Fix and improve SSL configuration
Previously the --insecure argument didn't have any effect on discover-tempest-config's behavior, which led to failing requests due to certificate verification failures. That is fixed now. Due to the change, discover-tempest-config can now automatically set the following 2 tempest options: * CONF.identity.disable_ssl_certificate_validation - previously always set to True by default. * CONF.identity.ca_certificates_file - previously not set at all. Change-Id: Iafcc9720e45190e6bd1046540d7c4a640c043023
parent
fb040d110f
commit
f146f81069
|
@ -88,7 +88,7 @@ class ClientManager(object):
|
||||||
self.identity_region = creds.identity_region
|
self.identity_region = creds.identity_region
|
||||||
self.auth_provider = creds.get_auth_provider()
|
self.auth_provider = creds.get_auth_provider()
|
||||||
|
|
||||||
default_params = self._get_default_params(conf)
|
default_params = creds.get_ssl_certificate_validation()
|
||||||
compute_params = self._get_compute_params(conf)
|
compute_params = self._get_compute_params(conf)
|
||||||
compute_params.update(default_params)
|
compute_params.update(default_params)
|
||||||
|
|
||||||
|
@ -177,15 +177,6 @@ class ClientManager(object):
|
||||||
project = self.projects.get_project_by_name(creds.project_name)
|
project = self.projects.get_project_by_name(creds.project_name)
|
||||||
conf.set('auth', 'admin_project_id', project['id'])
|
conf.set('auth', 'admin_project_id', project['id'])
|
||||||
|
|
||||||
def _get_default_params(self, conf):
|
|
||||||
default_params = {
|
|
||||||
'disable_ssl_certificate_validation':
|
|
||||||
conf.get_defaulted('identity',
|
|
||||||
'disable_ssl_certificate_validation'),
|
|
||||||
'ca_certs': conf.get_defaulted('identity', 'ca_certificates_file')
|
|
||||||
}
|
|
||||||
return default_params
|
|
||||||
|
|
||||||
def _get_compute_params(self, conf):
|
def _get_compute_params(self, conf):
|
||||||
compute_params = {
|
compute_params = {
|
||||||
'service': conf.get_defaulted('compute', 'catalog_type'),
|
'service': conf.get_defaulted('compute', 'catalog_type'),
|
||||||
|
|
|
@ -25,7 +25,7 @@ class Credentials(object):
|
||||||
Wrapps credentials obtained from TempestConf object and Tempest
|
Wrapps credentials obtained from TempestConf object and Tempest
|
||||||
credentialsfrom auth library.
|
credentialsfrom auth library.
|
||||||
"""
|
"""
|
||||||
def __init__(self, conf, admin):
|
def __init__(self, conf, admin, **kwargs):
|
||||||
"""Init method of Credentials.
|
"""Init method of Credentials.
|
||||||
|
|
||||||
:type conf: TempestConf object
|
:type conf: TempestConf object
|
||||||
|
@ -34,20 +34,43 @@ class Credentials(object):
|
||||||
"""
|
"""
|
||||||
self.admin = admin
|
self.admin = admin
|
||||||
self._conf = conf
|
self._conf = conf
|
||||||
|
self.verify = kwargs.get('verify', True)
|
||||||
|
self.cert = kwargs.get('cert', None)
|
||||||
self.username = self.get_credential('username')
|
self.username = self.get_credential('username')
|
||||||
self.password = self.get_credential('password')
|
self.password = self.get_credential('password')
|
||||||
self.project_name = self.get_credential('project_name')
|
self.project_name = self.get_credential('project_name')
|
||||||
self.identity_version = self._get_identity_version()
|
self.identity_version = self._get_identity_version()
|
||||||
self.api_version = 3 if self.identity_version == "v3" else 2
|
self.api_version = 3 if self.identity_version == "v3" else 2
|
||||||
self.identity_region = self._conf.get_defaulted('identity', 'region')
|
self.identity_region = self._conf.get_defaulted('identity', 'region')
|
||||||
self.disable_ssl_certificate_validation = self._conf.get_defaulted(
|
self.set_ssl_certificate_validation()
|
||||||
'identity',
|
|
||||||
'disable_ssl_certificate_validation'
|
|
||||||
)
|
|
||||||
self.ca_certs = self._conf.get_defaulted('identity',
|
|
||||||
'ca_certificates_file')
|
|
||||||
self.set_credentials()
|
self.set_credentials()
|
||||||
|
|
||||||
|
def set_ssl_certificate_validation(self):
|
||||||
|
# is there a specific CA bundle to use?
|
||||||
|
# self.verify is either a boolean, in which case it controls whether
|
||||||
|
# server's TLS certificates are verified, or a string, in which case
|
||||||
|
# it is a path to a CA bundle to use, default in requests package
|
||||||
|
# is True.
|
||||||
|
if isinstance(self.verify, str):
|
||||||
|
self.disable_ssl_certificate_validation = False
|
||||||
|
self.ca_certs = self.verify
|
||||||
|
self._conf.set('identity', 'ca_certificates_file', self.ca_certs)
|
||||||
|
else:
|
||||||
|
self.disable_ssl_certificate_validation = self._conf.get_defaulted(
|
||||||
|
'identity', 'disable_ssl_certificate_validation'
|
||||||
|
)
|
||||||
|
self.ca_certs = self._conf.get_defaulted('identity',
|
||||||
|
'ca_certificates_file')
|
||||||
|
self._conf.set('identity', 'disable_ssl_certificate_validation',
|
||||||
|
str(self.disable_ssl_certificate_validation))
|
||||||
|
|
||||||
|
def get_ssl_certificate_validation(self):
|
||||||
|
return {
|
||||||
|
'disable_ssl_certificate_validation':
|
||||||
|
self.disable_ssl_certificate_validation,
|
||||||
|
'ca_certs': self.ca_certs,
|
||||||
|
}
|
||||||
|
|
||||||
def get_credential(self, key):
|
def get_credential(self, key):
|
||||||
"""Helper for getting credential by its name.
|
"""Helper for getting credential by its name.
|
||||||
|
|
||||||
|
@ -65,8 +88,8 @@ class Credentials(object):
|
||||||
# tool keeps them in identity section for further usage
|
# tool keeps them in identity section for further usage
|
||||||
return self._conf.get_defaulted('identity', key)
|
return self._conf.get_defaulted('identity', key)
|
||||||
|
|
||||||
def _list_versions(self, base_url):
|
def _list_versions(self, base_url, **kwargs):
|
||||||
resp = requests.get(base_url)
|
resp = requests.get(base_url, **kwargs)
|
||||||
data = resp.json()
|
data = resp.json()
|
||||||
return data["versions"]["values"]
|
return data["versions"]["values"]
|
||||||
|
|
||||||
|
@ -77,7 +100,11 @@ class Credentials(object):
|
||||||
:rtype: string
|
:rtype: string
|
||||||
"""
|
"""
|
||||||
base_url = utils.get_base_url(self._conf.get("identity", "uri"))
|
base_url = utils.get_base_url(self._conf.get("identity", "uri"))
|
||||||
versions = self._list_versions(base_url)
|
kwargs = {
|
||||||
|
'verify': self.verify,
|
||||||
|
'cert': self.cert,
|
||||||
|
}
|
||||||
|
versions = self._list_versions(base_url, **kwargs)
|
||||||
for version in versions:
|
for version in versions:
|
||||||
if version["status"] == "stable" and "v3" in version["id"]:
|
if version["status"] == "stable" and "v3" in version["id"]:
|
||||||
return "v3"
|
return "v3"
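Review bot: In `set_ssl_certificate_validation`, the `else` branch never consults the boolean value of `self.verify`: `disable_ssl_certificate_validation` is read back from the config via `get_defaulted`, so `verify=True` and `verify=False` write the same value into the generated tempest configuration. The commit description says this option was previously always True by default, so if that default is unchanged, a cloud whose certificates were verified during discovery still ends up with validation disabled in the generated config. Consider deriving the value from the flag when the user has not explicitly overridden the option, e.g. `self.disable_ssl_certificate_validation = not self.verify`. The method also deserves a docstring stating that a string `verify` is treated as a CA bundle path and forces validation on.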
|
||||||
|
|
|
@ -488,10 +488,15 @@ def get_cloud_creds(args_namespace):
|
||||||
|
|
||||||
cloud_creds = cloud.config.get_auth_args()
|
cloud_creds = cloud.config.get_auth_args()
|
||||||
region_name = cloud.config.config['region_name']
|
region_name = cloud.config.config['region_name']
|
||||||
|
|
||||||
if region_name:
|
if region_name:
|
||||||
cloud_creds['region_name'] = region_name
|
cloud_creds['region_name'] = region_name
|
||||||
|
|
||||||
|
request_args = cloud.config.get_requests_verify_args()
|
||||||
|
cloud_creds['request_args'] = {
|
||||||
|
'verify': request_args[0],
|
||||||
|
'cert': request_args[1],
|
||||||
|
}
|
||||||
|
|
||||||
return cloud_creds
|
return cloud_creds
|
||||||
|
|
||||||
|
|
||||||
|
@ -512,7 +517,9 @@ def config_tempest(**kwargs):
|
||||||
accounts_path,
|
accounts_path,
|
||||||
kwargs.get('cloud_creds'))
|
kwargs.get('cloud_creds'))
|
||||||
|
|
||||||
credentials = Credentials(conf, not kwargs.get('non_admin', False))
|
request_args = kwargs.get('cloud_creds', {}).get('request_args', {})
|
||||||
|
credentials = Credentials(conf, not kwargs.get('non_admin', False),
|
||||||
|
**request_args)
|
||||||
clients = ClientManager(conf, credentials)
|
clients = ClientManager(conf, credentials)
|
||||||
|
|
||||||
if kwargs.get('create', False) and kwargs.get('test_accounts') is None:
|
if kwargs.get('create', False) and kwargs.get('test_accounts') is None:
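Review bot: In `config_tempest`, `kwargs.get('cloud_creds', {}).get('request_args', {})` only falls back to `{}` when the key is absent, so a caller passing `cloud_creds=None` would hit an AttributeError. The call just above forwards `kwargs.get('cloud_creds')` with no default, which suggests None is a possible value. `request_args = (kwargs.get('cloud_creds') or {}).get('request_args', {})` covers both cases. In `get_cloud_creds`, unpacking with `verify, cert = cloud.config.get_requests_verify_args()` would read more clearly than indexing `request_args[0]` and `request_args[1]`. Both functions continue outside the visible hunks.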
|
||||||
|
|
|
@ -42,7 +42,7 @@ class TestProjectsClient(BaseConfigTempestTest):
|
||||||
self.client_manager.identity_region,
|
self.client_manager.identity_region,
|
||||||
'publicURL',
|
'publicURL',
|
||||||
identity_version,
|
identity_version,
|
||||||
**self.client_manager._get_default_params(self.conf))
|
**self.creds.get_ssl_certificate_validation())
|
||||||
|
|
||||||
def test_init(self):
|
def test_init(self):
|
||||||
resp = self._get_projects_client('v2')
|
resp = self._get_projects_client('v2')
|
||||||
|
@ -130,7 +130,7 @@ class TestClientManager(BaseConfigTempestTest):
|
||||||
self.creds.identity_version,
|
self.creds.identity_version,
|
||||||
self.conf.get_defaulted('identity', 'catalog_type'),
|
self.conf.get_defaulted('identity', 'catalog_type'),
|
||||||
'publicURL',
|
'publicURL',
|
||||||
self.client_manager._get_default_params(self.conf))
|
self.creds.get_ssl_certificate_validation())
|
||||||
self.assertEqual(
|
self.assertEqual(
|
||||||
type(self.client_manager.users).__name__,
|
type(self.client_manager.users).__name__,
|
||||||
'UsersClient')
|
'UsersClient')
|
||||||
|
@ -142,7 +142,7 @@ class TestClientManager(BaseConfigTempestTest):
|
||||||
self.creds.identity_version,
|
self.creds.identity_version,
|
||||||
self.conf.get_defaulted('identity', 'catalog_type'),
|
self.conf.get_defaulted('identity', 'catalog_type'),
|
||||||
'publicURL',
|
'publicURL',
|
||||||
self.client_manager._get_default_params(self.conf))
|
self.creds.get_ssl_certificate_validation())
|
||||||
self.assertEqual(
|
self.assertEqual(
|
||||||
type(self.client_manager.roles).__name__,
|
type(self.client_manager.roles).__name__,
|
||||||
'RolesClient')
|
'RolesClient')
|
||||||
|
|
|
@ -0,0 +1,17 @@
|
||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
discover-tempest-config can now automatically set the following 2 tempest
|
||||||
|
options:
|
||||||
|
* CONF.identity.disable_ssl_certificate_validation
|
||||||
|
* CONF.identity.ca_certificates_file
|
||||||
|
The mentioned options are set based on cloud's request verify arguments
|
||||||
|
(verify and cert) read (either set as environent variables or passed via
|
||||||
|
CLI) by openstack package.
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
Passing a value from --insecure argument is fixed. Previously --insecure
|
||||||
|
didn't have any effect on discover-tempest-config and its behavior which
|
||||||
|
lead to failing requests due to certificates verify failures. That is fixed
|
||||||
|
now. Now the --insecure's value will be stored in the internal Credentials
|
||||||
|
class and safely pased in requests querying the cloud.
|