618637a5bd
Custom SSL handling was introduced because disabling SSL layer compression provided an approximately five fold performance increase in some cases. Without SSL layer compression disabled the image transfer would be CPU bound -- with the CPU performing the DEFLATE algorithm. This would typically limit image transfers to < 20 MB/s. When --no-ssl-compression was specified the client would not negotiate any compression algorithm during the SSL handshake with the server which would remove the CPU bottleneck and transfers could approach wire speed. In order to support '--no-ssl-compression' two totally separate code paths exist depending on whether this is True or False. When SSL compression is disabled, rather than using the standard 'requests' library, we enter some custom code based on pyopenssl and httplib in order to disable compression. This patch/spec proposes removing the custom code because: * It is a burden to maintain Eg adding new code such as keystone session support is more complicated * It can introduce additional failure modes We have seen some bugs related to the 'custom' certificate checking * Newer Operating Systems disable SSL for us. Eg. While Debian 7 defaulted to compression 'on', Debian 8 has compression 'off'. This makes both servers and client less likely to have compression enabled. * Newer combinations of 'requests' and 'python' do this for us Requests disables compression when backed by a version of python which supports it (>= 2.7.9). This makes clients more likely to disable compression out-of-the-box. * It is (in principle) possible to do this on older versions too If pyopenssl, ndg-httpsclient and pyasn1 are installed on older operating system/python combinations, the requests library should disable SSL compression on the client side. * Systems that have SSL compression enabled may be vulnerable to the CRIME (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4929) attack. Installations which are security conscious should be running the Glance server with SSL disabled. Full Spec: https://review.openstack.org/#/c/187674 Blueprint: remove-custom-client-ssl-handling Change-Id: I7e7761fc91b0d6da03939374eeedd809534f6edf
355 lines
14 KiB
Python
355 lines
14 KiB
Python
# Copyright 2012 OpenStack Foundation
|
|
# All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
import functools
|
|
import json
|
|
|
|
from keystoneclient.auth import token_endpoint
|
|
from keystoneclient import session
|
|
import mock
|
|
import requests
|
|
from requests_mock.contrib import fixture
|
|
import six
|
|
from six.moves.urllib import parse
|
|
from testscenarios import load_tests_apply_scenarios as load_tests # noqa
|
|
import testtools
|
|
from testtools import matchers
|
|
import types
|
|
|
|
import glanceclient
|
|
from glanceclient.common import http
|
|
from glanceclient.tests import utils
|
|
|
|
|
|
def original_only(f):
|
|
@functools.wraps(f)
|
|
def wrapper(self, *args, **kwargs):
|
|
if not hasattr(self.client, 'log_curl_request'):
|
|
self.skipTest('Skip logging tests for session client')
|
|
|
|
return f(self, *args, **kwargs)
|
|
|
|
|
|
class TestClient(testtools.TestCase):
|
|
|
|
scenarios = [
|
|
('httpclient', {'create_client': '_create_http_client'}),
|
|
('session', {'create_client': '_create_session_client'})
|
|
]
|
|
|
|
def _create_http_client(self):
|
|
return http.HTTPClient(self.endpoint, token=self.token)
|
|
|
|
def _create_session_client(self):
|
|
auth = token_endpoint.Token(self.endpoint, self.token)
|
|
sess = session.Session(auth=auth)
|
|
return http.SessionClient(sess)
|
|
|
|
def setUp(self):
|
|
super(TestClient, self).setUp()
|
|
self.mock = self.useFixture(fixture.Fixture())
|
|
|
|
self.endpoint = 'http://example.com:9292'
|
|
self.ssl_endpoint = 'https://example.com:9292'
|
|
self.token = u'abc123'
|
|
|
|
self.client = getattr(self, self.create_client)()
|
|
|
|
def test_identity_headers_and_token(self):
|
|
identity_headers = {
|
|
'X-Auth-Token': 'auth_token',
|
|
'X-User-Id': 'user',
|
|
'X-Tenant-Id': 'tenant',
|
|
'X-Roles': 'roles',
|
|
'X-Identity-Status': 'Confirmed',
|
|
'X-Service-Catalog': 'service_catalog',
|
|
}
|
|
# with token
|
|
kwargs = {'token': u'fake-token',
|
|
'identity_headers': identity_headers}
|
|
http_client_object = http.HTTPClient(self.endpoint, **kwargs)
|
|
self.assertEqual('auth_token', http_client_object.auth_token)
|
|
self.assertTrue(http_client_object.identity_headers.
|
|
get('X-Auth-Token') is None)
|
|
|
|
def test_identity_headers_and_no_token_in_header(self):
|
|
identity_headers = {
|
|
'X-User-Id': 'user',
|
|
'X-Tenant-Id': 'tenant',
|
|
'X-Roles': 'roles',
|
|
'X-Identity-Status': 'Confirmed',
|
|
'X-Service-Catalog': 'service_catalog',
|
|
}
|
|
# without X-Auth-Token in identity headers
|
|
kwargs = {'token': u'fake-token',
|
|
'identity_headers': identity_headers}
|
|
http_client_object = http.HTTPClient(self.endpoint, **kwargs)
|
|
self.assertEqual(u'fake-token', http_client_object.auth_token)
|
|
self.assertTrue(http_client_object.identity_headers.
|
|
get('X-Auth-Token') is None)
|
|
|
|
def test_identity_headers_and_no_token_in_session_header(self):
|
|
# Tests that if token or X-Auth-Token are not provided in the kwargs
|
|
# when creating the http client, the session headers don't contain
|
|
# the X-Auth-Token key.
|
|
identity_headers = {
|
|
'X-User-Id': 'user',
|
|
'X-Tenant-Id': 'tenant',
|
|
'X-Roles': 'roles',
|
|
'X-Identity-Status': 'Confirmed',
|
|
'X-Service-Catalog': 'service_catalog',
|
|
}
|
|
kwargs = {'identity_headers': identity_headers}
|
|
http_client_object = http.HTTPClient(self.endpoint, **kwargs)
|
|
self.assertIsNone(http_client_object.auth_token)
|
|
self.assertNotIn('X-Auth-Token', http_client_object.session.headers)
|
|
|
|
def test_identity_headers_are_passed(self):
|
|
# Tests that if token or X-Auth-Token are not provided in the kwargs
|
|
# when creating the http client, the session headers don't contain
|
|
# the X-Auth-Token key.
|
|
identity_headers = {
|
|
'X-User-Id': b'user',
|
|
'X-Tenant-Id': b'tenant',
|
|
'X-Roles': b'roles',
|
|
'X-Identity-Status': b'Confirmed',
|
|
'X-Service-Catalog': b'service_catalog',
|
|
}
|
|
kwargs = {'identity_headers': identity_headers}
|
|
http_client = http.HTTPClient(self.endpoint, **kwargs)
|
|
|
|
path = '/v1/images/my-image'
|
|
self.mock.get(self.endpoint + path)
|
|
http_client.get(path)
|
|
|
|
headers = self.mock.last_request.headers
|
|
for k, v in six.iteritems(identity_headers):
|
|
self.assertEqual(v, headers[k])
|
|
|
|
def test_connection_timeout(self):
|
|
"""Should receive an InvalidEndpoint if connection timeout."""
|
|
def cb(request, context):
|
|
raise requests.exceptions.Timeout
|
|
|
|
path = '/v1/images'
|
|
self.mock.get(self.endpoint + path, text=cb)
|
|
comm_err = self.assertRaises(glanceclient.exc.InvalidEndpoint,
|
|
self.client.get,
|
|
'/v1/images')
|
|
self.assertIn(self.endpoint, comm_err.message)
|
|
|
|
def test_connection_refused(self):
|
|
"""
|
|
|
|
Should receive a CommunicationError if connection refused.
|
|
And the error should list the host and port that refused the
|
|
connection
|
|
"""
|
|
def cb(request, context):
|
|
raise requests.exceptions.ConnectionError()
|
|
|
|
path = '/v1/images/detail?limit=20'
|
|
self.mock.get(self.endpoint + path, text=cb)
|
|
|
|
comm_err = self.assertRaises(glanceclient.exc.CommunicationError,
|
|
self.client.get,
|
|
'/v1/images/detail?limit=20')
|
|
|
|
self.assertIn(self.endpoint, comm_err.message)
|
|
|
|
def test_http_encoding(self):
|
|
path = '/v1/images/detail'
|
|
text = 'Ok'
|
|
self.mock.get(self.endpoint + path, text=text,
|
|
headers={"Content-Type": "text/plain"})
|
|
|
|
headers = {"test": u'ni\xf1o'}
|
|
resp, body = self.client.get(path, headers=headers)
|
|
self.assertEqual(text, resp.text)
|
|
|
|
def test_headers_encoding(self):
|
|
if not hasattr(self.client, 'encode_headers'):
|
|
self.skipTest('Cannot do header encoding check on SessionClient')
|
|
|
|
value = u'ni\xf1o'
|
|
headers = {"test": value, "none-val": None}
|
|
encoded = self.client.encode_headers(headers)
|
|
self.assertEqual(b"ni\xc3\xb1o", encoded[b"test"])
|
|
self.assertNotIn("none-val", encoded)
|
|
|
|
def test_raw_request(self):
|
|
"""Verify the path being used for HTTP requests reflects accurately."""
|
|
headers = {"Content-Type": "text/plain"}
|
|
text = 'Ok'
|
|
path = '/v1/images/detail'
|
|
|
|
self.mock.get(self.endpoint + path, text=text, headers=headers)
|
|
|
|
resp, body = self.client.get('/v1/images/detail', headers=headers)
|
|
self.assertEqual(headers, resp.headers)
|
|
self.assertEqual(text, resp.text)
|
|
|
|
def test_parse_endpoint(self):
|
|
endpoint = 'http://example.com:9292'
|
|
test_client = http.HTTPClient(endpoint, token=u'adc123')
|
|
actual = test_client.parse_endpoint(endpoint)
|
|
expected = parse.SplitResult(scheme='http',
|
|
netloc='example.com:9292', path='',
|
|
query='', fragment='')
|
|
self.assertEqual(expected, actual)
|
|
|
|
def test_get_connections_kwargs_http(self):
|
|
endpoint = 'http://example.com:9292'
|
|
test_client = http.HTTPClient(endpoint, token=u'adc123')
|
|
self.assertEqual(test_client.timeout, 600.0)
|
|
|
|
def test_http_chunked_request(self):
|
|
text = "Ok"
|
|
data = six.StringIO(text)
|
|
path = '/v1/images/'
|
|
self.mock.post(self.endpoint + path, text=text)
|
|
|
|
headers = {"test": u'chunked_request'}
|
|
resp, body = self.client.post(path, headers=headers, data=data)
|
|
self.assertIsInstance(self.mock.last_request.body, types.GeneratorType)
|
|
self.assertEqual(text, resp.text)
|
|
|
|
def test_http_json(self):
|
|
data = {"test": "json_request"}
|
|
path = '/v1/images'
|
|
text = 'OK'
|
|
self.mock.post(self.endpoint + path, text=text)
|
|
|
|
headers = {"test": u'chunked_request'}
|
|
resp, body = self.client.post(path, headers=headers, data=data)
|
|
|
|
self.assertEqual(text, resp.text)
|
|
self.assertIsInstance(self.mock.last_request.body, six.string_types)
|
|
self.assertEqual(data, json.loads(self.mock.last_request.body))
|
|
|
|
def test_http_chunked_response(self):
|
|
data = "TEST"
|
|
path = '/v1/images/'
|
|
self.mock.get(self.endpoint + path, body=six.StringIO(data),
|
|
headers={"Content-Type": "application/octet-stream"})
|
|
|
|
resp, body = self.client.get(path)
|
|
self.assertTrue(isinstance(body, types.GeneratorType))
|
|
self.assertEqual([data], list(body))
|
|
|
|
@original_only
|
|
def test_log_http_response_with_non_ascii_char(self):
|
|
try:
|
|
response = 'Ok'
|
|
headers = {"Content-Type": "text/plain",
|
|
"test": "value1\xa5\xa6"}
|
|
fake = utils.FakeResponse(headers, six.StringIO(response))
|
|
self.client.log_http_response(fake)
|
|
except UnicodeDecodeError as e:
|
|
self.fail("Unexpected UnicodeDecodeError exception '%s'" % e)
|
|
|
|
@original_only
|
|
def test_log_curl_request_with_non_ascii_char(self):
|
|
try:
|
|
headers = {'header1': 'value1\xa5\xa6'}
|
|
body = 'examplebody\xa5\xa6'
|
|
self.client.log_curl_request('GET', '/api/v1/\xa5', headers, body,
|
|
None)
|
|
except UnicodeDecodeError as e:
|
|
self.fail("Unexpected UnicodeDecodeError exception '%s'" % e)
|
|
|
|
@original_only
|
|
@mock.patch('glanceclient.common.http.LOG.debug')
|
|
def test_log_curl_request_with_body_and_header(self, mock_log):
|
|
hd_name = 'header1'
|
|
hd_val = 'value1'
|
|
headers = {hd_name: hd_val}
|
|
body = 'examplebody'
|
|
self.client.log_curl_request('GET', '/api/v1/', headers, body, None)
|
|
self.assertTrue(mock_log.called, 'LOG.debug never called')
|
|
self.assertTrue(mock_log.call_args[0],
|
|
'LOG.debug called with no arguments')
|
|
hd_regex = ".*\s-H\s+'\s*%s\s*:\s*%s\s*'.*" % (hd_name, hd_val)
|
|
self.assertThat(mock_log.call_args[0][0],
|
|
matchers.MatchesRegex(hd_regex),
|
|
'header not found in curl command')
|
|
body_regex = ".*\s-d\s+'%s'\s.*" % body
|
|
self.assertThat(mock_log.call_args[0][0],
|
|
matchers.MatchesRegex(body_regex),
|
|
'body not found in curl command')
|
|
|
|
def _test_log_curl_request_with_certs(self, mock_log, key, cert, cacert):
|
|
headers = {'header1': 'value1'}
|
|
http_client_object = http.HTTPClient(self.ssl_endpoint, key_file=key,
|
|
cert_file=cert, cacert=cacert,
|
|
token='fake-token')
|
|
http_client_object.log_curl_request('GET', '/api/v1/', headers, None,
|
|
None)
|
|
self.assertTrue(mock_log.called, 'LOG.debug never called')
|
|
self.assertTrue(mock_log.call_args[0],
|
|
'LOG.debug called with no arguments')
|
|
|
|
needles = {'key': key, 'cert': cert, 'cacert': cacert}
|
|
for option, value in six.iteritems(needles):
|
|
if value:
|
|
regex = ".*\s--%s\s+('%s'|%s).*" % (option, value, value)
|
|
self.assertThat(mock_log.call_args[0][0],
|
|
matchers.MatchesRegex(regex),
|
|
'no --%s option in curl command' % option)
|
|
else:
|
|
regex = ".*\s--%s\s+.*" % option
|
|
self.assertThat(mock_log.call_args[0][0],
|
|
matchers.Not(matchers.MatchesRegex(regex)),
|
|
'unexpected --%s option in curl command' %
|
|
option)
|
|
|
|
@mock.patch('glanceclient.common.http.LOG.debug')
|
|
def test_log_curl_request_with_all_certs(self, mock_log):
|
|
self._test_log_curl_request_with_certs(mock_log, 'key1', 'cert1',
|
|
'cacert2')
|
|
|
|
@mock.patch('glanceclient.common.http.LOG.debug')
|
|
def test_log_curl_request_with_some_certs(self, mock_log):
|
|
self._test_log_curl_request_with_certs(mock_log, 'key1', 'cert1', None)
|
|
|
|
@mock.patch('glanceclient.common.http.LOG.debug')
|
|
def test_log_curl_request_with_insecure_param(self, mock_log):
|
|
headers = {'header1': 'value1'}
|
|
http_client_object = http.HTTPClient(self.ssl_endpoint, insecure=True,
|
|
token='fake-token')
|
|
http_client_object.log_curl_request('GET', '/api/v1/', headers, None,
|
|
None)
|
|
self.assertTrue(mock_log.called, 'LOG.debug never called')
|
|
self.assertTrue(mock_log.call_args[0],
|
|
'LOG.debug called with no arguments')
|
|
self.assertThat(mock_log.call_args[0][0],
|
|
matchers.MatchesRegex('.*\s-k\s.*'),
|
|
'no -k option in curl command')
|
|
|
|
@mock.patch('glanceclient.common.http.LOG.debug')
|
|
def test_log_curl_request_with_token_header(self, mock_log):
|
|
fake_token = 'fake-token'
|
|
headers = {'X-Auth-Token': fake_token}
|
|
http_client_object = http.HTTPClient(self.endpoint,
|
|
identity_headers=headers)
|
|
http_client_object.log_curl_request('GET', '/api/v1/', headers, None,
|
|
None)
|
|
self.assertTrue(mock_log.called, 'LOG.debug never called')
|
|
self.assertTrue(mock_log.call_args[0],
|
|
'LOG.debug called with no arguments')
|
|
token_regex = '.*%s.*' % fake_token
|
|
self.assertThat(mock_log.call_args[0][0],
|
|
matchers.Not(matchers.MatchesRegex(token_regex)),
|
|
'token found in LOG.debug parameter')
|