diff --git a/openstack_auth/backend.py b/openstack_auth/backend.py index 6b74383..bcfa91e 100644 --- a/openstack_auth/backend.py +++ b/openstack_auth/backend.py @@ -74,6 +74,7 @@ class KeystoneBackend(object): LOG.debug('Beginning user authentication for user "%s".' % username) insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False) + ca_cert = getattr(settings, "OPENSTACK_SSL_CACERT", None) endpoint_type = getattr( settings, 'OPENSTACK_ENDPOINT_TYPE', 'publicURL') @@ -85,6 +86,7 @@ class KeystoneBackend(object): password=password, auth_url=auth_url, insecure=insecure, + cacert=ca_cert, debug=settings.DEBUG) unscoped_auth_ref = client.auth_ref @@ -135,6 +137,7 @@ class KeystoneBackend(object): token=unscoped_auth_ref.auth_token, auth_url=auth_url, insecure=insecure, + cacert=ca_cert, debug=settings.DEBUG) auth_ref = client.auth_ref break diff --git a/openstack_auth/tests/tests.py b/openstack_auth/tests/tests.py index 2820ca5..4805e70 100644 --- a/openstack_auth/tests/tests.py +++ b/openstack_auth/tests/tests.py @@ -66,12 +66,14 @@ class OpenStackAuthTestsV2(test.TestCase): username=user.name, user_domain_name=DEFAULT_DOMAIN, insecure=False, + cacert=None, debug=False)\ .AndReturn(self.keystone_client_unscoped) self.keystone_client_unscoped.tenants.list().AndReturn(tenants) self.ks_client_module.Client(auth_url=settings.OPENSTACK_KEYSTONE_URL, tenant_id=self.data.tenant_two.id, insecure=False, + cacert=None, token=unscoped.auth_token, debug=False) \ .AndReturn(self.keystone_client_scoped) @@ -108,6 +110,7 @@ class OpenStackAuthTestsV2(test.TestCase): username=user.name, user_domain_name=DEFAULT_DOMAIN, insecure=False, + cacert=None, debug=False)\ .AndReturn(self.keystone_client_unscoped) self.keystone_client_unscoped.tenants.list().AndReturn(tenants) 
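Review bot: The new `ca_cert` lookup in `KeystoneBackend` sits beside `insecure` with nothing saying which one wins when both `OPENSTACK_SSL_NO_VERIFY` and `OPENSTACK_SSL_CACERT` are set. If the Keystone client treats `insecure=True` as turning verification off entirely (it appears to, but that code is not on this page), a configured CA bundle is silently ignored. I would add a comment above the line, for example `# OPENSTACK_SSL_CACERT: path to the CA bundle used to verify Keystone's TLS certificate; ignored when OPENSTACK_SSL_NO_VERIFY is True`, and consider a `LOG.warning` when both are set. The same `getattr` pair is repeated in `user.py` (`authorized_tenants`) and twice in `views.py` (`delete_token`, `switch`), so a small shared helper returning both TLS options would keep the call sites from drifting apart. The enclosing method starts and ends outside this hunk.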
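Review bot: Every expectation updated in this hunk and in the later `tests.py` hunks pins `cacert=None`, so no test shows that a configured `OPENSTACK_SSL_CACERT` actually reaches `Client(...)`. One test per API version that overrides the setting and expects that value on both the unscoped and the scoped call would catch a call site that drops the argument. Assuming these are Django test cases, that could be `@override_settings(OPENSTACK_SSL_CACERT='/path/to/ca.pem')` (a constructed path) with `cacert='/path/to/ca.pem'` in the recorded calls. The test methods begin outside these hunks.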
@@ -115,12 +118,14 @@ class OpenStackAuthTestsV2(test.TestCase): self.ks_client_module.Client(auth_url=settings.OPENSTACK_KEYSTONE_URL, tenant_id=self.data.tenant_two.id, insecure=False, + cacert=None, token=unscoped.auth_token, debug=False) \ .AndRaise(exc) self.ks_client_module.Client(auth_url=settings.OPENSTACK_KEYSTONE_URL, tenant_id=self.data.tenant_one.id, insecure=False, + cacert=None, token=unscoped.auth_token, debug=False) \ .AndReturn(self.keystone_client_scoped) @@ -155,6 +160,7 @@ class OpenStackAuthTestsV2(test.TestCase): username=user.name, user_domain_name=DEFAULT_DOMAIN, insecure=False, + cacert=None, debug=False)\ .AndReturn(self.keystone_client_unscoped) self.keystone_client_unscoped.tenants.list().AndReturn(tenants) @@ -162,12 +168,14 @@ class OpenStackAuthTestsV2(test.TestCase): self.ks_client_module.Client(auth_url=settings.OPENSTACK_KEYSTONE_URL, tenant_id=self.data.tenant_two.id, insecure=False, + cacert=None, token=unscoped.auth_token, debug=False) \ .AndRaise(exc) self.ks_client_module.Client(auth_url=settings.OPENSTACK_KEYSTONE_URL, tenant_id=self.data.tenant_one.id, insecure=False, + cacert=None, token=unscoped.auth_token, debug=False) \ .AndRaise(exc) @@ -203,6 +211,7 @@ class OpenStackAuthTestsV2(test.TestCase): username=user.name, user_domain_name=DEFAULT_DOMAIN, insecure=False, + cacert=None, debug=False)\ .AndReturn(self.keystone_client_unscoped) self.keystone_client_unscoped.tenants.list().AndReturn([]) @@ -237,6 +246,7 @@ class OpenStackAuthTestsV2(test.TestCase): username=user.name, user_domain_name=DEFAULT_DOMAIN, insecure=False, + cacert=None, debug=False).AndRaise(exc) self.mox.ReplayAll() @@ -268,6 +278,7 @@ class OpenStackAuthTestsV2(test.TestCase): username=user.name, user_domain_name=DEFAULT_DOMAIN, insecure=False, + cacert=None, debug=False).AndRaise(exc) self.mox.ReplayAll() 
@@ -308,12 +319,14 @@ class OpenStackAuthTestsV2(test.TestCase): username=user.name, user_domain_name=DEFAULT_DOMAIN, insecure=False, + cacert=None, debug=False) \ .AndReturn(self.keystone_client_unscoped) self.keystone_client_unscoped.tenants.list().AndReturn(tenants) self.ks_client_module.Client(auth_url=settings.OPENSTACK_KEYSTONE_URL, tenant_id=self.data.tenant_two.id, insecure=False, + cacert=None, token=unscoped.auth_token, debug=False) \ .AndReturn(self.keystone_client_scoped) @@ -322,6 +335,7 @@ class OpenStackAuthTestsV2(test.TestCase): tenant_id=tenant.id, token=scoped.auth_token, insecure=False, + cacert=None, debug=False) \ .AndReturn(self.keystone_client_scoped) @@ -375,12 +389,14 @@ class OpenStackAuthTestsV2(test.TestCase): username=user.name, user_domain_name=DEFAULT_DOMAIN, insecure=False, + cacert=None, debug=False) \ .AndReturn(self.keystone_client_unscoped) self.keystone_client_unscoped.tenants.list().AndReturn(tenants) self.ks_client_module.Client(auth_url=settings.OPENSTACK_KEYSTONE_URL, tenant_id=self.data.tenant_two.id, insecure=False, + cacert=None, token=unscoped.auth_token, debug=False) \ .AndReturn(self.keystone_client_scoped) @@ -501,6 +517,7 @@ class OpenStackAuthTestsV3(test.TestCase): username=user.name, user_domain_name=DEFAULT_DOMAIN, insecure=False, + cacert=None, debug=False)\ .AndReturn(self.keystone_client_unscoped) self.keystone_client_unscoped.projects.list(user=user.id) \ @@ -508,6 +525,7 @@ class OpenStackAuthTestsV3(test.TestCase): self.ks_client_module.Client(auth_url=settings.OPENSTACK_KEYSTONE_URL, tenant_id=self.data.project_two.id, insecure=False, + cacert=None, token=unscoped.auth_token, debug=False) \ .AndReturn(self.keystone_client_scoped) @@ -543,6 +561,7 @@ class OpenStackAuthTestsV3(test.TestCase): username=user.name, user_domain_name=DEFAULT_DOMAIN, insecure=False, + cacert=None, debug=False)\ .AndReturn(self.keystone_client_unscoped) self.keystone_client_unscoped.projects.list(user=user.id) \ 
@@ -551,12 +570,14 @@ class OpenStackAuthTestsV3(test.TestCase): self.ks_client_module.Client(auth_url=settings.OPENSTACK_KEYSTONE_URL, tenant_id=self.data.project_two.id, insecure=False, + cacert=None, token=unscoped.auth_token, debug=False) \ .AndRaise(exc) self.ks_client_module.Client(auth_url=settings.OPENSTACK_KEYSTONE_URL, tenant_id=self.data.project_one.id, insecure=False, + cacert=None, token=unscoped.auth_token, debug=False) \ .AndReturn(self.keystone_client_scoped) @@ -592,6 +613,7 @@ class OpenStackAuthTestsV3(test.TestCase): username=user.name, user_domain_name=DEFAULT_DOMAIN, insecure=False, + cacert=None, debug=False)\ .AndReturn(self.keystone_client_unscoped) self.keystone_client_unscoped.projects.list(user=user.id) \ @@ -600,12 +622,14 @@ class OpenStackAuthTestsV3(test.TestCase): self.ks_client_module.Client(auth_url=settings.OPENSTACK_KEYSTONE_URL, tenant_id=self.data.project_two.id, insecure=False, + cacert=None, token=unscoped.auth_token, debug=False) \ .AndRaise(exc) self.ks_client_module.Client(auth_url=settings.OPENSTACK_KEYSTONE_URL, tenant_id=self.data.project_one.id, insecure=False, + cacert=None, token=unscoped.auth_token, debug=False) \ .AndRaise(exc) @@ -642,6 +666,7 @@ class OpenStackAuthTestsV3(test.TestCase): username=user.name, user_domain_name=DEFAULT_DOMAIN, insecure=False, + cacert=None, debug=False)\ .AndReturn(self.keystone_client_unscoped) self.keystone_client_unscoped.projects.list(user=user.id) \ @@ -677,6 +702,7 @@ class OpenStackAuthTestsV3(test.TestCase): username=user.name, user_domain_name=DEFAULT_DOMAIN, insecure=False, + cacert=None, debug=False).AndRaise(exc) self.mox.ReplayAll() @@ -708,6 +734,7 @@ class OpenStackAuthTestsV3(test.TestCase): username=user.name, user_domain_name=DEFAULT_DOMAIN, insecure=False, + cacert=None, debug=False).AndRaise(exc) self.mox.ReplayAll() 
@@ -749,6 +776,7 @@ class OpenStackAuthTestsV3(test.TestCase): username=user.name, user_domain_name=DEFAULT_DOMAIN, insecure=False, + cacert=None, debug=False) \ .AndReturn(self.keystone_client_unscoped) self.keystone_client_unscoped.projects.list(user=user.id) \ @@ -756,6 +784,7 @@ class OpenStackAuthTestsV3(test.TestCase): self.ks_client_module.Client(auth_url=settings.OPENSTACK_KEYSTONE_URL, tenant_id=self.data.project_two.id, insecure=False, + cacert=None, token=unscoped.auth_token, debug=False) \ .AndReturn(self.keystone_client_scoped) @@ -763,6 +792,7 @@ class OpenStackAuthTestsV3(test.TestCase): tenant_id=project.id, token=scoped.auth_token, insecure=False, + cacert=None, debug=False) \ .AndReturn(self.keystone_client_scoped) @@ -817,6 +847,7 @@ class OpenStackAuthTestsV3(test.TestCase): username=user.name, user_domain_name=DEFAULT_DOMAIN, insecure=False, + cacert=None, debug=False) \ .AndReturn(self.keystone_client_unscoped) self.keystone_client_unscoped.projects.list(user=user.id) \ @@ -824,6 +855,7 @@ class OpenStackAuthTestsV3(test.TestCase): self.ks_client_module.Client(auth_url=settings.OPENSTACK_KEYSTONE_URL, tenant_id=self.data.project_two.id, insecure=False, + cacert=None, token=unscoped.auth_token, debug=False) \ .AndReturn(self.keystone_client_scoped) diff --git a/openstack_auth/user.py b/openstack_auth/user.py index c5bfde8..da7f0c5 100644 --- a/openstack_auth/user.py +++ b/openstack_auth/user.py @@ -219,6 +219,7 @@ class User(AnonymousUser): def authorized_tenants(self): """ Returns a memoized list of tenants this user may access. """ insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False) + ca_cert = getattr(settings, "OPENSTACK_SSL_CACERT", None) if self.is_authenticated() and self._authorized_tenants is None: endpoint = self.endpoint 
@@ -229,6 +230,7 @@ class User(AnonymousUser): auth_url=endpoint, token=token.id, insecure=insecure, + cacert=ca_cert, debug=settings.DEBUG) except (keystone_exceptions.ClientException, keystone_exceptions.AuthorizationFailure): diff --git a/openstack_auth/views.py b/openstack_auth/views.py index 15c7437..83d916f 100644 --- a/openstack_auth/views.py +++ b/openstack_auth/views.py @@ -99,12 +99,14 @@ def delete_token(endpoint, token_id): """Delete a token.""" insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False) + ca_cert = getattr(settings, "OPENSTACK_SSL_CACERT", None) try: if get_keystone_version() < 3: client = keystone_client_v2.Client( endpoint=endpoint, token=token_id, insecure=insecure, + cacert=ca_cert, debug=settings.DEBUG ) client.tokens.delete(token=token_id) @@ -123,6 +125,7 @@ def switch(request, tenant_id, redirect_field_name=REDIRECT_FIELD_NAME): LOG.debug('Switching to tenant %s for user "%s".' % (tenant_id, request.user.username)) insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False) + ca_cert = getattr(settings, "OPENSTACK_SSL_CACERT", None) endpoint = request.user.endpoint try: if get_keystone_version() >= 3: @@ -131,6 +134,7 @@ def switch(request, tenant_id, redirect_field_name=REDIRECT_FIELD_NAME): token=request.user.token.id, auth_url=endpoint, insecure=insecure, + cacert=ca_cert, debug=settings.DEBUG) auth_ref = client.auth_ref msg = 'Project switch successful for user "%(username)s".' % \
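Review bot: In `delete_token` only the `get_keystone_version() < 3` branch is shown receiving `cacert=ca_cert`, and the rest of the `try` block lies outside the hunk. It is worth confirming that any client constructed for the v3 path there is given the same `insecure`/`cacert` pair, otherwise token deletion would verify TLS differently from login. A one-line comment next to the lookup, such as `# TLS options must match those used in KeystoneBackend.authenticate`, would make that coupling explicit for the next editor.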