From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id A6D801FF15C for ; Wed, 13 Nov 2024 14:59:32 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 85ADA16907; Wed, 13 Nov 2024 14:59:23 +0100 (CET) From: Christoph Heiss To: pve-devel@lists.proxmox.com Date: Wed, 13 Nov 2024 14:59:03 +0100 Message-ID: <20241113135908.1622968-2-c.heiss@proxmox.com> X-Mailer: git-send-email 2.47.0 In-Reply-To: <20241113135908.1622968-1-c.heiss@proxmox.com> References: <20241113135908.1622968-1-c.heiss@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.030 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pve-devel] [RFC PATCH installer 1/5] common: add function for issuing HTTP GET requests X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" Factors out the user-agent building into a separate function and then re-uses that for get(). This has the side-effect that now for all requests issued by post() a timeout of 60s is applied. Previously, this was only done when an explicit fingerprint was given. Minute change and shouldn't affect anything.
Signed-off-by: Christoph Heiss
---
proxmox-installer-common/src/http.rs | 71 +++++++++++++++++++---------
1 file changed, 48 insertions(+), 23 deletions(-)
diff --git a/proxmox-installer-common/src/http.rs b/proxmox-installer-common/src/http.rs
index b754ed8..f4afe14 100644
--- a/proxmox-installer-common/src/http.rs
+++ b/proxmox-installer-common/src/http.rs
@@ -4,33 +4,25 @@ use sha2::{Digest, Sha256};
 use std::sync::Arc;
 use ureq::{Agent, AgentBuilder};
-/// Issues a POST request with the payload (JSON). Optionally a SHA256 fingerprint can be used to
-/// check the cert against it, instead of the regular cert validation.
+/// Builds an [`Agent`] with TLS suitable set up, depending whether a custom fingerprint was
+/// supplied or not. If a fingerprint was supplied, only matching certificates will be accepted.
+/// Otherwise, the system certificate store is loaded.
+///
 /// To gather the sha256 fingerprint you can use the following command:
 /// ```no_compile
 /// openssl s_client -connect :443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -sha256 -noout -in /dev/stdin
 /// ```
 ///
 /// # Arguments
-/// * `url` - URL to call
 /// * `fingerprint` - SHA256 cert fingerprint if certificate pinning should be used. Optional.
-/// * `payload` - The payload to send to the server. Expected to be a JSON formatted string.
-pub fn post(url: &str, fingerprint: Option<&str>, payload: String) -> Result {
- let answer;
-
+fn build_agent(fingerprint: Option<&str>) -> Result {
 if let Some(fingerprint) = fingerprint {
 let tls_config = ClientConfig::builder()
 .with_safe_defaults()
 .with_custom_certificate_verifier(VerifyCertFingerprint::new(fingerprint)?)
 .with_no_client_auth();
- let agent: Agent = AgentBuilder::new().tls_config(Arc::new(tls_config)).build();
-
- answer = agent
- .post(url)
- .set("Content-Type", "application/json; charset=utf-8")
- .send_string(&payload)?
- .into_string()?;
+ Ok(AgentBuilder::new().tls_config(Arc::new(tls_config)).build())
 } else {
 let mut roots = rustls::RootCertStore::empty();
 for cert in rustls_native_certs::load_native_certs()? {
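Review bot: The 60 s request timeout that the second hunk sets separately in get() and post() could be configured once here, e.g. `Ok(AgentBuilder::new().timeout(std::time::Duration::from_secs(60)).tls_config(Arc::new(tls_config)).build())` in the fingerprint branch and likewise in the else branch, which continues past this hunk, so every request made through the returned agent inherits it and the two call sites stop repeating the constant. The new doc comment also reads awkwardly; suggest `with TLS suitably set up, depending on whether` in place of `with TLS suitable set up, depending whether`. Separately, the removed fingerprint branch shown here has no `.timeout()` call, so the description's statement that the timeout was previously applied only when a fingerprint was given looks inverted and is worth rechecking against the else branch before merging.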
@@ -42,18 +34,51 @@ pub fn post(url: &str, fingerprint: Option<&str>, payload: String) -> Result:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -sha256 -noout -in /dev/stdin
+/// ```
+///
+/// # Arguments
+/// * `url` - URL to fetch
+/// * `fingerprint` - SHA256 cert fingerprint if certificate pinning should be used. Optional.
+pub fn get(url: &str, fingerprint: Option<&str>) -> Result {
+ Ok(build_agent(fingerprint)?
+ .get(url)
+ .timeout(std::time::Duration::from_secs(60))
+ .call()?
+ .into_string()?)
+}
+
+/// Issues a POST request with the payload (JSON). Optionally a SHA256 fingerprint can be used to
+/// check the cert against it, instead of the regular cert validation.
+/// To gather the sha256 fingerprint you can use the following command:
+/// ```no_compile
+/// openssl s_client -connect :443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -sha256 -noout -in /dev/stdin
+/// ```
+///
+/// # Arguments
+/// * `url` - URL to call
+/// * `fingerprint` - SHA256 cert fingerprint if certificate pinning should be used. Optional.
+/// * `payload` - The payload to send to the server. Expected to be a JSON formatted string.
+pub fn post(url: &str, fingerprint: Option<&str>, payload: String) -> Result {
+ Ok(build_agent(fingerprint)?
+ .post(url)
+ .set("Content-Type", "application/json; charset=utf-8")
+ .timeout(std::time::Duration::from_secs(60))
+ .send_string(&payload)?
+ .into_string()?)
 }
 struct VerifyCertFingerprint {
--
2.47.0
_______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
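Review bot: get() leaves redirect handling at the agent's default, so if ureq's default redirect following is in effect a request made with a pinned fingerprint may be transparently re-issued to whatever host or scheme the server redirects to, and the fingerprint verifier (presumably not tied to a server name; its implementation is outside this hunk) would not notice a change of destination; consider `AgentBuilder::redirects(0)` in the fingerprint case of build_agent, or at least documenting the behaviour in get()'s doc comment. The doc comment for get() should also state that the whole response body is buffered into a String by `.into_string()`, since callers fetching large or untrusted resources need to know that. The leading part of this hunk, between the `@@` header and the `openssl` line, is garbled in the archive, so the else branch of build_agent and the first lines of get()'s doc comment could not be reviewed.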