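// Spec attempts to fill in SslThumbprint if empty.
// First checks GOVC_TLS_KNOWN_HOSTS (via c.Thumbprint); if not found and
// noverify=true then use object.HostCertificateInfo to get the thumbprint
// from the certificate the host itself presents.
//
// The noverify path is trust-on-first-use: nothing verifies the certificate
// the thumbprint is taken from, so the returned spec pins whatever certificate
// the host served at the time of the call.
func (flag *HostConnectFlag) Spec(c *vim25.Client) types.HostConnectSpec {
	spec := flag.HostConnectSpec
	if spec.SslThumbprint != "" {
		return spec
	}

	// Known-hosts lookup first; a hit means the host was pinned beforehand.
	spec.SslThumbprint = c.Thumbprint(spec.HostName)
	if spec.SslThumbprint != "" || !flag.noverify {
		return spec
	}

	// Fetch the thumbprint from the host. Spec has no error return and the
	// caller explicitly opted out of verification, so a failed fetch is best
	// effort: SslThumbprint is left as whatever FromURL produced (presumably
	// empty on error — confirm against HostCertificateInfo.FromURL).
	var info object.HostCertificateInfo
	u := &url.URL{Host: spec.HostName}
	if t, ok := c.Transport.(*http.Transport); ok {
		_ = info.FromURL(u, t.TLSClientConfig)
	} else {
		// Transport is not an *http.Transport (a wrapped or custom round
		// tripper): fall back to FromURL's own TLS defaults instead of
		// panicking on the type assertion.
		_ = info.FromURL(u, nil)
	}
	spec.SslThumbprint = info.ThumbprintSHA1

	return spec
}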
// CreateNoDCCheck builds a Validator and opens a session to input.URL.
//
// The target URL is normalized (scheme defaults to https, a bare host that the
// parser put in Path is moved to Host), the server certificate thumbprint is
// resolved when none was supplied, and the session is connected. Only the
// shape of the datacenter path is checked (at most one path element); the
// datacenter is presumably not resolved here, hence "NoDCCheck" — confirm.
//
// Returns the connected Validator, or an error when the certificate cannot be
// fetched or verified (unless input.Force is set), the session fails to
// connect, or the target path names more than a datacenter.
func CreateNoDCCheck(ctx context.Context, input *data.Data) (*Validator, error) {
	defer trace.End(trace.Begin(""))
	var err error
	v := &Validator{}
	v.Context = ctx
	// NOTE(review): tURL is passed straight to cert.FromURL below, which takes a
	// *url.URL elsewhere in this codebase, so tURL appears to alias input.URL and
	// every edit to Scheme/Host/Path below is visible to the caller — confirm.
	tURL := input.URL
	// default to https scheme
	if tURL.Scheme == "" {
		tURL.Scheme = "https"
	}
	// if they specified only an IP address the parser for some reason considers that a path
	if tURL.Host == "" {
		tURL.Host = tURL.Path
		tURL.Path = ""
	}
	// Resolve a thumbprint only when the caller did not pin one. new(tls.Config)
	// leaves certificate verification enabled, so cert.Err reports whether the
	// presented chain verified against the system roots.
	if tURL.Scheme == "https" && input.Thumbprint == "" {
		var cert object.HostCertificateInfo
		if err = cert.FromURL(tURL, new(tls.Config)); err != nil {
			return nil, err
		}
		if cert.Err != nil {
			if !input.Force {
				// TODO: prompt user / check ./known_hosts
				log.Errorf("Failed to verify certificate for target=%s (thumbprint=%s)", tURL.Host, cert.ThumbprintSHA1)
				return nil, cert.Err
			}
			// With Force set, an unverifiable certificate is accepted as-is
			// (trust on first use) and falls through to be pinned below.
			// NOTE(review): this acceptance is only logged at debug level, so
			// an operator cannot see that verification was bypassed — a
			// warning-level log here would make the bypass visible.
		}
		input.Thumbprint = cert.ThumbprintSHA1
		log.Debugf("Accepting host %q thumbprint %s", tURL.Host, input.Thumbprint)
	}
	// Thumbprint presumably pins the server certificate for the session and
	// Insecure presumably relaxes its verification when Force was given —
	// confirm against session.Config.
	sessionconfig := &session.Config{
		Thumbprint: input.Thumbprint,
		Insecure:   input.Force,
	}
	// if a datacenter was specified, set it
	v.DatacenterPath = tURL.Path
	if v.DatacenterPath != "" {
		sessionconfig.DatacenterPath = v.DatacenterPath
		// path needs to be stripped before we can use it as a service url
		tURL.Path = ""
	}
	sessionconfig.Service = tURL.String()
	v.Session = session.NewSession(sessionconfig)
	v.Session, err = v.Session.Connect(v.Context)
	if err != nil {
		return nil, err
	}
	// cached here to allow a modicum of testing while session is still in use.
	v.isVC = v.Session.IsVC()
	finder := find.NewFinder(v.Session.Client.Client, false)
	v.Session.Finder = finder
	v.Session.Populate(ctx)
	// only allow the datacenter to be specified in the target url, if any
	// "/dc" splits into ["", "dc"], so more than two elements means the path
	// goes deeper than a single datacenter.
	pElems := strings.Split(v.DatacenterPath, "/")
	if len(pElems) > 2 {
		detail := "--target should only specify datacenter in the path (e.g. https://addr/datacenter) - specify cluster, resource pool, or folder with --compute-resource"
		log.Error(detail)
		v.suggestDatacenter()
		return nil, errors.New(detail)
	}
	return v, nil
}
// TestServeHTTPS exercises the simulator over TLS: an insecure client can
// connect and log in, a verifying client is rejected with
// x509.UnknownAuthorityError, thumbprint pinning accepts only the matching
// SHA1, and pointing the client at the server's own CA file makes full
// verification succeed.
func TestServeHTTPS(t *testing.T) {
	service := New(NewServiceInstance(esx.ServiceContent, esx.RootFolder))
	service.TLS = new(tls.Config)

	ts := service.NewServer()
	defer ts.Close()

	ctx := context.Background()

	// insecure=true OK
	client, err := govmomi.NewClient(ctx, ts.URL, true)
	if err != nil {
		t.Fatal(err)
	}
	if err = client.Login(ctx, ts.URL.User); err != nil {
		t.Fatal(err)
	}

	// insecure=false should FAIL
	if _, err = govmomi.NewClient(ctx, ts.URL, false); err == nil {
		t.Fatal("expected error")
	}
	uerr, isURLErr := err.(*url.Error)
	if !isURLErr {
		t.Fatalf("err type=%T", err)
	}
	if _, isUnknownCA := uerr.Err.(x509.UnknownAuthorityError); !isUnknownCA {
		t.Fatalf("err type=%T", uerr.Err)
	}

	serverInfo := ts.CertificateInfo()

	// Test thumbprint validation
	soapClient := soap.NewClient(ts.URL, false)

	// Add host with thumbprint mismatch should fail
	soapClient.SetThumbprint(ts.URL.Host, "nope")
	if _, err = vim25.NewClient(ctx, soapClient); err == nil {
		t.Error("expected error")
	}

	// Add host with thumbprint match should pass
	soapClient.SetThumbprint(ts.URL.Host, serverInfo.ThumbprintSHA1)
	if _, err = vim25.NewClient(ctx, soapClient); err != nil {
		t.Fatal(err)
	}

	// The thumbprint fetched from the wire must agree with the one the
	// server reports for its own certificate.
	var peerInfo object.HostCertificateInfo
	if err = peerInfo.FromURL(ts.URL, nil); err != nil {
		t.Fatal(err)
	}
	if peerInfo.ThumbprintSHA1 != serverInfo.ThumbprintSHA1 {
		t.Error("thumbprint mismatch")
	}

	// Test custom RootCAs list
	soapClient = soap.NewClient(ts.URL, false)
	caFile, err := ts.CertificateFile()
	if err != nil {
		t.Fatal(err)
	}
	if err = soapClient.SetRootCAs(caFile); err != nil {
		t.Fatal(err)
	}
	if _, err = vim25.NewClient(ctx, soapClient); err != nil {
		t.Fatal(err)
	}
}