Don't retry the atlas requests with the wrong cert
A request that fails certificate verification is unlikely to succeed on retry, so abort immediately. Requires the retryablehttp CheckRetry patch.
parent
ee6159cd9d
commit
df0c795b39
|
@ -4,6 +4,7 @@ import (
|
||||||
"bytes"
|
"bytes"
|
||||||
"crypto/md5"
|
"crypto/md5"
|
||||||
"crypto/tls"
|
"crypto/tls"
|
||||||
|
"crypto/x509"
|
||||||
"encoding/base64"
|
"encoding/base64"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
|
@ -276,9 +277,26 @@ func (c *AtlasClient) http() (*retryablehttp.Client, error) {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
rc := retryablehttp.NewClient()
|
rc := retryablehttp.NewClient()
|
||||||
|
|
||||||
|
rc.CheckRetry = func(resp *http.Response, err error) (bool, error) {
|
||||||
|
if err != nil {
|
||||||
|
// don't bother retrying if the certs don't match
|
||||||
|
if err, ok := err.(*url.Error); ok {
|
||||||
|
if _, ok := err.Err.(x509.UnknownAuthorityError); ok {
|
||||||
|
return false, nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
// continue retrying
|
||||||
|
return true, nil
|
||||||
|
}
|
||||||
|
return retryablehttp.DefaultRetryPolicy(resp, err)
|
||||||
|
}
|
||||||
|
|
||||||
t := cleanhttp.DefaultTransport()
|
t := cleanhttp.DefaultTransport()
|
||||||
t.TLSClientConfig = tlsConfig
|
t.TLSClientConfig = tlsConfig
|
||||||
rc.HTTPClient.Transport = t
|
rc.HTTPClient.Transport = t
|
||||||
|
|
||||||
|
c.HTTPClient = rc
|
||||||
return rc, nil
|
return rc, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
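Review bot: The retry guard in the new CheckRetry stops only on x509.UnknownAuthorityError, so a hostname mismatch (x509.HostnameError) or an expired/not-yet-valid certificate (x509.CertificateInvalidError) still goes through the full retry schedule even though those are just as unlikely to clear up between attempts. A type switch on the unwrapped error covers all three in one place; if the transport ever wraps the verification error instead of placing it directly in url.Error.Err, this direct assertion silently stops matching, which deserves a comment at the switch. Shadowing `err` with the *url.Error in `if err, ok := err.(*url.Error); ok {` also makes the later `return retryablehttp.DefaultRetryPolicy(resp, err)` easier to misread; a distinct name such as `urlErr` avoids that. The enclosing http() method begins before this hunk.
```go
rc.CheckRetry = func(resp *http.Response, err error) (bool, error) {
	if err != nil {
		// A certificate that fails verification will not start verifying on a
		// later attempt, so give up immediately. Matches the error only when it
		// sits directly in url.Error.Err; a wrapped error falls through to retry.
		if urlErr, ok := err.(*url.Error); ok {
			switch urlErr.Err.(type) {
			case x509.UnknownAuthorityError, x509.HostnameError, x509.CertificateInvalidError:
				return false, nil
			}
		}
		// … unchanged: continue retrying on other errors …
	}
	// … unchanged: DefaultRetryPolicy fallback …
}
```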
@ -3,8 +3,11 @@ package remote
|
||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
||||||
"crypto/md5"
|
"crypto/md5"
|
||||||
|
"crypto/tls"
|
||||||
|
"crypto/x509"
|
||||||
"net/http"
|
"net/http"
|
||||||
"net/http/httptest"
|
"net/http/httptest"
|
||||||
|
"net/url"
|
||||||
"os"
|
"os"
|
||||||
"testing"
|
"testing"
|
||||||
"time"
|
"time"
|
||||||
|
@ -36,6 +39,53 @@ func TestAtlasClient(t *testing.T) {
|
||||||
testClient(t, client)
|
testClient(t, client)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestAtlasClient_noRetryOnBadCerts(t *testing.T) {
|
||||||
|
acctest.RemoteTestPrecheck(t)
|
||||||
|
|
||||||
|
client, err := atlasFactory(map[string]string{
|
||||||
|
"access_token": "NOT_REQUIRED",
|
||||||
|
"name": "hashicorp/test-remote-state",
|
||||||
|
})
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("bad: %s", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
ac := client.(*AtlasClient)
|
||||||
|
// trigger the AtlasClient to build the http client and assign HTTPClient
|
||||||
|
httpClient, err := ac.http()
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
// remove the CA certs from the client
|
||||||
|
brokenCfg := &tls.Config{
|
||||||
|
RootCAs: new(x509.CertPool),
|
||||||
|
}
|
||||||
|
httpClient.HTTPClient.Transport.(*http.Transport).TLSClientConfig = brokenCfg
|
||||||
|
|
||||||
|
// Instrument CheckRetry to make sure we didn't retry
|
||||||
|
retries := 0
|
||||||
|
oldCheck := httpClient.CheckRetry
|
||||||
|
httpClient.CheckRetry = func(resp *http.Response, err error) (bool, error) {
|
||||||
|
if retries > 0 {
|
||||||
|
t.Fatal("retried after certificate error")
|
||||||
|
}
|
||||||
|
retries++
|
||||||
|
return oldCheck(resp, err)
|
||||||
|
}
|
||||||
|
|
||||||
|
_, err = client.Get()
|
||||||
|
if err != nil {
|
||||||
|
if err, ok := err.(*url.Error); ok {
|
||||||
|
if _, ok := err.Err.(x509.UnknownAuthorityError); ok {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
t.Fatalf("expected x509.UnknownAuthorityError, got %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
func TestAtlasClient_ReportedConflictEqualStates(t *testing.T) {
|
func TestAtlasClient_ReportedConflictEqualStates(t *testing.T) {
|
||||||
fakeAtlas := newFakeAtlas(t, testStateModuleOrderChange)
|
fakeAtlas := newFakeAtlas(t, testStateModuleOrderChange)
|
||||||
srv := fakeAtlas.Server()
|
srv := fakeAtlas.Server()
|
||||||
|
|
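Review bot: In TestAtlasClient_noRetryOnBadCerts the `retries` counter is incremented on every CheckRetry call, including the one for the first attempt, so `retries > 0` really means "a second attempt is being evaluated"; naming it `attempts`, or adding `// CheckRetry runs once per attempt, including the first`, makes the assertion read correctly. The final `t.Fatalf("expected x509.UnknownAuthorityError, got %v", err)` is also reached when client.Get() returns no error at all, and "got <nil>" does not convey that the empty RootCAs pool was apparently not applied to the transport; an explicit `if err == nil { t.Fatal("request succeeded despite an empty RootCAs pool") }` before the type check makes that failure mode obvious. The test appears to contact a real endpoint (it is gated by acctest.RemoteTestPrecheck), so a failure here may be network-related rather than a retry regression, which is worth stating in a comment on the test.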