(#248) support disable cert validation in webhook

Webhooks are often hosted behind firewalls on private machines without
real domains and very frequently invalid certs, so cert validation
should be optional

This adds a verify_ssl task property for webhooks that is on by default

CHANGELOG.md

@@ -1,5 +1,6 @@
 |Date      |Issue |Description                                                                                              |
 |----------|------|---------------------------------------------------------------------------------------------------------|
+|2017/04/12|248   |Allow cert validation to be disabled in webhook                                                          |
 |2017/04/12|250   |Accept http code 201 as a valid return code for the webhook playbook task                                |
 |2017/03/30|212   |Add batch_sleep_time to mcollective playbook task                                                        |
 |2017/03/30|244   |Show correct PuppetDB information in `mco choria show_config`                                            |

lib/mcollective/connector/nats.rb

@@ -243,7 +243,7 @@ def publish_federated_directed(msg)
           messages.each do |data|
             network_target = "choria.federation.%s.federation" % network
 
-            Log.debug("Sending a federated direct message via NATS target '%s' for message type %s" % [target.inspect, msg.type])
+            Log.debug("Sending a federated direct message via NATS target '%s' for message type %s" % [network_target, msg.type])
 
             connection.publish(network_target, data, target[:headers]["reply-to"])
           end

lib/mcollective/util/playbook/tasks/webhook_task.rb

@@ -8,6 +8,8 @@ class Tasks
         class WebhookTask < Base
           USER_AGENT = "Choria Playbooks http://choria.io".freeze
 
+          attr_reader :verify_ssl
+
           def validate_configuration!
             raise("A uri is required") unless @uri
             raise("Only GET and POST is supported as methods") unless ["GET", "POST"].include?(@method)
@@ -19,6 +21,7 @@ def from_hash(data)
             @uri = data["uri"]
             @method = data.fetch("method", "POST").upcase
             @request_id = SSL.uuid
+            @verify_ssl = Util.str_to_bool(data.fetch("verify_ssl", true))
 
             self
           end
@@ -70,13 +73,23 @@ def choria
             @_choria ||= Util::Choria.new("production", nil, false)
           end
 
-          def run
-            uri = create_uri
+          def http(uri)
+            http = choria.https({:target => uri.host, :port => uri.port}, false)
+
+            if verify_ssl
+              http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+            else
+              http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+            end
 
-            http = choria.https(:target => uri.host, :port => uri.port)
             http.use_ssl = false if uri.scheme == "http"
 
-            resp = http.request(http_request(uri))
+            http
+          end
+
+          def run
+            uri = create_uri
+            resp = http(uri).request(http_request(uri))
 
             Log.debug("%s request to %s returned code %s with body: %s" % [@method, uri.to_s, resp.code, resp.body])
 

spec/unit/mcollective/util/playbook/tasks/webhook_task_spec.rb

@@ -20,12 +20,31 @@ class Tasks
             )
           end
 
+          describe "#http" do
+            it "should support https requests with and without SSL verification" do
+              http = task.http(URI("https://localhost"))
+              expect(http.verify_mode).to be(OpenSSL::SSL::VERIFY_PEER)
+              expect(http.use_ssl?).to be(true)
+
+              task.from_hash(
+                "verify_ssl" => false
+              )
+
+              http = task.http(URI("https://localhost"))
+              expect(http.verify_mode).to be(OpenSSL::SSL::VERIFY_NONE)
+              expect(http.use_ssl?).to be(true)
+            end
+
+            it "should support http requests" do
+              http = task.http(URI("http://localhost"))
+              expect(http.use_ssl?).to be(false)
+            end
+          end
+
           describe "#run" do
             it "should handle 200 as success" do
-              task.expects(:choria).returns(choria = stub)
-              choria.expects(:https).with(:target => "localhost", :port => 80).returns(http = stub)
-              http.expects(:use_ssl=).with(false)
-              http.expects(:request).returns(stub(:code => "200", :body => "ok"))
+              stub_request(:post, "http://localhost/rspec?foo=bar").to_return(:status => 200, :body => "ok")
+
               expect(task.run).to eq(
                 [
                   true,
@@ -36,10 +55,8 @@ class Tasks
             end
 
             it "should handle 201 as success" do
-              task.expects(:choria).returns(choria = stub)
-              choria.expects(:https).with(:target => "localhost", :port => 80).returns(http = stub)
-              http.expects(:use_ssl=).with(false)
-              http.expects(:request).returns(stub(:code => "201", :body => "ok"))
+              stub_request(:post, "http://localhost/rspec?foo=bar").to_return(:status => 201, :body => "ok")
+
               expect(task.run).to eq(
                 [
                   true,
@@ -50,10 +67,7 @@ class Tasks
             end
 
             it "should handle !200 as failure" do
-              task.expects(:choria).returns(choria = stub)
-              choria.expects(:https).with(:target => "localhost", :port => 80).returns(http = stub)
-              http.expects(:use_ssl=).with(false)
-              http.expects(:request).returns(stub(:code => "404", :body => "not found"))
+              stub_request(:post, "http://localhost/rspec?foo=bar").to_return(:status => 404, :body => "not found")
               expect(task.run).to eq(
                 [
                   false,