From 45542bfd67d8b55afcaf65530ddabb77caeecd46 Mon Sep 17 00:00:00 2001
From: "Joshua M. Boniface"
Date: Thu, 27 Aug 2020 13:23:24 -0400
Subject: [PATCH] Avoid verifying SSL on local connections

Since these will almost always connect to an IP rather than a "real" hostname, don't verify the SSL cert (if applicable). Also allow the overriding of SSL verification via an environment variable. As a consequence, to reduce spam, SSL warnings are disabled for urllib3. Instead, we warn in the "Using cluster" output whenever verification is disabled.
---
 client-cli/cli_lib/common.py | 17 ++++++++++++-----
 client-cli/pvc.py | 11 ++++++++++-
 2 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/client-cli/cli_lib/common.py b/client-cli/cli_lib/common.py
index 9ce3b956..78a13653 100644
--- a/client-cli/cli_lib/common.py
+++ b/client-cli/cli_lib/common.py
@@ -26,6 +26,7 @@ import math
 import time
 import requests
 import click
+from urllib3 import disable_warnings
 def format_bytes(size_bytes):
 byte_unit_matrix = {
@@ -125,13 +126,15 @@ def call_api(config, operation, request_uri, headers={}, params=None, data=None,
 headers['X-Api-Key'] = config['api_key']
 # Determine the request type and hit the API
+ disable_warnings()
 try:
 if operation == 'get':
 response = requests.get(
 uri,
 headers=headers,
 params=params,
- data=data
+ data=data,
+ verify=config['verify_ssl']
 )
 if operation == 'post':
 response = requests.post(
@@ -139,7 +142,8 @@ def call_api(config, operation, request_uri, headers={}, params=None, data=None,
 headers=headers,
 params=params,
 data=data,
- files=files
+ files=files,
+ verify=config['verify_ssl']
 )
 if operation == 'put':
 response = requests.put(
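Review bot: The added `disable_warnings()` above the `try:` in call_api runs on every call and passes no category, so it silences urllib3's whole HTTPWarning family for the process even when `config['verify_ssl']` is true. Scope it to the insecure case and the one warning it is meant to hide: `if not config['verify_ssl']: disable_warnings(InsecureRequestWarning)`, with `from urllib3.exceptions import InsecureRequestWarning` next to the new import. The context line `headers['X-Api-Key'] = config['api_key']` shows the API key travels on these requests, so with `verify=False` it is sent to whatever endpoint answers without its certificate being checked; a short comment at the first `verify=config['verify_ssl']` saying so would help the next reader, and it applies equally to the `verify=` arguments added in the -139 and -147 hunks. call_api begins and ends outside these hunks.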
@@ -147,21 +151,24 @@ def call_api(config, operation, request_uri, headers={}, params=None, data=None,
 headers=headers,
 params=params,
 data=data,
- files=files
+ files=files,
+ verify=config['verify_ssl']
 )
 if operation == 'patch':
 response = requests.patch(
 uri,
 headers=headers,
 params=params,
- data=data
+ data=data,
+ verify=config['verify_ssl']
 )
 if operation == 'delete':
 response = requests.delete(
 uri,
 headers=headers,
 params=params,
- data=data
+ data=data,
+ verify=config['verify_ssl']
 )
 except Exception as e:
 message = 'Failed to connect to the API: {}'.format(e)
diff --git a/client-cli/pvc.py b/client-cli/pvc.py
index da7252b4..b236dcf7 100755
--- a/client-cli/pvc.py
+++ b/client-cli/pvc.py
@@ -106,6 +106,10 @@ def get_config(store_data, cluster=None):
 config['api_scheme'] = scheme
 config['api_key'] = api_key
 config['api_prefix'] = prefix
+ if cluster == 'local':
+ config['verify_ssl'] = False
+ else:
+ config['verify_ssl'] = bool(strtobool(os.environ.get('PVC_CLIENT_VERIFY_SSL', 'True')))
 return config
@@ -3626,11 +3630,16 @@ def cli(_cluster, _debug, _quiet):
 config['debug'] = _debug
 if not _quiet:
+ if config['api_scheme'] == 'https' and not config['verify_ssl']:
+ ssl_unverified_msg=' (unverified)'
+ else:
+ ssl_unverified_msg=''
 click.echo(
- 'Using cluster "{}" - Host: "{}" Scheme: "{}" Prefix: "{}"'.format(
+ 'Using cluster "{}" - Host: "{}" Scheme: "{}{}" Prefix: "{}"'.format(
 config['cluster'],
 config['api_host'],
 config['api_scheme'],
+ ssl_unverified_msg,
 config['api_prefix']
 ),
 err=True
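Review bot: In get_config the `cluster == 'local'` branch forces `verify_ssl` to False and never reads `PVC_CLIENT_VERIFY_SSL`, so a local cluster whose certificate does validate cannot opt back in to verification. Making False only the default keeps the convenience: `default = 'False' if cluster == 'local' else 'True'`, then `config['verify_ssl'] = bool(strtobool(os.environ.get('PVC_CLIENT_VERIFY_SSL', default)))`. If this is the distutils `strtobool`, an unrecognised value raises ValueError, which would surface as a traceback from config loading; catching it and falling back to True would fail closed. Neither `strtobool` nor `os` is imported in the visible hunks, so confirm both are already in scope in pvc.py. get_config begins outside the hunk.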
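Review bot: The ` (unverified)` marker in cli is built and printed only inside `if not _quiet:`, so with the quiet flag set nothing reports that certificate verification is off, and per the commit message the urllib3 warnings are suppressed as well. Consider emitting a one-line notice on stderr outside the quiet branch whenever `config['api_scheme'] == 'https' and not config['verify_ssl']`, or at least document in a comment that quiet mode hides it. On style, the two `ssl_unverified_msg=` assignments lack spaces around `=`, and a conditional expression would replace the four-line if/else: `ssl_unverified_msg = ' (unverified)' if config['api_scheme'] == 'https' and not config['verify_ssl'] else ''`. cli starts before and continues past the hunk.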