Add option to config to allow requests to hosts with unverified certi…

…ficates (#969)
cs3org · Jul 13, 2020 · 933a236 · 933a236
1 parent a4f01d4
commit 933a236
Show file tree

Hide file tree

Showing 7 changed files with 92 additions and 22 deletions.
diff --git a/changelog/unreleased/insecure-option-ocm.md b/changelog/unreleased/insecure-option-ocm.md
@@ -0,0 +1,6 @@
+Enhancement: Add option to config to allow requests to hosts with unverified certificates
+
+Allow OCM to send requests to other mesh providers with the option of skipping
+certificate verification.
+
+https://github.com/cs3org/reva/pull/969
diff --git a/docs/content/en/docs/config/packages/user/manager/rest/_index.md b/docs/content/en/docs/config/packages/user/manager/rest/_index.md
@@ -9,63 +9,63 @@ description: >
 # _struct: config_
 
 {{% dir name="redis" type="string" default=":6379" %}}
-The port on which the redis server is running [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L67)
+The port on which the redis server is running [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L68)
 {{< highlight toml >}}
 [user.manager.rest]
 redis = ":6379"
 {{< /highlight >}}
 {{% /dir %}}
 
 {{% dir name="user_groups_cache_expiration" type="int" default=5 %}}
-The time in minutes for which the groups to which a user belongs would be cached [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L69)
+The time in minutes for which the groups to which a user belongs would be cached [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L70)
 {{< highlight toml >}}
 [user.manager.rest]
 user_groups_cache_expiration = 5
 {{< /highlight >}}
 {{% /dir %}}
 
 {{% dir name="id_provider" type="string" default="http://cernbox.cern.ch" %}}
-The OIDC Provider [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L71)
+The OIDC Provider [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L72)
 {{< highlight toml >}}
 [user.manager.rest]
 id_provider = "http://cernbox.cern.ch"
 {{< /highlight >}}
 {{% /dir %}}
 
 {{% dir name="api_base_url" type="string" default="https://authorization-service-api-dev.web.cern.ch/api/v1.0" %}}
-Base API Endpoint [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L73)
+Base API Endpoint [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L74)
 {{< highlight toml >}}
 [user.manager.rest]
 api_base_url = "https://authorization-service-api-dev.web.cern.ch/api/v1.0"
 {{< /highlight >}}
 {{% /dir %}}
 
 {{% dir name="client_id" type="string" default="-" %}}
-Client ID needed to authenticate [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L75)
+Client ID needed to authenticate [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L76)
 {{< highlight toml >}}
 [user.manager.rest]
 client_id = "-"
 {{< /highlight >}}
 {{% /dir %}}
 
 {{% dir name="client_secret" type="string" default="-" %}}
-Client Secret [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L77)
+Client Secret [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L78)
 {{< highlight toml >}}
 [user.manager.rest]
 client_secret = "-"
 {{< /highlight >}}
 {{% /dir %}}
 
 {{% dir name="oidc_token_endpoint" type="string" default="https://keycloak-dev.cern.ch/auth/realms/cern/api-access/token" %}}
-Endpoint to generate token to access the API [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L80)
+Endpoint to generate token to access the API [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L81)
 {{< highlight toml >}}
 [user.manager.rest]
 oidc_token_endpoint = "https://keycloak-dev.cern.ch/auth/realms/cern/api-access/token"
 {{< /highlight >}}
 {{% /dir %}}
 
 {{% dir name="target_api" type="string" default="authorization-service-api" %}}
-The target application for which token needs to be generated [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L82)
+The target application for which token needs to be generated [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L83)
 {{< highlight toml >}}
 [user.manager.rest]
 target_api = "authorization-service-api"

diff --git a/pkg/ocm/invite/manager/json/json.go b/pkg/ocm/invite/manager/json/json.go
@@ -26,6 +26,7 @@ import (
 	"net/http"
 	"net/url"
 	"os"
+	"strings"
 	"sync"
 	"time"
 
@@ -36,6 +37,7 @@ import (
 	"github.com/cs3org/reva/pkg/ocm/invite"
 	"github.com/cs3org/reva/pkg/ocm/invite/manager/registry"
 	"github.com/cs3org/reva/pkg/ocm/invite/token"
+	"github.com/cs3org/reva/pkg/rhttp"
 	"github.com/cs3org/reva/pkg/user"
 	"github.com/mitchellh/mapstructure"
 	"github.com/pkg/errors"
@@ -56,8 +58,9 @@ type manager struct {
 }
 
 type config struct {
-	File       string `mapstructure:"file"`
-	Expiration string `mapstructure:"expiration"`
+	File                string `mapstructure:"file"`
+	Expiration          string `mapstructure:"expiration"`
+	InsecureConnections bool   `mapstructure:"insecure_connections"`
 }
 
 func init() {
@@ -203,7 +206,15 @@ func (m *manager) ForwardInvite(ctx context.Context, invite *invitepb.InviteToke
 		return err
 	}
 
-	resp, err := http.PostForm(fmt.Sprintf("%s%s", ocmEndpoint, acceptInviteEndpoint), requestBody)
+	client := rhttp.GetHTTPClient(rhttp.Insecure(m.config.InsecureConnections))
+	recipientURL := fmt.Sprintf("%s%s", ocmEndpoint, acceptInviteEndpoint)
+	req, err := http.NewRequest("POST", recipientURL, strings.NewReader(requestBody.Encode()))
+	if err != nil {
+		return errors.Wrap(err, "json: error framing post request")
+	}
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded; param=value")
+
+	resp, err := client.Do(req)
 	if err != nil {
 		err = errors.Wrap(err, "json: error sending post request")
 		return err
@@ -213,11 +224,9 @@ func (m *manager) ForwardInvite(ctx context.Context, invite *invitepb.InviteToke
 	if resp.StatusCode != http.StatusOK {
 		respBody, e := ioutil.ReadAll(resp.Body)
 		if e != nil {
-			e = errors.Wrap(e, "json: error reading request body")
-			return e
+			return errors.Wrap(e, "json: error reading request body")
 		}
-		err = errors.Wrap(errors.New(fmt.Sprintf("%s: %s", resp.Status, string(respBody))), "json: error sending accept post request")
-		return err
+		return errors.Wrap(errors.New(fmt.Sprintf("%s: %s", resp.Status, string(respBody))), "json: error sending accept post request")
 	}
 
 	return nil

diff --git a/pkg/ocm/invite/manager/memory/memory.go b/pkg/ocm/invite/manager/memory/memory.go
@@ -23,6 +23,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
+	"strings"
 	"sync"
 	"time"
 
@@ -35,6 +36,7 @@ import (
 	"github.com/cs3org/reva/pkg/ocm/invite"
 	"github.com/cs3org/reva/pkg/ocm/invite/manager/registry"
 	"github.com/cs3org/reva/pkg/ocm/invite/token"
+	"github.com/cs3org/reva/pkg/rhttp"
 	"github.com/mitchellh/mapstructure"
 	"github.com/pkg/errors"
 )
@@ -74,7 +76,8 @@ type manager struct {
 }
 
 type config struct {
-	Expiration string `mapstructure:"expiration"`
+	Expiration          string `mapstructure:"expiration"`
+	InsecureConnections bool   `mapstructure:"insecure_connections"`
 }
 
 func (m *manager) GenerateToken(ctx context.Context) (*invitepb.InviteToken, error) {
@@ -104,7 +107,15 @@ func (m *manager) ForwardInvite(ctx context.Context, invite *invitepb.InviteToke
 		return err
 	}
 
-	resp, err := http.PostForm(fmt.Sprintf("%s%s", ocmEndpoint, acceptInviteEndpoint), requestBody)
+	client := rhttp.GetHTTPClient(rhttp.Insecure(m.Config.InsecureConnections))
+	recipientURL := fmt.Sprintf("%s%s", ocmEndpoint, acceptInviteEndpoint)
+	req, err := http.NewRequest("POST", recipientURL, strings.NewReader(requestBody.Encode()))
+	if err != nil {
+		return errors.Wrap(err, "json: error framing post request")
+	}
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded; param=value")
+
+	resp, err := client.Do(req)
 	if err != nil {
 		err = errors.Wrap(err, "memory: error sending post request")
 		return err

diff --git a/pkg/ocm/share/manager/json/json.go b/pkg/ocm/share/manager/json/json.go
@@ -27,6 +27,7 @@ import (
 	"net/url"
 	"os"
 	"reflect"
+	"strings"
 	"sync"
 	"time"
 
@@ -38,6 +39,7 @@ import (
 	"github.com/cs3org/reva/pkg/errtypes"
 	"github.com/cs3org/reva/pkg/ocm/share"
 	"github.com/cs3org/reva/pkg/ocm/share/manager/registry"
+	"github.com/cs3org/reva/pkg/rhttp"
 	"github.com/cs3org/reva/pkg/user"
 	"github.com/google/uuid"
 	"github.com/mitchellh/mapstructure"
@@ -118,7 +120,8 @@ type shareModel struct {
 }
 
 type config struct {
-	File string `mapstructure:"file"`
+	File                string `mapstructure:"file"`
+	InsecureConnections bool   `mapstructure:"insecure_connections"`
 }
 
 func (c *config) init() {
@@ -275,7 +278,15 @@ func (m *mgr) Share(ctx context.Context, md *provider.ResourceId, g *ocm.ShareGr
 			return nil, err
 		}
 
-		resp, err := http.PostForm(fmt.Sprintf("%s%s", ocmEndpoint, createOCMCoreShareEndpoint), requestBody)
+		client := rhttp.GetHTTPClient(rhttp.Insecure(m.c.InsecureConnections))
+		recipientURL := fmt.Sprintf("%s%s", ocmEndpoint, createOCMCoreShareEndpoint)
+		req, err := http.NewRequest("POST", recipientURL, strings.NewReader(requestBody.Encode()))
+		if err != nil {
+			return nil, errors.Wrap(err, "json: error framing post request")
+		}
+		req.Header.Set("Content-Type", "application/x-www-form-urlencoded; param=value")
+
+		resp, err := client.Do(req)
 		if err != nil {
 			err = errors.Wrap(err, "json: error sending post request")
 			return nil, err

diff --git a/pkg/ocm/share/manager/memory/memory.go b/pkg/ocm/share/manager/memory/memory.go
@@ -25,6 +25,7 @@ import (
 	"net/http"
 	"net/url"
 	"reflect"
+	"strings"
 	"sync"
 	"time"
 
@@ -35,8 +36,10 @@ import (
 	typespb "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
 	"github.com/cs3org/reva/pkg/errtypes"
 	"github.com/cs3org/reva/pkg/ocm/share"
+	"github.com/cs3org/reva/pkg/rhttp"
 	"github.com/cs3org/reva/pkg/user"
 	"github.com/google/uuid"
+	"github.com/mitchellh/mapstructure"
 	"github.com/pkg/errors"
 )
 
@@ -49,19 +52,38 @@ func init() {
 
 // New returns a new memory manager.
 func New(m map[string]interface{}) (share.Manager, error) {
+	c, err := parseConfig(m)
+	if err != nil {
+		err = errors.Wrap(err, "error creating a new manager")
+		return nil, err
+	}
 
 	state := make(map[string]map[string]ocm.ShareState)
 	return &mgr{
+		c:      c,
 		shares: sync.Map{},
 		state:  state,
 	}, nil
 }
 
 type mgr struct {
+	c      *config
 	shares sync.Map
 	state  map[string]map[string]ocm.ShareState
 }
 
+type config struct {
+	InsecureConnections bool `mapstructure:"insecure_connections"`
+}
+
+func parseConfig(m map[string]interface{}) (*config, error) {
+	c := &config{}
+	if err := mapstructure.Decode(m, c); err != nil {
+		return nil, err
+	}
+	return c, nil
+}
+
 func genID() string {
 	return uuid.New().String()
 }
@@ -167,7 +189,15 @@ func (m *mgr) Share(ctx context.Context, md *provider.ResourceId, g *ocm.ShareGr
 			return nil, err
 		}
 
-		resp, err := http.PostForm(fmt.Sprintf("%s%s", ocmEndpoint, createOCMCoreShareEndpoint), requestBody)
+		client := rhttp.GetHTTPClient(rhttp.Insecure(m.c.InsecureConnections))
+		recipientURL := fmt.Sprintf("%s%s", ocmEndpoint, createOCMCoreShareEndpoint)
+		req, err := http.NewRequest("POST", recipientURL, strings.NewReader(requestBody.Encode()))
+		if err != nil {
+			return nil, errors.Wrap(err, "json: error framing post request")
+		}
+		req.Header.Set("Content-Type", "application/x-www-form-urlencoded; param=value")
+
+		resp, err := client.Do(req)
 		if err != nil {
 			err = errors.Wrap(err, "memory: error sending post request")
 			return nil, err

diff --git a/pkg/user/manager/rest/rest.go b/pkg/user/manager/rest/rest.go
@@ -24,6 +24,7 @@ import (
 	"errors"
 	"fmt"
 	"io/ioutil"
+	"net/http"
 	"net/url"
 	"regexp"
 	"strings"
@@ -152,7 +153,7 @@ func (m *manager) getAPIToken(ctx context.Context) (string, time.Time, error) {
 	}
 
 	httpClient := rhttp.GetHTTPClient(rhttp.Context(ctx), rhttp.Timeout(10*time.Second), rhttp.Insecure(true))
-	httpReq, err := rhttp.NewRequest(ctx, "POST", m.conf.OIDCTokenEndpoint, strings.NewReader(params.Encode()))
+	httpReq, err := http.NewRequest("POST", m.conf.OIDCTokenEndpoint, strings.NewReader(params.Encode()))
 	if err != nil {
 		return "", time.Time{}, err
 	}
@@ -163,6 +164,7 @@ func (m *manager) getAPIToken(ctx context.Context) (string, time.Time, error) {
 	if err != nil {
 		return "", time.Time{}, err
 	}
+	defer httpRes.Body.Close()
 
 	body, err := ioutil.ReadAll(httpRes.Body)
 	if err != nil {
@@ -187,7 +189,7 @@ func (m *manager) sendAPIRequest(ctx context.Context, url string) ([]interface{}
 	}
 
 	httpClient := rhttp.GetHTTPClient(rhttp.Context(ctx), rhttp.Timeout(10*time.Second), rhttp.Insecure(true))
-	httpReq, err := rhttp.NewRequest(ctx, "GET", url, nil)
+	httpReq, err := http.NewRequest("GET", url, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -201,6 +203,7 @@ func (m *manager) sendAPIRequest(ctx context.Context, url string) ([]interface{}
 	if err != nil {
 		return nil, err
 	}
+	defer httpRes.Body.Close()
 
 	body, err := ioutil.ReadAll(httpRes.Body)
 	if err != nil {