def test_custom_tls_certs() -> None:
    """Exercise ``certs.Cert`` verification settings against an untrusted test server.

    For each ``Cert`` configuration the trusted domain must always be reachable,
    while the server presenting ``UNTRUSTED_CERT`` must only be accepted when
    verification is switched off or its own PEM is supplied explicitly. The
    unconfigured ``Cert()`` case pins down that verification is on by default.
    """
    listen_addr = ("127.0.0.1", 12345)
    with run_test_server(listen_addr, cert=UNTRUSTED_CERT, key=UNTRUSTED_KEY) as untrusted_url:
        with open(UNTRUSTED_CERT) as f:
            untrusted_pem = f.read()

        # (Cert keyword arguments, whether the untrusted server must raise SSLError)
        cases = (
            ({"noverify": True}, False),
            ({"noverify": False}, True),
            ({"cert_pem": untrusted_pem}, False),
            ({}, True),
        )
        for cert_kwargs, expect_ssl_error in cases:
            assert isinstance(cert_kwargs, dict)
            cert = certs.Cert(**cert_kwargs)

            # The trusted domain must succeed regardless of how the Cert is configured.
            request.get(TRUSTED_DOMAIN, "", authenticated=False, cert=cert)

            with contextlib.ExitStack() as ctx:
                if expect_ssl_error:
                    ctx.enter_context(pytest.raises(requests.exceptions.SSLError))
                request.get(untrusted_url, "", authenticated=False, cert=cert)
def wait_for_master(self, timeout: int = 5 * 60) -> None:
    """Poll the master URL until it reports healthy or ``timeout`` seconds pass.

    When the ``MASTER_TLS_CERT`` parameter is set, the probe is made with a
    ``Cert`` that has verification disabled (``noverify=True``); otherwise no
    certificate object is passed at all. Either way this only establishes that
    the master is reachable, not that its certificate is trusted.

    Args:
        timeout: Seconds to keep polling before giving up (default five minutes).
    """
    tls_cert_param = self.parameters[constants.cloudformation.MASTER_TLS_CERT]
    cert = certs.Cert(noverify=True) if tls_cert_param else None
    master_url = self._get_master_url()
    return healthcheck.wait_for_master_url(master_url, timeout=timeout, cert=cert)
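def _wait_for_master(address: str, attempts: int = 150, interval: float = 2.0) -> None:
    """Block until the master at ``address`` answers ``GET info`` with HTTP 200.

    The probe is unauthenticated and made with certificate verification disabled
    (``noverify=True``), so a successful return only means the master is up; it
    says nothing about whether its certificate is trusted.

    Args:
        address: Master address, passed straight through to ``api.get``.
        attempts: Number of polls before giving up. The default keeps the
            original hard-coded 150.
        interval: Seconds to sleep between polls. The default keeps the
            original hard-coded 2.

    Raises:
        ConnectionError: when no 200 response arrives within ``attempts`` polls.
    """
    print("Checking for master at", address)
    cert = certs.Cert(noverify=True)
    for _ in range(attempts):
        try:
            r = api.get(address, "info", authenticated=False, cert=cert)
            if r.status_code == requests.codes.ok:
                return
        except api.errors.MasterNotFoundException:
            # Master not listening yet; keep polling. Any other error propagates.
            pass
        print("Waiting for master to be available...")
        time.sleep(interval)
    raise ConnectionError("Timed out connecting to Master")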
def main(args: List[str] = sys.argv[1:],) -> None:
    """Entry point for the ``det`` CLI.

    Builds the argument parser (lazily importing the ``det deploy`` subcommands
    when the first argument names that command), parses ``args``, configures the
    CLI's certificate singleton and dispatches to the selected subcommand's
    ``func``. Fatal errors are reported through the local ``die`` helper, which
    exits with status 1; a missing subcommand exits with status 2; Ctrl-C exits
    with status 3.

    Args:
        args: Command-line arguments without the program name. The default is
            sliced from ``sys.argv`` once, when the module is imported.
    """
    # TODO: we lazily import "det deploy" but in the future we'd want to lazily import everything.
    parser = make_parser()
    full_cmd, aliases = generate_aliases(deploy_cmd.name)
    is_deploy_cmd = len(args) > 0 and any(args[0] == alias for alias in [*aliases, full_cmd])
    if is_deploy_cmd:
        from determined.deploy.cli import args_description as deploy_args_description

        add_args(parser, [deploy_args_description])
    else:
        add_args(parser, all_args_description)
    try:
        argcomplete.autocomplete(parser)
        parsed_args = parser.parse_args(args)

        def die(message: str, always_print_traceback: bool = False) -> None:
            """Print ``message`` in red to stderr and exit with status 1.

            The traceback of the exception currently being handled is printed
            first when requested explicitly or when debug mode is on.
            """
            if always_print_traceback or debug_mode():
                import traceback

                traceback.print_exc(file=sys.stderr)
            parser.exit(1, colored(message + "\n", "red"))

        v = vars(parsed_args)
        if not v.get("func"):
            # No subcommand selected: show usage and exit with status 2.
            parser.print_usage()
            parser.exit(2, "{}: no subcommand specified\n".format(parser.prog))
        try:
            # For `det deploy`, skip interaction with master.
            if is_deploy_cmd:
                parsed_args.func(parsed_args)
                return
            # Configure the CLI's Cert singleton.
            certs.cli_cert = certs.default_load(parsed_args.master)
            try:
                check_version(parsed_args)
            except requests.exceptions.SSLError:
                # An SSLError usually means that we queried a master over HTTPS and got an untrusted
                # cert, so allow the user to store and trust the current cert. (It could also mean
                # that we tried to talk HTTPS on the HTTP port, but distinguishing that based on the
                # exception is annoying, and we'll figure that out in the next step anyway.)
                addr = api.parse_master_address(parsed_args.master)
                check_not_none(addr.hostname)
                check_not_none(addr.port)
                try:
                    # No verify mode is set on this context, so the handshake accepts whatever
                    # chain the peer presents; the user's fingerprint confirmation below is the
                    # only check standing between the CLI and a stored, trusted certificate.
                    # NOTE(review): TLSv1_2_METHOD pins this probe to TLS 1.2 — confirm the master
                    # always offers it; a TLS 1.3-only endpoint would fail the handshake here.
                    ctx = SSL.Context(SSL.TLSv1_2_METHOD)
                    conn = SSL.Connection(ctx, socket.socket())
                    # Send SNI so a name-based virtual host returns the certificate for this host.
                    conn.set_tlsext_host_name(cast(str, addr.hostname).encode())
                    conn.connect(cast(Sequence[Union[str, int]], (addr.hostname, addr.port)))
                    conn.do_handshake()
                    # The whole chain the peer sent, as one string of concatenated PEM blocks
                    # (OpenSSL lists the peer's own certificate first).
                    cert_pem_data = "".join(
                        crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode()
                        for cert in conn.get_peer_cert_chain()
                    )
                except crypto.Error:
                    # Only certificate-dumping errors are handled here; socket and handshake
                    # errors propagate to the generic `except Exception` further down.
                    die("Tried to connect over HTTPS but couldn't get a certificate from the "
                        "master; consider using HTTP")
                # NOTE(review): ssl.PEM_cert_to_DER_cert expects a single PEM certificate, but
                # cert_pem_data may hold several blocks; for a multi-certificate chain the value
                # shown may not be the leaf's standard SHA-256 fingerprint — confirm, and consider
                # hashing only the first certificate so users can compare it with the server's.
                cert_hash = hashlib.sha256(ssl.PEM_cert_to_DER_cert(cert_pem_data)).hexdigest()
                cert_fingerprint = ":".join(chunks(cert_hash, 2))
                if not render.yes_or_no(
                    "The master sent an untrusted certificate chain with this SHA256 fingerprint:\n"
                    "{}\nDo you want to trust this certificate from now on?".format(cert_fingerprint)
                ):
                    die("Unable to verify master certificate")
                # Persist the accepted chain keyed by the master address; presumably
                # certs.default_load picks it up on later runs — verify against certs.
                certs.CertStore(certs.default_store()).set_cert(parsed_args.master, cert_pem_data)
                # Reconfigure the CLI's Cert singleton, but preserve the certificate name.
                old_cert_name = certs.cli_cert.name
                certs.cli_cert = certs.Cert(cert_pem=cert_pem_data, name=old_cert_name)
                # Retry the version check now that the chain is trusted.
                check_version(parsed_args)
            parsed_args.func(parsed_args)
        except KeyboardInterrupt as e:
            # Hand Ctrl-C to the outer handler below rather than reporting it as a failure.
            raise e
        except (api.errors.BadRequestException, api.errors.BadResponseException) as e:
            die("Failed to {}: {}".format(parsed_args.func.__name__, e))
        except api.errors.CorruptTokenCacheException:
            die("Failed to login: Attempted to read a corrupted token cache. "
                "The store has been deleted; please try again.")
        except EnterpriseOnlyError as e:
            die(f"Determined Enterprise Edition is required for this functionality: {e}")
        except Exception:
            # Unexpected failure: always show the traceback so the cause is not hidden.
            die("Failed to {}".format(parsed_args.func.__name__), always_print_traceback=True)
    except KeyboardInterrupt:
        # die() may not be defined yet.
        if debug_mode():
            import traceback

            traceback.print_exc(file=sys.stderr)
        print(colored("Interrupting...\n", "red"), file=sys.stderr)
        exit(3)