Avoid verifying SSL on local connections

Since these will almost always connect to an IP rather than a "real"
hostname, don't verify the SSL cert (if applicable). Also allow the
overriding of SSL verification via an environment variable.

As a consequence, to reduce spam, SSL warnings are disabled for urllib3.
Instead, we warn in the "Using cluster" output whenever verification is
disabled.
Joshua Boniface 2020-08-27 13:23:24 -04:00
parent 7bf91b1003
commit 45542bfd67
2 changed files with 22 additions and 6 deletions


@ -26,6 +26,7 @@ import math
import time
import requests
import click
from urllib3 import disable_warnings
def format_bytes(size_bytes):
byte_unit_matrix = {
@ -125,13 +126,15 @@ def call_api(config, operation, request_uri, headers={}, params=None, data=None,
headers['X-Api-Key'] = config['api_key']
# Determine the request type and hit the API
disable_warnings()
try:
if operation == 'get':
response = requests.get(
uri,
headers=headers,
params=params,
data=data
data=data,
verify=config['verify_ssl']
)
if operation == 'post':
response = requests.post(
@ -139,7 +142,8 @@ def call_api(config, operation, request_uri, headers={}, params=None, data=None,
headers=headers,
params=params,
data=data,
files=files
files=files,
verify=config['verify_ssl']
)
if operation == 'put':
response = requests.put(
@ -147,21 +151,24 @@ def call_api(config, operation, request_uri, headers={}, params=None, data=None,
headers=headers,
params=params,
data=data,
files=files
files=files,
verify=config['verify_ssl']
)
if operation == 'patch':
response = requests.patch(
uri,
headers=headers,
params=params,
data=data
data=data,
verify=config['verify_ssl']
)
if operation == 'delete':
response = requests.delete(
uri,
headers=headers,
params=params,
data=data
data=data,
verify=config['verify_ssl']
)
except Exception as e:
message = 'Failed to connect to the API: {}'.format(e)
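Review bot: `disable_warnings()` is called unconditionally just before the `try:` in call_api, so every urllib3 warning category is silenced process-wide on each API call, including when `config['verify_ssl']` is True. Restricting it to the unverified case and to the one relevant warning keeps other TLS diagnostics visible: `if not config['verify_ssl']: disable_warnings(InsecureRequestWarning)`, with `from urllib3.exceptions import InsecureRequestWarning` at the top of the file. The five `verify=config['verify_ssl']` arguments index the key directly, so a config dict that lacks it raises KeyError inside the `try`, and the broad `except Exception` reports that as "Failed to connect to the API"; `config.get('verify_ssl', True)` would fail safe instead. call_api begins and ends outside these hunks, so this is based only on the visible lines.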


@ -106,6 +106,10 @@ def get_config(store_data, cluster=None):
config['api_scheme'] = scheme
config['api_key'] = api_key
config['api_prefix'] = prefix
if cluster == 'local':
config['verify_ssl'] = False
else:
config['verify_ssl'] = bool(strtobool(os.environ.get('PVC_CLIENT_VERIFY_SSL', 'True')))
return config
@ -3626,11 +3630,16 @@ def cli(_cluster, _debug, _quiet):
config['debug'] = _debug
if not _quiet:
if config['api_scheme'] == 'https' and not config['verify_ssl']:
ssl_unverified_msg=' (unverified)'
else:
ssl_unverified_msg=''
click.echo(
'Using cluster "{}" - Host: "{}" Scheme: "{}" Prefix: "{}"'.format(
'Using cluster "{}" - Host: "{}" Scheme: "{}{}" Prefix: "{}"'.format(
config['cluster'],
config['api_host'],
config['api_scheme'],
ssl_unverified_msg,
config['api_prefix']
),
err=True
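Review bot: In the get_config hunk, the `cluster == 'local'` branch sets `verify_ssl` to False before `PVC_CLIENT_VERIFY_SSL` is read, so verification cannot be re-enabled for a local connection even though call_api sends the `X-Api-Key` header over that channel. Letting the variable win and using False only as the local default keeps the intended convenience: `default = 'False' if cluster == 'local' else 'True'` followed by `config['verify_ssl'] = bool(strtobool(os.environ.get('PVC_CLIENT_VERIFY_SSL', default)))`. If `strtobool` is the distutils helper (its import is not visible here), an unrecognised value such as an empty string raises ValueError, and nothing in the visible lines catches it. A short comment on the branch saying that verification is skipped because local clusters are addressed by IP would record the trade-off for the next reader. get_config begins outside the hunk.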