feat: Add accept_invalid_certs flag to HttpSource #1405

Merged
merged 5 commits into from
Mar 7, 2024
Merged
Changes from 3 commits
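--- a/crates/symbolicator-service/src/download/http.rs
+++ b/crates/symbolicator-service/src/download/http.rs
@@ -14,12 +14,17 @@ use super::USER_AGENT;
 #[derive(Debug)]
 pub struct HttpDownloader {
 client: Client,
+no_ssl_client: Client,
 timeouts: DownloadTimeouts,
 }
 
 impl HttpDownloader {
-pub fn new(client: Client, timeouts: DownloadTimeouts) -> Self {
-Self { client, timeouts }
+pub fn new(client: Client, no_ssl_client: Client, timeouts: DownloadTimeouts) -> Self {
+Self {
+client,
+no_ssl_client,
+timeouts,
+}
 }
 
 /// Downloads a source hosted on an HTTP server.
@@ -32,7 +37,13 @@ impl HttpDownloader {
 let download_url = file_source.url().map_err(|_| CacheError::NotFound)?;
 
 tracing::debug!("Fetching debug file from `{}`", download_url);
-let mut builder = self.client.get(download_url);
+
+// Use `self.no_ssl_client` if the source is configured to accept invalid SSL certs
+let mut builder = if file_source.source.accept_invalid_certs {
+self.no_ssl_client.get(download_url)
+} else {
+self.client.get(download_url)
+};
 
 let headers = file_source
 .source
@@ -73,7 +84,7 @@ mod tests {
 let loc = SourceLocation::new("hello.txt");
 let file_source = HttpRemoteFile::new(http_source, loc);
 
-let downloader = HttpDownloader::new(Client::new(), Default::default());
+let downloader = HttpDownloader::new(Client::new(), Client::new(), Default::default());
 let mut destination = tokio::fs::File::create(&dest).await.unwrap();
 let download_status = downloader
 .download_source("", &file_source, &mut destination)
@@ -100,7 +111,7 @@ mod tests {
 let loc = SourceLocation::new("i-do-not-exist");
 let file_source = HttpRemoteFile::new(http_source, loc);
 
-let downloader = HttpDownloader::new(Client::new(), Default::default());
+let downloader = HttpDownloader::new(Client::new(), Client::new(), Default::default());
 let mut destination = tokio::fs::File::create(&dest).await.unwrap();
 let download_status = downloader
 .download_source("", &file_source, &mut destination)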
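Review bot: `HttpDownloader::new` now takes two positional `Client` arguments that the type system cannot tell apart, so a call site that passes them in the wrong order still compiles and would send every HTTP source through the client that skips certificate verification. The name `no_ssl_client` also misstates what the client does, since the connection presumably still uses TLS and only verification is off; a name such as `unverified_certs_client` would read correctly at the `if file_source.source.accept_invalid_certs` branch. I would add a doc comment on `new`, for example `/// client verifies TLS certificates; no_ssl_client does not and is used only for sources with accept_invalid_certs set.` The two tests touched here pass `Client::new()` for both arguments, so as far as these hunks show nothing checks which client a source ends up on; the function bodies continue outside the hunks.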
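--- a/crates/symbolicator-service/src/download/mod.rs
+++ b/crates/symbolicator-service/src/download/mod.rs
@@ -231,19 +231,24 @@ impl DownloadService {
 pub fn new(config: &Config, runtime: tokio::runtime::Handle) -> Arc<Self> {
 let timeouts = DownloadTimeouts::from_config(config);
 
-// The trusted client can always connect to reserved IPs. The restricted client only can if it's
-// explicitly allowed in the config.
+// | client | can connect to reserved IPs | accepts invalid SSL certs |
+// | -----------| ----------------------------|---------------------------|
+// | trusted | yes | no |
+// | restricted | according to config setting | no |
+// | no_ssl | according to config setting | yes |
 let trusted_client = crate::utils::http::create_client(&timeouts, true, false);
 let restricted_client =
 crate::utils::http::create_client(&timeouts, config.connect_to_reserved_ips, false);
+let no_ssl_client =
+crate::utils::http::create_client(&timeouts, config.connect_to_reserved_ips, true);
 
 let in_memory = &config.caches.in_memory;
 Arc::new(Self {
 runtime: runtime.clone(),
 timeouts,
 trusted_client: trusted_client.clone(),
 sentry: sentry::SentryDownloader::new(trusted_client, runtime, timeouts, in_memory),
-http: http::HttpDownloader::new(restricted_client.clone(), timeouts),
+http: http::HttpDownloader::new(restricted_client.clone(), no_ssl_client, timeouts),
 s3: s3::S3Downloader::new(timeouts, in_memory.s3_client_capacity),
 gcs: gcs::GcsDownloader::new(restricted_client, timeouts, in_memory.gcs_token_capacity),
 fs: filesystem::FilesystemDownloader::new(),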
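Review bot: `no_ssl_client` is built unconditionally, so whether certificate verification can be switched off is decided only by the per-source `accept_invalid_certs` field, whereas the neighbouring reserved-IP behaviour is gated by the service's own `config.connect_to_reserved_ips`. If source definitions can reach this service from request payloads rather than only from operator configuration (not visible here), any caller could opt a download out of TLS verification. Consider a service-level setting that must be enabled before the unverified client is created, and otherwise pass `restricted_client.clone()` in its place so the per-source flag has no effect. The bare `true`/`false` arguments to `create_client` would also be easier to audit as named constants or a small options struct; `DownloadService::new` continues outside the hunk.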
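--- a/crates/symbolicator-sources/src/sources/http.rs
+++ b/crates/symbolicator-sources/src/sources/http.rs
@@ -22,6 +22,13 @@ pub struct HttpSourceConfig {
 /// Configuration common to all sources.
 #[serde(flatten)]
 pub files: CommonSourceConfig,
+
+/// If true, it should be possible to download from this source
+/// even if SSL certificates can't be verified.
+///
+/// Don't use this lightly!
+#[serde(default)]
+pub accept_invalid_certs: bool,
 }
 
 /// The HTTP-specific [`RemoteFile`].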
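Review bot: The doc comment on `accept_invalid_certs` says "Don't use this lightly!" without stating what is given up, and this is the text people writing source configs will read. I would spell the consequence out, for example `/// Disables TLS certificate verification for this source: the server is not authenticated, so downloaded files can be altered in transit and request headers configured for the source go to whoever answers.` The part about headers assumes the downloader attaches per-source headers after choosing the client, which the cut-off `let headers = file_source.source` line in download/http.rs suggests but does not fully show. It is also worth documenting that the field defaults to `false` through `#[serde(default)]`; the struct definition starts outside the hunk.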