support CONNECT based proxies #799
Conversation
- simplify the way we pass the proxy paramerer with just two new parameters. - simplify a bit the way we format the error message - ensure `vmware_host` can also collaborate with a proxy This PR depends on vmware/pyvmomi#799.
|
@tianhao64, @pgbidkar, may I ask you to take a look at this PR? :-) |
|
@goneri, VMware has approved your signed contributor license agreement. |
- simplify the way we pass the proxy paramerer with just two new parameters. - simplify a bit the way we format the error message - ensure `vmware_host` can also collaborate with a proxy This PR depends on vmware/pyvmomi#799.
|
Could you please take a look at the PR, we would like to land in Ansible the HTTP proxy support for the VMware modules ( ansible/ansible#52936 ), and this is a blocker for us. |
| def __call__(self, path, *args, **kwargs): | ||
| conn = http_client.HTTPSConnection(path, **kwargs) | ||
| conn.set_tunnel(self.proxyPath) | ||
| return conn |
There was a problem hiding this comment.
Hi @goneri , I am still not convinced about SSLTunnel change. Any change to SSLTunnel needs to test thoroughly. This might break existing users. We have experienced this internally.
Please can you explain a bit about How Cert/Key validation happens with your change?
Provide more details about testing performed for this change.
I will also do test internally.
Thanks
There was a problem hiding this comment.
The proxy support is currently not working, so I'm not sure how this patch can break existing users.
I didn't implement the cert/key validation because we don't use it and I don't have good way to test it.
There was a problem hiding this comment.
cert Key Validation is required here.
retval.sock = _SocketWrapper(tunnel.sock,
keyfile=key_file, certfile=cert_file)
Please can you confirm if your change handles this? I was out of office for 2 days. I will also test in my test env and confirm
Thanks
There was a problem hiding this comment.
Hi @pgbidkar, do you have any update on this?
There was a problem hiding this comment.
Hi, We are testing your change, but test results doesn't look promising. Trying out different scenarios. I will update the detailed findings by tomorrow EOD.
Thanks
There was a problem hiding this comment.
Why do you just pass a path (/sdkTunnel) and not the hostname of the proxy server?
HTTPConnection() exepects a hostname, see: https://docs.python.org/3/library/http.client.html
There was a problem hiding this comment.
What's the purpose of sslProxyPath? From my understanding of https://github.com/vmware/pyvmomi/blob/master/pyVmomi/SoapAdapter.py#L1240-L1247 I initially thought it was an alternative way to write the host:port but it seems to be something different.
There was a problem hiding this comment.
Why do you just pass a path (
/sdkTunnel) and not the hostname of the proxy server?
HTTPConnection()exepects a hostname, see: https://docs.python.org/3/library/http.client.html
/sdkTunnel is tunnel proxy inbuilt in vCenter. I didnt had actuall proxy server setup, hence using /sdkTunnel
There was a problem hiding this comment.
What's the purpose of
sslProxyPath? From my understanding of https://github.com/vmware/pyvmomi/blob/master/pyVmomi/SoapAdapter.py#L1240-L1247 I initially thought it was an alternative way to write thehost:portbut it seems to be something different.
'url' is the argument alternative way of sending hostname:port not sslProxyPath. It is proxy path to connect to server. It depends on the way vcenter server setup is done in your infra.
There was a problem hiding this comment.
Thank you @pgbidkar for your answer. That was really helpful! I just pushed an updated version of my patch. I now add a new HTTPProxyConnection class, this way, I don't touch the SSLTunnelConnection class. Both are really difference, and I think it's a better approach.
To summarize, if the user set sslProxyPath, we use the original method, if instead httpProxyHost is set, we use the new class. Both should not be used at the same time.
tests/test_connect.py
Outdated
| connect.SoapStubAdapter('vcsa', 80, httpProxyHost='vcsa').GetConnection() | ||
| self.assertRaises(http_client.HTTPException, should_fail) | ||
| @patch('six.moves.http_client.HTTPSConnection') | ||
| def test_ssl_tunnelwith_cert_file(self, hs): |
There was a problem hiding this comment.
@pgbidkar I added this test to validate the parameter passing of cert_file and key_file.
- simplify the way we pass the proxy paramerer with just two new parameters. - simplify a bit the way we format the error message - ensure `vmware_host` can also collaborate with a proxy This PR depends on vmware/pyvmomi#799.
|
@pgbidkar Could you please confirm if the latest changes solves your comments ? Thanks. |
goneri
force-pushed
the
fix_proxy
branch
2 times, most recently
from
802eed6
to
48eda76
Compare
|
@pgbidkar follow-up to #799 (comment), could you retry to run your functional tests? |
Hi @goneri , Sure. checks are failed for your last commit. Please can you check and fix? |
Oops, I forgot to |
- ensure the proxy configuration is passed to `__GetElementTree()` - reuse @blacksponge fix for the `SSLTunnelConnection` class - add `test_ssl_tunnelwith_cert_file` test to validate that `cert_file` and `key_file` are passed as expected. The patch adds a new `HTTPProxyConnection` class to handle the `CONNECT` based proxies. The patch does not touch the `SSLTunnelConnection` class. Both are really difference, and I think it's a better approach. To summarize, if the user set `sslProxyPath`, we use the original method, if instead `httpProxyHost` is set, we use the new class. Both should not be used at the same time. closes: vmware#620 closes: vmware#567 closes: vmware#198
|
Thanks @pgbidkar for the feedback. I updated my patch. Could you retry? |
|
Great news :-), thanks for your time @pgbidkar. Could you include the patch in a new release? |
|
@pgbidkar, any news on this? |
|
Hi @goneri , Thanks for contributing 👍 |
|
Awesome, thank you @pgbidkar for your help during the review process 👍. Do you know when the next release will be published? |
__GetElementTree()SSLTunnelConnectionclasstest_ssl_tunnel_http_failurebecause the error will happen latercloses: #620
closes: #567
closes: #198