gabriel-samfira
diff --git a/‎api/apiclient.go
Lines changed: 83 additions & 72 deletions b/‎api/apiclient.go
Lines changed: 83 additions & 72 deletions
diff --git a/‎api/apiclient_test.go
Lines changed: 97 additions & 16 deletions b/‎api/apiclient_test.go
Lines changed: 97 additions & 16 deletions
diff --git a/‎api/certpool.go
Lines changed: 1 addition & 1 deletion b/‎api/certpool.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎api/export_test.go
Lines changed: 7 additions & 8 deletions b/‎api/export_test.go
Lines changed: 7 additions & 8 deletions
@@ -180,7 +180,7 @@ func open(
 	if clock == nil {
 		return nil, errors.NotValidf("nil clock")
 	}
-	conn, tlsConfig, err := connectWebsocket(info, opts)
+	conn, tlsConfig, err := dialAPI(info, opts)
 	if err != nil {
 		return nil, errors.Trace(err)
 	}
@@ -275,70 +275,6 @@ func (t *hostSwitchingTransport) RoundTrip(req *http.Request) (*http.Response, e
 	return t.fallback.RoundTrip(req)
 }
 
-// connectWebsocket establishes a websocket connection to the RPC
-// API websocket on the API server using Info. If multiple API addresses
-// are provided in Info they will be tried concurrently - the first successful
-// connection wins.
-//
-// It also returns the TLS configuration that it has derived from the Info.
-func connectWebsocket(info *Info, opts DialOpts) (*websocket.Conn, *tls.Config, error) {
-	if len(info.Addrs) == 0 {
-		return nil, nil, errors.New("no API addresses to connect to")
-	}
-	tlsConfig := utils.SecureTLSConfig()
-	tlsConfig.InsecureSkipVerify = opts.InsecureSkipVerify
-
-	if info.CACert != "" && !tlsConfig.InsecureSkipVerify {
-		// We want to be specific here (rather than just using "anything".
-		// See commit 7fc118f015d8480dfad7831788e4b8c0432205e8 (PR 899).
-		tlsConfig.ServerName = "juju-apiserver"
-		certPool, err := CreateCertPool(info.CACert)
-		if err != nil {
-			return nil, nil, errors.Annotate(err, "cert pool creation failed")
-		}
-		tlsConfig.RootCAs = certPool
-	}
-	path, err := apiPath(info.ModelTag, "/api")
-	if err != nil {
-		return nil, nil, errors.Trace(err)
-	}
-	conn, err := dialWebSocket(info.Addrs, path, tlsConfig, opts)
-	if err != nil {
-		return nil, nil, errors.Trace(err)
-	}
-	logger.Infof("connection established to %q", conn.RemoteAddr())
-	return conn, tlsConfig, nil
-}
-
-// dialWebSocket dials a websocket with one of the provided addresses, the
-// specified URL path, TLS configuration, and dial options. Each of the
-// specified addresses will be attempted concurrently, and the first
-// successful connection will be returned.
-func dialWebSocket(addrs []string, path string, tlsConfig *tls.Config, opts DialOpts) (*websocket.Conn, error) {
-	// Dial all addresses at reasonable intervals.
-	try := parallel.NewTry(0, nil)
-	defer try.Kill()
-	for _, addr := range addrs {
-		err := dialWebsocket(addr, path, opts, tlsConfig, try)
-		if err == parallel.ErrStopped {
-			break
-		}
-		if err != nil {
-			return nil, errors.Trace(err)
-		}
-		select {
-		case <-time.After(opts.DialAddressInterval):
-		case <-try.Dead():
-		}
-	}
-	try.Close()
-	result, err := try.Result()
-	if err != nil {
-		return nil, errors.Trace(err)
-	}
-	return result.(*websocket.Conn), nil
-}
-
 // ConnectStream implements StreamConnector.ConnectStream.
 func (st *state) ConnectStream(path string, attrs url.Values) (base.Stream, error) {
 	if !st.isLoggedIn() {
@@ -486,7 +422,83 @@ func tagToString(tag names.Tag) string {
 	return tag.String()
 }
 
-func dialWebsocket(addr, path string, opts DialOpts, tlsConfig *tls.Config, try *parallel.Try) error {
+// dialAPI establishes a websocket connection to the RPC
+// API websocket on the API server using Info. If multiple API addresses
+// are provided in Info they will be tried concurrently - the first successful
+// connection wins.
+//
+// It also returns the TLS configuration that it has derived from the Info.
+func dialAPI(info *Info, opts DialOpts) (*websocket.Conn, *tls.Config, error) {
+	// Set opts.DialWebsocket here rather than in open because
+	// some tests call dialAPI directly.
+	if opts.DialWebsocket == nil {
+		opts.DialWebsocket = websocket.DialConfig
+	}
+	if len(info.Addrs) == 0 {
+		return nil, nil, errors.New("no API addresses to connect to")
+	}
+	tlsConfig := utils.SecureTLSConfig()
+	tlsConfig.InsecureSkipVerify = opts.InsecureSkipVerify
+
+	if info.CACert != "" {
+		// We want to be specific here (rather than just using "anything".
+		// See commit 7fc118f015d8480dfad7831788e4b8c0432205e8 (PR 899).
+		tlsConfig.ServerName = "juju-apiserver"
+		certPool, err := CreateCertPool(info.CACert)
+		if err != nil {
+			return nil, nil, errors.Annotate(err, "cert pool creation failed")
+		}
+		tlsConfig.RootCAs = certPool
+	} else {
+		// No CA certificate so use the SNI host name for all
+		// connections (if SNIHostName is empty, the host
+		// name in the address will be used as usual).
+		tlsConfig.ServerName = info.SNIHostName
+	}
+	path, err := apiPath(info.ModelTag, "/api")
+	if err != nil {
+		return nil, nil, errors.Trace(err)
+	}
+	conn, err := dialWebsocketMulti(info.Addrs, path, tlsConfig, opts)
+	if err != nil {
+		return nil, nil, errors.Trace(err)
+	}
+	logger.Infof("connection established to %q", conn.RemoteAddr())
+	return conn, tlsConfig, nil
+}
+
+// dialWebsocketMulti dials a websocket with one of the provided addresses, the
+// specified URL path, TLS configuration, and dial options. Each of the
+// specified addresses will be attempted concurrently, and the first
+// successful connection will be returned.
+func dialWebsocketMulti(addrs []string, path string, tlsConfig *tls.Config, opts DialOpts) (*websocket.Conn, error) {
+	// Dial all addresses at reasonable intervals.
+	try := parallel.NewTry(0, nil)
+	defer try.Kill()
+	for _, addr := range addrs {
+		err := startDialWebsocket(try, addr, path, opts, tlsConfig)
+		if err == parallel.ErrStopped {
+			break
+		}
+		if err != nil {
+			return nil, errors.Trace(err)
+		}
+		select {
+		case <-time.After(opts.DialAddressInterval):
+		case <-try.Dead():
+		}
+	}
+	try.Close()
+	result, err := try.Result()
+	if err != nil {
+		return nil, errors.Trace(err)
+	}
+	return result.(*websocket.Conn), nil
+}
+
+// startDialWebsocket starts websocket connection to a single address
+// on the given try instance.
+func startDialWebsocket(try *parallel.Try, addr, path string, opts DialOpts, tlsConfig *tls.Config) error {
 	// origin is required by the WebSocket API, used for "origin policy"
 	// in websockets. We pass localhost to satisfy the API; it is
 	// inconsequential to us.
@@ -499,11 +511,10 @@ func dialWebsocket(addr, path string, opts DialOpts, tlsConfig *tls.Config, try
 	return try.Start(newWebsocketDialer(cfg, opts))
 }
 
-// newWebsocketDialer returns a function that
-// can be passed to utils/parallel.Try.Start.
-var newWebsocketDialer = createWebsocketDialer
-
-func createWebsocketDialer(cfg *websocket.Config, opts DialOpts) func(<-chan struct{}) (io.Closer, error) {
+// newWebsocketDialer0 returns a function that dials the websocket represented
+// by the given configuration with the given dial options, suitable for passing
+// to utils/parallel.Try.Start.
+func newWebsocketDialer(cfg *websocket.Config, opts DialOpts) func(<-chan struct{}) (io.Closer, error) {
 	// TODO(katco): 2016-08-09: lp:1611427
 	openAttempt := utils.AttemptStrategy{
 		Total: opts.Timeout,
@@ -517,7 +528,7 @@ func createWebsocketDialer(cfg *websocket.Config, opts DialOpts) func(<-chan str
 			default:
 			}
 			logger.Infof("dialing %q", cfg.Location)
-			conn, err := websocket.DialConfig(cfg)
+			conn, err := opts.DialWebsocket(cfg)
 			if err == nil {
 				return conn, nil
 			}
 
@@ -34,24 +34,24 @@ type apiclientSuite struct {
 
 var _ = gc.Suite(&apiclientSuite{})
 
-func (s *apiclientSuite) TestConnectWebsocketToEnv(c *gc.C) {
+func (s *apiclientSuite) TestDialAPIToEnv(c *gc.C) {
 	info := s.APIInfo(c)
-	conn, _, err := api.ConnectWebsocket(info, api.DialOpts{})
+	conn, _, err := api.DialAPI(info, api.DialOpts{})
 	c.Assert(err, jc.ErrorIsNil)
 	defer conn.Close()
-	assertConnAddrForEnv(c, conn, info.Addrs[0], s.State.ModelUUID(), "/api")
+	assertConnAddrForModel(c, conn, info.Addrs[0], s.State.ModelUUID())
 }
 
-func (s *apiclientSuite) TestConnectWebsocketToRoot(c *gc.C) {
+func (s *apiclientSuite) TestDialAPIToRoot(c *gc.C) {
 	info := s.APIInfo(c)
 	info.ModelTag = names.NewModelTag("")
-	conn, _, err := api.ConnectWebsocket(info, api.DialOpts{})
+	conn, _, err := api.DialAPI(info, api.DialOpts{})
 	c.Assert(err, jc.ErrorIsNil)
 	defer conn.Close()
 	assertConnAddrForRoot(c, conn, info.Addrs[0])
 }
 
-func (s *apiclientSuite) TestConnectWebsocketMultiple(c *gc.C) {
+func (s *apiclientSuite) TestDialAPIMultiple(c *gc.C) {
 	// Create a socket that proxies to the API server.
 	info := s.APIInfo(c)
 	serverAddr := info.Addrs[0]
@@ -60,22 +60,22 @@ func (s *apiclientSuite) TestConnectWebsocketMultiple(c *gc.C) {
 
 	// Check that we can use the proxy to connect.
 	info.Addrs = []string{proxy.Addr()}
-	conn, _, err := api.ConnectWebsocket(info, api.DialOpts{})
+	conn, _, err := api.DialAPI(info, api.DialOpts{})
 	c.Assert(err, jc.ErrorIsNil)
 	conn.Close()
-	assertConnAddrForEnv(c, conn, proxy.Addr(), s.State.ModelUUID(), "/api")
+	assertConnAddrForModel(c, conn, proxy.Addr(), s.State.ModelUUID())
 
 	// Now break Addrs[0], and ensure that Addrs[1]
 	// is successfully connected to.
 	proxy.Close()
 	info.Addrs = []string{proxy.Addr(), serverAddr}
-	conn, _, err = api.ConnectWebsocket(info, api.DialOpts{})
+	conn, _, err = api.DialAPI(info, api.DialOpts{})
 	c.Assert(err, jc.ErrorIsNil)
 	conn.Close()
-	assertConnAddrForEnv(c, conn, serverAddr, s.State.ModelUUID(), "/api")
+	assertConnAddrForModel(c, conn, serverAddr, s.State.ModelUUID())
 }
 
-func (s *apiclientSuite) TestConnectWebsocketMultipleError(c *gc.C) {
+func (s *apiclientSuite) TestDialAPIMultipleError(c *gc.C) {
 	listener, err := net.Listen("tcp", "127.0.0.1:0")
 	c.Assert(err, jc.ErrorIsNil)
 	defer listener.Close()
@@ -94,7 +94,7 @@ func (s *apiclientSuite) TestConnectWebsocketMultipleError(c *gc.C) {
 	info := s.APIInfo(c)
 	addr := listener.Addr().String()
 	info.Addrs = []string{addr, addr, addr}
-	_, _, err = api.ConnectWebsocket(info, api.DialOpts{})
+	_, _, err = api.DialAPI(info, api.DialOpts{})
 	c.Assert(err, gc.ErrorMatches, `unable to connect to API: websocket.Dial wss://.*/model/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/api: .*`)
 	c.Assert(atomic.LoadInt32(&count), gc.Equals, int32(3))
 }
@@ -153,14 +153,95 @@ func (s *apiclientSuite) TestServerRoot(c *gc.C) {
 }
 
 func (s *apiclientSuite) TestDialWebsocketStopped(c *gc.C) {
-	stopped := make(chan struct{})
 	f := api.NewWebsocketDialer(nil, api.DialOpts{})
+	stopped := make(chan struct{})
 	close(stopped)
 	result, err := f(stopped)
 	c.Assert(err, gc.Equals, parallel.ErrStopped)
 	c.Assert(result, gc.IsNil)
 }
 
+func (s *apiclientSuite) TestOpenWithSNIHostNameEmptyCert(c *gc.C) {
+	info := &api.Info{
+		Addrs:       []string{"foo.com:1234", "0.1.2.3:1234"},
+		SNIHostName: "foo.com",
+		SkipLogin:   true,
+	}
+	// When we dial with an SNI name and no CA certificate, the connection should
+	// always be made with the provided SNI name.
+	s.testSNIHostName(c, info, []apiDialInfo{{
+		location:   "wss://foo.com:1234/api",
+		hasRootCAs: false,
+		serverName: "foo.com",
+	}, {
+		location:   "wss://0.1.2.3:1234/api",
+		hasRootCAs: false,
+		serverName: "foo.com",
+	}})
+}
+
+func (s *apiclientSuite) TestOpenWithSNIHostNameWithCACert(c *gc.C) {
+	info := &api.Info{
+		Addrs:       []string{"foo.com:1234", "0.1.2.3:1234"},
+		SNIHostName: "foo.com",
+		SkipLogin:   true,
+		CACert:      jtesting.CACert,
+	}
+	// When we dial with an SNI name and a CA cert, the SNI name
+	// should be ignored.
+	s.testSNIHostName(c, info, []apiDialInfo{{
+		location:   "wss://foo.com:1234/api",
+		hasRootCAs: true,
+		serverName: "juju-apiserver",
+	}, {
+		location:   "wss://0.1.2.3:1234/api",
+		hasRootCAs: true,
+		serverName: "juju-apiserver",
+	}})
+}
+
+type apiDialInfo struct {
+	location   string
+	hasRootCAs bool
+	serverName string
+}
+
+// testSNIHostName tests that when the API is dialed with the given info,
+// api.newWebsocketDialer is called with the expected information
+// (one element for each call to newWebsocketDialer)
+func (s *apiclientSuite) testSNIHostName(c *gc.C, info *api.Info, expectDials []apiDialInfo) {
+	dialed := make(chan *websocket.Config)
+	fakeDialer := func(cfg *websocket.Config) (*websocket.Conn, error) {
+		dialed <- cfg
+		return nil, errors.New("nope")
+	}
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+		conn, err := api.Open(info, api.DialOpts{
+			DialWebsocket: fakeDialer,
+		})
+		c.Check(conn, gc.Equals, nil)
+		c.Check(err, gc.ErrorMatches, `unable to connect to API: nope`)
+	}()
+	for _, expect := range expectDials {
+		select {
+		case cfg := <-dialed:
+			c.Check(cfg.Location.String(), gc.Equals, expect.location)
+			c.Assert(cfg.TlsConfig, gc.NotNil)
+			c.Check(cfg.TlsConfig.RootCAs != nil, gc.Equals, expect.hasRootCAs)
+			c.Check(cfg.TlsConfig.ServerName, gc.Equals, expect.serverName)
+		case <-time.After(jtesting.LongWait):
+			c.Fatalf("timed out waiting for dial")
+		}
+	}
+	select {
+	case <-done:
+	case <-time.After(jtesting.LongWait):
+		c.Fatalf("timed out waiting for API open")
+	}
+}
+
 func (s *apiclientSuite) TestOpenWithNoCACert(c *gc.C) {
 	// This is hard to test as we have no way of affecting the system roots,
 	// so instead we check that the error that we get implies that
@@ -405,10 +486,10 @@ func (a *redirectAPIAdmin) RedirectInfo() (params.RedirectInfoResult, error) {
 	}, nil
 }
 
-func assertConnAddrForEnv(c *gc.C, conn *websocket.Conn, addr, modelUUID, tail string) {
-	c.Assert(conn.RemoteAddr(), gc.Matches, "^wss://"+addr+"/model/"+modelUUID+tail+"$")
+func assertConnAddrForModel(c *gc.C, conn *websocket.Conn, addr, modelUUID string) {
+	c.Assert(conn.RemoteAddr().String(), gc.Equals, "wss://"+addr+"/model/"+modelUUID+"/api")
 }
 
 func assertConnAddrForRoot(c *gc.C, conn *websocket.Conn, addr string) {
-	c.Assert(conn.RemoteAddr(), gc.Matches, "^wss://"+addr+"/api$")
+	c.Assert(conn.RemoteAddr().String(), gc.Matches, "wss://"+addr+"/api")
 }
@@ -27,7 +27,7 @@ func CreateCertPool(caCert string) (*x509.CertPool, error) {
 	if caCert != "" {
 		xcert, err := cert.ParseCert(caCert)
 		if err != nil {
-			return nil, errors.Trace(err)
+			return nil, errors.Annotatef(err, "cannot parse certificate %q", caCert)
 		}
 		pool.AddCert(xcert)
 	}
 
@@ -12,14 +12,13 @@ import (
 )
 
 var (
-	CertDir               = &certDir
-	NewWebsocketDialer    = newWebsocketDialer
-	NewWebsocketDialerPtr = &newWebsocketDialer
-	WebsocketDialConfig   = &websocketDialConfig
-	SlideAddressToFront   = slideAddressToFront
-	BestVersion           = bestVersion
-	FacadeVersions        = &facadeVersions
-	ConnectWebsocket      = connectWebsocket
+	CertDir             = &certDir
+	NewWebsocketDialer  = newWebsocketDialer
+	WebsocketDialConfig = &websocketDialConfig
+	SlideAddressToFront = slideAddressToFront
+	BestVersion         = bestVersion
+	FacadeVersions      = &facadeVersions
+	DialAPI             = dialAPI
 )
 
 // RPCConnection defines the methods that are called on the rpc.Conn instance.
Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,7 @@ func CreateCertPool(caCert string) (*x509.CertPool, error) {`
`27`	`27`	`if caCert != "" {`
`28`	`28`	`xcert, err := cert.ParseCert(caCert)`
`29`	`29`	`if err != nil {`
`30`		`- return nil, errors.Trace(err)`
	`30`	`+ return nil, errors.Annotatef(err, "cannot parse certificate %q", caCert)`
`31`	`31`	`}`
`32`	`32`	`pool.AddCert(xcert)`
`33`	`33`	`}`