Add an insecure flag for drg stream, allowing to connect to self sign…

…ed certs. Partially addresses #143

Cargo.toml

@@ -59,7 +59,8 @@ rsa = "0.5.0"
 rand = "0.8.4"
 sha-crypt = "0.3.2"
 
-tungstenite = { version = "0.12.0", features = ["native-tls"]}
+tungstenite = { version = "0.17.2", features = ["native-tls"]}
+native-tls = "0.2.10"
 
 [dev-dependencies]
 assert_cmd = "2.0.4"

src/arguments/cli.rs

@@ -118,6 +118,7 @@ pub enum Parameters {
     // stream command
     count,
     device,
+    insecure,
 
     // login & whoami command
     token,
@@ -530,10 +531,17 @@ pub fn app_arguments() -> clap::Command<'static> {
         .global(true)
         .help("The number of messages to stream before exiting.");
 
+    let insecure = Arg::new(Parameters::insecure.as_ref())
+        .required(false)
+        .long("insecure")
+        .takes_value(false)
+        .help("Skip the TLS certificate verification");
+
     let stream = Command::new(Action::stream.as_ref())
         .about("Stream all events going through drogue cloud")
         .arg(&app_flag)
         .arg(&count)
+        .arg(&insecure)
         .arg(
             Arg::new(Parameters::device.as_ref())
                 .long("device")

src/config.rs

@@ -69,17 +69,27 @@ impl RequestBuilderExt for reqwest::RequestBuilder {
     }
 }
 
-impl RequestBuilderExt for tungstenite::http::request::Builder {
-    fn auth(self, token: &Token) -> Self {
+impl RequestBuilderExt for tungstenite::http::Request<()> {
+    fn auth(mut self, token: &Token) -> Self {
         match token {
             Token::TokenResponse(token) => {
                 let bearer_header = format!("Bearer {}", &token.access_token().secret());
-                self.header(tungstenite::http::header::AUTHORIZATION, bearer_header)
+                let mut bearer_header =
+                    tungstenite::http::HeaderValue::from_str(&bearer_header).unwrap();
+                bearer_header.set_sensitive(true);
+                self.headers_mut()
+                    .insert(tungstenite::http::header::AUTHORIZATION, bearer_header);
+                self
             }
             Token::AccessToken(auth) => {
                 let encoded = base64::encode(&format!("{}:{}", auth.id, auth.token).as_bytes());
                 let basic_header = format!("Basic {}", encoded);
-                self.header(tungstenite::http::header::AUTHORIZATION, basic_header)
+                let mut basic_header =
+                    tungstenite::http::HeaderValue::from_str(&basic_header).unwrap();
+                basic_header.set_sensitive(true);
+                self.headers_mut()
+                    .insert(tungstenite::http::header::AUTHORIZATION, basic_header);
+                self
             }
         }
     }

src/main.rs

@@ -240,8 +240,9 @@ async fn process_arguments(matches: ArgMatches) -> Result<i32> {
                 .map(|s| s.parse::<usize>().unwrap())
                 .unwrap_or(usize::MAX);
             let device = matches.value_of(Parameters::device.as_ref());
+            let insecure = matches.is_present(Parameters::insecure.as_ref());
 
-            stream::stream_app(context, &app_id, device, count).await?;
+            stream::stream_app(context, &app_id, device, count, insecure).await?;
             0
         }
 

src/stream.rs

@@ -1,29 +1,41 @@
 use anyhow::{anyhow, Context as AnyhowContext, Result};
 use colored_json::write_colored_json;
+use native_tls::TlsConnector;
 use oauth2::TokenResponse;
 use serde_json::Value;
 use std::io::stdout;
+use std::net::TcpStream;
 use tungstenite::http::Request;
 use tungstenite::{connect, Message};
 
 use crate::config::{Context, RequestBuilderExt, Token};
 use crate::{openid, util};
 use drogue_client::integration::ws::v1::client::Message as Drogue_ws_message;
+use tungstenite::client::IntoClientRequest;
 
 pub async fn stream_app(
     config: &mut Context,
     app: &str,
     device: Option<&str>,
     mut count: usize,
+    insecure: bool,
 ) -> Result<()> {
-    let url = util::get_drogue_websocket_endpoint(config).await?;
-    let url = format!("{}{}", url, urlencoding::encode(app));
+    let ws_endpoint = util::get_drogue_websocket_endpoint(config).await?;
+    let url = format!("{}{}", ws_endpoint, urlencoding::encode(app));
 
-    let request = Request::builder().uri(url).auth(&config.token).body(())?;
+    let mut request: Request<()> = url.into_client_request()?;
+    request = request.auth(&config.token);
+
+    log::debug!("Connecting to websocket with request : {:?}", &request);
+    let (mut socket, response) = if insecure {
+        log::warn!("Skipping certificate verification");
+        let (connector, stream) = insecure_stream(&ws_endpoint.socket_addrs(|| None).unwrap())?;
+        tungstenite::client_tls_with_config(request, stream, None, Some(connector))
+            .context("Error connecting to the Websocket endpoint:")?
+    } else {
+        connect(request).context("Error connecting to the Websocket endpoint:")?
+    };
 
-    log::debug!("Connecting to websocket with request : {:?}", request);
-    let (mut socket, response) =
-        connect(request).context("Error connecting to the Websocket endpoint:")?;
     log::debug!("HTTP response: {}", response.status());
 
     while count > 0 {
@@ -97,3 +109,17 @@ async fn refresh_token(config: &mut Context) -> Option<String> {
         }
     }
 }
+
+fn insecure_stream(
+    address: &Vec<std::net::SocketAddr>,
+) -> Result<(tungstenite::Connector, TcpStream)> {
+    let connector = TlsConnector::builder()
+        .danger_accept_invalid_certs(true)
+        .build()
+        .unwrap();
+
+    let stream = TcpStream::connect(address.as_slice())?;
+    let connector: tungstenite::Connector = tungstenite::Connector::NativeTls(connector);
+
+    Ok((connector, stream))
+}