEBUG")); debug { + flags.BoolVar(&cmd.insecureTLS, "insecure", false, "If set, when using TLS, the server's certificates verification is disabled, and they are not checked against the trustedCerts in the client configuration either.") + } return cmd }) @@ -163,7 +170,10 @@ func (c *syncCmd) storageFromParam(which storageType, val string) (blobserver.St return disk, nil } cl := client.New(val) - // TODO(mpl): probably needs the transport setup for trusted certs here. + cl.InsecureTLS = c.insecureTLS + cl.SetHTTPClient(&http.Client{ + Transport: cl.TransportForConfig(nil), + }) cl.SetupAuth() cl.SetLogger(c.logger) return cl, nil @@ -206,9 +216,17 @@ func (c *syncCmd) syncAll() error { for _, sh := range syncHandlers { from := client.New(sh.From) from.SetLogger(c.logger) + from.InsecureTLS = c.insecureTLS + from.SetHTTPClient(&http.Client{ + Transport: from.TransportForConfig(nil), + }) from.SetupAuth() to := client.New(sh.To) to.SetLogger(c.logger) + to.InsecureTLS = c.insecureTLS + to.SetHTTPClient(&http.Client{ + Transport: to.TransportForConfig(nil), + }) to.SetupAuth() if c.verbose { log.Printf("Now syncing: %v -> %v", sh.From, sh.To) @@ -235,6 +253,11 @@ func (c *syncCmd) discoClient() *client.Client { } else { cl = client.New(c.src) } + cl.SetLogger(c.logger) + cl.InsecureTLS = c.insecureTLS + cl.SetHTTPClient(&http.Client{ + Transport: cl.TransportForConfig(nil), + }) cl.SetupAuth() return cl } diff --git a/pkg/client/config.go b/pkg/client/config.go index 5a6164fb1..808d292b0 100644 --- a/pkg/client/config.go +++ b/pkg/client/config.go @@ -278,24 +278,28 @@ func (c *Client) useTLS() bool { return strings.HasPrefix(c.server, "https://") } -// SetupAuth sets the client's authMode from the client configuration file or from the environment. +// SetupAuth sets the client's authMode. It tries from the environment first if we're on android or in dev mode, and then from the client configuration. func (c *Client) SetupAuth() error { - // env var always takes precendence - authMode, err := auth.FromEnv() - if err == nil { - c.authMode = authMode - return nil - } - if err != auth.ErrNoAuth { - return fmt.Errorf("Could not set up auth from env var CAMLI_AUTH: %v", err) + // env var takes precedence, but only if we're in dev mode or on android. + // Too risky otherwise. + if android.OnAndroid() || os.Getenv("CAMLI_DEV_CAMLI_ROOT") != "" { + authMode, err := auth.FromEnv() + if err == nil { + c.authMode = authMode + return nil + } + if err != auth.ErrNoAuth { + return fmt.Errorf("Could not set up auth from env var CAMLI_AUTH: %v", err) + } } if c.server == "" { - return fmt.Errorf("CAMLI_AUTH not set and no server defined: can not set up auth.") + return fmt.Errorf("No server defined for this client: can not set up auth.") } authConf := serverAuth(c.server) if authConf == "" { return fmt.Errorf("Could not find auth key for server %q in config", c.server) } + var err error c.authMode, err = auth.FromConfig(authConf) return err }