Support turning off https from channel.ini
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Ubuntu system image | Fix Released | Wishlist | Barry Warsaw | |
Bug Description
Now that the server code can be used to build alternate servers for porters, it's doubtful that all those folks will have valid SSL certificates (due to their cost and requirement for a separate public IP), so it'd be good to have a way to turn off https.
We clearly don't want to do any fallback to http automatically as this would allow an attacker to make us drop to http by blocking tcp/443, but having this be an option in channel.ini would be perfectly acceptable.
My suggestion for the implementation would be to support:
- http_port: 0 => the server only supports https, don't even attempt an http connection
- https_port: 0 => the server only supports http, don't even attempt an https connection
The first option likely won't be used by many setups, but it's still good to have if only for consistency. The second option is the one we need to make our porters' life easier.
Related branches
- Barry Warsaw (community): Approve
- Diff: 290 lines (+180/-11), 7 files modified
ini-manpage.rst (+4/-2)
systemimage/bag.py (+8/-0)
systemimage/config.py (+30/-9)
systemimage/tests/data/config_05.ini (+36/-0)
systemimage/tests/data/config_06.ini (+36/-0)
systemimage/tests/data/config_07.ini (+36/-0)
systemimage/tests/test_config.py (+30/-0)
- Manuel de la Peña (community): Approve
- Ubuntu CI managed package branches: Pending requested
- Diff: 1484 lines (+646/-221), 33 files modified
NEWS.rst (+22/-0)
PKG-INFO (+1/-1)
debian/changelog (+26/-0)
debian/patches/lp1284217.patch (+0/-106)
debian/patches/series (+0/-1)
debian/rules (+3/-0)
ini-manpage.rst (+6/-2)
setup.cfg (+1/-1)
system_image.egg-info/PKG-INFO (+1/-1)
system_image.egg-info/SOURCES.txt (+4/-0)
system_image.egg-info/entry_points.txt (+1/-1)
systemimage/api.py (+16/-3)
systemimage/bag.py (+9/-1)
systemimage/config.py (+54/-14)
systemimage/dbus.py (+29/-13)
systemimage/download.py (+13/-39)
systemimage/main.py (+6/-2)
systemimage/scores.py (+1/-1)
systemimage/state.py (+2/-10)
systemimage/testing/controller.py (+2/-1)
systemimage/testing/dbus.py (+0/-2)
systemimage/testing/helpers.py (+11/-0)
systemimage/tests/data/channel_02.ini (+3/-0)
systemimage/tests/data/config_05.ini (+36/-0)
systemimage/tests/data/config_06.ini (+36/-0)
systemimage/tests/data/config_07.ini (+36/-0)
systemimage/tests/data/config_08.ini (+36/-0)
systemimage/tests/test_api.py (+16/-2)
systemimage/tests/test_bag.py (+61/-0)
systemimage/tests/test_config.py (+56/-4)
systemimage/tests/test_dbus.py (+128/-14)
systemimage/tests/test_main.py (+29/-1)
systemimage/version.txt (+1/-1)
Changed in ubuntu-system-image:
status: New → Triaged
importance: Undecided → Wishlist
tags: added: client
Changed in ubuntu-system-image:
assignee: nobody → Barry Warsaw (barry)
Changed in ubuntu-system-image:
status: Triaged → In Progress
assignee: nobody → Barry Warsaw (barry)
Changed in ubuntu-system-image:
status: In Progress → Fix Committed
Changed in ubuntu-system-image:
status: Fix Committed → Fix Released
I think rather, that I would add a `use_https` flag to the [service] section of the configuration file. This would of course default to yes/true/1 (we'd need a systemimage.helpers function as_boolean() to convert from any of those string values to Python True/False. lazr.config has such a converter, but we don't need to pull that whole dep in just for that function; we can do a straight rip, it's not much code).
Then in config.py, where we calculate self.service['https_base'], we'd first check this flag. If it was False, we'd just copy the value of self.service['http_base'] into self.service['https_base']. Everything else should then Just Work.
Probably the most work will be in setting up a test of this. The test infrastructure may need some code changes in order to set up the right scenario.
We'd also have to update ini-manpage.rst to document the new setting, and add that flag to all the .ini files in the code.
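The approach sketched in the comment above, as an added example that is not system-image's own code: a strict `as_boolean()` plus the base-URL calculation, where HTTPS is only dropped when the file says so explicitly and never as a runtime fallback. The `base` key, the sample host and ports, the `service_bases()` name, and rejecting unrecognised boolean strings are assumptions.

```python
import configparser

# Constructed sample channel.ini; `base`, host and ports are assumptions.
SAMPLE_INI = """\
[service]
base: images.example.invalid
http_port: 8080
https_port: 8443
use_https: no
"""

_TRUE = {"yes", "true", "1"}
_FALSE = {"no", "false", "0"}


def as_boolean(value):
    """Convert a config string to bool; reject anything unrecognised."""
    text = value.strip().lower()
    if text in _TRUE:
        return True
    if text in _FALSE:
        return False
    # Failing closed: a typo must not silently turn HTTPS off.
    raise ValueError("not a boolean: {!r}".format(value))


def _url(scheme, host, port, default_port):
    # Omit the port when it is the scheme's default.
    if port == default_port:
        return "{}://{}".format(scheme, host)
    return "{}://{}:{}".format(scheme, host, port)


def service_bases(ini_text):
    """Return (http_base, https_base) for the [service] section."""
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    service = parser["service"]
    host = service["base"]
    http_base = _url("http", host, service.getint("http_port", fallback=80), 80)
    # A missing flag keeps HTTPS on; only an explicit false value disables it.
    if as_boolean(service.get("use_https", fallback="yes")):
        port = service.getint("https_port", fallback=443)
        https_base = _url("https", host, port, 443)
    else:
        # Operator's explicit choice in the file: reuse the http base.
        https_base = http_base
    return http_base, https_base
```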