Login must ignore some SSL cert errors when --insecure #11145
Conversation
[test]
@@ -121,7 +121,7 @@ func (o *LoginOptions) getClientConfig() (*restclient.Config, error) { | |||
// certificate authority unknown, check or prompt if we want an insecure | |||
// connection or if we already have a cluster stanza that tells us to | |||
// connect to this particular server insecurely | |||
case x509.UnknownAuthorityError: | |||
case x509.UnknownAuthorityError, x509.HostnameError, x509.CertificateInvalidError: | |||
if o.InsecureTLS || | |||
hasExistingInsecureCluster(*clientConfig, *o.StartingKubeConfig) || | |||
promptForInsecureTLS(o.Reader, o.Out) { |
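Review bot: widening the case to x509.HostnameError and x509.CertificateInvalidError means a hostname mismatch or an expired/invalid certificate now takes the same silent path as an unknown CA whenever o.InsecureTLS is set or hasExistingInsecureCluster matches, so the user never learns which check was bypassed. Pass the error in, as promptForInsecureTLS(o.Reader, o.Out, err), so the prompt wording can differ per type, and consider writing the verification error to o.Out on the non-prompting paths too, so a skipped hostname or validity check stays visible in the login output.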
promptForInsecureTLS needs to tweak the text based on the error... pass in the error, and switch inside promptForInsecureTLS on the error type
@liggitt Sounds good, should we also show the original error message when prompting (so that in case of HostnameError it displays the expected/actual hostnames), or would a generic message be enough?
I would show the original error for hostname and certificateinvalid errors (along with nice wrapping text)
Done. Just note that it will prompt and in case you say `n`, it will error out and exit with pretty much the same message, just adding the `error:` prefix.
@@ -50,6 +53,12 @@ func GetPrettyMessageForServer(err error, serverName string) string { | |||
serverName = "server" | |||
} | |||
return fmt.Sprintf(tlsOversizedRecordMsg, err, serverName) | |||
|
|||
case certificateHostnameErrorReason: | |||
return fmt.Sprintf("The set of authorized names doesn't match the requested name: %s", err) |
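Review bot: the new certificateHostnameErrorReason arm ignores serverName, while the tlsOversizedRecordMsg arm just above formats it in (with the "server" fallback), so the user is not told which server presented the mismatched certificate. Suggest something like fmt.Sprintf("The server %s is using a certificate that does not match its hostname: %s", serverName, err), which also states the problem plainly instead of "set of authorized names".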
The server is using a certificate that does not match its hostname: %s ?
Sounds good, done.
return fmt.Sprintf("The set of authorized names doesn't match the requested name: %s", err) | ||
|
||
case certificateInvalidReason: | ||
return fmt.Sprintf("Invalid certificate: %s", err) |
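Review bot: "Invalid certificate: %s" does not say whose certificate is invalid, and x509.CertificateInvalidError covers several distinct reasons (expired or not yet valid, not authorized to sign, too many intermediates, and so on) whose detail lives only in the %s-formatted error text. Keep the %s so that detail survives, but prefix it with the server name as the tlsOversizedRecordMsg arm does, e.g. "The server %s is using an invalid certificate: %s" with serverName, so a user can tell an expired certificate on the intended server from a different server answering.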
The server is using an invalid certificate: %s
Done.
force-pushed from 5fdac9b to eaae833
@liggitt comments addressed.
force-pushed from 362d350 to 18a0307
a couple tweaks, then squash and LGTM
@@ -80,10 +81,23 @@ func dialToServer(clientConfig restclient.Config) error { | |||
return nil | |||
} | |||
|
|||
func promptForInsecureTLS(reader io.Reader, out io.Writer) bool { | |||
func promptForInsecureTLS(reader io.Reader, out io.Writer, err error) bool { | |||
var insecureTLSRequestReason string |
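Review bot: insecureTLSRequestReason is declared with no default, so if promptForInsecureTLS is reached with an err whose type is not one of the handled ones, the reason line is silently empty and the user is asked to accept an insecure connection with no explanation. Either assign a generic reason before the switch or treat an unhandled type as a bug and return false rather than prompting. Also, now that err is passed in, include err.Error() in the prompt so the user sees the actual mismatch (expected versus presented name, expiry) before answering.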
probably need a generic default reason
Don't think so, we are already filtered on the errors we check. If in future this changes or gets called by something else, you are asking for "prompt for insecure" when calling this anyway, and the reason line will just be suppressed.
@@ -103,6 +123,12 @@ func detectReason(err error) int { | |||
case strings.Contains(err.Error(), "tls: oversized record received"): | |||
return tlsOversizedRecordReason | |||
} | |||
switch err.(type) { |
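Review bot: detectReason runs the string match on "tls: oversized record received" first and the type switch second; the type switch is the more robust check, so move it ahead of the string comparisons and add an x509.UnknownAuthorityError arm returning certificateAuthorityUnknownReason, so the result no longer depends on error text. Note also that err.(type) only matches the concrete error value: if the dial error arrives wrapped in a *url.Error or *net.OpError, unwrap it via the Err field before switching, or the new arms will never fire and the call falls through to the text check.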
go ahead and add a case for UnknownAuthorityError here and return certificateAuthorityUnknownReason, just in case they change the text in the future
Done.
force-pushed from 4348669 to 23c7cd6
@liggitt should we backport?
force-pushed from 23c7cd6 to 7a623c5
@liggitt yep, fixed.
force-pushed from 7a623c5 to b91019e
[merge]
force-pushed from b91019e to 34a5bfd
Evaluated for origin test up to 34a5bfd
continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/9517/)
Evaluated for origin merge up to 34a5bfd
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/9540/) (Image: devenv-rhel7_5108)
Fixes #11122

When running `oc login --insecure-skip-tls-verify`, some SSL cert errors like hostname mismatch, cert invalid or expired, etc. must be ignored.

@thoraxe @liggitt @openshift/cli-review