Fix: SSL Certificates not properly surfaced (#286)
## Manual Testing
### Verify Bug
- Download landscape client and place a self-signed server certificate in
a directory that landscape cannot read
- Try to connect client to server using the following command
`landscape-config --account standalone --url
https://<server-ip>/message-system --ping-url https://server-ip/ping -k
ssl-cert-location `
- Code should fail and provide no information as to why it fails
### Verify Fix
- Repeat above steps but instead using this version
- Verify that warning message is provided by logs
david-mclain authored Nov 27, 2024
1 parent 3e4d447 commit 1449b56
Showing 2 changed files with 20 additions and 0 deletions.
8 changes: 8 additions & 0 deletions landscape/lib/fetch.py
@@ -2,6 +2,7 @@
import os
import sys
from argparse import ArgumentParser
from logging import warning

from twisted.internet.defer import DeferredList
from twisted.internet.threads import deferToThread
@@ -94,6 +95,13 @@ def fetch(
curl.setopt(pycurl.READFUNCTION, output.read)

if cainfo and url.startswith("https:"):
if not os.access(cainfo, os.R_OK):
warning(
"SSL certificate provided is not accessible by landscape "
+ "client. Please place in directory that is readable such "
+ "as '/etc/ssl/certs'",
)
# log error here
curl.setopt(pycurl.CAINFO, networkString(cainfo))

if headers:
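Review bot: The new warning in `fetch()` does not name the file it checked, and `os.access(cainfo, os.R_OK)` is also false when the path does not exist, so a mistyped path gets reported as a permissions problem. Passing the path as a lazy argument, e.g. `warning("SSL certificate %s is missing or not readable by landscape client", cainfo)`, would make the log actionable; the leftover `# log error here` placeholder can be dropped, and the expected string in `test_cainfo_inaccessible_cert` would need the same change. Continuing to `curl.setopt(pycurl.CAINFO, ...)` after the warning looks right, since the request should then presumably fail in libcurl rather than proceed without the configured CA file, and a one-line comment saying so would keep that intent from being "fixed" into a fallback later. Note also that `os.access` tests the real UID/GID, so the result may not match what the process can actually open if it runs under a privilege switch; that is inferred, not visible here. The body of `fetch()` starts and continues outside this hunk.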
12 changes: 12 additions & 0 deletions landscape/lib/tests/test_fetch.py
@@ -1,6 +1,7 @@
import os
import unittest
from threading import local
from unittest import mock

import pycurl
from twisted.internet.defer import FirstError
@@ -191,6 +192,17 @@ def test_cainfo_on_http(self):
self.assertEqual(result, b"result")
self.assertTrue(pycurl.CAINFO not in curl.options)

@mock.patch("landscape.lib.fetch.warning")
def test_cainfo_inaccessible_cert(self, logging):
curl = CurlStub(b"result")
result = fetch("https://example.com", cainfo="cainfo", curl=curl)
self.assertEqual(result, b"result")
logging.assert_called_once_with(
"SSL certificate provided is not accessible by landscape "
+ "client. Please place in directory that is readable such "
+ "as '/etc/ssl/certs'",
)

def test_headers(self):
curl = CurlStub(b"result")
result = fetch(
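Review bot: `test_cainfo_inaccessible_cert` depends on the real filesystem: it passes only because no readable file named `cainfo` happens to exist in the working directory, so the outcome can vary with where the suite runs. Patching the check, e.g. `@mock.patch("landscape.lib.fetch.os.access", return_value=False)`, makes the unreadable case explicit, and a companion case with `return_value=True` could assert that the warning is not emitted. It would also be worth adding `self.assertIn(pycurl.CAINFO, curl.options)` so the test pins that the CA file is still handed to curl after the warning rather than silently skipped. The mock parameter named `logging` actually holds the patched `warning` function; a name such as `mock_warning` would read more clearly.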
