Add a node.secure_fetch boolean keyword

The default is true.
opensvc · Nov 25, 2020 · 57210db · 57210db
1 parent bac57ce
commit 57210db
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 6 deletions.
diff --git a/opensvc/core/node/node.py b/opensvc/core/node/node.py
@@ -1919,8 +1919,9 @@ def updatecomp(self):
 
         from utilities.uri import Uri
         print("get %s" % pkg_name)
+        secure = self.oget("node", "secure_fetch")
         try:
-            with Uri(pkg_name).fetch() as fpath:
+            with Uri(pkg_name, secure=secure).fetch() as fpath:
                 self._updatecomp(fpath)
         except IOError as exc:
             print("download failed", ":", exc, file=sys.stderr)
@@ -2009,8 +2010,9 @@ def updatepkg(self):
 
         from utilities.uri import Uri
         print("get %s" % pkg_name)
+        secure = self.oget("node", "secure_fetch")
         try:
-            with Uri(pkg_name).fetch() as fpath:
+            with Uri(pkg_name, secure=secure).fetch() as fpath:
                 print("updating opensvc")
                 mod.update(fpath)
         except IOError as exc:
@@ -2093,8 +2095,9 @@ def do(fpath):
 
         from utilities.uri import Uri
         print("get %s" % bundle_name)
+        secure = self.oget("node", "secure_fetch")
         try:
-            with Uri(bundle_name).fetch() as fpath:
+            with Uri(bundle_name, secure=secure).fetch() as fpath:
                 do(fpath)
         except IOError as exc:
             print("download failed", ":", exc, file=sys.stderr)
@@ -2797,8 +2800,9 @@ def svc_conf_from_uri(self, name, namespace, kind, fpath):
         """
         from utilities.uri import Uri
         print("get %s" % fpath)
+        secure = self.oget("node", "secure_fetch")
         try:
-            with Uri(fpath).fetch() as tmpfpath:
+            with Uri(fpath, secure=secure).fetch() as tmpfpath:
                 return self.svc_conf_from_file(name, namespace, kind, tmpfpath)
         except IOError as exc:
             print("download failed", ":", exc, file=sys.stderr)

diff --git a/opensvc/core/node/nodedict.py b/opensvc/core/node/nodedict.py
@@ -287,6 +287,13 @@
 ]
 
 KEYWORDS = [
+    {
+        "section": "node",
+        "keyword": "secure_fetch",
+        "default": True,
+        "convert": "boolean",
+        "text": "If set to false, disable ssl authentication checks on all uri fetches."
+    },
     {
         "section": "node",
         "keyword": "min_avail_mem",

diff --git a/opensvc/daemon/listener.py b/opensvc/daemon/listener.py
@@ -184,8 +184,9 @@ def fetch_crl(self):
         if os.path.exists(crl):
             return crl
         crl_path = os.path.join(Env.paths.certs, "certificate_revocation_list")
+        secure = shared.NODE.oget("node", "secure_fetch")
         try:
-            with Uri(crl).fetch() as fpath:
+            with Uri(crl, secure=secure).fetch() as fpath:
                 shutil.copy(fpath, crl_path)
             # TODO: extract expire from crl
             self.crl_expire = time.time() + 60*60*24

diff --git a/opensvc/drivers/resource/container/lxc/__init__.py b/opensvc/drivers/resource/container/lxc/__init__.py
@@ -806,8 +806,9 @@ def get_template(self):
             self.log.info("template %s already downloaded"%self.template_fname)
             return
         from utilities.uri import Uri
+        secure = self.node.oget("node", "secure_fetch")
         try:
-            with Uri(self.template).fetch() as fpath:
+            with Uri(self.template, secure=secure).fetch() as fpath:
                 shutil.copy(fpath, self.template_local)
         except IOError as e:
             self.log.error("download failed", ":", e)