def testAutoDiscoveryWithBadPemFile(self):
properties.VALUES.context_aware.use_client_certificate.Set(True)
with file_utils.TemporaryDirectory() as t:
pem = BAD_CERT_KEY_EMBEDDED_SECTION + PASSWORD_SECTION
self.ConfigureCertProvider(t, pem)
with self.assertRaises(context_aware.ConfigException):
context_aware.Config()
def __init__(
self, url, headers, ignore_certs, proxy_info, on_data, on_close):
self._on_data = on_data
self._on_close = on_close
self._proxy_info = proxy_info
self._receiving_thread = None
ca_certs = utils.CheckCACertsFile(ignore_certs)
self._sslopt = {'cert_reqs': ssl.CERT_REQUIRED,
'ca_certs': ca_certs}
if ignore_certs:
self._sslopt['cert_reqs'] = ssl.CERT_NONE
self._sslopt['check_hostname'] = False
caa_config = context_aware.Config()
if caa_config:
cert_path = caa_config.encrypted_client_cert_path
log.debug('Using client certificate %s', cert_path)
self._sslopt['certfile'] = cert_path
self._sslopt['password'] = caa_config.encrypted_client_cert_password
# Disable most of random logging in websocket library itself except in DEBUG
if log.GetVerbosity() != logging.DEBUG:
logging.getLogger('websocket').setLevel(logging.CRITICAL)
self._is_closed = False
self._error_msg = ''
self._websocket = websocket.WebSocketApp(
url, header=headers, on_close=self._OnClose, on_data=self._OnData,
on_error=self._OnError, subprotocols=[utils.SUBPROTOCOL_NAME])
def testAutoDiscovery(self):
properties.VALUES.context_aware.use_client_certificate.Set(True)
with file_utils.TemporaryDirectory() as t:
self.ConfigureCertProvider(t, CERT_KEY_SECTION + PASSWORD_SECTION)
cfg = context_aware.Config()
self.assertTrue(cfg.client_cert_path)
self.AssertFileEquals(CERT_KEY_SECTION, cfg.client_cert_path)
self.assertEqual(PASSWORD, cfg.client_cert_password)
def testAutoDiscoveryWithNoCertProvider(self):
properties.VALUES.context_aware.use_client_certificate.Set(True)
with file_utils.TemporaryDirectory() as t:
file_path = os.path.join(t, 'context_aware_metadata.json')
file_utils.WriteFileContents(file_path, '{}')
properties.VALUES.context_aware.auto_discovery_file_path.Set(
file_path)
with self.assertRaises(context_aware.ConfigException):
context_aware.Config()
def Session(timeout=None,
ca_certs=None,
disable_ssl_certificate_validation=False,
session=None):
"""Returns a requests.Session subclass.
Args:
timeout: float, Request timeout, in seconds.
ca_certs: str, absolute filename of a ca_certs file
disable_ssl_certificate_validation: bool, If true, disable ssl certificate
validation.
session: requests.Session instance. Otherwise, a new requests.Session will
be initialized.
Returns: A requests.Session subclass.
"""
session = session or requests.Session()
orig_request_method = session.request
def WrappedRequest(*args, **kwargs):
if 'timeout' not in kwargs:
kwargs['timeout'] = timeout
return orig_request_method(*args, **kwargs)
session.request = WrappedRequest
proxy_rdns = True
proxy_info = GetProxyInfo()
if proxy_info:
proxy_rdns = properties.VALUES.proxy.rdns.GetBool()
session.proxies = {
'http': proxy_info,
'https': proxy_info,
}
client_side_certificate = None
if properties.VALUES.context_aware.use_client_certificate.Get():
ca_config = context_aware.Config()
log.debug('Using client certificate %s', ca_config.client_cert_path)
client_side_certificate = ClientSideCertificate(
ca_config.client_cert_path, ca_config.client_cert_path,
ca_config.client_cert_password)
else:
client_side_certificate = None
adapter = HTTPAdapter(proxy_rdns, client_side_certificate)
if disable_ssl_certificate_validation:
session.verify = False
elif ca_certs:
session.verify = ca_certs
session.mount('https://', adapter)
return session
def __init__(self, args, project, zone, instance, interface, port):
self._project = project
self._zone = zone
self._instance = instance
self._interface = interface
self._port = port
self._iap_tunnel_url_override = args.iap_tunnel_url_override
self._ignore_certs = args.iap_tunnel_insecure_disable_websocket_cert_check
# Means that a ctrl-c was seen in server mode (never true in Stdin mode).
self._shutdown = False
self._caa_config = context_aware.Config()
def _AddContextAwareOptions(args):
"""Adds device certificate settings for mTLS."""
context_config = context_aware.Config()
# TODO(b/190102217) - Cleanup code that handles both version of context_config
use_client_certificate = (context_config and getattr(
context_config, 'use_client_certificate', True))
_MaybeAddBotoOption(args, 'Credentials', 'use_client_certificate',
use_client_certificate)
if context_config:
cert_provider_command = _GetCertProviderCommand(context_config)
# Don't need to pass mTLS data if gsutil shouldn't be using it.
_MaybeAddBotoOption(args, 'Credentials', 'cert_provider_command',
cert_provider_command)
def _CreateWebSocketUrl(endpoint, url_query_pieces, url_override):
"""Create URL for WebSocket connection."""
scheme = URL_SCHEME
use_mtls = bool(context_aware.Config())
hostname = MTLS_URL_HOST if use_mtls else URL_HOST
path_root = URL_PATH_ROOT
if url_override:
url_override_parts = parse.urlparse(url_override)
scheme, hostname, path_override = url_override_parts[:3]
if path_override and path_override != '/':
path_root = path_override
qs = parse.urlencode(url_query_pieces)
path = ('%s%s' %
(path_root, endpoint) if path_root.endswith('/') else '%s/%s' %
(path_root, endpoint))
return parse.urlunparse((scheme, hostname, path, '', qs, ''))
def HttpClient(timeout=None,
proxy_info=httplib2.proxy_info_from_environment,
ca_certs=httplib2.CA_CERTS,
disable_ssl_certificate_validation=False):
"""Returns a httplib2.Http subclass.
Args:
timeout: float, Request timeout, in seconds.
proxy_info: httplib2.ProxyInfo object or callable
ca_certs: str, absolute filename of a ca_certs file
disable_ssl_certificate_validation: bool, If true, disable ssl certificate
validation.
Returns: A httplib2.Http subclass
"""
if properties.VALUES.proxy.use_urllib3_via_shim.GetBool():
import httplib2shim # pylint:disable=g-import-not-at-top
http_class = httplib2shim.Http
else:
http_class = httplib2.Http
result = http_class(
timeout=timeout,
proxy_info=proxy_info,
ca_certs=ca_certs,
disable_ssl_certificate_validation=disable_ssl_certificate_validation)
ca_config = context_aware.Config()
if ca_config:
log.debug('Using client certificate %s',
ca_config.encrypted_client_cert_path)
result.add_certificate(
ca_config.encrypted_client_cert_path,
ca_config.encrypted_client_cert_path,
'',
password=ca_config.encrypted_client_cert_password)
return result
def GetSSLCredentials(mtls_enabled):
"""Returns SSL credentials."""
ca_certs_file = properties.VALUES.core.custom_ca_certs_file.Get()
certificate_chain = None
private_key = None
ca_config = context_aware.Config()
if mtls_enabled and ca_config:
log.debug('Using client certificate...')
certificate_chain, private_key = (ca_config.client_cert_bytes,
ca_config.client_key_bytes)
if ca_certs_file or certificate_chain or private_key:
if ca_certs_file:
ca_certs = files.ReadBinaryFileContents(ca_certs_file)
else:
ca_certs = None
return grpc.ssl_channel_credentials(
root_certificates=ca_certs,
certificate_chain=certificate_chain,
private_key=private_key)
return None
def Session(
timeout=None,
ca_certs=None,
disable_ssl_certificate_validation=False,
session=None,
client_certificate=None,
client_key=None):
"""Returns a requests.Session subclass.
Args:
timeout: float, Request timeout, in seconds.
ca_certs: str, absolute filename of a ca_certs file
disable_ssl_certificate_validation: bool, If true, disable ssl certificate
validation.
session: requests.Session instance. Otherwise, a new requests.Session will
be initialized.
client_certificate: str, absolute filename of a client_certificate file
client_key: str, absolute filename of a client_key file
Returns: A requests.Session subclass.
"""
session = session or requests.Session()
orig_request_method = session.request
def WrappedRequest(*args, **kwargs):
if 'timeout' not in kwargs:
kwargs['timeout'] = timeout
return orig_request_method(*args, **kwargs)
session.request = WrappedRequest
proxy_info = GetProxyInfo()
if proxy_info:
session.trust_env = False
session.proxies = {
'http': proxy_info,
'https': proxy_info,
}
client_side_certificate = None
if client_certificate is not None and client_key is not None and ca_certs is not None:
log.debug(
'Using provided server certificate %s, client certificate %s, client certificate key %s',
ca_certs, client_certificate, client_key)
client_side_certificate = ClientSideCertificate(
client_certificate, client_key)
else:
ca_config = context_aware.Config()
if ca_config:
log.debug('Using client certificate %s',
ca_config.encrypted_client_cert_path)
client_side_certificate = ClientSideCertificate(
ca_config.encrypted_client_cert_path,
ca_config.encrypted_client_cert_path,
ca_config.encrypted_client_cert_password)
else:
client_side_certificate = None
adapter = HTTPAdapter(client_side_certificate)
if disable_ssl_certificate_validation:
session.verify = False
elif ca_certs:
session.verify = ca_certs
session.mount('https://', adapter)
return session
def main():
"""Launches gsutil."""
args = []
project, account = bootstrapping.GetActiveProjectAndAccount()
pass_credentials = (
properties.VALUES.core.pass_credentials_to_gsutil.GetBool() and
not properties.VALUES.auth.disable_credentials.GetBool())
_MaybeAddBotoOption(args, 'GSUtil', 'default_project_id', project)
if pass_credentials:
# Allow gsutil to only check for the '1' string value, as is done
# with regard to the 'CLOUDSDK_WRAPPER' environment variable.
encoding.SetEncodedValue(
os.environ, 'CLOUDSDK_CORE_PASS_CREDENTIALS_TO_GSUTIL', '1')
if account in c_gce.Metadata().Accounts():
# Tell gsutil that it should obtain credentials from the GCE metadata
# server for the instance's configured service account.
_MaybeAddBotoOption(args, 'GoogleCompute', 'service_account', 'default')
# For auth'n debugging purposes, allow gsutil to reason about whether the
# configured service account was set in a boto file or passed from here.
encoding.SetEncodedValue(
os.environ, 'CLOUDSDK_PASSED_GCE_SERVICE_ACCOUNT_TO_GSUTIL', '1')
else:
legacy_config_path = config.Paths().LegacyCredentialsGSUtilPath(account)
# We construct a BOTO_PATH that tacks the config containing our
# credentials options onto the end of the list of config paths. We ensure
# the other credential options are loaded first so that ours will take
# precedence and overwrite them.
boto_config = encoding.GetEncodedValue(os.environ, 'BOTO_CONFIG', '')
boto_path = encoding.GetEncodedValue(os.environ, 'BOTO_PATH', '')
if boto_config:
boto_path = os.pathsep.join([boto_config, legacy_config_path])
elif boto_path:
boto_path = os.pathsep.join([boto_path, legacy_config_path])
else:
path_parts = ['/etc/boto.cfg',
os.path.expanduser(os.path.join('~', '.boto')),
legacy_config_path]
boto_path = os.pathsep.join(path_parts)
encoding.SetEncodedValue(os.environ, 'BOTO_CONFIG', None)
encoding.SetEncodedValue(os.environ, 'BOTO_PATH', boto_path)
# Tell gsutil whether gcloud analytics collection is enabled.
encoding.SetEncodedValue(
os.environ, 'GA_CID', metrics.GetCIDIfMetricsEnabled())
# Set proxy settings. Note that if these proxy settings are configured in a
# boto config file, the options here will be loaded afterward, overriding
# them.
proxy_params = properties.VALUES.proxy
proxy_address = proxy_params.address.Get()
if proxy_address:
_MaybeAddBotoOption(args, 'Boto', 'proxy', proxy_address)
_MaybeAddBotoOption(args, 'Boto', 'proxy_port', proxy_params.port.Get())
_MaybeAddBotoOption(args, 'Boto', 'proxy_rdns', proxy_params.rdns.GetBool())
_MaybeAddBotoOption(args, 'Boto', 'proxy_user', proxy_params.username.Get())
_MaybeAddBotoOption(args, 'Boto', 'proxy_pass', proxy_params.password.Get())
# Set SSL-related settings.
disable_ssl = properties.VALUES.auth.disable_ssl_validation.GetBool()
_MaybeAddBotoOption(args, 'Boto', 'https_validate_certificates',
None if disable_ssl is None else not disable_ssl)
_MaybeAddBotoOption(args, 'Boto', 'ca_certificates_file',
properties.VALUES.core.custom_ca_certs_file.Get())
# Sync device certificate settings for mTLS.
context_config = context_aware.Config()
_MaybeAddBotoOption(args, 'Credentials', 'use_client_certificate',
context_config.use_client_certificate)
if context_config.use_client_certificate:
# Don't need to pass mTLS data if gsutil shouldn't be using it.
_MaybeAddBotoOption(args, 'Credentials', 'cert_provider_command',
context_config.cert_provider_command)
# Note that the original args to gsutil will be appended after the args we've
# supplied here.
bootstrapping.ExecutePythonTool('platform/gsutil', 'gsutil', *args)
