From f65f96bc59599a855f9f2b2cdfa503a8cdb1f758 Mon Sep 17 00:00:00 2001 From: Dean Troyer Date: Wed, 19 Dec 2012 09:52:54 -0600 Subject: [PATCH] Add --os-cacert Add support to specify a ca certificate bundle to verify keystone TLS (https) certificates. This only verifies certificates on the keystone connection, swift https connections are unchanged. Change-Id: I14351b405af4fd3d1970ba6656c1282a5d0a1082 --- bin/swift | 7 +++++++ swiftclient/client.py | 7 ++++++- tests/test_swiftclient.py | 29 +++++++++++++++++++++++++++++ tests/utils.py | 6 ++++++ 4 files changed, 48 insertions(+), 1 deletion(-) diff --git a/bin/swift b/bin/swift index 3eed210..7c942f4 100755 --- a/bin/swift +++ b/bin/swift @@ -42,6 +42,7 @@ def get_conn(options): auth_version=options.auth_version, os_options=options.os_options, snet=options.snet, + cacert=options.os_cacert, insecure=options.insecure) @@ -1144,6 +1145,12 @@ Example: default=environ.get('OS_ENDPOINT_TYPE'), help='Openstack Endpoint type. ' \ 'Defaults to env[OS_ENDPOINT_TYPE]') + parser.add_option('--os-cacert', + metavar='', + default=environ.get('OS_CACERT'), + help='Specify a CA bundle file to use in verifying a ' + 'TLS (https) server certificate. ' + 'Defaults to env[OS_CACERT]') parser.add_option('--insecure', action="store_true", dest="insecure", default=False, help='Allow swiftclient to access insecure keystone ' diff --git a/swiftclient/client.py b/swiftclient/client.py index b2a6510..5b0d20a 100644 --- a/swiftclient/client.py +++ b/swiftclient/client.py @@ -248,6 +248,7 @@ def get_keystoneclient_2_0(auth_url, user, key, os_options, **kwargs): password=key, tenant_name=os_options.get('tenant_name'), tenant_id=os_options.get('tenant_id'), + cacert=kwargs.get('cacert'), auth_url=auth_url, insecure=insecure) except exceptions.Unauthorized: raise ClientException('Unauthorised. Check username, password' @@ -312,8 +313,10 @@ def get_auth(auth_url, user, key, **kwargs): raise ClientException('No tenant specified') insecure = kwargs.get('insecure', False) + cacert = kwargs.get('cacert', None) (auth_url, token) = get_keystoneclient_2_0(auth_url, user, key, os_options, + cacert=cacert, insecure=insecure) return (auth_url, token) @@ -932,7 +935,7 @@ class Connection(object): def __init__(self, authurl=None, user=None, key=None, retries=5, preauthurl=None, preauthtoken=None, snet=False, starting_backoff=1, tenant_name=None, os_options=None, - auth_version="1", insecure=False): + auth_version="1", cacert=None, insecure=False): """ :param authurl: authentication URL :param user: user name to authenticate as @@ -966,6 +969,7 @@ class Connection(object): self.os_options = os_options or {} if tenant_name: self.os_options['tenant_name'] = tenant_name + self.cacert = cacert self.insecure = insecure def get_auth(self): @@ -975,6 +979,7 @@ class Connection(object): snet=self.snet, auth_version=self.auth_version, os_options=self.os_options, + cacert=self.cacert, insecure=self.insecure) def http_connection(self): diff --git a/tests/test_swiftclient.py b/tests/test_swiftclient.py index d5a3caa..5100a7a 100644 --- a/tests/test_swiftclient.py +++ b/tests/test_swiftclient.py @@ -265,6 +265,35 @@ class TestGetAuth(MockHttpTest): os_options={}, auth_version='2.0') + def test_auth_v2_cacert(self): + os_options = {'tenant_name': 'foo'} + c.get_keystoneclient_2_0 = fake_get_keystoneclient_2_0( + os_options, + None) + + auth_url_secure = 'https://www.tests.com' + auth_url_insecure = 'https://www.tests.com/self-signed-certificate' + + url, token = c.get_auth(auth_url_secure, 'asdf', 'asdf', + os_options=os_options, auth_version='2.0', + insecure=False) + self.assertTrue(url.startswith("http")) + self.assertTrue(token) + + url, token = c.get_auth(auth_url_insecure, 'asdf', 'asdf', + os_options=os_options, auth_version='2.0', + cacert='ca.pem', insecure=False) + self.assertTrue(url.startswith("http")) + self.assertTrue(token) + + self.assertRaises(c.ClientException, c.get_auth, + auth_url_insecure, 'asdf', 'asdf', + os_options=os_options, auth_version='2.0') + self.assertRaises(c.ClientException, c.get_auth, + auth_url_insecure, 'asdf', 'asdf', + os_options=os_options, auth_version='2.0', + insecure=False) + def test_auth_v2_insecure(self): os_options = {'tenant_name': 'foo'} c.get_keystoneclient_2_0 = fake_get_keystoneclient_2_0( diff --git a/tests/utils.py b/tests/utils.py index 88bca88..414920e 100644 --- a/tests/utils.py +++ b/tests/utils.py @@ -31,6 +31,12 @@ def fake_get_keystoneclient_2_0(os_options, exc=None, **kwargs): not actual_kwargs['insecure']: from swiftclient import client as c raise c.ClientException("invalid-certificate") + if auth_url.startswith("https") and \ + auth_url.endswith("self-signed-certificate") and \ + not actual_kwargs['insecure'] and \ + actual_kwargs['cacert'] is None: + from swiftclient import client as c + raise c.ClientException("unverified-certificate") return ("http://url/", "token") return fake_get_keystoneclient_2_0