From a2fd287e56ede2995c964553078a607838dc4cba Mon Sep 17 00:00:00 2001
From: Davi Vidal
Date: Tue, 5 Mar 2019 10:57:11 +0100
Subject: [PATCH 1/5] Ignores SSL verification when on premise vagrant cloud
---
 post-processor/vagrant-cloud/client.go | 10 +++++++++-
 post-processor/vagrant-cloud/post-processor.go | 18 +++++++++++-------
 2 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/post-processor/vagrant-cloud/client.go b/post-processor/vagrant-cloud/client.go
index bbea6b245..e63196684 100644
--- a/post-processor/vagrant-cloud/client.go
+++ b/post-processor/vagrant-cloud/client.go
@@ -2,6 +2,7 @@ package vagrantcloud import ( "bytes" + "crypto/tls" "encoding/json" "fmt" "io"
@@ -37,13 +38,20 @@ func (v VagrantCloudErrors) FormatErrors() string { return strings.Join(errs, ". ") } -func (v VagrantCloudClient) New(baseUrl string, token string) (*VagrantCloudClient, error) { +func (v VagrantCloudClient) New(baseUrl string, token string, InsecureSkipTLSVerify bool) (*VagrantCloudClient, error) { c := &VagrantCloudClient{ client: commonhelper.HttpClientWithEnvironmentProxy(), BaseURL: baseUrl, AccessToken: token, } + if InsecureSkipTLSVerify { + transport := c.client.Transport.(*http.Transport) + transport.TLSClientConfig = &tls.Config{ + InsecureSkipVerify: true, + } + } + return c, c.ValidateAuthentication() }
diff --git a/post-processor/vagrant-cloud/post-processor.go b/post-processor/vagrant-cloud/post-processor.go
index cb651017f..39d131c4e 100644
--- a/post-processor/vagrant-cloud/post-processor.go
+++ b/post-processor/vagrant-cloud/post-processor.go
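Review bot: In `New` (client.go, second hunk) the single-value assertion `c.client.Transport.(*http.Transport)` panics if `commonhelper.HttpClientWithEnvironmentProxy()` ever hands back a client whose Transport is nil or some other RoundTripper; the two-value form with an error return keeps a bad configuration from crashing the build. Assigning a fresh `&tls.Config{...}` also throws away any TLS settings the transport already carried, so set only the one field on the existing config. With verification off, `ValidateAuthentication` and every later request go to whichever host answers, so for the self-signed case described in the docs a CA-bundle option that fills `RootCAs` would be the safer way to support it. The parameter would also read more conventionally as `insecureSkipTLSVerify`.

```go
	if InsecureSkipTLSVerify {
		transport, ok := c.client.Transport.(*http.Transport)
		if !ok {
			return nil, fmt.Errorf("insecure_skip_tls_verify: unsupported HTTP transport %T", c.client.Transport)
		}
		if transport.TLSClientConfig == nil {
			transport.TLSClientConfig = &tls.Config{}
		}
		// Flip only this field so any existing TLS settings survive.
		transport.TLSClientConfig.InsecureSkipVerify = true
	}
```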
@@ -27,8 +27,9 @@ type Config struct { VersionDescription string `mapstructure:"version_description"` NoRelease bool `mapstructure:"no_release"` - AccessToken string `mapstructure:"access_token"` - VagrantCloudUrl string `mapstructure:"vagrant_cloud_url"` + AccessToken string `mapstructure:"access_token"` + VagrantCloudUrl string `mapstructure:"vagrant_cloud_url"` + InsecureSkipTLSVerify bool `mapstructure:"insecure_skip_tls_verify"` BoxDownloadUrl string `mapstructure:"box_download_url"`
@@ -41,10 +42,11 @@ type boxDownloadUrlTemplate struct { } type PostProcessor struct { - config Config - client *VagrantCloudClient - runner multistep.Runner - warnAtlasToken bool + config Config + client *VagrantCloudClient + runner multistep.Runner + warnAtlasToken bool + insecureSkipTLSVerify bool } func (p *PostProcessor) Configure(raws ...interface{}) error {
@@ -66,6 +68,8 @@ func (p *PostProcessor) Configure(raws ...interface{}) error { p.config.VagrantCloudUrl = VAGRANT_CLOUD_URL } + p.insecureSkipTLSVerify = p.config.InsecureSkipTLSVerify == true && p.config.VagrantCloudUrl != VAGRANT_CLOUD_URL + if p.config.AccessToken == "" { envToken := os.Getenv("VAGRANT_CLOUD_TOKEN") if envToken == "" {
@@ -95,7 +99,7 @@ func (p *PostProcessor) Configure(raws ...interface{}) error { } // create the HTTP client - p.client, err = VagrantCloudClient{}.New(p.config.VagrantCloudUrl, p.config.AccessToken) + p.client, err = VagrantCloudClient{}.New(p.config.VagrantCloudUrl, p.config.AccessToken, p.insecureSkipTLSVerify) if err != nil { errs = packer.MultiErrorAppend( errs, fmt.Errorf("Failed to verify authentication token: %v", err))
From 1a94ad14bd3df5fd794e04bc3db3b7b52caebd48 Mon Sep 17 00:00:00 2001
From: Davi Vidal
Date: Tue, 5 Mar 2019 14:37:37 +0100
Subject: [PATCH 2/5] Adds test for insecure_skip_tls_verify
---
 .../vagrant-cloud/post-processor_test.go | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
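Review bot: In `Configure` (post-processor.go, hunk at +68) the guard `p.config.VagrantCloudUrl != VAGRANT_CLOUD_URL` is an exact string comparison, so a configured URL that differs from the default only by a trailing slash or letter case still passes it and certificate verification is switched off for the public service; comparing the parsed host of both URLs would hold the intent. The option is also dropped silently when the URL is the default, and nothing is reported when it does take effect, so a warning in the enabled case and a Configure error (or warning) in the ignored case would make the state visible in build output. `== true` is redundant on a bool, and within this patch the new `insecureSkipTLSVerify` struct field is only read by the `New` call later in the same function, so a local variable would do. `Configure` begins and ends outside these hunks.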
diff --git a/post-processor/vagrant-cloud/post-processor_test.go b/post-processor/vagrant-cloud/post-processor_test.go
index c21a2fd2a..e038c7786 100644
--- a/post-processor/vagrant-cloud/post-processor_test.go
+++ b/post-processor/vagrant-cloud/post-processor_test.go
@@ -41,6 +41,32 @@ func newSecureServer(token string, handler http.HandlerFunc) *httptest.Server { })) } +func newSelfSignedSslServer(token string, handler http.HandlerFunc) *httptest.Server { + token = fmt.Sprintf("Bearer %s", token) + return httptest.NewTLSServer(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) { + if req.Header.Get("authorization") != token { + http.Error(rw, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized) + return + } + if handler != nil { + handler(rw, req) + } + })) +} + +func TestPostProcessor_Insecure_Ssl(t *testing.T) { + var p PostProcessor + server := newSelfSignedSslServer("foo", nil) + defer server.Close() + + config := testGoodConfig() + config["vagrant_cloud_url"] = server.URL + config["insecure_skip_tls_verify"] = true + if err := p.Configure(config); err != nil { + t.Fatalf("err: %s", err) + } +} + func TestPostProcessor_Configure_fromVagrantEnv(t *testing.T) { var p PostProcessor config := testGoodConfig()
From b0e3128125db28a653a8a96aebe81b68b26b961a Mon Sep 17 00:00:00 2001
From: Davi Vidal
Date: Tue, 5 Mar 2019 14:39:50 +0100
Subject: [PATCH 3/5] Improves test message
---
 post-processor/vagrant-cloud/post-processor_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/post-processor/vagrant-cloud/post-processor_test.go b/post-processor/vagrant-cloud/post-processor_test.go
index e038c7786..5649aca4c 100644
--- a/post-processor/vagrant-cloud/post-processor_test.go
+++ b/post-processor/vagrant-cloud/post-processor_test.go
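Review bot: `TestPostProcessor_Insecure_Ssl` only exercises the opt-in path; nothing in this hunk checks that `Configure` still rejects the self-signed server when `insecure_skip_tls_verify` is false or absent, which is the property that would catch the flag being wired the wrong way round. A companion test that reuses `newSelfSignedSslServer` and expects an error pins that, assuming `Configure` returns the errors it accumulates. `newSelfSignedSslServer` also appears to duplicate `newSecureServer` (only its closing lines are visible here) with `httptest.NewTLSServer` swapped in, so the token-checking handler could be shared between the two.

```go
func TestPostProcessor_SelfSigned_RequiresOptIn(t *testing.T) {
	var p PostProcessor
	server := newSelfSignedSslServer("foo", nil)
	defer server.Close()

	config := testGoodConfig()
	config["vagrant_cloud_url"] = server.URL
	config["insecure_skip_tls_verify"] = false
	if err := p.Configure(config); err == nil {
		t.Fatal("expected certificate verification to fail for a self-signed server")
	}
}
```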
@@ -63,7 +63,7 @@ func TestPostProcessor_Insecure_Ssl(t *testing.T) { config["vagrant_cloud_url"] = server.URL config["insecure_skip_tls_verify"] = true if err := p.Configure(config); err != nil { - t.Fatalf("err: %s", err) + t.Fatalf("Expected TLS to skip certificate validation: %s", err) } }
From 6c3b74bfd39542c6d6862d76d397724bf2b2de80 Mon Sep 17 00:00:00 2001
From: Davi Vidal
Date: Wed, 6 Mar 2019 11:13:25 +0100
Subject: [PATCH 4/5] Adds documentation on insecure_skip_tls_verify
---
 website/source/docs/post-processors/vagrant-cloud.html.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/website/source/docs/post-processors/vagrant-cloud.html.md b/website/source/docs/post-processors/vagrant-cloud.html.md
index 7d24c9b87..499e51530 100644
--- a/website/source/docs/post-processors/vagrant-cloud.html.md
+++ b/website/source/docs/post-processors/vagrant-cloud.html.md
@@ -78,6 +78,10 @@ on Vagrant Cloud, as well as authentication and version information. This is useful if you're using Vagrant Private Cloud in your own network. Defaults to `https://vagrantcloud.com/api/v1` +- `insecure_skip_tls_verify` (boolean) - If set to true *and* `vagrant_cloud_url` + is set to something different than its default, it will set TLS InsecureSkipVerify + to true. In other words, this will disable security checks of SSL. + - `version_description` (string) - Optionally markdown text used as a full-length and in-depth description of the version, typically for denoting changes introduced
From e3618bdedf658da0fdbf4f80058cf5e2d2e4c526 Mon Sep 17 00:00:00 2001
From: Davi Vidal
Date: Wed, 6 Mar 2019 21:38:57 +0100
Subject: [PATCH 5/5] Improves insecure_skip_tls_verify doc, expliciting an use case
---
 website/source/docs/post-processors/vagrant-cloud.html.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/website/source/docs/post-processors/vagrant-cloud.html.md b/website/source/docs/post-processors/vagrant-cloud.html.md
index 499e51530..369b229bd 100644
--- a/website/source/docs/post-processors/vagrant-cloud.html.md
+++ b/website/source/docs/post-processors/vagrant-cloud.html.md
@@ -80,7 +80,9 @@ on Vagrant Cloud, as well as authentication and version information. - `insecure_skip_tls_verify` (boolean) - If set to true *and* `vagrant_cloud_url` is set to something different than its default, it will set TLS InsecureSkipVerify - to true. In other words, this will disable security checks of SSL. + to true. In other words, this will disable security checks of SSL. You may need + to set this option to true if your host at vagrant_cloud_url is using a + self-signed certificate. - `version_description` (string) - Optionally markdown text used as a full-length and in-depth description of the version, typically for denoting