Support Client Side Cert for Livy #576

Open
wants to merge 4 commits into
base: master
Changes from 3 commits
9 changes: 7 additions & 2 deletions sparkmagic/sparkmagic/kernels/kernelmagics.py
Expand Up @@ -18,7 +18,7 @@
from sparkmagic.utils.sparkevents import SparkEvents
from sparkmagic.utils.constants import LANGS_SUPPORTED
from sparkmagic.livyclientlib.command import Command
from sparkmagic.livyclientlib.endpoint import Endpoint
from sparkmagic.livyclientlib.endpoint import Endpoint, SSLInfo
from sparkmagic.magics.sparkmagicsbase import SparkMagicBase
from sparkmagic.livyclientlib.exceptions import handle_expected_exceptions, wrap_unexpected_exceptions, \
BadUserDataException
Expand Down Expand Up @@ -389,7 +389,12 @@ def matplot(self, line, cell="", local_ns=None):
def refresh_configuration(self):
credentials = getattr(conf, 'base64_kernel_' + self.language + '_credentials')()
(username, password, auth, url) = (credentials['username'], credentials['password'], credentials['auth'], credentials['url'])
self.endpoint = Endpoint(url, auth, username, password)
(ssl_client_cert, ssl_client_key, ssl_verify) = (credentials.get('ssl_client_cert'), credentials.get('ssl_client_key'), credentials.get('ssl_verify'),)
Contributor

Could we say "TLS" instead of "SSL" everywhere? It's been TLS for 20 years now :)

if ssl_client_cert is None:
ssl_info = None
else:
ssl_info = SSLInfo(ssl_client_cert, ssl_client_key, ssl_verify)
self.endpoint = Endpoint(url, auth, username, password, ssl_info=ssl_info)

def get_session_settings(self, line, force):
line = line.strip()
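Review bot: In `refresh_configuration`, a partial TLS configuration is dropped without any error: when `ssl_client_cert` is missing, `ssl_info` becomes `None` even if `ssl_client_key` was supplied, so the kernel connects without the client certificate the user believed was configured. Failing closed seems safer, for example `if ssl_client_cert is None and ssl_client_key is not None: raise BadUserDataException(u"ssl_client_key is set but ssl_client_cert is missing")` ahead of the existing branch; `BadUserDataException` is already imported at the top of this file. An `ssl_verify` given without a certificate is ignored the same way and should be either honoured or rejected explicitly.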
31 changes: 28 additions & 3 deletions sparkmagic/sparkmagic/livyclientlib/endpoint.py
Expand Up @@ -3,7 +3,7 @@


class Endpoint(object):
def __init__(self, url, auth, username="", password="", implicitly_added=False):
def __init__(self, url, auth, username="", password="", implicitly_added=False, ssl_info=None):
if not url:
raise BadUserDataException(u"URL must not be empty")
if auth not in AUTHS_SUPPORTED:
Expand All @@ -13,6 +13,7 @@ def __init__(self, url, auth, username="", password="", implicitly_added=False):
self.username = username
self.password = password
self.auth = auth
self.ssl_info = ssl_info
# implicitly_added is set to True only if the endpoint wasn't configured manually by the user through
# a widget, but was instead implicitly defined as an endpoint to a wrapper kernel in the configuration
# JSON file.
Expand All @@ -21,13 +22,37 @@ def __init__(self, url, auth, username="", password="", implicitly_added=False):
def __eq__(self, other):
if type(other) is not Endpoint:
return False
return self.url == other.url and self.username == other.username and self.password == other.password and self.auth == other.auth
return self.url == other.url and self.username == other.username and self.password == other.password and self.auth == other.auth and self.ssl_info == other.ssl_info

def __hash__(self):
return hash((self.url, self.username, self.password, self.auth))
return hash((self.url, self.username, self.password, self.auth, self.ssl_info))

def __ne__(self, other):
return not self == other

def __str__(self):
return u"Endpoint({})".format(self.url)

class SSLInfo(object):
Contributor

Add a docstring explaining what this class does and what the parameters are.

Contributor

Also, this seems like a good place to start using attrs (http://www.attrs.org/en/stable/), it'll make this class much much shorter.

def __init__(self, client_cert, client_key, ssl_verify):
Contributor

Having two different places where you set ssl_verify, this and the config, bothers me a little. Is there a reason to have it here and not just rely on the config?

self.client_cert = client_cert
self.client_key = client_key
self.ssl_verify = ssl_verify

@property
def cert(self):
return (self.client_cert, self.client_key, )

def __eq__(self, other):
if type(other) is not SSLInfo:
return False
return self.client_cert == other.client_cert and self.client_key == other.client_key and self.ssl_verify == other.ssl_verify

def __hash__(self):
return hash((self.client_cert, self.client_key, self.ssl_verify))

def __ne__(self, other):
return not self == other

def __str__(self):
return u"SSLInfo(client_cert={}, client_key={}, ssl_verify={})".format(self.client_cert, self.client_key, self.ssl_verify)
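Review bot: `SSLInfo.__str__` puts the private-key path and the verification flag into the string form, whereas `Endpoint.__str__` just above prints only the URL. If an `SSLInfo` is ever formatted into a log line or notebook output (not visible from this section), that tells any reader of the output where the key material lives on disk. I would keep the string form to the certificate, e.g. `return u"SSLInfo(client_cert={})".format(self.client_cert)`.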
32 changes: 27 additions & 5 deletions sparkmagic/sparkmagic/livyclientlib/reliablehttpclient.py
Expand Up @@ -61,15 +61,37 @@ def _send_request_helper(self, url, accepted_status_codes, function, data, retry
try:
if self._endpoint.auth == constants.NO_AUTH:
if data is None:
Contributor

This now has a huge amount of duplicate paths and code, which makes me worry about errors. Can it be simplified? E.g.

if data is not None:
    data = json.dumps(data)

at the top would simplify it quite a lot, and so on.

r = function(url, headers=self._headers, verify=self.verify_ssl)
if self._endpoint.ssl_info is None:
r = function(url, headers=self._headers, verify=self.verify_ssl)
else:
r = function(url, headers=self._headers,
verify=self._endpoint.ssl_info.ssl_verify,
cert=self._endpoint.ssl_info.cert)
else:
r = function(url, headers=self._headers, data=json.dumps(data), verify=self.verify_ssl)
if self._endpoint.ssl_info is None:
r = function(url, headers=self._headers, data=json.dumps(data), verify=self.verify_ssl)
else:
r = function(url, headers=self._headers, data=json.dumps(data),
verify=self._endpoint.ssl_info.ssl_verify,
cert=self._endpoint.ssl_info.cert)
else:
if data is None:
r = function(url, headers=self._headers, auth=self._auth, verify=self.verify_ssl)
if self._endpoint.ssl_info is None:
r = function(url, headers=self._headers, auth=self._auth, verify=self.verify_ssl)
else:
r = function(url, headers=self._headers, auth=self._auth,
verify=self._endpoint.ssl_info.ssl_verify,
cert=self._endpoint.ssl_info.cert)
else:
r = function(url, headers=self._headers, auth=self._auth,
data=json.dumps(data), verify=self.verify_ssl)
if self._endpoint.ssl_info is None:
r = function(url, headers=self._headers, auth=self._auth,
data=json.dumps(data), verify=self.verify_ssl)
else:
r = function(url, headers=self._headers, auth=self._auth,
data=json.dumps(data),
verify=self._endpoint.ssl_info.ssl_verify,
cert=self._endpoint.ssl_info.cert)

except requests.exceptions.RequestException as e:
error = True
r = None
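Review bot: When `ssl_info` is set, every branch passes `verify=self._endpoint.ssl_info.ssl_verify` in place of `self.verify_ssl`, and kernelmagics.py fills that field from `credentials.get('ssl_verify')`, so an endpoint with a client certificate but no `ssl_verify` key sends `verify=None` and the client's own setting is never consulted. The effective server-verification policy then depends on how `function` treats `None`, which is not visible here. I would resolve it once before the request, `ssl_info = self._endpoint.ssl_info` followed by `verify = self.verify_ssl if ssl_info is None or ssl_info.ssl_verify is None else ssl_info.ssl_verify`, and pass `cert=` only when `ssl_info` is present. `_send_request_helper` starts above this hunk and continues below it.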
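--- a/sparkmagic/sparkmagic/tests/test_configuration.py
+++ b/sparkmagic/sparkmagic/tests/test_configuration.py
@@ -20,28 +20,40 @@ def test_configuration_override_base64_password():
 assert_equals(conf.d, { conf.kernel_python_credentials.__name__: kpc,
 conf.livy_session_startup_timeout_seconds.__name__: 1 })
 assert_equals(conf.livy_session_startup_timeout_seconds(), 1)
-assert_equals(conf.base64_kernel_python_credentials(), { 'username': 'U', 'password': 'password', 'url': 'L', 'auth': AUTH_BASIC })
+assert_equals(conf.base64_kernel_python_credentials(), {
+'username': 'U', 'password': 'password', 'url': 'L', 'auth': AUTH_BASIC,
+'ssl_client_cert': None, 'ssl_client_key': None, 'ssl_verify': None
+})
 
 
 @with_setup(_setup)
 def test_configuration_auth_missing_basic_auth():
 kpc = { 'username': 'U', 'password': 'P', 'url': 'L'}
 overrides = { conf.kernel_python_credentials.__name__: kpc }
 conf.override_all(overrides)
-assert_equals(conf.base64_kernel_python_credentials(), { 'username': 'U', 'password': 'P', 'url': 'L', 'auth': AUTH_BASIC })
+assert_equals(conf.base64_kernel_python_credentials(), {
+'username': 'U', 'password': 'P', 'url': 'L', 'auth': AUTH_BASIC,
+'ssl_client_cert': None, 'ssl_client_key': None, 'ssl_verify': None
+})
 
 
 @with_setup(_setup)
 def test_configuration_auth_missing_no_auth():
 kpc = { 'username': '', 'password': '', 'url': 'L'}
 overrides = { conf.kernel_python_credentials.__name__: kpc }
 conf.override_all(overrides)
-assert_equals(conf.base64_kernel_python_credentials(), { 'username': '', 'password': '', 'url': 'L', 'auth': NO_AUTH })
+assert_equals(conf.base64_kernel_python_credentials(), {
+'username': '', 'password': '', 'url': 'L', 'auth': NO_AUTH,
+'ssl_client_cert': None, 'ssl_client_key': None, 'ssl_verify': None
+})
 
 
 @with_setup(_setup)
 def test_configuration_override_fallback_to_password():
-kpc = { 'username': 'U', 'password': 'P', 'url': 'L', 'auth': NO_AUTH }
+kpc = {
+'username': 'U', 'password': 'P', 'url': 'L', 'auth': NO_AUTH,
+'ssl_client_cert': None, 'ssl_client_key': None, 'ssl_verify': None
+}
 overrides = { conf.kernel_python_credentials.__name__: kpc }
 conf.override_all(overrides)
 conf.override(conf.livy_session_startup_timeout_seconds.__name__, 1)
@@ -60,7 +72,12 @@ def test_configuration_override_work_with_empty_password():
 assert_equals(conf.d, { conf.kernel_python_credentials.__name__: kpc,
 conf.livy_session_startup_timeout_seconds.__name__: 1 })
 assert_equals(conf.livy_session_startup_timeout_seconds(), 1)
-assert_equals(conf.base64_kernel_python_credentials(), { 'username': 'U', 'password': '', 'url': '', 'auth': AUTH_BASIC })
+assert_equals(
+conf.base64_kernel_python_credentials(), {
+'username': 'U', 'password': '', 'url': '', 'auth': AUTH_BASIC,
+'ssl_client_cert': None, 'ssl_client_key': None, 'ssl_verify': None
+}
+)
 
 
 @raises(BadUserConfigurationException)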
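Review bot: Every expectation added in this file has the three new keys as `None`, so nothing checks that configured values survive `base64_kernel_python_credentials()`. A test whose `kpc` carries constructed values such as `'ssl_client_cert': 'C', 'ssl_client_key': 'K', 'ssl_verify': False` and asserts they come back unchanged would pin the pass-through, including the falsy `ssl_verify` case that is meant to switch server verification off. The second hunk begins inside `test_configuration_override_work_with_empty_password`, whose opening lines are outside the view.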
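--- a/sparkmagic/sparkmagic/utils/configuration.py
+++ b/sparkmagic/sparkmagic/utils/configuration.py
@@ -255,7 +255,9 @@ def _credentials_override(f):
 If 'base64_password' is not set, it will fallback to 'password' in config.
 """
 credentials = f()
-base64_decoded_credentials = {k: credentials.get(k) for k in ('username', 'password', 'url', 'auth')}
+base64_decoded_credentials = {k: credentials.get(k) for k in (
+'username', 'password', 'url', 'auth', 'ssl_client_cert', 'ssl_client_key', 'ssl_verify'
+)}
 base64_password = credentials.get('base64_password')
 if base64_password is not None:
 try: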
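Review bot: The three new keys are copied with `credentials.get(k)` and no type check, and `ssl_verify` later becomes the `verify=` argument of the HTTP call in reliablehttpclient.py. As far as I know, requests treats any falsy `verify` value (for instance `0` or an empty string left in a hand-edited JSON config) as "do not verify the server certificate", so a typo could silently disable verification; this should be confirmed against the requests version in use. Rejecting such values here keeps the decision explicit, e.g. `if ssl_verify is not None and ssl_verify is not False and not ssl_verify: raise BadUserConfigurationException(u"ssl_verify must be true, false or a CA bundle path")`; the exception name is taken from the tests in this PR and its import in this file is not visible. The docstring of `_credentials_override`, which starts above the hunk, should also list the new keys and say that absent ones come back as `None`.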