
Commit 2ddc1a0

committed
MB-35254 Verify the CA cert correctly
Previously the CA cert was being passed to the Requests functions' "cert" argument, which is used for client-side certificates. It should have been passed to the "verify" argument. Change-Id: Ic73639c87e351d7c6e05c62f6cad094b5bfb1023 Reviewed-on: http://review.couchbase.org/112679 Well-Formed: Build Bot <build@couchbase.com> Reviewed-by: Carlos Gonzalez <carlos.gonzalez@couchbase.com> Tested-by: Patrick Varley <patrick@couchbase.com>
1 parent 6777168 commit 2ddc1a0

2 files changed

Lines changed: 18 additions & 11 deletions


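--- a/cbmgr.py
+++ b/cbmgr.py
@@ -440,7 +440,7 @@ def __init__(self, deprecate_username=False, deprecate_password=False, cluster_d
 help="Use ssl when connecting to Couchbase (Deprecated)")
 group.add_argument("--no-ssl-verify", dest="ssl_verify", action="store_false", default=True,
 help="Skips SSL verification of certificates against the CA")
-group.add_argument("--cacert", dest="cacert", default=None,
+group.add_argument("--cacert", dest="cacert", default=True,
 help="Verifies the cluster identity with this certificate")
 group.add_argument("-h", "--help", action=CBHelpAction, klass=self,
 help="Prints the short or long help message")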
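Review bot: `default=True` on `--cacert` makes `opts.cacert` either a bool or a path string, and the help text on the following line does not say what is verified against when the flag is omitted. Any other consumer of `opts.cacert` that expects a path or `None` would now receive `True`; no such consumer is visible in this hunk, so that part is inferred. I would at least extend the help to `help="Verifies the cluster identity with this CA certificate (default: the default CA bundle)"`, or keep `default=None` and map it to `True` in one place. The enclosing `__init__` starts and ends outside the hunk.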

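--- a/cluster_manager.py
+++ b/cluster_manager.py
@@ -39,8 +39,8 @@ def g(*args, **kwargs):
 'certificates set up in your cluster and use the --cacert flag to specify\n' +
 'your client certificate.']
 elif str(e).startswith('[SSL]'):
-return None, ['Unable to connect with the given CA certificate']
-return None, ['Unable to connect to host at %s' % cm.hostname]
+return None, ['Unable to connect with the given CA certificate: ', str(e)]
+return None, ['Unable to connect to host at %s: ' % cm.hostname, str(e)]
 except requests.exceptions.ReadTimeout, e:
 return None, ['Request to host `%s` timed out after %d seconds' % (url, cm.timeout)]
 return g
@@ -57,12 +57,19 @@ class ClusterManager(object):
 """A set of REST API's for managing a Couchbase cluster"""
 
 def __init__(self, hostname, username, password, sslFlag=False, verifyCert=True,
-cert=None, debug=False, timeout=DEFAULT_REQUEST_TIMEOUT):
+caCert=True, debug=False, timeout=DEFAULT_REQUEST_TIMEOUT, cert=None):
 hostname = hostname.replace("couchbase://", "http://", 1)
 hostname = hostname.replace("couchbases://", "https://", 1)
 
 self.hostname = hostname
+# verify argument on Request functions can take boolean or a path to a CA if
+# a path is not provide but the cert still needs to be verified it should use
+# the system provided CAs
 self.verifyCert = verifyCert
+self.caCert = caCert
+if not verifyCert:
+self.caCert = False
+# This is for client side certs which is currently not used.
 self.cert = cert
 
 parsed = urlparse.urlparse(hostname)
@@ -77,7 +84,7 @@ def __init__(self, hostname, username, password, sslFlag=False, verifyCert=True,
 # Certificates and verification are not used when the ssl flag is
 # specified.
 self.verifyCert = False
-self.cert = None
+self.caCert = False
 
 self.username = username
 self.password = password
@@ -1360,7 +1367,7 @@ def deploy_function(self, function, deploy):
 def _get(self, url):
 if self.debug:
 print "GET %s" % url
-response = requests.get(url, auth=(self.username, self.password), verify=self.verifyCert,
+response = requests.get(url, auth=(self.username, self.password), verify=self.caCert,
 cert=self.cert, timeout=self.timeout)
 return _handle_response(response, self.debug)
 
@@ -1371,7 +1378,7 @@ def _post_form_encoded(self, url, params):
 params = {}
 print "POST %s %s" % (url, urllib.urlencode(params))
 response = requests.post(url, auth=(self.username, self.password), data=params,
-cert=self.cert, verify=self.verifyCert, timeout=self.timeout)
+cert=self.cert, verify=self.caCert, timeout=self.timeout)
 return _handle_response(response, self.debug)
 
 @request
@@ -1381,7 +1388,7 @@ def _post_json(self, url, params):
 params = {}
 print "POST %s %s" % (url, json.dumps(params))
 response = requests.post(url, auth=(self.username, self.password), json=params,
-cert=self.cert, verify=self.verifyCert, timeout=self.timeout)
+cert=self.cert, verify=self.caCert, timeout=self.timeout)
 return _handle_response(response, self.debug)
 
 @request
@@ -1391,7 +1398,7 @@ def _put(self, url, params):
 params = {}
 print "PUT %s %s" % (url, urllib.urlencode(params))
 response = requests.put(url, params, auth=(self.username, self.password),
-cert=None, verify=self.verifyCert, timeout=self.timeout)
+cert=None, verify=self.caCert, timeout=self.timeout)
 return _handle_response(response, self.debug)
 
 @request
@@ -1401,7 +1408,7 @@ def _put_json(self, url, params):
 params = {}
 print "PUT %s %s" % (url, json.dumps(params))
 response = requests.put(url, auth=(self.username, self.password), json=params,
-cert=None, verify=self.verifyCert, timeout=self.timeout)
+cert=None, verify=self.caCert, timeout=self.timeout)
 return _handle_response(response, self.debug)
 
 @request
@@ -1411,7 +1418,7 @@ def _delete(self, url, params):
 params = {}
 print "DELETE %s %s" % (url, urllib.urlencode(params))
 response = requests.delete(url, auth=(self.username, self.password), data=params,
-cert=None, verify=self.verifyCert, timeout=self.timeout)
+cert=None, verify=self.caCert, timeout=self.timeout)
 return _handle_response(response, self.debug)
 
 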
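Review bot: `self.caCert = caCert` in `__init__` stores whatever the caller passes, and Requests, as far as I know, treats a falsy non-None `verify` (an empty string, for instance) the same as `False`. An empty path such as `--cacert ""` from an unset shell variable would therefore reach `requests.get(..., verify="")` and skip certificate checks even though `verifyCert` is `True`. I would normalise the value where it is stored, `self.caCert = (caCert or True) if verifyCert else False`, or reject an empty path at argument parsing. Separately, the two changed `return None, [...]` lines in `g` add `str(e)` as a second list element, so if callers print one element per line the message ends in a dangling `: `; `'Unable to connect to host at %s: %s' % (cm.hostname, e)` keeps it together. Both `__init__` and `g` continue outside their hunks.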
