add verify tls_opts only when we open connection
for other requests tesla will add tls_opts
This commit is contained in:
parent
426f5ee48a
commit
f39e1b9eff
@ -45,6 +45,7 @@ def open(%URI{} = uri, name, opts) do
|
|||||||
|> Map.put_new(:retry, pool_opts[:retry] || 1)
|
|> Map.put_new(:retry, pool_opts[:retry] || 1)
|
||||||
|> Map.put_new(:retry_timeout, pool_opts[:retry_timeout] || 1000)
|
|> Map.put_new(:retry_timeout, pool_opts[:retry_timeout] || 1000)
|
||||||
|> Map.put_new(:await_up_timeout, pool_opts[:await_up_timeout] || 5_000)
|
|> Map.put_new(:await_up_timeout, pool_opts[:await_up_timeout] || 5_000)
|
||||||
|
|> maybe_add_tls_opts(uri)
|
||||||
|
|
||||||
key = "#{uri.scheme}:#{uri.host}:#{uri.port}"
|
key = "#{uri.scheme}:#{uri.host}:#{uri.port}"
|
||||||
|
|
||||||
@ -70,6 +71,29 @@ def open(%URI{} = uri, name, opts) do
|
|||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
defp maybe_add_tls_opts(opts, %URI{scheme: "http"}), do: opts
|
||||||
|
|
||||||
|
defp maybe_add_tls_opts(opts, %URI{scheme: "https", host: host}) do
|
||||||
|
tls_opts = [
|
||||||
|
verify: :verify_peer,
|
||||||
|
cacertfile: CAStore.file_path(),
|
||||||
|
depth: 20,
|
||||||
|
reuse_sessions: false,
|
||||||
|
verify_fun:
|
||||||
|
{&:ssl_verify_hostname.verify_fun/3,
|
||||||
|
[check_hostname: Pleroma.HTTP.Connection.format_host(host)]}
|
||||||
|
]
|
||||||
|
|
||||||
|
tls_opts =
|
||||||
|
if Keyword.keyword?(opts[:tls_opts]) do
|
||||||
|
Keyword.merge(tls_opts, opts[:tls_opts])
|
||||||
|
else
|
||||||
|
tls_opts
|
||||||
|
end
|
||||||
|
|
||||||
|
Map.put(opts, :tls_opts, tls_opts)
|
||||||
|
end
|
||||||
|
|
||||||
defp do_open(uri, %{proxy: {proxy_host, proxy_port}} = opts) do
|
defp do_open(uri, %{proxy: {proxy_host, proxy_port}} = opts) do
|
||||||
connect_opts =
|
connect_opts =
|
||||||
uri
|
uri
|
||||||
|
@ -45,21 +45,11 @@ def after_request(opts) do
|
|||||||
|
|
||||||
defp add_scheme_opts(opts, %URI{scheme: "http"}), do: opts
|
defp add_scheme_opts(opts, %URI{scheme: "http"}), do: opts
|
||||||
|
|
||||||
defp add_scheme_opts(opts, %URI{scheme: "https", host: host}) do
|
defp add_scheme_opts(opts, %URI{scheme: "https"}) do
|
||||||
adapter_opts = [
|
opts
|
||||||
certificates_verification: true,
|
|> Keyword.put(:certificates_verification, true)
|
||||||
transport: :tls,
|
|> Keyword.put(:transport, :tls)
|
||||||
tls_opts: [
|
|> Keyword.put(:tls_opts, log_level: :warning)
|
||||||
verify: :verify_peer,
|
|
||||||
cacertfile: CAStore.file_path(),
|
|
||||||
depth: 20,
|
|
||||||
reuse_sessions: false,
|
|
||||||
verify_fun: {&:ssl_verify_hostname.verify_fun/3, [check_hostname: format_host(host)]},
|
|
||||||
log_level: :warning
|
|
||||||
]
|
|
||||||
]
|
|
||||||
|
|
||||||
Keyword.merge(opts, adapter_opts)
|
|
||||||
end
|
end
|
||||||
|
|
||||||
defp maybe_get_conn(adapter_opts, uri, connection_opts) do
|
defp maybe_get_conn(adapter_opts, uri, connection_opts) do
|
||||||
@ -93,17 +83,4 @@ defp try_to_get_conn(uri, opts) do
|
|||||||
|> Keyword.put(:close_conn, false)
|
|> Keyword.put(:close_conn, false)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
@spec format_host(String.t()) :: charlist()
|
|
||||||
def format_host(host) do
|
|
||||||
host_charlist = to_charlist(host)
|
|
||||||
|
|
||||||
case :inet.parse_address(host_charlist) do
|
|
||||||
{:error, :einval} ->
|
|
||||||
:idna.encode(host_charlist)
|
|
||||||
|
|
||||||
{:ok, _ip} ->
|
|
||||||
host_charlist
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
@ -106,4 +106,17 @@ def parse_host(host) when is_binary(host) do
|
|||||||
{:ok, ip} -> ip
|
{:ok, ip} -> ip
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@spec format_host(String.t()) :: charlist()
|
||||||
|
def format_host(host) do
|
||||||
|
host_charlist = to_charlist(host)
|
||||||
|
|
||||||
|
case :inet.parse_address(host_charlist) do
|
||||||
|
{:error, :einval} ->
|
||||||
|
:idna.encode(host_charlist)
|
||||||
|
|
||||||
|
{:ok, _ip} ->
|
||||||
|
host_charlist
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
@ -38,31 +38,23 @@ test "https url with default port" do
|
|||||||
|
|
||||||
opts = Gun.options([receive_conn: false], uri)
|
opts = Gun.options([receive_conn: false], uri)
|
||||||
assert opts[:certificates_verification]
|
assert opts[:certificates_verification]
|
||||||
refute opts[:tls_opts] == []
|
assert opts[:tls_opts][:log_level] == :warning
|
||||||
|
|
||||||
assert opts[:tls_opts][:verify_fun] ==
|
|
||||||
{&:ssl_verify_hostname.verify_fun/3, [check_hostname: 'example.com']}
|
|
||||||
|
|
||||||
assert File.exists?(opts[:tls_opts][:cacertfile])
|
|
||||||
end
|
end
|
||||||
|
|
||||||
test "https ipv4 with default port" do
|
test "https ipv4 with default port" do
|
||||||
uri = URI.parse("https://127.0.0.1")
|
uri = URI.parse("https://127.0.0.1")
|
||||||
|
|
||||||
opts = Gun.options([receive_conn: false], uri)
|
opts = Gun.options([receive_conn: false], uri)
|
||||||
|
assert opts[:certificates_verification]
|
||||||
assert opts[:tls_opts][:verify_fun] ==
|
assert opts[:tls_opts][:log_level] == :warning
|
||||||
{&:ssl_verify_hostname.verify_fun/3, [check_hostname: '127.0.0.1']}
|
|
||||||
end
|
end
|
||||||
|
|
||||||
test "https ipv6 with default port" do
|
test "https ipv6 with default port" do
|
||||||
uri = URI.parse("https://[2a03:2880:f10c:83:face:b00c:0:25de]")
|
uri = URI.parse("https://[2a03:2880:f10c:83:face:b00c:0:25de]")
|
||||||
|
|
||||||
opts = Gun.options([receive_conn: false], uri)
|
opts = Gun.options([receive_conn: false], uri)
|
||||||
|
assert opts[:certificates_verification]
|
||||||
assert opts[:tls_opts][:verify_fun] ==
|
assert opts[:tls_opts][:log_level] == :warning
|
||||||
{&:ssl_verify_hostname.verify_fun/3,
|
|
||||||
[check_hostname: '2a03:2880:f10c:83:face:b00c:0:25de']}
|
|
||||||
end
|
end
|
||||||
|
|
||||||
test "https url with non standart port" do
|
test "https url with non standart port" do
|
||||||
@ -269,23 +261,4 @@ test "with ipv6" do
|
|||||||
} = Connections.get_state(:gun_connections)
|
} = Connections.get_state(:gun_connections)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe "format_host/1" do
|
|
||||||
test "with domain" do
|
|
||||||
assert Gun.format_host("example.com") == 'example.com'
|
|
||||||
end
|
|
||||||
|
|
||||||
test "with idna domain" do
|
|
||||||
assert Gun.format_host("ですexample.com") == 'xn--example-183fne.com'
|
|
||||||
end
|
|
||||||
|
|
||||||
test "with ipv4" do
|
|
||||||
assert Gun.format_host("127.0.0.1") == '127.0.0.1'
|
|
||||||
end
|
|
||||||
|
|
||||||
test "with ipv6" do
|
|
||||||
assert Gun.format_host("2a03:2880:f10c:83:face:b00c:0:25de") ==
|
|
||||||
'2a03:2880:f10c:83:face:b00c:0:25de'
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
@ -113,4 +113,23 @@ test "passed opts have more weight than defaults" do
|
|||||||
assert opts[:proxy] == {'example.com', 4321}
|
assert opts[:proxy] == {'example.com', 4321}
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe "format_host/1" do
|
||||||
|
test "with domain" do
|
||||||
|
assert Connection.format_host("example.com") == 'example.com'
|
||||||
|
end
|
||||||
|
|
||||||
|
test "with idna domain" do
|
||||||
|
assert Connection.format_host("ですexample.com") == 'xn--example-183fne.com'
|
||||||
|
end
|
||||||
|
|
||||||
|
test "with ipv4" do
|
||||||
|
assert Connection.format_host("127.0.0.1") == '127.0.0.1'
|
||||||
|
end
|
||||||
|
|
||||||
|
test "with ipv6" do
|
||||||
|
assert Connection.format_host("2a03:2880:f10c:83:face:b00c:0:25de") ==
|
||||||
|
'2a03:2880:f10c:83:face:b00c:0:25de'
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
Loading…
Reference in New Issue
Block a user