Merge pull request #583 from uvindra/2.x.x

Support TLS renegotiation configuration

import-export-cli/cmd/root.go

@@ -114,7 +114,7 @@ func createConfigFiles() {
 
 	if !utils.IsFileExist(utils.MainConfigFilePath) {
 		var mainConfig = new(utils.MainConfig)
-		mainConfig.Config = utils.Config{utils.DefaultHttpRequestTimeout, utils.DefaultExportDirPath}
+		mainConfig.Config = utils.Config{utils.DefaultHttpRequestTimeout, utils.DefaultExportDirPath, utils.TLSRenegotiationNever}
 		utils.WriteConfigFile(mainConfig, utils.MainConfigFilePath)
 	}
 

import-export-cli/cmd/set.go

@@ -20,24 +20,28 @@ package cmd
 
 import (
 	"fmt"
+
 	"github.com/spf13/cobra"
 	"github.com/wso2/product-apim-tooling/import-export-cli/utils"
 )
 
 var flagHttpRequestTimeout int
 var flagExportDirectory string
+var flagTLSRenegotiationMode string
 
 // Set command related Info
 const setCmdLiteral = "set"
 const setCmdShortDesc = "Set configuration"
 
 const setCmdLongDesc = `Set configuration parameters. Use at least one of the following flags
 * --http-request-timeout <time-in-milli-seconds>
-* --export-directory <path-to-directory-where-apis-should-be-saved>`
+* --export-directory <path-to-directory-where-apis-should-be-saved>
+* --tls_renegotiation_mode <never|once|freely>`
 
 const setCmdExamples = utils.ProjectName + ` ` + setCmdLiteral + ` --http-request-timeout 3600 --export-directory /home/user/exported-apis
 ` + utils.ProjectName + ` ` + setCmdLiteral + ` --http-request-timeout 5000 --export-directory C:\Documents\exported
-` + utils.ProjectName + ` ` + setCmdLiteral + ` --http-request-timeout 5000`
+` + utils.ProjectName + ` ` + setCmdLiteral + ` --http-request-timeout 5000
+` + utils.ProjectName + ` ` + setCmdLiteral + ` --tls_renegotiation_mode freely`
 
 // SetCmd represents the 'set' command
 var SetCmd = &cobra.Command{
@@ -64,6 +68,13 @@ func executeSetCmd(mainConfigFilePath, exportDirectory string) {
 	} else {
 		fmt.Println("Invalid input for flag --export-directory")
 	}
+	if flagTLSRenegotiationMode == utils.TLSRenegotiationNever ||
+		flagTLSRenegotiationMode == utils.TLSRenegotiationOnce ||
+		flagTLSRenegotiationMode == utils.TLSRenegotiationFreely {
+		configVars.Config.TLSRenegotiationMode = flagTLSRenegotiationMode
+	} else {
+		fmt.Println("Invalid input for flag --tls_renegotiation_mode")
+	}
 	utils.WriteConfigFile(configVars, mainConfigFilePath)
 }
 
@@ -89,4 +100,6 @@ func init() {
 		"Timeout for HTTP Client")
 	SetCmd.Flags().StringVar(&flagExportDirectory, "export-directory", defaultExportDirectory,
 		"Path to directory where APIs should be saved")
+	SetCmd.Flags().StringVar(&flagTLSRenegotiationMode, "tls_renegotiation_mode", utils.TLSRenegotiationNever,
+		"Supported TLS renegotiation mode")
 }

import-export-cli/docs/apimcli_set.md

@@ -7,6 +7,7 @@ Set configuration
 
 Set configuration parameters. Use at least one of the following flags
 * --http-request-timeout <time-in-milli-seconds>
+* --tls_renegotiation_mode <never|once|freely>
 * --export-directory <path-to-directory-where-apis-should-be-saved>
 
 ```
@@ -19,6 +20,7 @@ apimcli set [flags]
 apimcli set --http-request-timeout 3600 --export-directory /home/user/exported-apis
 apimcli set --http-request-timeout 5000 --export-directory C:\Documents\exported
 apimcli set --http-request-timeout 5000
+apimcli set --tls_renegotiation_mode freely
 ```
 
 ### Options

import-export-cli/resources/README.html

@@ -232,9 +232,11 @@ <h3 id="commands">Commands</h3>
     <li><h4 id="set">set</h4>
         <pre><code class="lang-bash">      Flags
           --http-request-timeout
+          --tls_renegotiation_mode
           --export-directory
       Examples:
           apimcli set --http-request-timeout 10000
+          apimcli set --tls_renegotiation_mode freely
           apimcli set --export-directory /home/user/exported
 </code></pre>
     </li>

import-export-cli/utils/configVars.go

@@ -19,6 +19,7 @@
 package utils
 
 import (
+	"crypto/tls"
 	"errors"
 	"io/ioutil"
 	"os"
@@ -29,6 +30,9 @@ var HttpRequestTimeout = DefaultHttpRequestTimeout
 var Insecure bool
 var ExportDirectory string
 
+// TLSRenegotiationMode : Defines TLS Renegotiation support mode, default is never
+var TLSRenegotiationMode = tls.RenegotiateNever
+
 // SetConfigVars
 // @param mainConfigFilePath : Path to file where Configuration details are stored
 // @return error
@@ -55,6 +59,8 @@ func SetConfigVars(mainConfigFilePath string) error {
 	ExportDirectory = mainConfig.Config.ExportDirectory
 	Logln(LogPrefixInfo + "Setting ExportDirectory " + mainConfig.Config.ExportDirectory)
 
+	setTLSRenegotiationMode(mainConfig)
+
 	return nil
 }
 
@@ -76,3 +82,20 @@ func IsValid(fp string) bool {
 
 	return false
 }
+
+func setTLSRenegotiationMode(mainConfig *MainConfig) {
+	modeMap := map[string]tls.RenegotiationSupport{
+		TLSRenegotiationOnce:   tls.RenegotiateOnceAsClient,
+		TLSRenegotiationFreely: tls.RenegotiateFreelyAsClient,
+		TLSRenegotiationNever:  tls.RenegotiateNever,
+	}
+
+	if val, ok := modeMap[mainConfig.Config.TLSRenegotiationMode]; ok {
+		if ok {
+			TLSRenegotiationMode = val
+			Logln(LogPrefixInfo + "Setting TLSRenegotiationMode : " + mainConfig.Config.TLSRenegotiationMode)
+		} else {
+			Logln(LogPrefixInfo + "Setting TLSRenegotiationMode : never")
+		}
+	}
+}

import-export-cli/utils/constants.go

@@ -92,6 +92,15 @@ const APISecurityMutualSsl = "mutualssl"
 const DefaultTokenValidityPeriod = "3600"
 const DefaultHttpRequestTimeout = 10000
 
+// TLSRenegotiationNever : never negotiate
+const TLSRenegotiationNever = "never"
+
+// TLSRenegotiationOnce : negotiate once
+const TLSRenegotiationOnce = "once"
+
+// TLSRenegotiationFreely : negotiate freely
+const TLSRenegotiationFreely = "freely"
+
 //migration export
 const MaxAPIsToExportOnce = 20
 const MigrationAPIsExportMetadataFileName = "migration-apis-export-metadata.yaml"

import-export-cli/utils/structs.go

@@ -34,8 +34,9 @@ type MainConfig struct {
 }
 
 type Config struct {
-	HttpRequestTimeout int    `yaml:"http_request_timeout"`
-	ExportDirectory    string `yaml:"export_directory"`
+	HttpRequestTimeout   int    `yaml:"http_request_timeout"`
+	ExportDirectory      string `yaml:"export_directory"`
+	TLSRenegotiationMode string `yaml:"tls_renegotiation_mode,omitempty"`
 }
 
 type EnvKeys struct {

import-export-cli/utils/utils.go

@@ -22,21 +22,26 @@ import (
 	"bufio"
 	"crypto/tls"
 	"fmt"
-	"github.com/go-resty/resty"
-	"golang.org/x/crypto/ssh/terminal"
 	"io/ioutil"
 	"os"
 	"path/filepath"
 	"runtime"
 	"strings"
 	"time"
+
+	"github.com/go-resty/resty"
+	"golang.org/x/crypto/ssh/terminal"
 )
 
 // Invoke http-post request using go-resty
 func InvokePOSTRequest(url string, headers map[string]string, body string) (*resty.Response, error) {
+	tlsConfig := &tls.Config{Renegotiation: TLSRenegotiationMode}
 	if Insecure {
-		resty.SetTLSClientConfig(&tls.Config{InsecureSkipVerify: true}) // To bypass errors in SSL certificates
+		tlsConfig.InsecureSkipVerify = true // To bypass errors in SSL certificates
 	}
+
+	resty.SetTLSClientConfig(tlsConfig)
+
 	if os.Getenv("HTTP_PROXY") != "" {
 		resty.SetProxy(os.Getenv("HTTP_PROXY"))
 	} else if os.Getenv("HTTPS_PROXY") != "" {
@@ -54,9 +59,13 @@ func InvokePOSTRequest(url string, headers map[string]string, body string) (*res
 
 // Invoke http-post request using go-resty with byte[] body
 func InvokePOSTRequestWithBytes(url string, headers map[string]string, body []byte) (*resty.Response, error) {
+	tlsConfig := &tls.Config{Renegotiation: TLSRenegotiationMode}
 	if Insecure {
-		resty.SetTLSClientConfig(&tls.Config{InsecureSkipVerify: true}) // To bypass errors in SSL certificates
+		tlsConfig.InsecureSkipVerify = true // To bypass errors in SSL certificates
 	}
+
+	resty.SetTLSClientConfig(tlsConfig)
+
 	if os.Getenv("HTTP_PROXY") != "" {
 		resty.SetProxy(os.Getenv("HTTP_PROXY"))
 	} else if os.Getenv("HTTPS_PROXY") != "" {
@@ -74,9 +83,13 @@ func InvokePOSTRequestWithBytes(url string, headers map[string]string, body []by
 
 // Invoke http-post request using go-resty with byte[] body
 func InvokePUTRequestWithBytes(url string, headers map[string]string, body []byte) (*resty.Response, error) {
+	tlsConfig := &tls.Config{Renegotiation: TLSRenegotiationMode}
 	if Insecure {
-		resty.SetTLSClientConfig(&tls.Config{InsecureSkipVerify: true}) // To bypass errors in SSL certificates
+		tlsConfig.InsecureSkipVerify = true // To bypass errors in SSL certificates
 	}
+
+	resty.SetTLSClientConfig(tlsConfig)
+
 	if os.Getenv("HTTP_PROXY") != "" {
 		resty.SetProxy(os.Getenv("HTTP_PROXY"))
 	} else if os.Getenv("HTTPS_PROXY") != "" {
@@ -94,9 +107,13 @@ func InvokePUTRequestWithBytes(url string, headers map[string]string, body []byt
 
 // Invoke http-get request using go-resty
 func InvokeGETRequest(url string, headers map[string]string) (*resty.Response, error) {
+	tlsConfig := &tls.Config{Renegotiation: TLSRenegotiationMode}
 	if Insecure {
-		resty.SetTLSClientConfig(&tls.Config{InsecureSkipVerify: true}) // To bypass errors in SSL certificates
+		tlsConfig.InsecureSkipVerify = true // To bypass errors in SSL certificates
 	}
+
+	resty.SetTLSClientConfig(tlsConfig)
+
 	if os.Getenv("HTTP_PROXY") != "" {
 		resty.SetProxy(os.Getenv("HTTP_PROXY"))
 	} else if os.Getenv("HTTPS_PROXY") != "" {
@@ -115,9 +132,13 @@ func InvokeGETRequest(url string, headers map[string]string) (*resty.Response, e
 // Invoke http-get request with query param
 func InvokeGETRequestWithQueryParam(queryParam string, paramValue string, url string, headers map[string]string) (
 	*resty.Response, error) {
+	tlsConfig := &tls.Config{Renegotiation: TLSRenegotiationMode}
 	if Insecure {
-		resty.SetTLSClientConfig(&tls.Config{InsecureSkipVerify: true}) // To bypass errors in SSL certificates
+		tlsConfig.InsecureSkipVerify = true // To bypass errors in SSL certificates
 	}
+
+	resty.SetTLSClientConfig(tlsConfig)
+
 	if os.Getenv("HTTP_PROXY") != "" {
 		resty.SetProxy(os.Getenv("HTTP_PROXY"))
 	} else if os.Getenv("HTTPS_PROXY") != "" {