How to use AllowInsecureDownload method of config Package

1/*2 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.3 *4 * Licensed under the Apache License, Version 2.0 (the "License"). You may not5 * use this file except in compliance with the License. A copy of the6 * License is located at7 *8 * http://aws.amazon.com/apache2.0/9 *10 * or in the "license" file accompanying this file. This file is distributed11 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,12 * either express or implied. See the License for the specific language governing13 * permissions and limitations under the License.14 */15package handler16import (17	"errors"18	"fmt"19	"io"20	"net/http"21	"net/http/httptest"22	"net/url"23	"os"24	"path/filepath"25	"testing"26	filemock "github.com/aws/amazon-ssm-agent/agent/fileutil/filemanager/mock"27	"github.com/aws/amazon-ssm-agent/agent/log"28	"github.com/aws/amazon-ssm-agent/agent/plugins/downloadcontent/types"29	bridgemock "github.com/aws/amazon-ssm-agent/agent/ssm/ssmparameterresolver/mock"30	"github.com/stretchr/testify/assert"31)32var logMock = log.NewMockLog()33func getAuthConfig(authMethod, user, password string) HTTPAuthConfig {34	return HTTPAuthConfig{35		AuthMethod: types.NewTrimmedString(authMethod),36		Username:   types.NewTrimmedString(user),37		Password:   types.NewTrimmedString(password),38	}39}40func getExampleURL(scheme, path string) url.URL {41	if scheme == "" {42		scheme = "HTTP"43	}44	return url.URL{45		Scheme: scheme,46		Host:   "example.com",47		Path:   path,48	}49}50func getHttpHandler(httpClient http.Client, url url.URL, allowInsecureDownload bool, authMethod, user, password string) httpHandler {51	return httpHandler{52		client:                     httpClient,53		url:                        url,54		allowInsecureDownload:      allowInsecureDownload,55		authConfig:                 getAuthConfig(authMethod, user, password),56		ssmParameterResolverBridge: bridgemock.GetSsmParamResolverBridge(parameterStoreParameters),57	}58}59func getString(obj interface{}) string {60	return fmt.Sprintf("%v", obj)61}62var parameterStoreParameters = map[string]string{63	"{{ssm-secure:username}}": "admin",64	"{{ssm-secure:password}}": "pwd",65}66func getParameterFromSsmParameterStoreStub(log log.T, reference string) (string, error) {67	if value, exists := parameterStoreParameters[reference]; exists {68		return value, nil69	}70	return "", errors.New("parameter does not exist")71}72func copyStub(dst io.Writer, src io.Reader) (written int64, err error) {73	return 1, nil74}75func TestNewHTTPHandler(t *testing.T) {76	authConfig := HTTPAuthConfig{77		AuthMethod: BASIC,78		Username:   "admin",79		Password:   "pwd",80	}81	bridge := bridgemock.GetSsmParamResolverBridge(parameterStoreParameters)82	assert.Equal(t, &httpHandler{83		url:                        getExampleURL("http", ""),84		authConfig:                 authConfig,85		ssmParameterResolverBridge: bridge,86	}, NewHTTPHandler(87		http.Client{},88		getExampleURL("http", ""),89		false,90		authConfig,91		bridge,92	))93}94func TestHttpHandlerImpl_Validate(t *testing.T) {95	tests := []struct {96		resource httpHandler97		isValid  bool98		err      error99	}{100		{101			getHttpHandler(http.Client{}, getExampleURL("http", ""), true, "", "", ""),102			true,103			nil,104		},105		{106			getHttpHandler(http.Client{}, getExampleURL("http", ""), false, "", "", ""),107			true,108			nil,109		},110		{111			getHttpHandler(http.Client{}, getExampleURL("https", ""), true, " None ", "", ""),112			true,113			nil,114		},115		{116			getHttpHandler(http.Client{}, getExampleURL("http", ""), true, " Basic ", "", ""),117			true,118			nil,119		},120		{121			getHttpHandler(http.Client{}, getExampleURL("file", ""), true, "", "", ""),122			false,123			errors.New("URL scheme for HTTP resource type is invalid. HTTP or HTTPS is accepted"),124		},125		{126			getHttpHandler(http.Client{}, getExampleURL("http", ""), true, "Digest ", "", ""),127			false,128			errors.New("Invalid authentication method: Digest. The following methods are accepted: None, Basic"),129		},130	}131	for _, test := range tests {132		isValid, err := test.resource.Validate()133		if test.err != nil {134			assert.Error(t, err, getString(test))135			assert.EqualError(t, err, test.err.Error(), getString(test))136			assert.False(t, isValid, getString(test))137		} else {138			assert.NoError(t, err, getString(test))139			assert.True(t, isValid, getString(test))140		}141	}142}143func TestNewHTTPHandler_isUsingSecureProtocol(t *testing.T) {144	tests := []struct {145		url                   url.URL146		isUsingSecureProtocol bool147	}{148		{149			getExampleURL("http", ""),150			false,151		},152		{153			getExampleURL("definetelynotsecure", ""),154			false,155		},156		{157			getExampleURL("httpsdasda", ""),158			false,159		},160		{161			getExampleURL("https", ""),162			true,163		},164	}165	for _, test := range tests {166		handler := getHttpHandler(http.Client{}, test.url, true, "", "", "")167		assert.Equal(t, test.isUsingSecureProtocol, handler.isUsingSecureProtocol(), getString(test))168	}169}170func TestHttpHandlerImpl_authRequestBasic(t *testing.T) {171	bridgemock.GetSsmParamResolverBridge(parameterStoreParameters)172	dummyUrl := getExampleURL("http", "")173	tests := []struct {174		resource      httpHandler175		authenticated bool176		credentials   *url.Userinfo177		err           error178	}{179		{180			getHttpHandler(http.Client{}, dummyUrl, true, "Basic", "admin", "pwd"),181			true,182			url.UserPassword("admin", "pwd"),183			nil,184		},185		{186			getHttpHandler(http.Client{}, dummyUrl, true, "None", "", ""),187			false,188			nil,189			nil,190		},191		{192			getHttpHandler(http.Client{}, dummyUrl, true, "Basic", "{{ssm-secure:username}}", "{{ssm-secure:password}}"),193			true,194			url.UserPassword("admin", "pwd"),195			nil,196		},197		{198			getHttpHandler(http.Client{}, dummyUrl, true, "Basic", "{{ssm-secure:invalid-param}}", "pwd"),199			false,200			nil,201			errors.New("parameter does not exist"),202		},203		{204			getHttpHandler(http.Client{}, dummyUrl, true, "Basic", "admin", "{{ssm-secure:invalid-param}}"),205			false,206			nil,207			errors.New("parameter does not exist"),208		},209	}210	for _, test := range tests {211		request := httptest.NewRequest(http.MethodGet, dummyUrl.String(), nil)212		err := test.resource.authRequest(logMock, request)213		if test.err != nil {214			assert.Error(t, err, getString(test))215			assert.EqualError(t, err, test.err.Error(), getString(test))216		} else {217			assert.NoError(t, err, getString(test))218			username, password, authHeaderSet := request.BasicAuth()219			if test.authenticated {220				assert.True(t, authHeaderSet, getString(test))221				assert.Equal(t, url.UserPassword(username, password), test.credentials, getString(test))222			} else {223				assert.False(t, authHeaderSet, getString(test))224			}225		}226	}227}228func TestHttpHandlerImpl_prepareRequest(t *testing.T) {229	tests := []struct {230		handler       httpHandler231		authenticated bool232		err           error233	}{234		{235			getHttpHandler(http.Client{}, getExampleURL("http", ""), true, "", "", ""),236			false,237			nil,238		},239		{240			getHttpHandler(http.Client{}, getExampleURL("http", ""), true, "Basic", "admin", "pwd"),241			true,242			nil,243		},244		{245			getHttpHandler(http.Client{}, getExampleURL("http", ""), true, "Basic", "{{ssm-secure:test}}", "pwd"),246			false,247			errors.New("parameter does not exist"),248		},249	}250	for _, test := range tests {251		request, err := test.handler.prepareRequest(logMock)252		if test.err != nil {253			assert.Error(t, err, getString(test))254			assert.EqualError(t, err, test.err.Error(), getString(test))255			assert.Nil(t, request)256		} else {257			assert.NoError(t, err, getString(test))258			assert.NotNil(t, request)259			_, _, hasBasicAuth := request.BasicAuth()260			assert.Equal(t, test.authenticated, hasBasicAuth)261		}262	}263}264func TestHttpHandlerImpl_requestContent(t *testing.T) {265	testServer := httptest.NewServer(http.HandlerFunc(func(res http.ResponseWriter, req *http.Request) {266		if req.URL.Path == "/unauthorized" {267			res.WriteHeader(http.StatusUnauthorized)268		} else {269			res.WriteHeader(http.StatusOK)270		}271	}))272	defer testServer.Close()273	testURL, err := url.Parse(testServer.URL)274	assert.NoError(t, err)275	tests := []struct {276		urlPath               string277		request               *http.Request278		allowInsecureDownload bool279		err                   error280	}{281		{282			"unauthorized",283			httptest.NewRequest(http.MethodGet, fmt.Sprintf("%s/unauthorized", testServer.URL), nil),284			true,285			errors.New("Status: 401 Unauthorized"),286		},287		{288			"",289			httptest.NewRequest(http.MethodGet, fmt.Sprintf("%s/", testServer.URL), nil),290			true,291			nil,292		},293		{294			"any-weird-url",295			&http.Request{URL: nil},296			true,297			errors.New("Cannot execute request: Get \"\": http: nil Request.URL"),298		},299	}300	for _, test := range tests {301		handler := getHttpHandler(*testServer.Client(), *testURL, test.allowInsecureDownload, "", "", "")302		handler.url.Path = test.urlPath303		test.request.RequestURI = ""304		responseBody, err := handler.requestContent(test.request)305		if test.err != nil {306			assert.Error(t, err, getString(test))307			assert.EqualError(t, err, test.err.Error(), getString(test))308			assert.Nil(t, responseBody)309		} else {310			assert.NoError(t, err, getString(test))311			assert.NotNil(t, responseBody)312		}313	}314}315func TestHttpHandlerImpl_Download(t *testing.T) {316	tests := []struct {317		secureServer          bool318		allowInsecureDownload bool319		err                   error320	}{321		{322			true,323			false,324			nil,325		},326		{327			true,328			true,329			nil,330		},331		{332			false,333			false,334			errors.New("Non secure URL provided and insecure download is not allowed. " +335				"Provide a secure URL or set 'allowInsecureDownload' to true to perform the download operation"),336		},337		{338			false,339			true,340			nil,341		},342	}343	ioCopy = copyStub344	destPath := os.TempDir()345	fileName := "testFile"346	destinationFile := filepath.Join(destPath, fileName)347	fileSystemMock := filemock.FileSystemMock{}348	fileSystemMock.On("CreateFile", destinationFile).Return(&os.File{}, nil)349	for _, test := range tests {350		var testServer *httptest.Server351		if test.secureServer {352			testServer = httptest.NewTLSServer(http.HandlerFunc(func(res http.ResponseWriter, req *http.Request) {353				res.WriteHeader(http.StatusOK)354			}))355		} else {356			testServer = httptest.NewServer(http.HandlerFunc(func(res http.ResponseWriter, req *http.Request) {357				res.WriteHeader(http.StatusOK)358			}))359		}360		testURL, err := url.Parse(testServer.URL)361		assert.NoError(t, err)362		testURL.Path = "testFile"363		handler := getHttpHandler(*testServer.Client(), *testURL, test.allowInsecureDownload, "", "", "")364		downloadedFile, err := handler.Download(logMock, fileSystemMock, destinationFile)365		if test.err == nil {366			assert.NoError(t, err, getString(test))367			assert.Equal(t, destinationFile, downloadedFile, getString(test))368		} else {369			assert.Error(t, err, getString(test))370			assert.EqualError(t, err, test.err.Error(), getString(test))371			logMock.AssertCalled(t, "Info", []interface{}{"Non secure URL provided and insecure download is not allowed"})372		}373		testServer.Close()374	}375	ioCopy = io.Copy376	fileSystemMock.AssertExpectations(t)377}...

1/*2 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.3 *4 * Licensed under the Apache License, Version 2.0 (the "License"). You may not5 * use this file except in compliance with the License. A copy of the6 * License is located at7 *8 * http://aws.amazon.com/apache2.0/9 *10 * or in the "license" file accompanying this file. This file is distributed11 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,12 * either express or implied. See the License for the specific language governing13 * permissions and limitations under the License.14 */15// Package handler provides methods to access resources over HTTP(s)16package handler17import (18	"errors"19	"fmt"20	"io"21	"net/http"22	"net/url"23	"strings"24	"github.com/aws/amazon-ssm-agent/agent/fileutil/filemanager"25	"github.com/aws/amazon-ssm-agent/agent/log"26	"github.com/aws/amazon-ssm-agent/agent/plugins/downloadcontent/types"27	"github.com/aws/amazon-ssm-agent/agent/ssm/ssmparameterresolver"28)29var ioCopy = io.Copy30// Allowed auth method types31const (32	NONE  = "None"33	BASIC = "Basic"34)35var authMethods = map[types.TrimmedString]bool{36	NONE:  true,37	BASIC: true,38}39// HTTPAuthConfig defines the attributes used to perform authentication over HTTP40type HTTPAuthConfig struct {41	AuthMethod types.TrimmedString42	Username   types.TrimmedString43	Password   types.TrimmedString44}45// IHTTPHandler defines methods to interact with HTTP resources46type IHTTPHandler interface {47	Download(log log.T, fileSystem filemanager.FileSystem, downloadPath string) (string, error)48	Validate() (bool, error)49}50// httpHandler is used to interact with specific HTTP resources51type httpHandler struct {52	client                     http.Client53	url                        url.URL54	allowInsecureDownload      bool55	authConfig                 HTTPAuthConfig56	ssmParameterResolverBridge ssmparameterresolver.ISsmParameterResolverBridge57}58// NewHTTPHandler creates a new http handler object59func NewHTTPHandler(60	client http.Client,61	url url.URL,62	allowInsecureDownload bool,63	authConfig HTTPAuthConfig,64	bridge ssmparameterresolver.ISsmParameterResolverBridge,65) IHTTPHandler {66	return &httpHandler{67		client:                     client,68		url:                        url,69		allowInsecureDownload:      allowInsecureDownload,70		authConfig:                 authConfig,71		ssmParameterResolverBridge: bridge,72	}73}74// Download downloads a HTTP resource into a specific download path75func (handler *httpHandler) Download(log log.T, fileSystem filemanager.FileSystem, downloadPath string) (string, error) {76	if !handler.isUsingSecureProtocol() && !handler.allowInsecureDownload {77		log.Info("Non secure URL provided and insecure download is not allowed")78		return "", fmt.Errorf("Non secure URL provided and insecure download is not allowed. " +79			"Provide a secure URL or set 'allowInsecureDownload' to true to perform the download operation")80	}81	request, err := handler.prepareRequest(log)82	if err != nil {83		return "", fmt.Errorf("Failed to prepare the request: %s", err.Error())84	}85	out, err := fileSystem.CreateFile(downloadPath)86	if err != nil {87		return "", fmt.Errorf("Cannot create destinaton file: %s", err.Error())88	}89	defer out.Close()90	contentReader, err := handler.requestContent(request)91	if err != nil {92		return "", fmt.Errorf("Failed to download file: %s", err.Error())93	}94	defer contentReader.Close()95	_, err = ioCopy(out, contentReader)96	if err != nil {97		return "", fmt.Errorf("An error occurred during data transfer: %s", err.Error())98	}99	return downloadPath, nil100}101// Validate validates handler's attributes values102func (handler *httpHandler) Validate() (bool, error) {103	if strings.ToUpper(handler.url.Scheme) != "HTTP" && !handler.isUsingSecureProtocol() {104		return false, errors.New("URL scheme for HTTP resource type is invalid. HTTP or HTTPS is accepted")105	}106	if handler.authConfig.AuthMethod != "" && !authMethods[handler.authConfig.AuthMethod] {107		return false, fmt.Errorf("Invalid authentication method: %s. "+108			"The following methods are accepted: None, Basic", handler.authConfig.AuthMethod)109	}110	return true, nil111}112// authRequest takes care of adding the authorization header to a given request113func (handler *httpHandler) authRequest(log log.T, req *http.Request) (err error) {114	switch handler.authConfig.AuthMethod {115	case BASIC:116		var username = handler.authConfig.Username.Val()117		if handler.ssmParameterResolverBridge.IsValidParameterStoreReference(username) {118			username, err = handler.ssmParameterResolverBridge.GetParameterFromSsmParameterStore(log, username)119			if err != nil {120				return err121			}122		}123		var password = handler.authConfig.Password.Val()124		if handler.ssmParameterResolverBridge.IsValidParameterStoreReference(password) {125			password, err = handler.ssmParameterResolverBridge.GetParameterFromSsmParameterStore(log, password)126			if err != nil {127				return err128			}129		}130		req.SetBasicAuth(username, password)131		break132	default:133		break134	}135	return nil136}137// isUsingSecureProtocol determines whether the scheme of the given url is HTTPS138func (handler *httpHandler) isUsingSecureProtocol() bool {139	return strings.ToUpper(handler.url.Scheme) == "HTTPS"140}141// prepareRequest prepares the request and takes care of authentication142func (handler *httpHandler) prepareRequest(log log.T) (request *http.Request, err error) {143	request, err = http.NewRequest(http.MethodGet, handler.url.String(), nil)144	if err != nil {145		return nil, err146	}147	err = handler.authRequest(log, request)148	if err != nil {149		return nil, err150	}151	return request, nil152}153// requestContent executes the given request and returns the response body154func (handler *httpHandler) requestContent(request *http.Request) (io.ReadCloser, error) {155	response, err := handler.client.Do(request)156	if err != nil {157		return nil, fmt.Errorf("Cannot execute request: %s", err.Error())158	}159	if response.StatusCode != http.StatusOK {160		return nil, fmt.Errorf("Status: %s", response.Status)161	}162	return response.Body, nil163}...

...70		intervalString = getFromConfig(ideRequestTimeout)71	}72	return convertToTime(intervalString, defaultIdeRequestTimeout, ideRequestTimeout)73}74// AllowInsecureDownload determines if insecure download is enabled75func AllowInsecureDownload() bool {76	allow := getFromConfig(allowInsecureDownload)77	return convertToBool(allow, allowInsecureDownload, false)78}79// GaugeRepositoryUrl fetches the repository URL to locate plugins80func GaugeRepositoryUrl() string {81	return getFromConfig(gaugeRepositoryURL)82}83// SetProjectRoot sets project root location in ENV.84func SetProjectRoot(args []string) error {85	if ProjectRoot != "" {86		return setCurrentProjectEnvVariable()87	}88	value := ""89	if len(args) != 0 {...

1import (2func main() {3  config := common.NewConfig()4  config.SetBool("ssl.verification_mode", -1, false)5  config.SetBool("ssl.insecure", -1, true)6  config.SetString("ssl.certificate_authorities", -1, "/etc/pki/root/ca.pem")7  config.SetString("ssl.certificate", -1, "/etc/pki/client/cert.pem")8  config.SetString("ssl.key", -1, "/etc/pki/client/key.pem")9  client, err := elasticsearch.NewClient(config)

1import (2func main() {3	if err != nil {4		fmt.Println(err)5	}6	config := downloader.Config{7	}8	downloader := downloader.New(common.Hash{}, client, &config)9	_, err = downloader.Synchronise("test", params.RopstenGenesisHash, 0, 0)10	if err != nil {11		fmt.Println(err)12	}13	fmt.Println("Done")14}

1import (2func main() {3	t, err := tail.TailFile("/var/log/syslog", tail.Config{Follow: true, ReOpen: true, MustExist: false, Poll: true})4	if err != nil {5		fmt.Println("Error")6	}7	for line := range t.Lines {8		fmt.Println(line.Text)9	}10}

1import (2func main() {3	beego.Run()4}5import (6func main() {7	beego.Run()8}9import (10func main() {11	beego.Run()12}13import (14func main() {15	beego.Run()16}17import (18func main() {19	beego.Run()20}21import (22func main() {23	beego.Run()24}25import (26func main() {

1import (2func main() {3	config.AllowInsecureDownload(true)4	fmt.Println("Hello World")5}6import (7func main() {8	config.AllowInsecureDownload(false)9	fmt.Println("Hello World")10}11import (12func main() {13	config.AllowInsecureDownload(true)14	fmt.Println("Hello World")15}16import (17func main() {18	config.AllowInsecureDownload(false)19	fmt.Println("Hello World")20}21import (22func main() {23	config.AllowInsecureDownload(true)24	fmt.Println("Hello World")25}26import (27func main() {28	config.AllowInsecureDownload(false)29	fmt.Println("Hello World")30}31import (32func main() {

1import (2func main() {3	config := common.NewConfig()4	if err != nil {5		panic(err)6	}7	if err != nil {8		panic(err)9	}10	processor, err := processors.NewAllowInsecureDownload(config)11	if err != nil {12		panic(err)13	}14	fmt.Println(processor)15}16import (17func main() {18	config := common.NewConfig()19	processor, err := processors.NewAddCloudMetadata(config)20	if err != nil {21		panic(err)22	}23	fmt.Println(processor)24}25import (26func main() {27	config := common.NewConfig()28	processor, err := processors.NewAddDockerMetadata(config)29	if err != nil {30		panic(err)31	}32	fmt.Println(processor)33}34import (35func main() {36	config := common.NewConfig()37	processor, err := processors.NewAddFields(config)38	if err != nil {39		panic(err)40	}41	fmt.Println(processor)42}43import (44func main() {45	config := common.NewConfig()46	processor, err := processors.NewAddHostMetadata(config)47	if err != nil {48		panic(err)49	}50	fmt.Println(processor)51}