-
Notifications
You must be signed in to change notification settings - Fork 765
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
support CONNECT based proxies #799
Conversation
- simplify the way we pass the proxy paramerer with just two new parameters. - simplify a bit the way we format the error message - ensure `vmware_host` can also collaborate with a proxy This PR depends on vmware/pyvmomi#799.
@tianhao64, @pgbidkar, may I ask you to take a look at this PR? :-) |
@goneri, VMware has approved your signed contributor license agreement. |
- simplify the way we pass the proxy paramerer with just two new parameters. - simplify a bit the way we format the error message - ensure `vmware_host` can also collaborate with a proxy This PR depends on vmware/pyvmomi#799.
Could you please take a look at the PR, we would like to land in Ansible the HTTP proxy support for the VMware modules ( ansible/ansible#52936 ), and this is a blocker for us. |
def __call__(self, path, *args, **kwargs): | ||
conn = http_client.HTTPSConnection(path, **kwargs) | ||
conn.set_tunnel(self.proxyPath) | ||
return conn |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @goneri , I am still not convinced about SSLTunnel change. Any change to SSLTunnel needs to test thoroughly. This might break existing users. We have experienced this internally.
Please can you explain a bit about How Cert/Key validation happens with your change?
Provide more details about testing performed for this change.
I will also do test internally.
Thanks
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The proxy support is currently not working, so I'm not sure how this patch can break existing users.
I didn't implement the cert/key validation because we don't use it and I don't have good way to test it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cert Key Validation is required here.
retval.sock = _SocketWrapper(tunnel.sock,
keyfile=key_file, certfile=cert_file)
Please can you confirm if your change handles this? I was out of office for 2 days. I will also test in my test env and confirm
Thanks
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @pgbidkar, do you have any update on this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi, We are testing your change, but test results doesn't look promising. Trying out different scenarios. I will update the detailed findings by tomorrow EOD.
Thanks
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why do you just pass a path (/sdkTunnel
) and not the hostname of the proxy server?
HTTPConnection()
exepects a hostname, see: https://docs.python.org/3/library/http.client.html
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's the purpose of sslProxyPath
? From my understanding of https://github.com/vmware/pyvmomi/blob/master/pyVmomi/SoapAdapter.py#L1240-L1247 I initially thought it was an alternative way to write the host:port
but it seems to be something different.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why do you just pass a path (
/sdkTunnel
) and not the hostname of the proxy server?
HTTPConnection()
exepects a hostname, see: https://docs.python.org/3/library/http.client.html
/sdkTunnel is tunnel proxy inbuilt in vCenter. I didnt had actuall proxy server setup, hence using /sdkTunnel
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's the purpose of
sslProxyPath
? From my understanding of https://github.com/vmware/pyvmomi/blob/master/pyVmomi/SoapAdapter.py#L1240-L1247 I initially thought it was an alternative way to write thehost:port
but it seems to be something different.
'url' is the argument alternative way of sending hostname:port not sslProxyPath. It is proxy path to connect to server. It depends on the way vcenter server setup is done in your infra.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you @pgbidkar for your answer. That was really helpful! I just pushed an updated version of my patch. I now add a new HTTPProxyConnection
class, this way, I don't touch the SSLTunnelConnection
class. Both are really difference, and I think it's a better approach.
To summarize, if the user set sslProxyPath
, we use the original method, if instead httpProxyHost
is set, we use the new class. Both should not be used at the same time.
tests/test_connect.py
Outdated
connect.SoapStubAdapter('vcsa', 80, httpProxyHost='vcsa').GetConnection() | ||
self.assertRaises(http_client.HTTPException, should_fail) | ||
@patch('six.moves.http_client.HTTPSConnection') | ||
def test_ssl_tunnelwith_cert_file(self, hs): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@pgbidkar I added this test to validate the parameter passing of cert_file
and key_file
.
- simplify the way we pass the proxy paramerer with just two new parameters. - simplify a bit the way we format the error message - ensure `vmware_host` can also collaborate with a proxy This PR depends on vmware/pyvmomi#799.
@pgbidkar Could you please confirm if the latest changes solves your comments ? Thanks. |
802eed6
to
48eda76
Compare
@pgbidkar follow-up to #799 (comment), could you retry to run your functional tests? |
Hi @goneri , Sure. checks are failed for your last commit. Please can you check and fix? |
Oops, I forgot to |
- ensure the proxy configuration is passed to `__GetElementTree()` - reuse @blacksponge fix for the `SSLTunnelConnection` class - add `test_ssl_tunnelwith_cert_file` test to validate that `cert_file` and `key_file` are passed as expected. The patch adds a new `HTTPProxyConnection` class to handle the `CONNECT` based proxies. The patch does not touch the `SSLTunnelConnection` class. Both are really difference, and I think it's a better approach. To summarize, if the user set `sslProxyPath`, we use the original method, if instead `httpProxyHost` is set, we use the new class. Both should not be used at the same time. closes: vmware#620 closes: vmware#567 closes: vmware#198
Thanks @pgbidkar for the feedback. I updated my patch. Could you retry? |
Great news :-), thanks for your time @pgbidkar. Could you include the patch in a new release? |
@pgbidkar, any news on this? |
Hi @goneri , Thanks for contributing 👍 |
Awesome, thank you @pgbidkar for your help during the review process 👍. Do you know when the next release will be published? |
__GetElementTree()
SSLTunnelConnection
classtest_ssl_tunnel_http_failure
because the error will happen latercloses: #620
closes: #567
closes: #198