Thanks to visit codestin.com
Credit goes to github.com

Skip to content
This repository was archived by the owner on Aug 14, 2020. It is now read-only.

discovery: add insecureTls flag to skip TLS checks #551

Merged
merged 2 commits into from
Dec 5, 2015
Merged

discovery: add insecureTls flag to skip TLS checks #551

merged 2 commits into from
Dec 5, 2015

Conversation

@alban
Copy link
Member

@alban alban commented Dec 2, 2015

The "insecure" was previously used to allow http. This is now split into
two flags "insecureHttp" and "insecureTls".

Related to #545

/cc @krnowak

I will need this for tests in rkt, see rkt/rkt#1822.

@alban alban force-pushed the alban/discovery-insecure branch from 7600119 to fe1d9d1 Compare December 2, 2015 16:55
@jonboulle
Copy link
Contributor

Should we use bit flags rather than separate bools or are we pretty confident these are the only two there'll ever be?

@krnowak
Copy link
Member

krnowak commented Dec 3, 2015

@jonboulle: As stated in #545 by @alban - we will likely need three flags - one for allowing connections over unencrypted HTTP, one for skipping TLS certificates verification and one for allowing credentials passing over insecure connections (either HTTP or HTTPS with unverified TLS certificates).

So I guess it would be better to have bit flags.

Another solution, quicker and less dirty than 3 bools, would be separate bool-like, self-documenting types (like in https://github.com/coreos/rkt/blob/master/rkt/pubkey/pubkey.go#L42)

krnowak
krnowak reviewed Dec 3, 2015
View reviewed changes
discovery/http.go Outdated
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You could probably do a shallow copy of http.DefaultTransport and modify the TLSClientConfig field.

tInsecureTls := *http.DefaultTransport
tInsecureTls.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
ClientInsecureTls = &http.Client{
    Transport: &tInsecureTls,
}

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated

@krnowak
Copy link
Member

krnowak commented Dec 3, 2015

This PR doesn't allow to skip sending credentials over HTTP.

@alban alban force-pushed the alban/discovery-insecure branch from fe1d9d1 to 29bafaa Compare December 3, 2015 10:50
@alban
Copy link
Member Author

alban commented Dec 3, 2015

Updated with a bit field for discovery.InsecureOption.

This PR doesn't allow to skip sending credentials over HTTP

Can this be done separately? Now that it is a bitfield, it should be possible to add after without changing the function prototype.

alban added a commit to kinvolk/rkt that referenced this pull request Dec 3, 2015
@alban
Godeps: cherry-picking appc/spec#551 (discovery InsecureOption)
a9f1cea 
Based on appc/spec#551
@alban alban mentioned this pull request Dec 3, 2015
Merged
krnowak
krnowak reviewed Dec 3, 2015
View reviewed changes
actool/discover.go Outdated
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about insecure := discovery.InsecureNone?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated.

@krnowak
Copy link
Member

krnowak commented Dec 3, 2015

Looks fine, but the testing is not sufficient.

@alban alban force-pushed the alban/discovery-insecure branch from 29bafaa to 296ac04 Compare December 3, 2015 12:03
@alban
discovery: add insecure flags for http and tls
dec3590 
The "insecure" bool was previously used to allow http. This is now
changed to a bit field with "InsecureHttp" and "InsecureTls".

Related to appc#545
@alban alban force-pushed the alban/discovery-insecure branch from 296ac04 to dec3590 Compare December 3, 2015 15:33
@alban
Copy link
Member Author

alban commented Dec 3, 2015

@krnowak ready for another review :)

krnowak
krnowak reviewed Dec 3, 2015
View reviewed changes
discovery/discovery_test.go Outdated
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we handle the case when err == nil and tt.expectDiscoverySuccess == false?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok, fixed in a separate commit.

@krnowak
Copy link
Member

krnowak commented Dec 3, 2015

One question, but otherwise LFAD. But won't merge it anyway, I have no power here.

@alban
discovery: tests: check expected failure condition
7378de0 
The test cases where a failure was expected was not tested correctly.
@alban
Copy link
Member Author

alban commented Dec 4, 2015

Branch updated.

alban added a commit to kinvolk/rkt that referenced this pull request Dec 4, 2015
@alban
Godeps: cherry-picking appc/spec#551 (discovery InsecureOption)
c67b4c8 
Based on appc/spec#551
@alban
Copy link
Member Author

alban commented Dec 4, 2015

@jonboulle can you review this? :)

@jonboulle
Copy link
Contributor

thanks!

jonboulle added a commit that referenced this pull request Dec 5, 2015
@jonboulle
Merge pull request #551 from kinvolk/alban/discovery-insecure
f4a6203 
discovery: add insecureTls flag to skip TLS checks
@jonboulle jonboulle merged commit f4a6203 into appc:master Dec 5, 2015
alban added a commit to kinvolk/rkt that referenced this pull request Dec 5, 2015
@alban
Godeps: cherry-picking appc/spec#551 (discovery InsecureOption)
c676c89 
Based on appc/spec#551
alban added a commit to kinvolk/rkt that referenced this pull request Dec 8, 2015
@alban
Godeps: cherry-picking appc/spec#551 (discovery InsecureOption)
7a5d9b6 
Based on appc/spec#551
@iaguis iaguis mentioned this pull request Jan 19, 2016
Open
@alban
Copy link
Member Author

alban commented Jan 19, 2016

For the record, this is in v0.7.4

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

component/discovery component/tooling

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@alban @jonboulle @krnowak