Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

S3 disable ssl verify #131

Merged
merged 18 commits into from
Dec 10, 2020
Merged

S3 disable ssl verify #131

merged 18 commits into from
Dec 10, 2020

Conversation

kkellerlbl
Copy link
Member

@kkellerlbl kkellerlbl commented Dec 10, 2020
edited
Loading

Add a configuration option (default to false) that disables verification of the S3 SSL certificate (for example, if it is self-signed).

  • Add support for s3-disable-ssl-verify flag (default false)
  • Have minioClient constructor honor new flag
  • Have awscli constructor honor new flag
  • Have http.NewRequest honor new flag (will need to add option to NewS3FileStore constructor)
  • Add tests for self-signed cert flag
  • Test against a minio with a self-signed cert in a deploy env
  • Update version, documentation and release notes

@kkellerlbl
Add s3-disable-ssl-verify to deploy.cfg.example
43af738
@kkellerlbl
Update deploy.cfg.example
c8db282
@kkellerlbl
Update deploy.cfg.example
3c0abc1
@kkellerlbl
Add code for s3-disable-ssl-verify key
3d5d0f8
@kkellerlbl
Support for not verifying cert of minio client
498c49b
@kkellerlbl
Update build.go
c88336f
@kkellerlbl
Use same creds for minio as for aws
32811ed 
...and hope minio creds can use the AWS creds object
@kkellerlbl
Use old style minio.NewWithRegion call
90038ac 
NewWithRegion doesn't seem to like the (url, &minio.Options) call.  Try using the older (documented) style with this for setting a custom transport: minio/minio-go#1019
@kkellerlbl
Add tls
3a1b161 
Forgot import
@kkellerlbl
Update build.go
291f871
@kkellerlbl
Add custom client to awscli
0027c01 
Adapted from aws/aws-sdk-go#2404
@kkellerlbl
fix spacing
3c3c114
@kkellerlbl
Add disableSSLverify boolean to NewS3FileStore
d384205 
Still need to add flag to actual http.NewRequest call in StoreFile()
@kkellerlbl
Add S3DisableSSLVerify to NewS3FileStore call
266b120
@kkellerlbl
add disableSSLVerify false to calls to NewS3FileStore
4ac2e70 
NewS3FileStore() takes an additional boolean argument for disableSSLVerify.  Hardcode `false` to each of those calls in the test suite.
@kkellerlbl
Disable ssl verify in PUT
2202920 
For example, when using a self-signed certificate, disable verifying the cert in the PUT of a new object.
@kkellerlbl
Add import
7a0bed7 
Need crypto/tls to specify custom transport config.
@kkellerlbl
Use Client
3d4ff6f 
instead of DefaultClient (unsure what the real difference is if http.Client() just starts with a DefaultClient)
@codecov
Copy link

codecov bot commented Dec 10, 2020
edited
Loading

Codecov Report

Merging #131 (3d4ff6f) into s3-disable-ssl-verify (5db1e52) will increase coverage by 0.05%.
The diff coverage is 100.00%.

Impacted file tree graph

@@                    Coverage Diff                    @@
##           s3-disable-ssl-verify     #131      +/-   ##
=========================================================
+ Coverage                  91.14%   91.20%   +0.05%     
=========================================================
  Files                         14       14              
  Lines                       1412     1421       +9     
=========================================================
+ Hits                        1287     1296       +9     
  Misses                        92       92              
  Partials                      33       33
Impacted Files Coverage Δ
config/config.go 100.00% <100.00%> (ø)
filestore/s3.go 90.41% <100.00%> (+0.20%) ⬆️
service/build.go 62.74% <100.00%> (+3.17%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 5db1e52...3d4ff6f. Read the comment docs.

@kkellerlbl kkellerlbl merged commit cd6ed76 into kbase:s3-disable-ssl-verify Dec 10, 2020
MrCreosote
MrCreosote reviewed Dec 10, 2020
View reviewed changes
Copy link
Member

@MrCreosote MrCreosote left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, just a few smallish comments

deploy.cfg.example Show resolved Hide resolved
deploy.cfg.example Show resolved Hide resolved
filestore/s3.go
TLSClientConfig: &tls.Config{InsecureSkipVerify: fs.disableSSLverify},
}
// Timeout: time.Second * 10,
httpClient := &http.Client{
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here we're creating a new client for every request, vs. http.DefaultClient which reuses a client. Do the client docs have any advice about this? The Java client recommends you share one client per process, for example.

If we want to share a client, I'd just create the client in the build code and replace the disableSSLverify arg with the client.

filestore/s3_test.go
@@ -83,7 +83,7 @@ func (t *TestSuite) TestConstructWithGoodBucketNames() {
ls := b.String()
t.Equal(63, len(ls), "incorrect string length")
for _, bucket := range []string{"foo", ls} {
fstore, err := NewS3FileStore(cli, min, bucket)
fstore, err := NewS3FileStore(cli, min, bucket, false)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would disable ssl for one of the happy path tests so the code is exercised, if not tested completely, and add a note to the top of the test file to that effect.

service/build.go Show resolved Hide resolved
service/build.go
awscli := s3.New(sess, &aws.Config{
Credentials: creds,
Endpoint: &cfg.S3Host,
Region: &cfg.S3Region,
DisableSSL: &cfg.S3DisableSSL,
HTTPClient: customHTTPClient,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm worried here that we're blowing away any specific http client customizations the aws and minio clients do. Are there any docs about that?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not that I could find.

config/config.go
@@ -35,6 +35,10 @@ const (
// KeyS3DisableSSL is the configuration key that determines whether SSL is to be used.
// any value other than 'true' is treated as false.
KeyS3DisableSSL = "s3-disable-ssl"
// KeyS3DisableSSLVerify is the configuration key that determines whether to verify the
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add tests for the new code here to https://github.com/kbase/blobstore/blob/master/config/config_test.go

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MrCreosote MrCreosote MrCreosote left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@kkellerlbl @MrCreosote