dohertj2/mxaccessgw
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(clients): inline Go gosec directive and strip IPv6 brackets in Python authority split

Browse Source
This commit is contained in:
Joseph Doherty
2026-06-01 07:57:22 -04:00
parent e5c704de69
commit 9bdb899774
3 changed files with 27 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
clients/go/mxgateway/client.go
+3 -5
View File
@@ -234,11 +234,9 @@ func tlsConfigForOptions(opts Options) *tls.Config {
return nil return nil
} }
return &tls.Config{ return &tls.Config{
MinVersion: tls.VersionTLS12, MinVersion: tls.VersionTLS12,
ServerName: opts.ServerNameOverride, ServerName: opts.ServerNameOverride,
//nolint:gosec // internal tool; self-signed cert is the expected gateway default; InsecureSkipVerify: !opts.RequireCertificateValidation, //nolint:gosec // internal tool; self-signed gateway cert expected; opt-in strict via RequireCertificateValidation
// opt-in to strict verification via RequireCertificateValidation.
InsecureSkipVerify: !opts.RequireCertificateValidation,
} }
} }
clients/python/src/zb_mom_ww_mxgateway/options.py
+13 -1
View File
@@ -74,8 +74,20 @@ class BrowseChildrenOptions:
def _split_authority(endpoint: str) -> tuple[str, int]: def _split_authority(endpoint: str) -> tuple[str, int]:
"""Split a gRPC target (optionally scheme-prefixed) into (host, port).""" """Split a gRPC target (optionally scheme-prefixed) into (host, port).
Handles bracketed IPv6 literals (e.g. ``[::1]:5120`` or bare ``[::1]``),
returning the host without brackets so it is safe to pass to
``ssl.get_server_certificate``.
"""
target = endpoint.split("://", 1)[-1] target = endpoint.split("://", 1)[-1]
if target.startswith("["):
# Bracketed IPv6: "[::1]:5120" or "[::1]"
bracket_end = target.find("]")
host = target[1:bracket_end] # strip surrounding brackets
remainder = target[bracket_end + 1 :] # ":5120" or ""
port_str = remainder.lstrip(":")
return (host, int(port_str) if port_str else 443)
host, _, port = target.rpartition(":") host, _, port = target.rpartition(":")
return (host or "localhost", int(port) if port else 443) return (host or "localhost", int(port) if port else 443)
clients/python/tests/test_tls.py
+11
View File
@@ -134,6 +134,17 @@ def test_split_authority_parses_host_and_port() -> None:
assert _split_authority(":5120") == ("localhost", 5120) assert _split_authority(":5120") == ("localhost", 5120)
def test_split_authority_strips_ipv6_brackets() -> None:
from zb_mom_ww_mxgateway.options import _split_authority
# Bracketed IPv6 with port — brackets must be removed for ssl.get_server_certificate
assert _split_authority("[::1]:5120") == ("::1", 5120)
# Bare bracketed IPv6 (no port) — default port 443
assert _split_authority("[::1]") == ("::1", 443)
# Scheme-prefixed bracketed IPv6
assert _split_authority("grpc://[::1]:5120") == ("::1", 5120)
def test_tofu_connect_failure_raises_transport_error() -> None: def test_tofu_connect_failure_raises_transport_error() -> None:
"""A failed cert pre-fetch surfaces the client's transport error type.""" """A failed cert pre-fetch surfaces the client's transport error type."""
options = ClientOptions(endpoint=f"127.0.0.1:{_free_port()}") options = ClientOptions(endpoint=f"127.0.0.1:{_free_port()}")