pepper
TLS issues are always ignored
When the API endpoint uses a self-signed/invalid/untrusted certificate, Pepper ignores this and connects anyway.
Thanks to badssl.com this can be easily reproduced by adding this section to `~/.pepperrc`:
```
[tls-self-signed]
SALTAPI_URL=https://self-signed.badssl.com/
SALTAPI_USER=johndoe
SALTAPI_PASS=hunter2
```
Then execute `pepper -p tls-self-signed '*' test.ping`.
The result:
```
Error with request: HTTP Error 404: Not Found
HTTP Error 404: Not Found
Uncaught Pepper error (increase verbosity for the full traceback).
```
I wouldn't expect it to be able to get a 404 response; it should fail way before that when trying to establish the TLS connection.
Increasing the verbosity using `-vvv` shows:
```
Error with request
Traceback (most recent call last):
  File "/home/eprobst/.virtualenvs/pepper/lib/python3.8/site-packages/pepper/libpepper.py", line 231, in req
    f = urlopen(req)
  File "/usr/lib/python3.8/urllib/request.py", line 222, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python3.8/urllib/request.py", line 531, in open
    response = meth(req, response)
  File "/usr/lib/python3.8/urllib/request.py", line 640, in http_response
    response = self.parent.error(
  File "/usr/lib/python3.8/urllib/request.py", line 569, in error
    return self._call_chain(*args)
  File "/usr/lib/python3.8/urllib/request.py", line 502, in _call_chain
    result = func(*args)
  File "/usr/lib/python3.8/urllib/request.py", line 649, in http_error_default
    raise HTTPError(req.full_url, code, msg, hdrs, fp)
urllib.error.HTTPError: HTTP Error 404: Not Found
Error with request: HTTP Error 404: Not Found
HTTP Error 404: Not Found
Uncaught Pepper error (increase verbosity for the full traceback).
Uncaught traceback:
Traceback (most recent call last):
  File "/home/eprobst/.virtualenvs/pepper/lib/python3.8/site-packages/pepper/script.py", line 52, in __call__
    for exit_code, result in self.cli.run():
  File "/home/eprobst/.virtualenvs/pepper/lib/python3.8/site-packages/pepper/cli.py", line 670, in run
    self.login(api)
  File "/home/eprobst/.virtualenvs/pepper/lib/python3.8/site-packages/pepper/cli.py", line 634, in login
    auth = login(**self.parse_login())
  File "/home/eprobst/.virtualenvs/pepper/lib/python3.8/site-packages/pepper/libpepper.py", line 467, in login
    self.auth = self._send_auth('/login', **kwargs).get('return', [{}])[0]
  File "/home/eprobst/.virtualenvs/pepper/lib/python3.8/site-packages/pepper/libpepper.py", line 449, in _send_auth
    return self.req(path, kwargs)
  File "/home/eprobst/.virtualenvs/pepper/lib/python3.8/site-packages/pepper/libpepper.py", line 231, in req
    f = urlopen(req)
  File "/usr/lib/python3.8/urllib/request.py", line 222, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python3.8/urllib/request.py", line 531, in open
    response = meth(req, response)
  File "/usr/lib/python3.8/urllib/request.py", line 640, in http_response
    response = self.parent.error(
  File "/usr/lib/python3.8/urllib/request.py", line 569, in error
    return self._call_chain(*args)
  File "/usr/lib/python3.8/urllib/request.py", line 502, in _call_chain
    result = func(*args)
  File "/usr/lib/python3.8/urllib/request.py", line 649, in http_error_default
    raise HTTPError(req.full_url, code, msg, hdrs, fp)
urllib.error.HTTPError: HTTP Error 404: Not Found
```
I suspected the following code to cause the issue (wrongly negating `_ssl_verify`):
https://github.com/saltstack/pepper/blob/8096e0896417ef9b533c7b99dac77535c6eba15d/pepper/libpepper.py#L226-L231
but removing `not` didn't change the outcome, so I suspect there's something else going on.
Using:
- Python 3.8.10
- pepper 0.7.6
- salt 3003.1
- urllib 1.26.6
- certifi 2021.5.30
- requests 2.26.0
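
A regression check for the behaviour reported above, as an added example that is not part of the original report or Pepper's code: it inspects the `SSLContext` a client hands to `urlopen` and classifies a request outcome, treating any HTTP status (including the 404 seen here) as proof that the certificate was accepted. The function names `context_problems`, `build_context`, `classify` and `probe` are hypothetical, and the `ssl_verify` parameter only mirrors the `_ssl_verify` attribute named in the report.

```python
import ssl
import urllib.error
import urllib.request


def context_problems(ctx):
    """Return the reasons this SSLContext would accept an untrusted server."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("verify_mode is not CERT_REQUIRED")
    if not ctx.check_hostname:
        problems.append("check_hostname is disabled")
    return problems


def build_context(ssl_verify=True, cafile=None):
    """Verify by default; drop verification only on an explicit opt-out."""
    ctx = ssl.create_default_context(cafile=cafile)
    if not ssl_verify:
        ctx.check_hostname = False  # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def classify(exc):
    """Say whether the TLS handshake accepted the server certificate."""
    if exc is None or isinstance(exc, urllib.error.HTTPError):
        return "accepted"  # an HTTP status, even 404, follows a completed handshake
    reason = getattr(exc, "reason", exc)  # URLError wraps the real cause
    if isinstance(reason, ssl.SSLCertVerificationError):
        return "rejected"
    return "inconclusive"  # DNS failure, timeout, refused connection, ...


def probe(url, ctx, timeout=10):
    """Request url with ctx and classify the outcome."""
    try:
        urllib.request.urlopen(url, context=ctx, timeout=timeout).close()
    except OSError as exc:  # URLError, HTTPError and SSLError are all OSError
        return classify(exc)
    return classify(None)


if __name__ == "__main__":
    # Needs network access; the URL is the badssl.com endpoint from the report.
    print(probe("https://self-signed.badssl.com/", build_context()))
```

A verifying client should print `rejected` for that endpoint; `accepted` reproduces the reported behaviour.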