Posted to notifications@libcloud.apache.org by to...@apache.org on 2013/11/16 18:30:56 UTC

[2/2] git commit: Modify drivers for public cloud providers which use HTTP Basic authentication to not allow insecure connections by default (secure kwarg being set to False).

Modify drivers for public cloud providers which use HTTP Basic
authentication to not allow insecure connections by default (secure kwarg
being set to False).

This way credentials can't accidentally be sent in plain text over the
wire.

Affected drivers: Bluebox, Joyent, NephoScale, OpSource, VPSNet


Project: http://git-wip-us.apache.org/repos/asf/libcloud/repo
Commit: http://git-wip-us.apache.org/repos/asf/libcloud/commit/a8aff7e1
Tree: http://git-wip-us.apache.org/repos/asf/libcloud/tree/a8aff7e1
Diff: http://git-wip-us.apache.org/repos/asf/libcloud/diff/a8aff7e1

Branch: refs/heads/trunk
Commit: a8aff7e1934e9cd07db7e966054b6cf2106b7160
Parents: 6ebe04b
Author: Tomaz Muraus <to...@apache.org>
Authored: Sat Nov 16 18:05:08 2013 +0100
Committer: Tomaz Muraus <to...@apache.org>
Committed: Sat Nov 16 18:30:46 2013 +0100

----------------------------------------------------------------------
 CHANGES                                | 10 ++++++++++
 libcloud/common/base.py                |  8 ++++++++
 libcloud/compute/drivers/bluebox.py    |  2 ++
 libcloud/compute/drivers/joyent.py     |  2 ++
 libcloud/compute/drivers/nephoscale.py |  2 ++
 libcloud/compute/drivers/opsource.py   |  2 ++
 libcloud/compute/drivers/vpsnet.py     |  2 ++
 libcloud/test/test_connection.py       | 13 +++++++++++++
 8 files changed, 41 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/libcloud/blob/a8aff7e1/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index d18f50f..cbb472f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -10,6 +10,16 @@ Changes with Apache Libcloud in development
       this driver.
       [Tomaz Muraus]
 
+    - Modify drivers for public cloud providers which use HTTP Basic
+      authentication to not allow insecure connections (secure constructor
+      kwarg being set to False) by default.
+
+      This way credentials can't accidentaly be sent in plain text over the
+      write.
+
+      Affected drivers: Bluebox, Joyent, NephoScale, OpSource, VPSNet
+      [Tomaz Muraus]
+
 Changes with Apache Libcloud 0.14.0-beta3
 
   *) General

http://git-wip-us.apache.org/repos/asf/libcloud/blob/a8aff7e1/libcloud/common/base.py
----------------------------------------------------------------------
diff --git a/libcloud/common/base.py b/libcloud/common/base.py
index 9dc778f..6cccc0a 100644
--- a/libcloud/common/base.py
+++ b/libcloud/common/base.py
@@ -391,12 +391,20 @@ class Connection(object):
     action = None
     cache_busting = False
 
+    allow_insecure = True
+
     def __init__(self, secure=True, host=None, port=None, url=None,
                  timeout=None):
         self.secure = secure and 1 or 0
         self.ua = []
         self.context = {}
 
+        if not self.allow_insecure and not secure:
+            # TODO: We should eventually switch to whitelist instead of
+            # blacklist approach
+            raise ValueError('Non https connections are not allowed (use '
+                             'secure=True)')
+
         self.request_path = ''
 
         if host:
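Review bot: The new guard in `Connection.__init__` tests only the `secure` argument, but the constructor also accepts `url`, and the rest of the body lies outside this hunk. If the scheme of `url` is later used to set `self.secure` (not visible here, so to be confirmed), an `http://` URL would still be accepted with `allow_insecure = False`. Running the check once after every assignment to `self.secure`, written as `if not self.allow_insecure and not self.secure:`, would cover both paths. The class default `allow_insecure = True` also means any Basic-auth driver not touched by this commit keeps accepting `secure=False`, which the TODO already acknowledges.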

http://git-wip-us.apache.org/repos/asf/libcloud/blob/a8aff7e1/libcloud/compute/drivers/bluebox.py
----------------------------------------------------------------------
diff --git a/libcloud/compute/drivers/bluebox.py b/libcloud/compute/drivers/bluebox.py
index 8dc1ba2..204e0de 100644
--- a/libcloud/compute/drivers/bluebox.py
+++ b/libcloud/compute/drivers/bluebox.py
@@ -119,6 +119,8 @@ class BlueboxConnection(ConnectionUserAndKey):
     secure = True
     responseCls = BlueboxResponse
 
+    allow_insecure = False
+
     def add_default_headers(self, headers):
         user_b64 = base64.b64encode(b('%s:%s' % (self.user_id, self.key)))
         headers['Authorization'] = 'Basic %s' % (user_b64)
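Review bot: `allow_insecure = False` is added without a comment saying why, here and in the matching hunks for joyent.py, nephoscale.py, opsource.py and vpsnet.py. Someone reading a driver on its own has to find `Connection.__init__` to learn that the flag makes `secure=False` raise. I would put `# Credentials are sent in an HTTP Basic Authorization header, so plain-HTTP connections are refused.` above each assignment.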

http://git-wip-us.apache.org/repos/asf/libcloud/blob/a8aff7e1/libcloud/compute/drivers/joyent.py
----------------------------------------------------------------------
diff --git a/libcloud/compute/drivers/joyent.py b/libcloud/compute/drivers/joyent.py
index f3c0132..1aa1a60 100644
--- a/libcloud/compute/drivers/joyent.py
+++ b/libcloud/compute/drivers/joyent.py
@@ -75,6 +75,8 @@ class JoyentConnection(ConnectionUserAndKey):
 
     responseCls = JoyentResponse
 
+    allow_insecure = False
+
     def add_default_headers(self, headers):
         headers['Accept'] = 'application/json'
         headers['Content-Type'] = 'application/json; charset=UTF-8'

http://git-wip-us.apache.org/repos/asf/libcloud/blob/a8aff7e1/libcloud/compute/drivers/nephoscale.py
----------------------------------------------------------------------
diff --git a/libcloud/compute/drivers/nephoscale.py b/libcloud/compute/drivers/nephoscale.py
index dc100ce..c8fad3b 100644
--- a/libcloud/compute/drivers/nephoscale.py
+++ b/libcloud/compute/drivers/nephoscale.py
@@ -95,6 +95,8 @@ class NephoscaleConnection(ConnectionUserAndKey):
     host = API_HOST
     responseCls = NephoscaleResponse
 
+    allow_insecure = False
+
     def add_default_headers(self, headers):
         """
         Add parameters that are necessary for every request

http://git-wip-us.apache.org/repos/asf/libcloud/blob/a8aff7e1/libcloud/compute/drivers/opsource.py
----------------------------------------------------------------------
diff --git a/libcloud/compute/drivers/opsource.py b/libcloud/compute/drivers/opsource.py
index e16dfec..fc98be3 100644
--- a/libcloud/compute/drivers/opsource.py
+++ b/libcloud/compute/drivers/opsource.py
@@ -134,6 +134,8 @@ class OpsourceConnection(ConnectionUserAndKey):
     _orgId = None
     responseCls = OpsourceResponse
 
+    allow_insecure = False
+
     def add_default_headers(self, headers):
         headers['Authorization'] = \
             ('Basic %s' % b64encode(b('%s:%s' % (self.user_id,

http://git-wip-us.apache.org/repos/asf/libcloud/blob/a8aff7e1/libcloud/compute/drivers/vpsnet.py
----------------------------------------------------------------------
diff --git a/libcloud/compute/drivers/vpsnet.py b/libcloud/compute/drivers/vpsnet.py
index ec0dd5d..8d026a8 100644
--- a/libcloud/compute/drivers/vpsnet.py
+++ b/libcloud/compute/drivers/vpsnet.py
@@ -69,6 +69,8 @@ class VPSNetConnection(ConnectionUserAndKey):
     host = API_HOST
     responseCls = VPSNetResponse
 
+    allow_insecure = False
+
     def add_default_headers(self, headers):
         user_b64 = base64.b64encode(b('%s:%s' % (self.user_id, self.key)))
         headers['Authorization'] = 'Basic %s' % (user_b64.decode('utf-8'))

http://git-wip-us.apache.org/repos/asf/libcloud/blob/a8aff7e1/libcloud/test/test_connection.py
----------------------------------------------------------------------
diff --git a/libcloud/test/test_connection.py b/libcloud/test/test_connection.py
index 1418c3c..0525dd4 100644
--- a/libcloud/test/test_connection.py
+++ b/libcloud/test/test_connection.py
@@ -29,10 +29,23 @@ class ConnectionClassTestCase(unittest.TestCase):
 
         Connection.connect = Mock()
         Connection.responseCls = Mock()
+        Connection.allow_insecure = True
 
     def tearDown(self):
         Connection.connect = self.originalConnect
         Connection.responseCls = Connection.responseCls
+        Connection.allow_insecure = True
+
+    def test_dont_allow_insecure(self):
+        Connection.allow_insecure = True
+        Connection(secure=False)
+
+        Connection.allow_insecure = False
+
+        expected_msg = (r'Non https connections are not allowed \(use '
+                        'secure=True\)')
+        self.assertRaisesRegexp(ValueError, expected_msg, Connection,
+                                secure=False)
 
     def test_content_length(self):
         con = Connection()
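Review bot: `test_dont_allow_insecure` flips `allow_insecure` on the shared `Connection` class, so every subclass that does not override it is affected until `tearDown` runs, and `tearDown` writes a hard-coded `True` instead of restoring a saved value. A local subclass, `class SecureOnlyConnection(Connection): allow_insecure = False`, would exercise the same path without touching class-level state and mirrors how the drivers set the flag. The second piece of `expected_msg`, `'secure=True\)'`, lacks the `r` prefix and relies on Python passing the unknown escape `\)` through; it should read `r'secure=True\)'`. `setUp` starts and `test_content_length` continues outside this hunk.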