Update meta nodes to respect insecure skip verify

2018-02-14 14:28:02 -05:00 · 2018-02-14 14:28:02 -05:00 · f7144112a9
parent 779da128fe
commit f7144112a9
10 changed files with 91 additions and 34 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 1.4.1.2
+current_version = 1.4.1.3
 files = README.md server/swagger.json
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\.(?P<release>\d+)
 serialize = {major}.{minor}.{patch}.{release}
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,11 @@
 ## v1.4.2.0 [unreleased]
+### Features
+### UI Improvements
+### Bug Fixes

+## v1.4.1.3 [2018-02-14]
+### Bug Fixes
+1. [#2818](https://github.com/influxdata/chronograf/pull/2818): Allow self-signed certificates for Enterprise InfluxDB Meta nodes

 ## v1.4.1.2 [2018-02-13]
 ### Bug Fixes
--- a/README.md
+++ b/README.md
@ -136,7 +136,7 @@ option.
 ## Versions

 The most recent version of Chronograf is
-[v1.4.1.2](https://www.influxdata.com/downloads/).
+[v1.4.1.3](https://www.influxdata.com/downloads/).

 Spotted a bug or have a feature request? Please open
 [an issue](https://github.com/influxdata/chronograf/issues/new)!
@ -178,7 +178,7 @@ By default, chronograf runs on port `8888`.
 To get started right away with Docker, you can pull down our latest release:

 ```sh
-docker pull chronograf:1.4.1.2
+docker pull chronograf:1.4.1.3
 ```

 ### From Source
--- a/enterprise/enterprise.go
+++ b/enterprise/enterprise.go
@ -51,13 +51,13 @@ type Client struct {
 }

 // NewClientWithTimeSeries initializes a Client with a known set of TimeSeries.
-func NewClientWithTimeSeries(lg chronograf.Logger, mu string, authorizer influx.Authorizer, tls bool, series ...chronograf.TimeSeries) (*Client, error) {
+func NewClientWithTimeSeries(lg chronograf.Logger, mu string, authorizer influx.Authorizer, tls, insecure bool, series ...chronograf.TimeSeries) (*Client, error) {
 	metaURL, err := parseMetaURL(mu, tls)
 	if err != nil {
 		return nil, err
 	}

-	ctrl := NewMetaClient(metaURL, authorizer)
+	ctrl := NewMetaClient(metaURL, insecure, authorizer)
 	c := &Client{
 		Ctrl: ctrl,
 		UsersStore: &UserStore{
@ -85,13 +85,13 @@ func NewClientWithTimeSeries(lg chronograf.Logger, mu string, authorizer influx.
 // varieties. TLS is used when the URL contains "https" or when the TLS
 // parameter is set.  authorizer will add the correct `Authorization` headers
 // on the out-bound request.
-func NewClientWithURL(mu string, authorizer influx.Authorizer, tls bool, lg chronograf.Logger) (*Client, error) {
+func NewClientWithURL(mu string, authorizer influx.Authorizer, tls bool, insecure bool, lg chronograf.Logger) (*Client, error) {
 	metaURL, err := parseMetaURL(mu, tls)
 	if err != nil {
 		return nil, err
 	}

-	ctrl := NewMetaClient(metaURL, authorizer)
+	ctrl := NewMetaClient(metaURL, insecure, authorizer)
 	return &Client{
 		Ctrl: ctrl,
 		UsersStore: &UserStore{
--- a/enterprise/enterprise_test.go
+++ b/enterprise/enterprise_test.go
@ -84,6 +84,7 @@ func Test_Enterprise_AdvancesDataNodes(t *testing.T) {
 			Password: "thelake",
 		},
 		false,
+		false,
 		chronograf.TimeSeries(m1),
 		chronograf.TimeSeries(m2))
 	if err != nil {
@ -114,23 +115,53 @@ func Test_Enterprise_NewClientWithURL(t *testing.T) {
 	t.Parallel()

 	urls := []struct {
-		url       string
-		username  string
-		password  string
-		tls       bool
-		shouldErr bool
+		name               string
+		url                string
+		username           string
+		password           string
+		tls                bool
+		insecureSkipVerify bool
+		wantErr            bool
 	}{
-		{"http://localhost:8086", "", "", false, false},
-		{"https://localhost:8086", "", "", false, false},
-		{"http://localhost:8086", "username", "password", false, false},
-
-		{"http://localhost:8086", "", "", true, false},
-		{"https://localhost:8086", "", "", true, false},
-
-		{"localhost:8086", "", "", false, false},
-		{"localhost:8086", "", "", true, false},
-
-		{":http", "", "", false, true},
+		{
+			name: "no tls should have no error",
+			url:  "http://localhost:8086",
+		},
+		{
+			name: "tls sholuld have no error",
+			url:  "https://localhost:8086",
+		},
+		{
+			name:     "no tls but with basic auth",
+			url:      "http://localhost:8086",
+			username: "username",
+			password: "password",
+		},
+		{
+			name: "tls request but url is not tls should not error",
+			url:  "http://localhost:8086",
+			tls:  true,
+		},
+		{
+			name:               "https with tls and with insecureSkipVerify should not error",
+			url:                "https://localhost:8086",
+			tls:                true,
+			insecureSkipVerify: true,
+		},
+		{
+			name: "URL does not require http or https",
+			url:  "localhost:8086",
+		},
+		{
+			name: "URL with TLS request should not error",
+			url:  "localhost:8086",
+			tls:  true,
+		},
+		{
+			name:    "invalid URL causes error",
+			url:     ":http",
+			wantErr: true,
+		},
 	}

 	for _, testURL := range urls {
@ -141,10 +172,11 @@ func Test_Enterprise_NewClientWithURL(t *testing.T) {
 				Password: testURL.password,
 			},
 			testURL.tls,
+			testURL.insecureSkipVerify,
 			log.New(log.DebugLevel))
-		if err != nil && !testURL.shouldErr {
+		if err != nil && !testURL.wantErr {
 			t.Errorf("Unexpected error creating Client with URL %s and TLS preference %t. err: %s", testURL.url, testURL.tls, err.Error())
-		} else if err == nil && testURL.shouldErr {
+		} else if err == nil && testURL.wantErr {
 			t.Errorf("Expected error creating Client with URL %s and TLS preference %t", testURL.url, testURL.tls)
 		}
 	}
@ -159,7 +191,7 @@ func Test_Enterprise_ComplainsIfNotOpened(t *testing.T) {
 			Username: "docbrown",
 			Password: "1.21 gigawatts",
 		},
-		false, chronograf.TimeSeries(m1))
+		false, false, chronograf.TimeSeries(m1))
 	if err != nil {
 		t.Error("Expected ErrUnitialized, but was this err:", err)
 	}
--- a/enterprise/meta.go
+++ b/enterprise/meta.go
@ -3,6 +3,7 @@ package enterprise
 import (
 	"bytes"
 	"context"
+	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"fmt"
@ -14,6 +15,14 @@ import (
 	"github.com/influxdata/chronograf/influx"
 )

+// Shared transports for all clients to prevent leaking connections
+var (
+	skipVerifyTransport = &http.Transport{
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+	}
+	defaultTransport = &http.Transport{}
+)
+
 type client interface {
 	Do(URL *url.URL, path, method string, authorizer influx.Authorizer, params map[string]string, body io.Reader) (*http.Response, error)
 }
@ -26,10 +35,12 @@ type MetaClient struct {
 }

 // NewMetaClient represents a meta node in an Influx Enterprise cluster
-func NewMetaClient(url *url.URL, authorizer influx.Authorizer) *MetaClient {
+func NewMetaClient(url *url.URL, InsecureSkipVerify bool, authorizer influx.Authorizer) *MetaClient {
 	return &MetaClient{
-		URL:        url,
-		client:     &defaultClient{},
+		URL: url,
+		client: &defaultClient{
+			InsecureSkipVerify: InsecureSkipVerify,
+		},
 		authorizer: authorizer,
 	}
 }
@ -399,7 +410,8 @@ func (m *MetaClient) Post(ctx context.Context, path string, action interface{},
 }

 type defaultClient struct {
-	Leader string
+	Leader             string
+	InsecureSkipVerify bool
 }

 // Do is a helper function to interface with Influx Enterprise's Meta API
@ -438,6 +450,12 @@ func (d *defaultClient) Do(URL *url.URL, path, method string, authorizer influx.
 		CheckRedirect: d.AuthedCheckRedirect,
 	}

+	if d.InsecureSkipVerify {
+		client.Transport = skipVerifyTransport
+	} else {
+		client.Transport = defaultTransport
+	}
+
 	res, err := client.Do(req)
 	if err != nil {
 		return nil, err
--- a/enterprise/users.go
+++ b/enterprise/users.go
@ -37,7 +37,7 @@ func (c *UserStore) Delete(ctx context.Context, u *chronograf.User) error {
 	return c.Ctrl.DeleteUser(ctx, u.Name)
 }

-// Number of users in Influx
+// Num of users in Influx
 func (c *UserStore) Num(ctx context.Context) (int, error) {
 	all, err := c.All(ctx)
 	if err != nil {
--- a/server/service.go
+++ b/server/service.go
@ -48,7 +48,8 @@ func (c *InfluxClient) New(src chronograf.Source, logger chronograf.Logger) (chr
 	}
 	if src.Type == chronograf.InfluxEnterprise && src.MetaURL != "" {
 		tls := strings.Contains(src.MetaURL, "https")
-		return enterprise.NewClientWithTimeSeries(logger, src.MetaURL, influx.DefaultAuthorization(&src), tls, client)
+		insecure := src.InsecureSkipVerify
+		return enterprise.NewClientWithTimeSeries(logger, src.MetaURL, influx.DefaultAuthorization(&src), tls, insecure, client)
 	}
 	return client, nil
 }
--- a/server/swagger.json
+++ b/server/swagger.json
@ -3,7 +3,7 @@
  "info": {
    "title": "Chronograf",
    "description": "API endpoints for Chronograf",
-    "version": "1.4.1.2"
+    "version": "1.4.1.3"
  },
  "schemes": ["http"],
  "basePath": "/chronograf/v1",
--- a/ui/package.json
+++ b/ui/package.json
@ -1,6 +1,6 @@
 {
  "name": "chronograf-ui",
-  "version": "1.4.1-2",
+  "version": "1.4.1-3",
  "private": false,
  "license": "AGPL-3.0",
  "description": "",