add verify tls_opts only when we open connection
for other requests tesla will add tls_opts
This commit is contained in:
parent
426f5ee48a
commit
f39e1b9eff
|
@ -45,6 +45,7 @@ def open(%URI{} = uri, name, opts) do
|
|||
|> Map.put_new(:retry, pool_opts[:retry] || 1)
|
||||
|> Map.put_new(:retry_timeout, pool_opts[:retry_timeout] || 1000)
|
||||
|> Map.put_new(:await_up_timeout, pool_opts[:await_up_timeout] || 5_000)
|
||||
|> maybe_add_tls_opts(uri)
|
||||
|
||||
key = "#{uri.scheme}:#{uri.host}:#{uri.port}"
|
||||
|
||||
|
@ -70,6 +71,29 @@ def open(%URI{} = uri, name, opts) do
|
|||
end
|
||||
end
|
||||
|
||||
defp maybe_add_tls_opts(opts, %URI{scheme: "http"}), do: opts
|
||||
|
||||
defp maybe_add_tls_opts(opts, %URI{scheme: "https", host: host}) do
|
||||
tls_opts = [
|
||||
verify: :verify_peer,
|
||||
cacertfile: CAStore.file_path(),
|
||||
depth: 20,
|
||||
reuse_sessions: false,
|
||||
verify_fun:
|
||||
{&:ssl_verify_hostname.verify_fun/3,
|
||||
[check_hostname: Pleroma.HTTP.Connection.format_host(host)]}
|
||||
]
|
||||
|
||||
tls_opts =
|
||||
if Keyword.keyword?(opts[:tls_opts]) do
|
||||
Keyword.merge(tls_opts, opts[:tls_opts])
|
||||
else
|
||||
tls_opts
|
||||
end
|
||||
|
||||
Map.put(opts, :tls_opts, tls_opts)
|
||||
end
|
||||
|
||||
defp do_open(uri, %{proxy: {proxy_host, proxy_port}} = opts) do
|
||||
connect_opts =
|
||||
uri
|
||||
|
|
|
@ -45,21 +45,11 @@ def after_request(opts) do
|
|||
|
||||
defp add_scheme_opts(opts, %URI{scheme: "http"}), do: opts
|
||||
|
||||
defp add_scheme_opts(opts, %URI{scheme: "https", host: host}) do
|
||||
adapter_opts = [
|
||||
certificates_verification: true,
|
||||
transport: :tls,
|
||||
tls_opts: [
|
||||
verify: :verify_peer,
|
||||
cacertfile: CAStore.file_path(),
|
||||
depth: 20,
|
||||
reuse_sessions: false,
|
||||
verify_fun: {&:ssl_verify_hostname.verify_fun/3, [check_hostname: format_host(host)]},
|
||||
log_level: :warning
|
||||
]
|
||||
]
|
||||
|
||||
Keyword.merge(opts, adapter_opts)
|
||||
defp add_scheme_opts(opts, %URI{scheme: "https"}) do
|
||||
opts
|
||||
|> Keyword.put(:certificates_verification, true)
|
||||
|> Keyword.put(:transport, :tls)
|
||||
|> Keyword.put(:tls_opts, log_level: :warning)
|
||||
end
|
||||
|
||||
defp maybe_get_conn(adapter_opts, uri, connection_opts) do
|
||||
|
@ -93,17 +83,4 @@ defp try_to_get_conn(uri, opts) do
|
|||
|> Keyword.put(:close_conn, false)
|
||||
end
|
||||
end
|
||||
|
||||
@spec format_host(String.t()) :: charlist()
|
||||
def format_host(host) do
|
||||
host_charlist = to_charlist(host)
|
||||
|
||||
case :inet.parse_address(host_charlist) do
|
||||
{:error, :einval} ->
|
||||
:idna.encode(host_charlist)
|
||||
|
||||
{:ok, _ip} ->
|
||||
host_charlist
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -106,4 +106,17 @@ def parse_host(host) when is_binary(host) do
|
|||
{:ok, ip} -> ip
|
||||
end
|
||||
end
|
||||
|
||||
@spec format_host(String.t()) :: charlist()
|
||||
def format_host(host) do
|
||||
host_charlist = to_charlist(host)
|
||||
|
||||
case :inet.parse_address(host_charlist) do
|
||||
{:error, :einval} ->
|
||||
:idna.encode(host_charlist)
|
||||
|
||||
{:ok, _ip} ->
|
||||
host_charlist
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -38,31 +38,23 @@ test "https url with default port" do
|
|||
|
||||
opts = Gun.options([receive_conn: false], uri)
|
||||
assert opts[:certificates_verification]
|
||||
refute opts[:tls_opts] == []
|
||||
|
||||
assert opts[:tls_opts][:verify_fun] ==
|
||||
{&:ssl_verify_hostname.verify_fun/3, [check_hostname: 'example.com']}
|
||||
|
||||
assert File.exists?(opts[:tls_opts][:cacertfile])
|
||||
assert opts[:tls_opts][:log_level] == :warning
|
||||
end
|
||||
|
||||
test "https ipv4 with default port" do
|
||||
uri = URI.parse("https://127.0.0.1")
|
||||
|
||||
opts = Gun.options([receive_conn: false], uri)
|
||||
|
||||
assert opts[:tls_opts][:verify_fun] ==
|
||||
{&:ssl_verify_hostname.verify_fun/3, [check_hostname: '127.0.0.1']}
|
||||
assert opts[:certificates_verification]
|
||||
assert opts[:tls_opts][:log_level] == :warning
|
||||
end
|
||||
|
||||
test "https ipv6 with default port" do
|
||||
uri = URI.parse("https://[2a03:2880:f10c:83:face:b00c:0:25de]")
|
||||
|
||||
opts = Gun.options([receive_conn: false], uri)
|
||||
|
||||
assert opts[:tls_opts][:verify_fun] ==
|
||||
{&:ssl_verify_hostname.verify_fun/3,
|
||||
[check_hostname: '2a03:2880:f10c:83:face:b00c:0:25de']}
|
||||
assert opts[:certificates_verification]
|
||||
assert opts[:tls_opts][:log_level] == :warning
|
||||
end
|
||||
|
||||
test "https url with non standart port" do
|
||||
|
@ -269,23 +261,4 @@ test "with ipv6" do
|
|||
} = Connections.get_state(:gun_connections)
|
||||
end
|
||||
end
|
||||
|
||||
describe "format_host/1" do
|
||||
test "with domain" do
|
||||
assert Gun.format_host("example.com") == 'example.com'
|
||||
end
|
||||
|
||||
test "with idna domain" do
|
||||
assert Gun.format_host("ですexample.com") == 'xn--example-183fne.com'
|
||||
end
|
||||
|
||||
test "with ipv4" do
|
||||
assert Gun.format_host("127.0.0.1") == '127.0.0.1'
|
||||
end
|
||||
|
||||
test "with ipv6" do
|
||||
assert Gun.format_host("2a03:2880:f10c:83:face:b00c:0:25de") ==
|
||||
'2a03:2880:f10c:83:face:b00c:0:25de'
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -113,4 +113,23 @@ test "passed opts have more weight than defaults" do
|
|||
assert opts[:proxy] == {'example.com', 4321}
|
||||
end
|
||||
end
|
||||
|
||||
describe "format_host/1" do
|
||||
test "with domain" do
|
||||
assert Connection.format_host("example.com") == 'example.com'
|
||||
end
|
||||
|
||||
test "with idna domain" do
|
||||
assert Connection.format_host("ですexample.com") == 'xn--example-183fne.com'
|
||||
end
|
||||
|
||||
test "with ipv4" do
|
||||
assert Connection.format_host("127.0.0.1") == '127.0.0.1'
|
||||
end
|
||||
|
||||
test "with ipv6" do
|
||||
assert Connection.format_host("2a03:2880:f10c:83:face:b00c:0:25de") ==
|
||||
'2a03:2880:f10c:83:face:b00c:0:25de'
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in a new issue