openstack/deb-murano
Code Issues Proposed changes

Merge "Adds TLS/SSL Version Support to Murano Engine."

Browse Source
This commit is contained in:
Jenkins 2017-03-15 06:54:26 +00:00 committed by Gerrit Code Review
commit 38346a0db9
3 changed files with 77 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
murano/common/config.py
View File

@ -55,6 +55,13 @@ rabbit_opts = [
help='Boolean flag to enable SSL communication through the ' help='Boolean flag to enable SSL communication through the '
'RabbitMQ broker between murano-engine and guest agents.'), 'RabbitMQ broker between murano-engine and guest agents.'),
cfg.StrOpt('ssl_version',
default='',
help='SSL version to use (valid only if SSL enabled). '
'Valid values are TLSv1 and SSLv23. SSLv2, SSLv3, '
'TLSv1_1, and TLSv1_2 may be available on some '
'distributions.'),
cfg.StrOpt('ca_certs', default='', cfg.StrOpt('ca_certs', default='',
help='SSL cert file (valid only if SSL enabled).'), help='SSL cert file (valid only if SSL enabled).'),

13
murano/common/messaging/mqclient.py
View File

@ -17,7 +17,9 @@ import ssl as ssl_module
from eventlet import patcher from eventlet import patcher
from oslo_serialization import jsonutils from oslo_serialization import jsonutils
from oslo_service import sslutils
from murano.common.i18n import _
from murano.common.messaging import subscription from murano.common.messaging import subscription
kombu = patcher.import_patched('kombu') kombu = patcher.import_patched('kombu')
@ -25,7 +27,7 @@ kombu = patcher.import_patched('kombu')
class MqClient(object): class MqClient(object):
def __init__(self, login, password, host, port, virtual_host, def __init__(self, login, password, host, port, virtual_host,
ssl=False, ca_certs=None, insecure=False): ssl=False, ssl_version=None, ca_certs=None, insecure=False):
ssl_params = None ssl_params = None
if ssl: if ssl:
@ -35,11 +37,20 @@ class MqClient(object):
cert_reqs = ssl_module.CERT_OPTIONAL cert_reqs = ssl_module.CERT_OPTIONAL
else: else:
cert_reqs = ssl_module.CERT_NONE cert_reqs = ssl_module.CERT_NONE
ssl_params = { ssl_params = {
'ca_certs': ca_certs, 'ca_certs': ca_certs,
'cert_reqs': cert_reqs 'cert_reqs': cert_reqs
} }
if ssl_version:
key = ssl_version.lower()
try:
ssl_params['ssl_version'] = sslutils._SSL_PROTOCOLS[key]
except KeyError:
raise RuntimeError(
_("Invalid SSL version: %s") % ssl_version)
self._connection = kombu.Connection( self._connection = kombu.Connection(
'amqp://{0}:{1}@{2}:{3}/{4}'.format( 'amqp://{0}:{1}@{2}:{3}/{4}'.format(
login, login,

58
murano/tests/unit/common/messaging/test_mqclient.py
View File

@ -14,12 +14,16 @@
# under the License. # under the License.
import mock import mock
from oslo_config import cfg
from oslo_serialization import jsonutils from oslo_serialization import jsonutils
import ssl as ssl_module import ssl as ssl_module
from murano.common.i18n import _
from murano.common.messaging import mqclient from murano.common.messaging import mqclient
from murano.tests.unit import base from murano.tests.unit import base
CONF = cfg.CONF
class MQClientTest(base.MuranoTestCase): class MQClientTest(base.MuranoTestCase):
@ -42,6 +46,60 @@ class MQClientTest(base.MuranoTestCase):
self.assertIsNone(self.ssl_client._channel) self.assertIsNone(self.ssl_client._channel)
self.assertFalse(self.ssl_client._connected) self.assertFalse(self.ssl_client._connected)
@mock.patch('murano.common.messaging.mqclient.kombu', autospec=True)
def test_client_initialization_with_ssl_version(self, mock_kombu):
ssl_versions = (
('tlsv1', getattr(ssl_module, 'PROTOCOL_TLSv1', None)),
('tlsv1_1', getattr(ssl_module, 'PROTOCOL_TLSv1_1', None)),
('tlsv1_2', getattr(ssl_module, 'PROTOCOL_TLSv1_2', None)),
('sslv2', getattr(ssl_module, 'PROTOCOL_SSLv2', None)),
('sslv23', getattr(ssl_module, 'PROTOCOL_SSLv23', None)),
('sslv3', getattr(ssl_module, 'PROTOCOL_SSLv3', None)))
exception_count = 0
for ssl_name, ssl_version in ssl_versions:
ssl_kwargs = {
'login': 'test_login',
'password': 'test_password',
'host': 'test_host',
'port': 'test_port',
'virtual_host': 'test_virtual_host',
'ssl': True,
'ssl_version': ssl_name,
'ca_certs': ['cert1'],
'insecure': False
}
# If a ssl_version is not valid, a RuntimeError is thrown.
# According to the ssl_version docs in config.py, certain versions
# of TLS may be available depending on the system. So, just
# check that at least 1 ssl_version works.
if ssl_version is None:
e = self.assertRaises(RuntimeError, mqclient.MqClient,
**ssl_kwargs)
self.assertEqual(_('Invalid SSL version: %s') % ssl_name,
e.__str__())
exception_count += 1
continue
self.ssl_client = mqclient.MqClient(**ssl_kwargs)
mock_kombu.Connection.assert_called_once_with(
'amqp://{0}:{1}@{2}:{3}/{4}'.format(
'test_login', 'test_password', 'test_host', 'test_port',
'test_virtual_host'),
ssl={'ca_certs': ['cert1'],
'cert_reqs': ssl_module.CERT_REQUIRED,
'ssl_version': ssl_version})
self.assertEqual(
mock_kombu.Connection(), self.ssl_client._connection)
self.assertIsNone(self.ssl_client._channel)
self.assertFalse(self.ssl_client._connected)
mock_kombu.Connection.reset_mock()
# Check that at least one ssl_version worked.
self.assertGreater(len(ssl_versions), exception_count)
@mock.patch('murano.common.messaging.mqclient.kombu') @mock.patch('murano.common.messaging.mqclient.kombu')
def test_alternate_client_initializations(self, mock_kombu): def test_alternate_client_initializations(self, mock_kombu):
for ca_cert in ['cert1', None]: for ca_cert in ['cert1', None]: