def testAutoDiscoveryWithBadPemFile(self): properties.VALUES.context_aware.use_client_certificate.Set(True) with file_utils.TemporaryDirectory() as t: pem = BAD_CERT_KEY_EMBEDDED_SECTION + PASSWORD_SECTION self.ConfigureCertProvider(t, pem) with self.assertRaises(context_aware.ConfigException): context_aware.Config()
def __init__( self, url, headers, ignore_certs, proxy_info, on_data, on_close): self._on_data = on_data self._on_close = on_close self._proxy_info = proxy_info self._receiving_thread = None ca_certs = utils.CheckCACertsFile(ignore_certs) self._sslopt = {'cert_reqs': ssl.CERT_REQUIRED, 'ca_certs': ca_certs} if ignore_certs: self._sslopt['cert_reqs'] = ssl.CERT_NONE self._sslopt['check_hostname'] = False caa_config = context_aware.Config() if caa_config: cert_path = caa_config.encrypted_client_cert_path log.debug('Using client certificate %s', cert_path) self._sslopt['certfile'] = cert_path self._sslopt['password'] = caa_config.encrypted_client_cert_password # Disable most of random logging in websocket library itself except in DEBUG if log.GetVerbosity() != logging.DEBUG: logging.getLogger('websocket').setLevel(logging.CRITICAL) self._is_closed = False self._error_msg = '' self._websocket = websocket.WebSocketApp( url, header=headers, on_close=self._OnClose, on_data=self._OnData, on_error=self._OnError, subprotocols=[utils.SUBPROTOCOL_NAME])
def testAutoDiscovery(self): properties.VALUES.context_aware.use_client_certificate.Set(True) with file_utils.TemporaryDirectory() as t: self.ConfigureCertProvider(t, CERT_KEY_SECTION + PASSWORD_SECTION) cfg = context_aware.Config() self.assertTrue(cfg.client_cert_path) self.AssertFileEquals(CERT_KEY_SECTION, cfg.client_cert_path) self.assertEqual(PASSWORD, cfg.client_cert_password)
def testAutoDiscoveryWithNoCertProvider(self): properties.VALUES.context_aware.use_client_certificate.Set(True) with file_utils.TemporaryDirectory() as t: file_path = os.path.join(t, 'context_aware_metadata.json') file_utils.WriteFileContents(file_path, '{}') properties.VALUES.context_aware.auto_discovery_file_path.Set( file_path) with self.assertRaises(context_aware.ConfigException): context_aware.Config()
def Session(timeout=None, ca_certs=None, disable_ssl_certificate_validation=False, session=None): """Returns a requests.Session subclass. Args: timeout: float, Request timeout, in seconds. ca_certs: str, absolute filename of a ca_certs file disable_ssl_certificate_validation: bool, If true, disable ssl certificate validation. session: requests.Session instance. Otherwise, a new requests.Session will be initialized. Returns: A requests.Session subclass. """ session = session or requests.Session() orig_request_method = session.request def WrappedRequest(*args, **kwargs): if 'timeout' not in kwargs: kwargs['timeout'] = timeout return orig_request_method(*args, **kwargs) session.request = WrappedRequest proxy_rdns = True proxy_info = GetProxyInfo() if proxy_info: proxy_rdns = properties.VALUES.proxy.rdns.GetBool() session.proxies = { 'http': proxy_info, 'https': proxy_info, } client_side_certificate = None if properties.VALUES.context_aware.use_client_certificate.Get(): ca_config = context_aware.Config() log.debug('Using client certificate %s', ca_config.client_cert_path) client_side_certificate = ClientSideCertificate( ca_config.client_cert_path, ca_config.client_cert_path, ca_config.client_cert_password) else: client_side_certificate = None adapter = HTTPAdapter(proxy_rdns, client_side_certificate) if disable_ssl_certificate_validation: session.verify = False elif ca_certs: session.verify = ca_certs session.mount('https://', adapter) return session
def __init__(self, args, project, zone, instance, interface, port): self._project = project self._zone = zone self._instance = instance self._interface = interface self._port = port self._iap_tunnel_url_override = args.iap_tunnel_url_override self._ignore_certs = args.iap_tunnel_insecure_disable_websocket_cert_check # Means that a ctrl-c was seen in server mode (never true in Stdin mode). self._shutdown = False self._caa_config = context_aware.Config()
def _AddContextAwareOptions(args): """Adds device certificate settings for mTLS.""" context_config = context_aware.Config() # TODO(b/190102217) - Cleanup code that handles both version of context_config use_client_certificate = (context_config and getattr( context_config, 'use_client_certificate', True)) _MaybeAddBotoOption(args, 'Credentials', 'use_client_certificate', use_client_certificate) if context_config: cert_provider_command = _GetCertProviderCommand(context_config) # Don't need to pass mTLS data if gsutil shouldn't be using it. _MaybeAddBotoOption(args, 'Credentials', 'cert_provider_command', cert_provider_command)
def _CreateWebSocketUrl(endpoint, url_query_pieces, url_override): """Create URL for WebSocket connection.""" scheme = URL_SCHEME use_mtls = bool(context_aware.Config()) hostname = MTLS_URL_HOST if use_mtls else URL_HOST path_root = URL_PATH_ROOT if url_override: url_override_parts = parse.urlparse(url_override) scheme, hostname, path_override = url_override_parts[:3] if path_override and path_override != '/': path_root = path_override qs = parse.urlencode(url_query_pieces) path = ('%s%s' % (path_root, endpoint) if path_root.endswith('/') else '%s/%s' % (path_root, endpoint)) return parse.urlunparse((scheme, hostname, path, '', qs, ''))
def HttpClient(timeout=None, proxy_info=httplib2.proxy_info_from_environment, ca_certs=httplib2.CA_CERTS, disable_ssl_certificate_validation=False): """Returns a httplib2.Http subclass. Args: timeout: float, Request timeout, in seconds. proxy_info: httplib2.ProxyInfo object or callable ca_certs: str, absolute filename of a ca_certs file disable_ssl_certificate_validation: bool, If true, disable ssl certificate validation. Returns: A httplib2.Http subclass """ if properties.VALUES.proxy.use_urllib3_via_shim.GetBool(): import httplib2shim # pylint:disable=g-import-not-at-top http_class = httplib2shim.Http else: http_class = httplib2.Http result = http_class( timeout=timeout, proxy_info=proxy_info, ca_certs=ca_certs, disable_ssl_certificate_validation=disable_ssl_certificate_validation) ca_config = context_aware.Config() if ca_config: log.debug('Using client certificate %s', ca_config.encrypted_client_cert_path) result.add_certificate( ca_config.encrypted_client_cert_path, ca_config.encrypted_client_cert_path, '', password=ca_config.encrypted_client_cert_password) return result
def GetSSLCredentials(mtls_enabled): """Returns SSL credentials.""" ca_certs_file = properties.VALUES.core.custom_ca_certs_file.Get() certificate_chain = None private_key = None ca_config = context_aware.Config() if mtls_enabled and ca_config: log.debug('Using client certificate...') certificate_chain, private_key = (ca_config.client_cert_bytes, ca_config.client_key_bytes) if ca_certs_file or certificate_chain or private_key: if ca_certs_file: ca_certs = files.ReadBinaryFileContents(ca_certs_file) else: ca_certs = None return grpc.ssl_channel_credentials( root_certificates=ca_certs, certificate_chain=certificate_chain, private_key=private_key) return None
def Session( timeout=None, ca_certs=None, disable_ssl_certificate_validation=False, session=None, client_certificate=None, client_key=None): """Returns a requests.Session subclass. Args: timeout: float, Request timeout, in seconds. ca_certs: str, absolute filename of a ca_certs file disable_ssl_certificate_validation: bool, If true, disable ssl certificate validation. session: requests.Session instance. Otherwise, a new requests.Session will be initialized. client_certificate: str, absolute filename of a client_certificate file client_key: str, absolute filename of a client_key file Returns: A requests.Session subclass. """ session = session or requests.Session() orig_request_method = session.request def WrappedRequest(*args, **kwargs): if 'timeout' not in kwargs: kwargs['timeout'] = timeout return orig_request_method(*args, **kwargs) session.request = WrappedRequest proxy_info = GetProxyInfo() if proxy_info: session.trust_env = False session.proxies = { 'http': proxy_info, 'https': proxy_info, } client_side_certificate = None if client_certificate is not None and client_key is not None and ca_certs is not None: log.debug( 'Using provided server certificate %s, client certificate %s, client certificate key %s', ca_certs, client_certificate, client_key) client_side_certificate = ClientSideCertificate( client_certificate, client_key) else: ca_config = context_aware.Config() if ca_config: log.debug('Using client certificate %s', ca_config.encrypted_client_cert_path) client_side_certificate = ClientSideCertificate( ca_config.encrypted_client_cert_path, ca_config.encrypted_client_cert_path, ca_config.encrypted_client_cert_password) else: client_side_certificate = None adapter = HTTPAdapter(client_side_certificate) if disable_ssl_certificate_validation: session.verify = False elif ca_certs: session.verify = ca_certs session.mount('https://', adapter) return session
def main(): """Launches gsutil.""" args = [] project, account = bootstrapping.GetActiveProjectAndAccount() pass_credentials = ( properties.VALUES.core.pass_credentials_to_gsutil.GetBool() and not properties.VALUES.auth.disable_credentials.GetBool()) _MaybeAddBotoOption(args, 'GSUtil', 'default_project_id', project) if pass_credentials: # Allow gsutil to only check for the '1' string value, as is done # with regard to the 'CLOUDSDK_WRAPPER' environment variable. encoding.SetEncodedValue( os.environ, 'CLOUDSDK_CORE_PASS_CREDENTIALS_TO_GSUTIL', '1') if account in c_gce.Metadata().Accounts(): # Tell gsutil that it should obtain credentials from the GCE metadata # server for the instance's configured service account. _MaybeAddBotoOption(args, 'GoogleCompute', 'service_account', 'default') # For auth'n debugging purposes, allow gsutil to reason about whether the # configured service account was set in a boto file or passed from here. encoding.SetEncodedValue( os.environ, 'CLOUDSDK_PASSED_GCE_SERVICE_ACCOUNT_TO_GSUTIL', '1') else: legacy_config_path = config.Paths().LegacyCredentialsGSUtilPath(account) # We construct a BOTO_PATH that tacks the config containing our # credentials options onto the end of the list of config paths. We ensure # the other credential options are loaded first so that ours will take # precedence and overwrite them. boto_config = encoding.GetEncodedValue(os.environ, 'BOTO_CONFIG', '') boto_path = encoding.GetEncodedValue(os.environ, 'BOTO_PATH', '') if boto_config: boto_path = os.pathsep.join([boto_config, legacy_config_path]) elif boto_path: boto_path = os.pathsep.join([boto_path, legacy_config_path]) else: path_parts = ['/etc/boto.cfg', os.path.expanduser(os.path.join('~', '.boto')), legacy_config_path] boto_path = os.pathsep.join(path_parts) encoding.SetEncodedValue(os.environ, 'BOTO_CONFIG', None) encoding.SetEncodedValue(os.environ, 'BOTO_PATH', boto_path) # Tell gsutil whether gcloud analytics collection is enabled. encoding.SetEncodedValue( os.environ, 'GA_CID', metrics.GetCIDIfMetricsEnabled()) # Set proxy settings. Note that if these proxy settings are configured in a # boto config file, the options here will be loaded afterward, overriding # them. proxy_params = properties.VALUES.proxy proxy_address = proxy_params.address.Get() if proxy_address: _MaybeAddBotoOption(args, 'Boto', 'proxy', proxy_address) _MaybeAddBotoOption(args, 'Boto', 'proxy_port', proxy_params.port.Get()) _MaybeAddBotoOption(args, 'Boto', 'proxy_rdns', proxy_params.rdns.GetBool()) _MaybeAddBotoOption(args, 'Boto', 'proxy_user', proxy_params.username.Get()) _MaybeAddBotoOption(args, 'Boto', 'proxy_pass', proxy_params.password.Get()) # Set SSL-related settings. disable_ssl = properties.VALUES.auth.disable_ssl_validation.GetBool() _MaybeAddBotoOption(args, 'Boto', 'https_validate_certificates', None if disable_ssl is None else not disable_ssl) _MaybeAddBotoOption(args, 'Boto', 'ca_certificates_file', properties.VALUES.core.custom_ca_certs_file.Get()) # Sync device certificate settings for mTLS. context_config = context_aware.Config() _MaybeAddBotoOption(args, 'Credentials', 'use_client_certificate', context_config.use_client_certificate) if context_config.use_client_certificate: # Don't need to pass mTLS data if gsutil shouldn't be using it. _MaybeAddBotoOption(args, 'Credentials', 'cert_provider_command', context_config.cert_provider_command) # Note that the original args to gsutil will be appended after the args we've # supplied here. bootstrapping.ExecutePythonTool('platform/gsutil', 'gsutil', *args)