From 9e9b32e673e34bc2d719ca998a314d4787034d84 Mon Sep 17 00:00:00 2001
From: Artem Zhmaka
Date: Thu, 26 Jan 2023 17:06:02 +0000
Subject: [PATCH 1/3] zhars/renew_info_about_tls_http_api Added info about default true for http_api_tls_transport_enable flag
---
 cmd/acra-server/acra-server.go | 7 ++++---
 configs/acra-server.yaml | 2 +-
 tests/test.py | 7 ++++++-
 tests/test_common.py | 1 +
 4 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/cmd/acra-server/acra-server.go b/cmd/acra-server/acra-server.go
index d23b2793..297e6dad 100644
--- a/cmd/acra-server/acra-server.go
+++ b/cmd/acra-server/acra-server.go
@@ -46,6 +46,9 @@ import (
 "syscall"
 "time"
+ log "github.com/sirupsen/logrus"
+ bolt "go.etcd.io/bbolt"
+
 "github.com/cossacklabs/acra/cmd"
 "github.com/cossacklabs/acra/cmd/acra-server/common"
 "github.com/cossacklabs/acra/crypto"
@@ -67,8 +70,6 @@ import (
 "github.com/cossacklabs/acra/pseudonymization/storage"
 "github.com/cossacklabs/acra/sqlparser"
 "github.com/cossacklabs/acra/utils"
- log "github.com/sirupsen/logrus"
- bolt "go.etcd.io/bbolt"
 )
 var restartSignalsChannel chan os.Signal
@@ -141,7 +142,7 @@ func realMain() error {
 scriptOnPoison := flag.String("poison_run_script_file", "", "On detecting poison record: log about poison record detection, execute script, return decrypted data")
 enableHTTPAPI := flag.Bool("http_api_enable", false, "Enable HTTP API. Use together with --http_api_tls_transport_enable whenever possible.")
- httpAPIUseTLS := flag.Bool("http_api_tls_transport_enable", false, "Enable HTTPS support for the API. Use together with the --http_api_enable. TLS configuration is the same as in the Acra Proxy.")
+ httpAPIUseTLS := flag.Bool("http_api_tls_transport_enable", false, "Enable HTTPS support for the API. Use together with the --http_api_enable. TLS configuration is the same as in the Acra Proxy. Starting from 0.96.0 the flag value will be true, by default.")
 network.RegisterTLSBaseArgs(flag.CommandLine)
 network.RegisterTLSArgsForService(flag.CommandLine, false, "", network.ClientNameConstructorFunc())
diff --git a/configs/acra-server.yaml b/configs/acra-server.yaml
index f6faca0d..08a3a43a 100644
--- a/configs/acra-server.yaml
+++ b/configs/acra-server.yaml
@@ -95,7 +95,7 @@ generate_markdown_args_table: false
 # Enable HTTP API. Use together with --http_api_tls_transport_enable whenever possible.
 http_api_enable: false
-# Enable HTTPS support for the API. Use together with the --http_api_enable. TLS configuration is the same as in the Acra Proxy.
+# Enable HTTPS support for the API. Use together with the --http_api_enable. TLS configuration is the same as in the Acra Proxy. Starting from 0.96.0 the flag value will be true, by default.
 http_api_tls_transport_enable: false
 # Port for AcraServer for HTTP API
diff --git a/tests/test.py b/tests/test.py
index 669d99af..dfad4e14 100644
--- a/tests/test.py
+++ b/tests/test.py
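Review bot: The new help text for `http_api_tls_transport_enable` announces that the default becomes true in 0.96.0 but never states the current default, and because the flag is still registered with `false` Go's flag package prints no `(default false)` for it, so `--help` shows only the promise. Suggest wording that covers both, e.g. `"Enable HTTPS support for the API. Use together with the --http_api_enable. TLS configuration is the same as in the Acra Proxy. Currently defaults to false; starting from 0.96.0 it will default to true."` — the same applies to the patch 2 rewrite of this line and to the configs/acra-server.yaml comment in both patches. If realMain does not already warn when `*enableHTTPAPI && !*httpAPIUseTLS`, a `log.Warningln("HTTP API is enabled without TLS; from 0.96.0 http_api_tls_transport_enable defaults to true")` where the API listener is set up would make the plain-HTTP exposure visible to operators before the default flips. realMain starts and ends outside the hunk.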
@@ -657,7 +657,12 @@ def test_clearing(self):
 # execute any query for loading key by acra
 result = self.engine1.execute(sa.select([1]).limit(1))
 result.fetchone()
- with urlopen('http://localhost:{}/resetKeyStorage'.format(self.ACRASERVER_PORT + 1)) as response:
+ import ssl
+
+ ctx = ssl.create_default_context(cafile=base.TEST_TLS_CA)
+ ctx.load_cert_chain(base.TEST_TLS_CLIENT_CERT, base.TEST_TLS_CLIENT_KEY)
+
+ with urlopen('https://localhost:{}/resetKeyStorage'.format(self.ACRASERVER_PORT + 1), context=ctx) as response:
 self.assertEqual(response.status, 200)
diff --git a/tests/test_common.py b/tests/test_common.py
index dd9481b8..a9575dfb 100644
--- a/tests/test_common.py
+++ b/tests/test_common.py
@@ -261,6 +261,7 @@ def get_acra_cli_args(self, acra_kwargs):
 'acrastruct_injectedcell_enable': 'false' if self.WHOLECELL_MODE else 'true',
 'd': 'true' if self.DEBUG_LOG else 'false',
 'http_api_enable': 'true',
+ 'http_api_tls_transport_enable': 'true',
 'keystore_cache_on_start_enable': 'false',
 'keys_dir': base.KEYS_FOLDER.name,
 }
From 498a12a9762b56db498084b25c385812c015a522 Mon Sep 17 00:00:00 2001
From: Artem Zhmaka
Date: Thu, 26 Jan 2023 17:11:01 +0000
Subject: [PATCH 2/3] zhars/renew_info_about_tls_http_api Fixed flag description
---
 cmd/acra-server/acra-server.go | 2 +-
 configs/acra-server.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/cmd/acra-server/acra-server.go b/cmd/acra-server/acra-server.go
index 297e6dad..f4e14674 100644
--- a/cmd/acra-server/acra-server.go
+++ b/cmd/acra-server/acra-server.go
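Review bot: Setting `'http_api_tls_transport_enable': 'true'` unconditionally in get_acra_cli_args means the harness now exercises only the HTTPS API path, while the server default in this series stays `false`, so the plain-HTTP configuration users get out of the box is no longer covered by any test. Consider keeping one test that starts AcraServer without this override (or letting a value from `acra_kwargs` win over the hard-coded entry, if the dict is merged with it later) and asserting the API still answers over `http://`. Any remaining tests that reach the API port with `http://` will now fail at the TLS handshake; only test_clearing is converted in this series as far as the hunks show. get_acra_cli_args starts and ends outside the hunk.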
@@ -142,7 +142,7 @@ func realMain() error {
 scriptOnPoison := flag.String("poison_run_script_file", "", "On detecting poison record: log about poison record detection, execute script, return decrypted data")
 enableHTTPAPI := flag.Bool("http_api_enable", false, "Enable HTTP API. Use together with --http_api_tls_transport_enable whenever possible.")
- httpAPIUseTLS := flag.Bool("http_api_tls_transport_enable", false, "Enable HTTPS support for the API. Use together with the --http_api_enable. TLS configuration is the same as in the Acra Proxy. Starting from 0.96.0 the flag value will be true, by default.")
+ httpAPIUseTLS := flag.Bool("http_api_tls_transport_enable", false, "Enable HTTPS support for the API. Use together with the --http_api_enable. TLS configuration is the same as in the Acra Proxy. Starting from 0.96.0 the flag value will be true by default.")
 network.RegisterTLSBaseArgs(flag.CommandLine)
 network.RegisterTLSArgsForService(flag.CommandLine, false, "", network.ClientNameConstructorFunc())
diff --git a/configs/acra-server.yaml b/configs/acra-server.yaml
index 08a3a43a..6f804be3 100644
--- a/configs/acra-server.yaml
+++ b/configs/acra-server.yaml
@@ -95,7 +95,7 @@ generate_markdown_args_table: false
 # Enable HTTP API. Use together with --http_api_tls_transport_enable whenever possible.
 http_api_enable: false
-# Enable HTTPS support for the API. Use together with the --http_api_enable. TLS configuration is the same as in the Acra Proxy. Starting from 0.96.0 the flag value will be true, by default.
+# Enable HTTPS support for the API. Use together with the --http_api_enable. TLS configuration is the same as in the Acra Proxy. Starting from 0.96.0 the flag value will be true by default.
 http_api_tls_transport_enable: false
 # Port for AcraServer for HTTP API
From fa06f19e1fbb9f5072f71c5998fb0df91358e125 Mon Sep 17 00:00:00 2001
From: Artem Zhmaka
Date: Fri, 27 Jan 2023 09:33:31 +0000
Subject: [PATCH 3/3] zhars/renew_info_about_tls_http_api Fixed after review
---
 tests/test.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/tests/test.py b/tests/test.py
index dfad4e14..84df719d 100644
--- a/tests/test.py
+++ b/tests/test.py
@@ -657,12 +657,11 @@ def test_clearing(self):
 # execute any query for loading key by acra
 result = self.engine1.execute(sa.select([1]).limit(1))
 result.fetchone()
- import ssl
- ctx = ssl.create_default_context(cafile=base.TEST_TLS_CA)
- ctx.load_cert_chain(base.TEST_TLS_CLIENT_CERT, base.TEST_TLS_CLIENT_KEY)
-
- with urlopen('https://localhost:{}/resetKeyStorage'.format(self.ACRASERVER_PORT + 1), context=ctx) as response:
+ ssl_context = ssl.create_default_context(cafile=base.TEST_TLS_CA)
+ ssl_context.load_cert_chain(base.TEST_TLS_CLIENT_CERT, base.TEST_TLS_CLIENT_KEY)
+ ssl_context.check_hostname = True
+ with urlopen('https://localhost:{}/resetKeyStorage'.format(self.ACRASERVER_PORT + 1), context=ssl_context) as response:
 self.assertEqual(response.status, 200)
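Review bot: `ssl_context.check_hostname = True` on the new side of the hunk is a no-op — `ssl.create_default_context()` already returns a context with `check_hostname = True` and `verify_mode = CERT_REQUIRED` — so either drop the line or keep it with a comment stating the intent, e.g. `# explicit: the test must fail if the server cert is not issued for 'localhost'`. This patch also removes the in-function `import ssl` added in patch 1 without adding one in the hunk; if `ssl` is not imported at the top of tests/test.py, `ssl.create_default_context` raises NameError at runtime, which cannot be confirmed from here. Since the harness now drives every test over TLS (the `http_api_tls_transport_enable` override in tests/test_common.py), these three context-building lines are likely to be repeated in other API tests; a helper on the base test class returning the configured `ssl.SSLContext` would keep the CA and client-certificate choice in one place. test_clearing starts outside the hunk.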