Support SSL verification in creating Blazar client

Adds support for SSL verification when ``OPENSTACK_SSL_CACERT`` is set. Explicitly skips verification if ``OPENSTACK_SSL_NO_VERIFY`` is set. This also switches to Session-based instantiation for the Blazar client, away from the deprecated url+token method. Closes-Bug: #2045281 Change-Id: I94aad7590b1e42ddfa1a20fdb184ca4d73587cd6
2024-02-09 10:33:15 +00:00 · 2024-02-09 10:33:15 +00:00 · 86f5b9012e
commit 86f5b9012e
parent 6c6caa3be6
2 changed files with 29 additions and 6 deletions
--- a/blazar_dashboard/api/client.py
+++ b/blazar_dashboard/api/client.py
@ -17,8 +17,11 @@ import logging
 from pytz import UTC

 from blazar_dashboard import conf
+from django.conf import settings
 from horizon import exceptions
 from horizon.utils.memoized import memoized
+from keystoneauth1.identity import v3
+from keystoneauth1 import session
 from openstack_dashboard.api import base

 from blazarclient import client as blazar_client
@ -69,16 +72,26 @@ class Allocation(base.APIDictWrapper):
@memoized
 def blazarclient(request):
    try:
-        api_url = base.url_for(request, 'reservation')
+        _ = base.url_for(request, 'reservation')
    except exceptions.ServiceCatalogException:
        LOG.debug('No Reservation service is configured.')
        return None

-    LOG.debug('blazarclient connection created using the token "%s" and url'
-              '"%s"' % (request.user.token.id, api_url))
-    return blazar_client.Client(
-        blazar_url=api_url,
-        auth_token=request.user.token.id)
+    auth_url = settings.OPENSTACK_KEYSTONE_URL
+    project_id = request.user.project_id
+    domain_id = request.session.get('domain_context')
+    auth = v3.Token(auth_url,
+                    request.user.token.id,
+                    project_id=project_id,
+                    project_domain_id=domain_id)
+    insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False)
+    cacert = getattr(settings, 'OPENSTACK_SSL_CACERT', None)
+    # If 'insecure' is True, 'verify' is False in all cases; otherwise
+    # pass the cacert path if it is present, or True if no cacert.
+    verify = not insecure and (cacert or True)
+    sess = session.Session(auth=auth, verify=verify)
+
+    return blazar_client.Client(session=sess)


 def lease_list(request):
--- a/releasenotes/notes/support-ssl-verification-when-creating-the-blazar-client-603ee30a4356ab52.yaml
+++ b/releasenotes/notes/support-ssl-verification-when-creating-the-blazar-client-603ee30a4356ab52.yaml
@ -0,0 +1,10 @@
+---
+features:
+  - |
+    Adds support for specifying a CA certificate to use to verify SSL
+    connections with ``OPENSTACK_SSL_CACERT`` and for disabling SSL certificate
+    checks with ``OPENSTACK_SSL_NO_VERIFY``.
+fixes:
+  - |
+    Fixes the dashboard not working when ``OPENSTACK_SSL_CACERT`` is set.
+    `LP#2045281 <https://launchpad.net/bugs/2045281>`__