Merge "Add option to check fingergw hostnames"

2021-08-01 09:21:04 +00:00 · 2021-08-01 09:21:04 +00:00 · 91df64517f
parent 1c62da06a7 51ef833eb4
commit 91df64517f
4 changed files with 14 additions and 2 deletions
--- a/doc/source/discussion/components.rst
+++ b/doc/source/discussion/components.rst
@ -1370,6 +1370,13 @@ sections of ``zuul.conf`` are used by the finger gateway:

      The path to the PEM encoded CA certificate file.

+   .. attr:: tls_verify_hostnames
+      :default: true
+
+      In the case of a private CA it may be both safe and convenient
+      to disable hostname checks.  However, if the certificates are
+      issued by a public CA, hostname verification should be enabled.
+
   .. attr:: tls_client_only
      :default: false

--- a/tests/unit/test_streaming.py
+++ b/tests/unit/test_streaming.py
@ -195,6 +195,7 @@ class TestStreamingBase(tests.base.AnsibleZuulTestCase):
                       os.path.join(FIXTURE_DIR, 'fingergw/fingergw.pem'))
            config.set('fingergw', 'tls_key',
                       os.path.join(FIXTURE_DIR, 'fingergw/fingergw.key'))
+            config.set('fingergw', 'tls_verify_hostnames', 'False')

        gateway = FingerGateway(
            config,
--- a/zuul/lib/fingergw.py
+++ b/zuul/lib/fingergw.py
@ -55,7 +55,7 @@ class RequestHandler(streamer_utils.BaseFingerRequestHandler):
            if use_ssl:
                context = ssl.SSLContext(ssl.PROTOCOL_TLS)
                context.verify_mode = ssl.CERT_REQUIRED
-                context.check_hostname = False
+                context.check_hostname = self.fingergw.tls_verify_hostnames
                context.load_cert_chain(self.fingergw.tls_cert,
                                        self.fingergw.tls_key)
                context.load_verify_locations(self.fingergw.tls_ca)
@ -170,6 +170,8 @@ class FingerGateway(object):
        self.tls_key = get_default(config, 'fingergw', 'tls_key')
        self.tls_cert = get_default(config, 'fingergw', 'tls_cert')
        self.tls_ca = get_default(config, 'fingergw', 'tls_ca')
+        self.tls_verify_hostnames = get_default(
+            config, 'fingergw', 'tls_verify_hostnames', default=True)
        client_only = get_default(config, 'fingergw', 'tls_client_only',
                                  default=False)
        if (all([self.tls_key, self.tls_cert, self.tls_ca])
--- a/zuul/web/init.py
+++ b/zuul/web/init.py
@ -196,7 +196,7 @@ class LogStreamer(object):
        if use_ssl:
            context = ssl.SSLContext(ssl.PROTOCOL_TLS)
            context.verify_mode = ssl.CERT_REQUIRED
-            context.check_hostname = False
+            context.check_hostname = self.zuulweb.finger_tls_verify_hostnames
            context.load_cert_chain(
                self.zuulweb.finger_tls_cert, self.zuulweb.finger_tls_key)
            context.load_verify_locations(self.zuulweb.finger_tls_ca)
@ -1309,6 +1309,8 @@ class ZuulWeb(object):
            self.config, 'fingergw', 'tls_cert')
        self.finger_tls_ca = get_default(
            self.config, 'fingergw', 'tls_ca')
+        self.finger_tls_verify_hostnames = get_default(
+            self.config, 'fingergw', 'tls_verify_hostnames', default=True)

        route_map = cherrypy.dispatch.RoutesDispatcher()
        api = ZuulWebAPI(self)