Add optional validate param to raw_connect #100
Conversation
|
@miq-bot add_label gaprindashvili/yes bug |
|
@tumido Cannot apply the following label because they are not recognized: gaprindashvili/yes bug |
|
@agrare @chessbyte I can't add for some reason @jntullo as a reviewer. any idea why? |
|
With Correct credentials should be correct I am getting Invalid Credentials With incorrect credentials go OK With a Incorrect Host go OK |
|
@aljesusg it's not working because the mapping in your ManageIQ/manageiq-ui-classic#2577 is sending |
|
@tumido in get_task_args the first line is |
|
@aljesusg I know.. It seems so. Without encryption it works for me. But I'm not sure how it behaves when the ssl is enabled, I haven't checked that. |
|
Ok I tested and work without encryption I am gonna test this with SSL and CA @tumido |
tumido
force-pushed
the
fix_credentials_validate
branch
from
504e4ab to
bd7488f
Compare
|
This fail with SSL credentials object {:username=>"jdoe", :password=>"password"}options object {:tenant=>"hawkular", :verify_ssl=>1, :ssl_cert_store=>"-----BEGIN CERTIFICATE-----\r\nMIIC/TCCAeWgAwIBAgIEZi3DSDANBgkqhkiG9w0BAQsFADAcMRowGAYDVQQDExFo\r\nYXdrdWxhci1zZXJ2aWNlczAgFw0xNzExMDIwOTQxMzVaGA8yMTE3MTAwOTA5NDEz\r\nNVowHDEaMBgGA1UEAxMRaGF3a3VsYXItc2VydmljZXMwggEiMA0GCSqGSIb3DQEB\r\nAQUAA4IBDwAwggEKAoIBAQCYWbkxaDx6e9mMK/T87QSJ6NS5KtlPzx3RItmegeOs\r\n8Z9vxHMC6rDKr+qlX3Ed/OhIk36az8rSrOYHT3ONdVVOK/em0JnOq8+lFyL1sfDT\r\nnN63s3ON4p8JS1jUxVcIafTJu12h//xf/nVbW5q3pcE242AXL4q0LIDIGczm2cV5\r\nYjeofTLJl/ra+8+yAygUm6+kT1MTkzb8TtNiJJDxAUTDDBF+iuISV4R5adLGmCmz\r\njiDZPxiwHI4TLO0I02jIzpQ9Rql+7Sd7jnEzea9oFJT7dr3E+CbknvUO1bso+Jwt\r\ns7T9CeYzKxBswW83pPTI44iYmydtWwenzPqUivMIwio3AgMBAAGjRTBDMCIGA1Ud\r\nEQQbMBmHBH8AAAGCEWhhd2t1bGFyLXNlcnZpY2VzMB0GA1UdDgQWBBTfPluQkZHh\r\nCsKExlfsrrzpNhJpNzANBgkqhkiG9w0BAQsFAAOCAQEAM5MDnDcgz5XKc6FL/fBr\r\nQ4TIgNG9T7qFn2lLEkOkqh4kDAKfyFa5bBRTrDRglQoGQBfdAJD4nnS/mxBsLrBD\r\neW8bS9+1aGIyUnZK8fYIVR7wXSvb3U/+D0foqJJDEtyBftSsscrL1dYNEaOMrhAO\r\nECj7xl4638zdjp3klxlcIvJ9NINdPON4ltr796nhZIoHs8OTDW04M3sztzdpMkiH\r\ncBz1seRQlPAmWSK29y1fpXNrr0PmlYijgMYVv59o7zm4/Gvv2PcTzWh9ykFK/WnZ\r\nY1MooB0peBI4X3vWx/VAuX1ybUyPthx/gzbtZks6ztVjJOgs50eawUz3Q7S3BtWv\r\n5g==\r\n-----END CERTIFICATE-----"}With SSL withpout validation is running ok so maybe is a problem working with the CA |
|
@aljesusg ok, do you think this should be covered in this PR? Is it caused by me or just exposed? |
|
I think you should take a look at the PR[1] that did that work. Edit, this [2] is could also be helpful. I'm uncertain on how currently is handled, but these calls are needed to transform the text into an actual [1] https://github.com/ManageIQ/manageiq/pull/13721/files#diff-5d3f1a5ab701ca4a756d3c921e36e9f6R22 |
|
So why is getting this error @josejulio? I need to debug this. |
|
I suppose that call needs to be done when passing the arguments on manageiq-ui-classic. |
|
But in MiddlewareManager the connect call to default_endpoint.ssl_cert_store that do this transform |
|
From the error mentioned before [1], that function isn't being called. Certainly debug is needed there, sorry for not having more information. [1] #100 (comment) |
| @@ -104,8 +112,12 @@ def self.raw_connect(host, port, username, password, security_protocol, cert_sto | |||
| :verify_ssl => verify_ssl_mode(security_protocol), | |||
| :ssl_cert_store => cert_store | |||
There was a problem hiding this comment.
To fix the SSL error, please change this to:
:ssl_cert_store => if cert_store.kind_of?(String)
Endpoint.new(:certificate_authority => cert_store).ssl_cert_store
else
cert_store
endThere was a problem hiding this comment.
I think this should come as a separate PR, since it's fixing different issue.
There was a problem hiding this comment.
@israel-hdez fixed here #101
|
|
||
| true | ||
| end | ||
|
|
||
| def self.validate_connection(connection, hostname = nil, port = nil) |
There was a problem hiding this comment.
All of them are mixins. Ruby modules have some lack of encapsulation features; you can do encapsulation but the code looks weird and in MiQ most of the time it's not done.
This method is not in a module, and I see it as internal implementation and not meant to be used outside the class. So, I would make it private.
There was a problem hiding this comment.
@israel-hdez thanks very much for explanation! I didn't realized they are mixins. Cool, I'm making them private now! ;)
There was a problem hiding this comment.
@israel-hdez, ok, I've found out, the "old way" without queued validation is not working when this method is private (because it's called from instance via verify_credentials). The other method can be made private for sure.
There was a problem hiding this comment.
Private class methods are an anti-pattern. If we want to have this not be part of the interface then we should make it an instance method, or extract connection validation to another class (which I would prefer tbh).
| end | ||
| end | ||
|
|
||
| def self.connection_rescue_block(hostname = nil, port = nil) |
There was a problem hiding this comment.
This name is not descriptive, as well.
There was a problem hiding this comment.
Also, I think it would be a great idea to overwrite with_provider_connection with this, so that this error handling is used everywhere.
|
@israel-hdez I'll work on the tests, I'm not sure if it should block this to be merged though. |
When provider is added the credentials validation is newly done via `raw_connect` (class method) instead of `verify_credentials` (needed EMS object)
tumido
force-pushed
the
fix_credentials_validate
branch
from
bd7488f to
b2d24b8
Compare
|
By applying locally this PR, and also ManageIQ/manageiq-ui-classic#2577, I was finally able to create a non-ssl provider and so hopefully can now make some progress. It seems it's been a week being unable to create a provider, that is a long time. If a merge is not imminent I'd suggest maybe posting in dev-list how to work around this problem. |
| # As the connect will only give a handle | ||
| # we verify the credentials via an actual operation | ||
| connection_rescue_block(hostname, port) do | ||
| connection.inventory.list_feeds |
There was a problem hiding this comment.
@josejulio I'm not sure, but with Inventory V4 is list_feeds available? This is not a problem for this PR but it may be a problem for applying it to the hawkular-1275 branch.
There was a problem hiding this comment.
Yes, but i don't think there is other way to test it at this point, "status" is unprotected, so it won't be good way to test the connection.
|
Now It's working again after ManageIQ/manageiq-ui-classic#2643 with normal servers and SSL with CA. Tested !!! Do we need this PR? |
|
@aljesusg if we want to be prepared for the new dialog, we need this PR. It's not breaking the "old way" it's just enabling the "new way". I vote for being prepared and have your and mine PRs merged. |
|
Now its working with SSL and CA too @tumido |
| @@ -94,7 +102,7 @@ def self.entrypoint(host, port, security_protocol) | |||
| end | |||
|
|
|||
| # Hawkular Client | |||
| def self.raw_connect(host, port, username, password, security_protocol, cert_store) | |||
| def self.raw_connect(host, port, username, password, security_protocol, cert_store, validate = false) | |||
| credentials = { | |||
There was a problem hiding this comment.
I don't know if validate argument should be true
There was a problem hiding this comment.
This is switched to true in the new dialog in your PR, for other calls it should be false. So old and new dialogs can live together and it also allows any call to connect to handle the connection right.
| connection.inventory.list_feeds | ||
| end | ||
| end | ||
|
|
There was a problem hiding this comment.
This throw an error in the status of a provider
There was a problem hiding this comment.
@aljesusg you sure you have the latest revision of this PR?
|
Tested with: ManageIQ/manageiq-ui-classic#2577 and revert ManageIQ/manageiq-ui-classic#2643 and it's working with hawkular server, ssl and CA |
@jshaughn there was a regression due to a broader change in core. core team fixed it yesterday and merged. so now it should be ok on master. |
|
Checked commits tumido/manageiq-providers-hawkular@b2d24b8~...d1efd7b with ruby 2.3.3, rubocop 0.47.1, and haml-lint 0.20.0 app/models/manageiq/providers/hawkular/middleware_manager.rb
|
|
@israel-hdez test coverage is available here #102 |
| @@ -94,7 +103,7 @@ def self.entrypoint(host, port, security_protocol) | |||
| end | |||
|
|
|||
| # Hawkular Client | |||
| def self.raw_connect(host, port, username, password, security_protocol, cert_store) | |||
| def self.raw_connect(host, port, username, password, security_protocol, cert_store, validate = false) | |||
There was a problem hiding this comment.
@israel-hdez do you know if MiQ uses raw_connect? If not I think this should be on a different class, probably a delegator. What do you think, @tumido?
If so, it could be changed on a different PR, because it seems to me that adding optional params is increasing cyclomatic complexity on the class that is already our biggest offender on this.
There was a problem hiding this comment.
@cfcosta, basically, the whole new workflow is about shifting the load from UI worker to spawning a queued job (created here) Also it tries to smaller the load by not creating a temporary EMS object for the credentials validation and instead validates them as is. So it requires a class method. And they decided, that using the already available raw_connect is the right way. For some providers it was already doing the job without any modifications, for others, like Hawkular, it means these adjustments...
|
Closing, won't merge. Repo abandoned. ⛔ |
|
@tumido Cannot apply the following label because they are not recognized: gaprindashvili/yes bug |
When provider is added the credentials validation is newly done via
raw_connect(class method) instead ofverify_credentials(needed EMS object). Further reading on this change can be found here: ManageIQ/manageiq-ui-classic#1580Related to: ManageIQ/manageiq-ui-classic#2577
Similar PRs for other providers:
This PR enables the new workflow on provider. With this PR both workflows are available.