add insecure flag

docs/index.md

@@ -56,4 +56,5 @@ See the following pages for advanced usage and reference information for the fla
 - [Span attributes and span attribute types](reference/span-attribute-types.md)
 - [Span events](reference/span-events.md)
 - [Span status](reference/span-status.md)
+- [Insecure Flag](reference/insecure-flag.md)
 - [tracepusher flag reference pages](reference/index.md)

docs/reference/index.md

@@ -12,4 +12,5 @@
 - [Span Events](span-events.md)
 - [Span Kind](span-kind.md)
 - [Span Durations and Duration Types](duration-type.md)
-- [Span Status](span-status.md)
+- [Span Status](span-status.md)
+- [Insecure flag](insecure-flag.md)

docs/reference/insecure-flag.md

@@ -0,0 +1,47 @@
+## Insecure Flag
+
+> Introduced in v0.9.0
+
+Default: `false`
+
+The optional `-ins [false|true]` or `--insecure [false|true]` flag exists to encourage "secure by default" practices by encouraging the sending of span only to `https://` endpoints. However, tracepusher **does** still work with `http://` endpoints.
+
+The `--insecure` flag affects whether or not tracepusher will connect to insecure `http://` endpoints or not.
+
+The `--insecure` flag operation differs by version.
+
+### v0.8.*
+
+The `--insecure` is not available
+
+### v0.9.*
+
+The `--insecure` flag defaults to `false` with the intention of meaning insecure endpoints are not allowed. However, to provide ample migration time for end users, the behaviour is as follows:
+
+- `--insecure` flag is omitted
+
+  This is the expected behaviour of everyone migrating from v0.8 to v0.9.
+  The flag defaults to `false` BUT will still allow `http://` endpoints, just like before.
+
+  Tracepusher will emit a soft `WARNING` message to inform users of the upcoming breaking change, like this:
+
+  ```
+  WARN: --insecure flag is omitted or is set to false. Prior to v1.0 tracepusher still works as expected (span is sent). In v1.0 and above, you MUST set '--insecure true' if you want to send to an http:// endpoint. See https://github.com/agardnerIT/tracepusher/issues/78
+  ```
+
+- `--insecure` flag is explicitly set to false
+
+  From v0.9 upwards, users are encouraged to get into the best practice habit of explicitly setting this to `false` or `true`.
+
+  Otherwise, for v0.9.*, the behaviour is as above.
+
+### v1.0
+
+If the `--insecure` flag is omitted or explicitly set to `false`, calls to `http://` endpoints will be `BLOCKED`.
+
+Calls to `http://` endpoints MUST be accompanied with the `--insecure true` flag or calls will be blocked with this error:
+
+```
+ERROR: Endpoint is http:// (insecure). You MUST set '--insecure true'. Span has NOT been sent.
+```
+

tracepusher.py

@@ -189,6 +189,8 @@ def get_span_status_int(input):
 parser.add_argument('-spnevnts', '--span-events', required=False, nargs='*')
 parser.add_argument('-sk', '--span-kind', required=False, default="INTERNAL")
 parser.add_argument('-ss', '--span-status', required=False, default="OK")
+parser.add_argument('-insec', '--insecure', required=False, default="False")
+
 
 args = parser.parse_args()
 
@@ -205,6 +207,7 @@ def get_span_status_int(input):
 span_id = args.span_id
 span_kind = args.span_kind
 span_status = get_span_status_int(args.span_status)
+allow_insecure = args.insecure
 
 span_attributes_list, dropped_attribute_count = get_span_attributes_list(args.span_attributes)
 span_kind = process_span_kind(span_kind)
@@ -236,6 +239,28 @@ def get_span_status_int(input):
   print(f"> Pushing a child (sub) span with parent span id: {parent_span_id}")
   HAS_PARENT_SPAN = True
 
+# Prior to v1.0
+# This flag will ONLY print a soft WARNING
+# If the flag is False (explicitly or omitted)
+# a warning is given that in v1.0 calls to http:// endpoints
+# will FAIL if "--insecure true" is NOT set
+#
+# In other words, prior to v1.0 no breaking change
+# v1.0 and above, if a user wishes to send to an http:// endpoint
+# --insecure true MUST be set
+#
+# Best practice: Start setting this flag now!
+
+# First convert to boolean
+ALLOW_INSECURE = False
+if allow_insecure.lower() == "true":
+  ALLOW_INSECURE = True
+
+# TODO: Adjust this error message for >=v1.0
+# From v1.0 make this WARN only appear in DEBUG_MODE
+if not ALLOW_INSECURE:
+  print("WARN: --insecure flag is omitted or is set to false. Prior to v1.0 tracepusher still works as expected (span is sent). In v1.0 and above, you MUST set '--insecure true' if you want to send to an http:// endpoint. See https://github.com/agardnerIT/tracepusher/issues/78")
+
 if DEBUG_MODE:
   print(f"Endpoint: {endpoint}")
   print(f"Service Name: {service_name}")
@@ -251,6 +276,12 @@ def get_span_status_int(input):
   print(f"Dropped Attribute Count: {dropped_attribute_count}")
   print(f"Span Kind: {span_kind}")
   print(f"Span Status: {span_status}")
+  print(f"Allow insecure endpoints: {allow_insecure}")
+
+# disable until v1.0
+#if endpoint.startswith("http://") and not ALLOW_INSECURE:
+#  print("ERROR: Endpoint is http:// (insecure). You MUST set '--insecure true'. Span has NOT been sent.")
+#  exit(1)
 
 # Generate random chars for trace and span IDs
 # of 32 chars and 16 chars respectively

tracepusher_test.py

@@ -241,4 +241,35 @@ def test_check_span_status_unset_when_set():
    args = "-ep http://otelcollector:4317 -sen serviceA -spn spanOne -dur 2 --dry-run true --debug true --span-status ABC123"
    output = run_tracepusher(args)
    assert output.returncode == 0
-   assert "'status': {'code': 0}" in output.stdout
+   assert "'status': {'code': 0}" in output.stdout
+
+# Check that --allow-insecure false
+# When flag is omitted
+# Also check that WARN message
+# TODO: Revisit this for v1.0
+def test_check_insecure_flag_false_when_unset():
+   args = "-ep http://otelcollector:4317 -sen serviceA -spn spanOne -dur 2 --dry-run true --debug true"
+   output = run_tracepusher(args)
+   assert output.returncode == 0
+   assert "allow insecure endpoints: false" or "" in output.stdout.lower()
+   assert "WARN: --insecure flag is omitted or is set to false. Prior to v1.0 tracepusher still works as expected (span is sent). In v1.0 and above, you MUST set '--insecure true' if you want to send to an http:// endpoint. See https://github.com/agardnerIT/tracepusher/issues/78" in output.stdout
+
+# Check that --allow-insecure flag false
+# When flag is explicitly set
+# TODO: Revisit this for v1.0
+def test_check_insecure_flag_false_when_set():
+   args = "-ep http://otelcollector:4317 -sen serviceA -spn spanOne -dur 2 --dry-run true --debug true --insecure false"
+   output = run_tracepusher(args)
+   assert output.returncode == 0
+   assert "allow insecure endpoints: false" in output.stdout.lower()
+   assert "WARN: --insecure flag is omitted or is set to false. Prior to v1.0 tracepusher still works as expected (span is sent). In v1.0 and above, you MUST set '--insecure true' if you want to send to an http:// endpoint. See https://github.com/agardnerIT/tracepusher/issues/78" in output.stdout
+
+# Check that --allow-insecure flag false
+# When flag is explicitly set
+# TODO: Revisit this for v1.0
+def test_check_insecure_flag_true_when_set():
+   args = "-ep http://otelcollector:4317 -sen serviceA -spn spanOne -dur 2 --dry-run true --debug true --insecure True"
+   output = run_tracepusher(args)
+   assert output.returncode == 0
+   assert "allow insecure endpoints: true" in output.stdout.lower()
+   #assert "WARN: --insecure flag is omitted or is set to false. Prior to v1.0 tracepusher still works as expected (span is sent). In v1.0 and above, you MUST set '--insecure true' if you want to send to an http:// endpoint. See https://github.com/agardnerIT/tracepusher/issues/78" in output.stdout