heat-cfntools

cfn-signal doesn't respect instance_connection_https_validate_certificates

Bug #1251707 reported by Steven Hardy on 2013-11-15

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	heat-cfntools	Triaged	High	Unassigned	heat-cfntools v1.3.0

Bug Description

Reported by a user on IRC and verified by inspection of the code, currently instance_connection_https_validate_certificates affects the boto config we create in the instance, but cfn-signal doesn't use boto, it just wraps a curl call.

So we either need to get cfn-signal to read the cfn-boto-cfg file (or other data we provide via userdata if that's deemed to dirty-a solution) such that it adds the --insecure option, or just kill cfn-signal and make users use curl (which is what AWS do AFAICT, I think cfn-signal is something we invented?)

Steve Baker (steve-stevebaker) on 2013-11-17

Changed in heat-cfntools:
status:	New → Triaged
importance:	Undecided → High
milestone:	none → v1.2.7

Steve Baker (steve-stevebaker) on 2014-02-18

Changed in heat-cfntools:
milestone:	v1.2.7 → v1.2.8

Revision history for this message

Yukinori Sagara (sagara) wrote on 2014-08-27:

Download full text (5.9 KiB)

> (which is what AWS do AFAICT, I think cfn-signal is something we invented?)

I checked. AWS always verify SSL cert. (I write my survey at the bottom.)

> So we either need to get cfn-signal to read the cfn-boto-cfg file (or other data we provide via userdata if that's deemed to dirty-a solution) such\
that it adds the --insecure option, or just kill cfn-signal and make users use curl

If you judge a approach, I will try to write a code.

1. get cfn-signal to read the /var/lib/heat-cfntools/cfn-boto-cfg file, and requests with curl

     * read /var/lib/heat-cfntools/cfn-boto-cfg
       is_secure = 0 # do requests via https
       https_validate_certificates = 1 # if is_secure == 1 then validate cert

     * execute curl with the conditions below
        if is_secure:
            if https_validate_certificates:
  curl --cacert <CA certificate> 'https://.*'
            else:
                curl 'https://.*'
else:
            curl 'http://.*'

2. get cfn-signal to read the other data via userdata
* may be dirty, do you have any detailed idea?

----

This is my survey, which is how Amazon Linux treats cfn-signal SSL requests.

* /var/lib/cloud/data/user-data.txt

At instance, cfn-signal is called by userdata. cfn-signal passes 'https' url parameter.

  4 function error_exit
  5 {
  6 /opt/aws/bin/cfn-signal -e 1 -r "$1" 'https://cloudformation-waitcondition-ap-northeast-1.s3-ap-northeast-1.amazonaws.com/arn%3Aaws%3Acloudform\
a tion%3Aap-northeast-1%3A619125787411%3Astack/wordpress/1aad2760-2d70-11e4-9d9e-5088487c4896/WaitHandle?AWSAccessKeyId=AKIAIZ6TP2XVEMTYTWLQ&Expir\
es =1409178429&Signature=pdGcv%2FVjXZNpnASBr37qxxckOBQ%3D'
  7 exit 1
  8 }

* /opt/aws/bin/cfn-signal

cfn-signal implementaion. it uses 'requests' python library in cfnbootstrap.packages.
cfn-signal calls put() method with 'verify=True' parameter. this is whether force to verify SSL cert or not.
so Amazon Cloudformation always verify SSL cert validation.

22 import re
23 from cfnbootstrap.packages import requests
24 import socket

77
78 @util.retry_on_failure()
79 @util.timeout()
80 def send(url, data):
81 requests.put(url,
82 data=json.dumps(data),
83 headers={"Content-Type" : ""},
84 verify=True,
85 proxies=util.get_proxyinfo(options)).raise_for_status()
86
87 try:
88 send(url, data)
89 print 'CloudFormation signaled successfully with %s.' % data['Status']
90 sys.exit(0)
91 except IOError, e:
92 print >> sys.stderr, 'Error signaling CloudFormation: %s' % str(e)
93 sys.exit(1)

* /usr/lib/python2.6/site-packages/cfnbootstrap/packages/requests/__init__.py

requests library. request.put() is alias of request.api.put().

59 from .models import Request, Response, PreparedRequest
60 from .api import request, get, head, post, patch, put, delete, options
61 from .sessions import session, Session

* /usr/lib/python2.6/site-packages/cfnbootstrap/packages/requests/api.py

'verify=True' in kwargs of request.api.put().

91 def put(url, data=None, **kwargs):
92 """Sends a PUT request. Returns :class:`Response` object.
93
...

> (which is what AWS do AFAICT, I think cfn-signal is something we invented?)

I checked. AWS always verify SSL cert. (I write my survey at the bottom.)

> So we either need to get cfn-signal to read the cfn-boto-cfg file (or other data we provide via userdata if that's deemed to dirty-a solution) such\
 that it adds the --insecure option, or just kill cfn-signal and make users use curl

If you judge a approach, I will try to write a code.

1. get cfn-signal to read the /var/lib/heat-cfntools/cfn-boto-cfg file, and requests with curl

* read /var/lib/heat-cfntools/cfn-boto-cfg
       is_secure = 0                      # do requests via https
       https_validate_certificates = 1    # if is_secure == 1 then validate cert

* execute curl with the conditions below
        if is_secure:
            if https_validate_certificates:
		curl --cacert <CA certificate> 'https://.*'
            else:
                curl 'https://.*'
	else:
            curl 'http://.*'

2. get cfn-signal to read the other data via userdata
     * may be dirty, do you have any detailed idea?

----

This is my survey, which is how Amazon Linux treats cfn-signal SSL requests.

* /var/lib/cloud/data/user-data.txt

At instance, cfn-signal is called by userdata. cfn-signal passes 'https' url parameter.

4 function error_exit
  5 {
  6   /opt/aws/bin/cfn-signal -e 1 -r "$1" 'https://cloudformation-waitcondition-ap-northeast-1.s3-ap-northeast-1.amazonaws.com/arn%3Aaws%3Acloudform\
a    tion%3Aap-northeast-1%3A619125787411%3Astack/wordpress/1aad2760-2d70-11e4-9d9e-5088487c4896/WaitHandle?AWSAccessKeyId=AKIAIZ6TP2XVEMTYTWLQ&Expir\
es    =1409178429&Signature=pdGcv%2FVjXZNpnASBr37qxxckOBQ%3D'
  7   exit 1
  8 }

* /opt/aws/bin/cfn-signal

22 import re
 23 from cfnbootstrap.packages import requests
 24 import socket

77
 78 @util.retry_on_failure()
 79 @util.timeout()
 80 def send(url, data):
 81     requests.put(url,
 82                  data=json.dumps(data),
 83                  headers={"Content-Type" : ""},
 84                  verify=True,
 85                  proxies=util.get_proxyinfo(options)).raise_for_status()
 86
 87 try:
 88     send(url, data)
 89     print 'CloudFormation signaled successfully with %s.' % data['Status']
 90     sys.exit(0)
 91 except IOError, e:
 92     print >> sys.stderr, 'Error signaling CloudFormation: %s' % str(e)
 93     sys.exit(1)

* /usr/lib/python2.6/site-packages/cfnbootstrap/packages/requests/__init__.py

requests library. request.put() is alias of request.api.put().

59 from .models import Request, Response, PreparedRequest
 60 from .api import request, get, head, post, patch, put, delete, options
 61 from .sessions import session, Session

* /usr/lib/python2.6/site-packages/cfnbootstrap/packages/requests/api.py

'verify=True' in kwargs of request.api.put().

91 def put(url, data=None, **kwargs):
 92     """Sends a PUT request. Returns :class:`Response` object.
 93
 94     :param url: URL for the new :class:`Request` object.
 95     :param data: (optional) Dictionary, bytes, or file-like object to send in the body of the :class:`Request`.
 96     :param \*\*kwargs: Optional arguments that ``request`` takes.
 97     """
 98
 99     return request('put', url, data=data, **kwargs)

finally, 'verify=True' used to verify the SSL cert validation.

17 def request(method, url, **kwargs):
 18     """Constructs and sends a :class:`Request <Request>`.
 19     Returns :class:`Response <Response>` object.
 20
 21     :param method: method for the new :class:`Request` object.
 22     :param url: URL for the new :class:`Request` object.
 23     :param params: (optional) Dictionary or bytes to be sent in the query string for the :class:`Request`.
 24     :param data: (optional) Dictionary, bytes, or file-like object to send in the body of the :class:`Request`.
 25     :param headers: (optional) Dictionary of HTTP Headers to send with the :class:`Request`.
 26     :param cookies: (optional) Dict or CookieJar object to send with the :class:`Request`.
 27     :param files: (optional) Dictionary of 'name': file-like-objects (or {'name': ('filename', fileobj)}) for multipart encoding upload.
 28     :param auth: (optional) Auth tuple to enable Basic/Digest/Custom HTTP Auth.
 29     :param timeout: (optional) Float describing the timeout of the request.
 30     :param allow_redirects: (optional) Boolean. Set to True if POST/PUT/DELETE redirect following is allowed.
 31     :param proxies: (optional) Dictionary mapping protocol to the URL of the proxy.
 32     :param verify: (optional) if ``True``, the SSL cert will be verified. A CA_BUNDLE path can also be provided.
 33     :param stream: (optional) if ``False``, the response content will be immediately downloaded.
 34     :param cert: (optional) if String, path to ssl client cert file (.pem). If Tuple, ('cert', 'key') pair.
 35
 36     Usage::
 37
 38       >>> import requests
 39       >>> req = requests.request('GET', 'http://httpbin.org/get')
 40       <Response [200]>
 41     """
 42
 43     session = sessions.Session()
 44     return session.request(method=method, url=url, **kwargs)

* cacert.pem

cacert.pem path.

[ec2-user@ip-10-123-34-21 ~]$ ls -l /usr/lib/python2.6/site-packages/cfnbootstrap/packages/requests/cacert.pem
-rw-r--r-- 1 root root 308434  4月 11 19:10 2014 /usr/lib/python2.6/site-packages/cfnbootstrap/packages/requests/cacert.pem

# In OpenStack, I think we need to use cacerts in boto. It is also used by cfn-push-stats.
#
# [root@test-wikidatabase-gnpryrmkip7w ~]# ls -l /usr/lib/python2.6/site-packages/boto/cacerts/cacerts.txt
# -rw-r--r--. 1 root root 251902  1月  7 08:20 2014 /usr/lib/python2.6/site-packages/boto/cacerts/cacerts.txt

* package version

aws-cfn-bootstrap-1.4-0.amzn1.noarch

Steve Baker (steve-stevebaker) on 2014-08-28

Changed in heat-cfntools:
milestone:	v1.2.8 → v1.2.9

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.