add verify tls_opts only when we open connection

for other requests tesla will add tls_opts
This commit is contained in:
Alexander Strizhakov 2020-03-10 15:54:11 +03:00
parent 426f5ee48a
commit f39e1b9eff
No known key found for this signature in database
GPG Key ID: 022896A53AEF1381
5 changed files with 66 additions and 60 deletions

View File

@ -45,6 +45,7 @@ def open(%URI{} = uri, name, opts) do
|> Map.put_new(:retry, pool_opts[:retry] || 1) |> Map.put_new(:retry, pool_opts[:retry] || 1)
|> Map.put_new(:retry_timeout, pool_opts[:retry_timeout] || 1000) |> Map.put_new(:retry_timeout, pool_opts[:retry_timeout] || 1000)
|> Map.put_new(:await_up_timeout, pool_opts[:await_up_timeout] || 5_000) |> Map.put_new(:await_up_timeout, pool_opts[:await_up_timeout] || 5_000)
|> maybe_add_tls_opts(uri)
key = "#{uri.scheme}:#{uri.host}:#{uri.port}" key = "#{uri.scheme}:#{uri.host}:#{uri.port}"
@ -70,6 +71,29 @@ def open(%URI{} = uri, name, opts) do
end end
end end
defp maybe_add_tls_opts(opts, %URI{scheme: "http"}), do: opts
defp maybe_add_tls_opts(opts, %URI{scheme: "https", host: host}) do
tls_opts = [
verify: :verify_peer,
cacertfile: CAStore.file_path(),
depth: 20,
reuse_sessions: false,
verify_fun:
{&:ssl_verify_hostname.verify_fun/3,
[check_hostname: Pleroma.HTTP.Connection.format_host(host)]}
]
tls_opts =
if Keyword.keyword?(opts[:tls_opts]) do
Keyword.merge(tls_opts, opts[:tls_opts])
else
tls_opts
end
Map.put(opts, :tls_opts, tls_opts)
end
defp do_open(uri, %{proxy: {proxy_host, proxy_port}} = opts) do defp do_open(uri, %{proxy: {proxy_host, proxy_port}} = opts) do
connect_opts = connect_opts =
uri uri

View File

@ -45,21 +45,11 @@ def after_request(opts) do
defp add_scheme_opts(opts, %URI{scheme: "http"}), do: opts defp add_scheme_opts(opts, %URI{scheme: "http"}), do: opts
defp add_scheme_opts(opts, %URI{scheme: "https", host: host}) do defp add_scheme_opts(opts, %URI{scheme: "https"}) do
adapter_opts = [ opts
certificates_verification: true, |> Keyword.put(:certificates_verification, true)
transport: :tls, |> Keyword.put(:transport, :tls)
tls_opts: [ |> Keyword.put(:tls_opts, log_level: :warning)
verify: :verify_peer,
cacertfile: CAStore.file_path(),
depth: 20,
reuse_sessions: false,
verify_fun: {&:ssl_verify_hostname.verify_fun/3, [check_hostname: format_host(host)]},
log_level: :warning
]
]
Keyword.merge(opts, adapter_opts)
end end
defp maybe_get_conn(adapter_opts, uri, connection_opts) do defp maybe_get_conn(adapter_opts, uri, connection_opts) do
@ -93,17 +83,4 @@ defp try_to_get_conn(uri, opts) do
|> Keyword.put(:close_conn, false) |> Keyword.put(:close_conn, false)
end end
end end
@spec format_host(String.t()) :: charlist()
def format_host(host) do
host_charlist = to_charlist(host)
case :inet.parse_address(host_charlist) do
{:error, :einval} ->
:idna.encode(host_charlist)
{:ok, _ip} ->
host_charlist
end
end
end end

View File

@ -106,4 +106,17 @@ def parse_host(host) when is_binary(host) do
{:ok, ip} -> ip {:ok, ip} -> ip
end end
end end
@spec format_host(String.t()) :: charlist()
def format_host(host) do
host_charlist = to_charlist(host)
case :inet.parse_address(host_charlist) do
{:error, :einval} ->
:idna.encode(host_charlist)
{:ok, _ip} ->
host_charlist
end
end
end end

View File

@ -38,31 +38,23 @@ test "https url with default port" do
opts = Gun.options([receive_conn: false], uri) opts = Gun.options([receive_conn: false], uri)
assert opts[:certificates_verification] assert opts[:certificates_verification]
refute opts[:tls_opts] == [] assert opts[:tls_opts][:log_level] == :warning
assert opts[:tls_opts][:verify_fun] ==
{&:ssl_verify_hostname.verify_fun/3, [check_hostname: 'example.com']}
assert File.exists?(opts[:tls_opts][:cacertfile])
end end
test "https ipv4 with default port" do test "https ipv4 with default port" do
uri = URI.parse("https://127.0.0.1") uri = URI.parse("https://127.0.0.1")
opts = Gun.options([receive_conn: false], uri) opts = Gun.options([receive_conn: false], uri)
assert opts[:certificates_verification]
assert opts[:tls_opts][:verify_fun] == assert opts[:tls_opts][:log_level] == :warning
{&:ssl_verify_hostname.verify_fun/3, [check_hostname: '127.0.0.1']}
end end
test "https ipv6 with default port" do test "https ipv6 with default port" do
uri = URI.parse("https://[2a03:2880:f10c:83:face:b00c:0:25de]") uri = URI.parse("https://[2a03:2880:f10c:83:face:b00c:0:25de]")
opts = Gun.options([receive_conn: false], uri) opts = Gun.options([receive_conn: false], uri)
assert opts[:certificates_verification]
assert opts[:tls_opts][:verify_fun] == assert opts[:tls_opts][:log_level] == :warning
{&:ssl_verify_hostname.verify_fun/3,
[check_hostname: '2a03:2880:f10c:83:face:b00c:0:25de']}
end end
test "https url with non standart port" do test "https url with non standart port" do
@ -269,23 +261,4 @@ test "with ipv6" do
} = Connections.get_state(:gun_connections) } = Connections.get_state(:gun_connections)
end end
end end
describe "format_host/1" do
test "with domain" do
assert Gun.format_host("example.com") == 'example.com'
end
test "with idna domain" do
assert Gun.format_host("ですexample.com") == 'xn--example-183fne.com'
end
test "with ipv4" do
assert Gun.format_host("127.0.0.1") == '127.0.0.1'
end
test "with ipv6" do
assert Gun.format_host("2a03:2880:f10c:83:face:b00c:0:25de") ==
'2a03:2880:f10c:83:face:b00c:0:25de'
end
end
end end

View File

@ -113,4 +113,23 @@ test "passed opts have more weight than defaults" do
assert opts[:proxy] == {'example.com', 4321} assert opts[:proxy] == {'example.com', 4321}
end end
end end
describe "format_host/1" do
test "with domain" do
assert Connection.format_host("example.com") == 'example.com'
end
test "with idna domain" do
assert Connection.format_host("ですexample.com") == 'xn--example-183fne.com'
end
test "with ipv4" do
assert Connection.format_host("127.0.0.1") == '127.0.0.1'
end
test "with ipv6" do
assert Connection.format_host("2a03:2880:f10c:83:face:b00c:0:25de") ==
'2a03:2880:f10c:83:face:b00c:0:25de'
end
end
end end