Add ssl_verify to manage selfsigned certificate

[heurtematte]

Allow to param ssl_verify in configuration, allow to request https localhost homeserver with self signed certificate.

~/.config/synadm.yaml

ssl_verify: False

Signed-off-by: sebastien.heurtematte sebastien.heurtematte@eclipse-foundation.org

[JOJ0]

Hi @heurtematte, thanks for the submission, I'm sure this is a very useful features for a lot of other synadm users as well! Nice!

One thing that comes up in a first and unthorough review is that you define boolean as for the new verify flag on cli level but at some point in the code it is changed / has a default value of None which not really is boolean. Is there a reason for that or could we change it to stay True/False everywhere?

Also, some tiny formatting issues are detected by our linter (flake8) in the CI.

Thanks again and speak soon!

[heurtematte]

Is there a reason for that or could we change it to stay True/False everywhere?

I wanted to keep the method query in the same state, and offer the possibility to override the value programmatically if really necessary over configuration setting, and testing None is easire than a boolean value.

def query(self, method, urlpart, params=None, data=None, token=None,
              base_url_override=None, verify=None):

Tell me if you want me to change this behavior.

I'll check the linter.

[JOJ0]

Sorry for being picky but we are partly changing something very fundamental here and need to make sure synadm behaves correctly in all use cases. Thanks for your patience and further refinement.

In the end these things count most IMO:

• What will happen if a user updates synadm to this new version and thus, does not have this new option in the config already? I guess the configurator will pop up automatically on any run AFAIR . That still the case?
• The default for new synadm users in the auto-configurator should still be "SSL verification is enabled."
• It should be clear to the user on installation and upgrade what the state of the setting SSL verification currently is.

It would help me reviewing if you post some cli outputs of the configurator and other related cli calls. I'm always concerened with the user experience and --help the most :-)))

[JOJ0]

The backslash and the indentation is not required in Python. See other help variables using triple double quotes a little further above. Thanks :-)

Although I feel it's sufficient here to leave the False... part out entirely. Most people/admins will be aware of what ssl_verify option means. It's kind of self-descriptive int that context.

[Ascurius]

Please note that we have currently not defined the default values of the other config variables explicitly in the help string. Because if you run the configurator the current value (by default is set to the values defined in APIHelper.CONFIG) is presented behind each prompt within brackets, so the user exactly knows which value the corresponding config variable is currently set to. For example it looks like Synapse base URL [http://localhost:8008].
Therefore I don't think that there is a need to explicitly state the default value within the help string

[heurtematte]

sounds good!

[JOJ0]

I'd prefer the wording: ....using this argument.

[heurtematte]

ok

[JOJ0]

Youwould like to see whatexactly is wrong? Value missing or empty string for example? Or other reason why you added value to be displayed?

You are now only checking for None. The if not value would have also catched empty strings which also often would cause errors. Not sure but did you test thorougly with setting other values in the config to weird things and made sure things will be catched?

Also note: The usual default of things we get from a Click-defined options is actually None if not specified otherwise. But please doublecheck all possible things that might go wrong here even if a user edits config.yaml manually (without the configurator)

[heurtematte]

Good catch. I roll back my modification.

[heurtematte]

I remember why now.

If I set false to the ssl_verify configuration. I have this message

ERROR Config entry missing: ssl_verify, False

So I must deal with string value and boolean value.

[JOJ0]

I understand!

[JOJ0]

I'd prefer the wording: ....using this argument.

Also, is the type now still bool?

[heurtematte]

Good question! I'll check

[heurtematte]

We can keep bool type

[JOJ0]

Default true can be specified by Click's show_default=True flag. Use that and I think we could then rephares this help text to something like: "Whether or not SSL certificates should be verified. Set to False to allow self-signed certifcates." or maybe even shorter because ssl_verify tells it all to a regular Matrix user/admin already:

Set to False to allow self-signed certifcates. Also of I recall correctly, in yaml true needs to be spelled in non capital letters! Other than in Python! I wonder if that example should already use that spelling? Oooor - I didn't check - if the configurator would handle this lower-casing automatically.... Please doulbe check!

[heurtematte]

Yaml seems to support different case: |true|True|TRUE|false|False|FALSE
According to https://yaml.org/type/bool.html

[JOJ0]

Hi @heurtematte can I assist with anything else?

There are some things to fix. No hurry in doing that right away. Take your time, the merge of this new feature can wait. I just would like to know if you're still on it.

In the meantime I did some testing and another thing comes up. It seems the actual value set in the config is not displayed in the interactive configurator. This is misleading. Have a look how other config settings do it. Any non-sensitive information should be printed while the user reconfigures.

(synadm38) ~/git/heurtematte_synadm (master) $ grep verify ~/.config/synadm.yaml 
ssl_verify: 'false'
(synadm38) ~/git/heurtematte_synadm (master) $ 
(synadm38) ~/git/heurtematte_synadm (master) $ 
(synadm38) ~/git/heurtematte_synadm (master) $ 
(synadm38) ~/git/heurtematte_synadm (master) $ synadm config 
Running configurator...
Synapse admin user name [admin]: 
Synapse admin user token [REDACTED]: 
Synapse base URL [https://example.org]: 
Synapse admin API path [/_synapse/admin]: 
Matrix API path [/_matrix]: 
Default output format (yaml, json, human, pprint) [yaml]: 
Default http timeout [3600]: 
Homeserver name (auto-retrieval or matrix.DOMAIN) [auto-retrieval]: 
Verify certificate (Default True, False allow to manage                 selfsigned certificate) [True]: 

Also we see that the (text in brackets) is rather long and contains a line break. I've mentionend that above already but now I'm sure that it would be sufficient here to make this prompt look like this:

Verify certificate [true]: 

Cert verification (or not) is a logical thing for any admin, no further visual distraction required.

[heurtematte]

sorry a bit busy! I'll take a look by the end of the week.

[JOJ0]

Hi @heurtematte, thanks for your changes last week. We've been busy with other things in the project but I think around next week might be able to conintue work here. We'd like to do some testing and tiny changes to finalize this. Do you mind if we take over your branch to incorporate said finalization? Thanks!

[JOJ0]

Hi @JacksonChen666, I've added a couple of formatting but also functional fixes to make a real boolean value in the config work.

Please could you possibly try this in your testing environment:

• What happens if the config is missing at all? For example if a user had used synadm before and now upgrades withouth taking care of the config. -> Should be just ignored and the default of "True" is used.
• What happens if the user issues synadm config for the first time after an upgrade (withouth the option)
• What happens if rubbish is written into the config? E.g ssl_verify: bollocks text

Thanks a lot!

[JacksonChen666]

Please could you possibly try this in your testing environment:
* What happens if rubbish is written into the config? E.g ssl_verify: bollocks text

default value is used regardless of config values, even if configured with False in synadm config it will default to True (very likely not intended behavior).

I have made a comment in the place where I think the issue is, plus something else I noticed.

[JacksonChen666]

test? "Modify test synadm's configuration" doesn't make sense language-wise

[JOJ0]

Oh, that seems to be a leftover of some debugging by the OP or something. Corrected.

[JacksonChen666]

default=True is odd in this case, as defaults aren't set in any options above but instead below in the click.prompt things.

this makes for a UI inconsistency where all other configs use the default value of whatever is set (in synadm config) in the options except for --ssl-verify.

[JOJ0]

Yes! You are absolutely right, we don't handle defaults that way! Defaults should always be handled via APIHelper.CONFIG and the click.prompt things as you noticed! Good catch! I fixed this.

I think now the behaviour is quite fine. Can you please give it another testrun?

To me it looks like this:

• We silently default to true if the option is missing.
• We display an error when the option is manually set wrongly to some non-boolean string.
  but we don't quit synadm and continue with subsequent errors. This is good, since otherwhise the configurator could not be run. For example:

(synadm38) ~/git/heurtematte_synadm (master) $ synadm -vv user details testuser2
DEBUG Config entry read. user: admin
DEBUG Config entry read. token: REDACTED
DEBUG Config entry read. base_url: https://peek-a-boo.at
DEBUG Config entry read. admin_path: /_synapse/admin
DEBUG Config entry read. matrix_path: /_matrix
DEBUG Config entry read. timeout: 3600
DEBUG Config entry read. server_discovery: well-known
DEBUG Config entry read. homeserver: peek-a-boo.at
ERROR Config value error: ssl_verify, crap must be boolean
DEBUG Config entry read. ssl_verify: crap
DEBUG Config entry read. format: yaml
DEBUG Formatter in use: yaml - <function dump at 0x7f69b9e70e18>
DEBUG A proper localpart was passed, generating MXID for local homeserver.
INFO  Querying get on https://peek-a-boo.at/_synapse/admin/v2/users/@testuser2:peek-a-boo.at
ERROR OSError while querying Synapse: Could not find a suitable TLS CA certificate bundle, invalid path: crap
User details could not be fetched.
(synadm38) ~/git/heurtematte_synadm (master) $ 

• A configurator run would still display the current value crap, and the user intentionally has to set 1 or true or True to fix it. I think that is ok:

(synadm38) ~/git/heurtematte_synadm (master) $ synadm config
ERROR Config value error: ssl_verify, crap must be boolean
Running configurator...
Synapse admin user name [admin]: 
Synapse admin user token [REDACTED]: 
Synapse base URL [https://peek-a-boo.at]: 
Synapse admin API path [/_synapse/admin]: 
Matrix API path [/_matrix]: 
Default output format (yaml, json, human, pprint) [yaml]: 
Default http timeout [3600]: 
Homeserver name (auto-retrieval or matrix.DOMAIN) [peek-a-boo.at]: 
Verify certificate [crap]: 1   
Server discovery mode (used with homeserver name auto-retrieval) (well-known, dns) [well-known]: 
Restricting access to config file to user only.

• They could still leave crap but then would get displayed an error again:

$ synadm config
ERROR Config value error: ssl_verify, crap must be boolean
Running configurator...
Synapse admin user name [admin]: 
Synapse admin user token [REDACTED]: 
Synapse base URL [https://peek-a-boo.at]: 
Synapse admin API path [/_synapse/admin]: 
Matrix API path [/_matrix]: 
Default output format (yaml, json, human, pprint) [yaml]: 
Default http timeout [3600]: 
Homeserver name (auto-retrieval or matrix.DOMAIN) [peek-a-boo.at]: 
Verify certificate [crap]: 
Server discovery mode (used with homeserver name auto-retrieval) (well-known, dns) [well-known]: 
Restricting access to config file to user only.
ERROR Config value error: ssl_verify, crap must be boolean