#104: use TLS certificates in scbe backend

ibm-block-storage-via-scbe.md

@@ -46,7 +46,6 @@ UbiquityInstanceName = "instance1" # A prefix for any new volume created on the
 [ScbeConfig.ConnectionInfo]
 managementIp = "IP Address"     # SCBE server IP or FQDN.
 Port = 8440                     # SCBE server port. Optional parameter. Default is 8440.
-SkipVerifySSL = true            # false verifies SCB SSL certificate or false ignores the certificate. Default is true.
 
 [ScbeConfig.ConnectionInfo.CredentialInfo]
 Username = "user"               # User name defined for SCBE Ubiquity interface.

local/scbe/scbe.go

@@ -56,7 +56,10 @@ var (
 
 func NewScbeLocalClient(config resources.ScbeConfig) (resources.StorageClient, error) {
 	datamodel := NewScbeDataModelWrapper()
-	scbeRestClient := NewScbeRestClient(config.ConnectionInfo)
+	scbeRestClient, err := NewScbeRestClient(config.ConnectionInfo)
+	if err != nil {
+		return nil, logs.GetLogger().ErrorRet(err, "NewScbeRestClient failed")
+	}
 	return NewScbeLocalClientWithNewScbeRestClientAndDataModel(config, datamodel, scbeRestClient)
 }
 

local/scbe/scbe_rest_client.go

@@ -54,16 +54,16 @@ const (
 	DefaultSizeUnit        = "gb"
 )
 
-func NewScbeRestClient(conInfo resources.ConnectionInfo) ScbeRestClient {
+func NewScbeRestClient(conInfo resources.ConnectionInfo) (ScbeRestClient, error) {
 	return newScbeRestClient(conInfo, nil)
 }
 
 // NewScbeRestClientWithNewRestClient for mocking during test # TODO consider to remove it to test file
-func NewScbeRestClientWithSimpleRestClient(conInfo resources.ConnectionInfo, simpleClient SimpleRestClient) ScbeRestClient {
+func NewScbeRestClientWithSimpleRestClient(conInfo resources.ConnectionInfo, simpleClient SimpleRestClient) (ScbeRestClient, error) {
 	return newScbeRestClient(conInfo, simpleClient)
 }
 
-func newScbeRestClient(conInfo resources.ConnectionInfo, simpleClient SimpleRestClient) ScbeRestClient {
+func newScbeRestClient(conInfo resources.ConnectionInfo, simpleClient SimpleRestClient) (ScbeRestClient, error) {
 	// Set default SCBE port if not mentioned
 	if conInfo.Port == 0 {
 		conInfo.Port = DefaultScbePort
@@ -74,9 +74,12 @@ func newScbeRestClient(conInfo resources.ConnectionInfo, simpleClient SimpleRest
 	if simpleClient == nil {
 		referrer := fmt.Sprintf(UrlScbeReferer, conInfo.ManagementIP, conInfo.Port)
 		baseUrl := referrer + UrlScbeBaseSuffix
-		simpleClient = NewSimpleRestClient(conInfo, baseUrl, UrlScbeResourceGetAuth, referrer)
+		var err error
+		if simpleClient, err = NewSimpleRestClient(conInfo, baseUrl, UrlScbeResourceGetAuth, referrer); err != nil {
+			return nil, logs.GetLogger().ErrorRet(err, "NewSimpleRestClient failed")
+		}
 	}
-	return &scbeRestClient{logs.GetLogger(), conInfo, simpleClient}
+	return &scbeRestClient{logs.GetLogger(), conInfo, simpleClient}, nil
 }
 
 func (s *scbeRestClient) Login() error {

local/scbe/scbe_rest_client_integration_test.go

@@ -43,12 +43,13 @@ var _ = Describe("restClient integration testing with existing SCBE instance", f
 			Skip(err.Error())
 		}
 		credentialInfo = resources.CredentialInfo{scbeUser, scbePassword, "flocker"}
-		conInfo = resources.ConnectionInfo{credentialInfo, scbePort, scbeIP, true}
-		client = scbe.NewSimpleRestClient(
+		conInfo = resources.ConnectionInfo{credentialInfo, scbePort, scbeIP}
+		client, err = scbe.NewSimpleRestClient(
 			conInfo,
 			"https://"+scbeIP+":"+strconv.Itoa(scbePort)+"/api/v1",
 			scbe.UrlScbeResourceGetAuth,
 			"https://"+scbeIP+":"+strconv.Itoa(scbePort)+"/")
+		Expect(err).ToNot(HaveOccurred())
 	})
 
 	Context(".Login", func() {
@@ -85,8 +86,9 @@ var _ = Describe("ScbeRestClient integration testing with existing SCBE instance
 			Skip(err.Error())
 		}
 		credentialInfo = resources.CredentialInfo{scbeUser, scbePassword, "flocker"}
-		conInfo = resources.ConnectionInfo{credentialInfo, scbePort, scbeIP, true}
-		scbeRestClient = scbe.NewScbeRestClient(conInfo)
+		conInfo = resources.ConnectionInfo{credentialInfo, scbePort, scbeIP}
+		scbeRestClient, err = scbe.NewScbeRestClient(conInfo)
+		Expect(err).ToNot(HaveOccurred())
 	})
 
 	Context(".Login", func() {
@@ -126,8 +128,9 @@ var _ = Describe("ScbeRestClient volume operations integration testing with exis
 			Skip(err.Error())
 		}
 		credentialInfo = resources.CredentialInfo{scbeUser, scbePassword, "flocker"}
-		conInfo = resources.ConnectionInfo{credentialInfo, scbePort, scbeIP, true}
-		scbeRestClient = scbe.NewScbeRestClient(conInfo)
+		conInfo = resources.ConnectionInfo{credentialInfo, scbePort, scbeIP}
+		scbeRestClient, err = scbe.NewScbeRestClient(conInfo)
+		Expect(err).ToNot(HaveOccurred())
 
 		err = scbeRestClient.Login()
 		Expect(err).ToNot(HaveOccurred())

local/scbe/scbe_rest_client_test.go

@@ -43,8 +43,9 @@ var _ = Describe("ScbeRestClient", func() {
     BeforeEach(func() {
         fakeSimpleRestClient = new(fakes.FakeSimpleRestClient)
         credentialInfo := resources.CredentialInfo{"user", "password", "flocker"}
-        conInfo := resources.ConnectionInfo{credentialInfo, 8440, "ip", true}
-        scbeRestClient = scbe.NewScbeRestClientWithSimpleRestClient(conInfo, fakeSimpleRestClient)
+        conInfo := resources.ConnectionInfo{credentialInfo, 8440, "ip"}
+        scbeRestClient, err = scbe.NewScbeRestClientWithSimpleRestClient(conInfo, fakeSimpleRestClient)
+        Expect(err).NotTo(HaveOccurred())
     })
 
 

local/scbe/simple_rest_client.go

@@ -26,6 +26,9 @@ import (
     "net/http"
     "encoding/json"
     "errors"
+    "fmt"
+    "os"
+    "crypto/x509"
 )
 
 // SimpleRestClient is an interface that wrapper the http requests to provide easy REST API operations,
@@ -49,6 +52,7 @@ const (
     HTTP_SUCCEED_POST    = 201
     HTTP_SUCCEED_DELETED = 204
     HTTP_AUTH_KEY        = "Authorization"
+    KEY_VERIFY_SCBE_CERT = "UBIQUITY_SERVER_VERIFY_SCBE_CERT"
 )
 
 // simpleRestClient implements SimpleRestClient interface.
@@ -64,13 +68,13 @@ type simpleRestClient struct {
     headers        map[string]string
 }
 
-func NewSimpleRestClient(conInfo resources.ConnectionInfo, baseURL string, authURL string, referrer string) SimpleRestClient {
+func NewSimpleRestClient(conInfo resources.ConnectionInfo, baseURL string, authURL string, referrer string) (SimpleRestClient, error) {
     headers := map[string]string{"Content-Type": "application/json", "referer": referrer}
-    client := &http.Client{}
-    if conInfo.SkipVerifySSL {
-        client.Transport = &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}
+    client := &simpleRestClient{logger: logs.GetLogger(), connectionInfo: conInfo, baseURL: baseURL, authURL: authURL, referrer: referrer, httpClient: &http.Client{}, headers: headers}
+    if err := client.initTransport(); err != nil {
+        return nil, client.logger.ErrorRet(err, "client.initTransport failed")
     }
-    return &simpleRestClient{logger: logs.GetLogger(), connectionInfo: conInfo, baseURL: baseURL, authURL: authURL, referrer: referrer, httpClient: client, headers: headers}
+    return client, nil
 }
 
 func (s *simpleRestClient) Login() error {
@@ -199,3 +203,32 @@ func (s *simpleRestClient) Delete(resource_url string, payload []byte, exitStatu
     }
     return s.genericAction("DELETE", resource_url, payload, nil, exitStatus, nil)
 }
+
+
+func (s *simpleRestClient) initTransport() error {
+    defer s.logger.Trace(logs.DEBUG)()
+    exec := utils.NewExecutor()
+
+    emptyConnection := resources.ConnectionInfo{}
+    if s.connectionInfo != emptyConnection {
+        verifyFileCA := os.Getenv(KEY_VERIFY_SCBE_CERT)
+        if verifyFileCA != "" {
+            if _, err := exec.Stat(verifyFileCA); err != nil {
+                return s.logger.ErrorRet(err, "failed")
+            }
+            caCert, err := ioutil.ReadFile(verifyFileCA)
+            if err != nil {
+                return s.logger.ErrorRet(err, "failed")
+            }
+            caCertPool := x509.NewCertPool()
+            if ok := caCertPool.AppendCertsFromPEM(caCert); !ok {
+                return fmt.Errorf("parse %v failed", verifyFileCA)
+            }
+            s.httpClient.Transport = &http.Transport{TLSClientConfig: &tls.Config{RootCAs: caCertPool}}
+        } else {
+            s.httpClient.Transport = &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}
+        }
+        s.logger.Info("", logs.Args{{KEY_VERIFY_SCBE_CERT, verifyFileCA}})
+    }
+    return nil
+}

local/scbe/simple_rest_client_test.go

@@ -67,7 +67,8 @@ var _ = Describe("restClient", func() {
 		err    error
 	)
 	BeforeEach(func() {
-		client = scbe.NewSimpleRestClient(resources.ConnectionInfo{}, fakeScbeUrlBase+"/"+suffix, fakeScbeUrlAuth, fakeScbeUrlReferer)
+		client, err = scbe.NewSimpleRestClient(resources.ConnectionInfo{}, fakeScbeUrlBase+"/"+suffix, fakeScbeUrlAuth, fakeScbeUrlReferer)
+		Expect(err).ToNot(HaveOccurred())
 	})
 
 	Context(".Login", func() {
@@ -114,7 +115,8 @@ var _ = Describe("restClient", func() {
 		err    error
 	)
 	BeforeEach(func() {
-		client = scbe.NewSimpleRestClient(resources.ConnectionInfo{}, fakeScbeUrlBase+"/"+suffix, fakeScbeUrlAuth, fakeScbeUrlReferer)
+		client, err = scbe.NewSimpleRestClient(resources.ConnectionInfo{}, fakeScbeUrlBase+"/"+suffix, fakeScbeUrlAuth, fakeScbeUrlReferer)
+		Expect(err).ToNot(HaveOccurred())
 		loginResponse := scbe.LoginResponse{Token: "fake-token"}
 		marshalledResponse, err := json.Marshal(loginResponse)
 		Expect(err).ToNot(HaveOccurred())

resources/resources.go

@@ -55,7 +55,6 @@ type ConnectionInfo struct {
 	CredentialInfo CredentialInfo
 	Port           int
 	ManagementIP   string
-	SkipVerifySSL  bool
 }
 
 type ScbeConfig struct {

ubiquity-server.conf

@@ -18,7 +18,6 @@ DefaultFilesystemType = "ext4"
 [ScbeConfig.ConnectionInfo]
 managementIp = "IP Address"
 port = 8440
-SkipVerifySSL = true
 
 [ScbeConfig.ConnectionInfo.CredentialInfo]
 username = "USER"