From 9d428206cd7326ffc29101745dc4a2b12461760f Mon Sep 17 00:00:00 2001
From: Gyorgy Szombathelyi
Date: Thu, 16 Jun 2016 17:01:35 +0200
Subject: [PATCH] Fix the ca certificate handling in the client sessions

The verify parameter is a 3 state parameter:
- it can be False if disabling CA checking is requested (insecure TLS)
- it can be set to True to check CA with the system CA bundle
- finally the path to the CA cert can be passed which must be used to check the session
The cert parameter used currently is a client certificate, which is obviously wrong in this case.

Change-Id: I100163713236a6096197e011963d08e994312dcd
Closes-Bug: #1593268
---
 .../notes/ca-cert-fix-5c434a82f9347039.yaml | 4 ++++
 sahara/service/sessions.py | 16 ++++++++--------
 sahara/tests/unit/service/test_sessions.py | 12 ++++--------
 3 files changed, 16 insertions(+), 16 deletions(-)
 create mode 100644 releasenotes/notes/ca-cert-fix-5c434a82f9347039.yaml

diff --git a/releasenotes/notes/ca-cert-fix-5c434a82f9347039.yaml b/releasenotes/notes/ca-cert-fix-5c434a82f9347039.yaml
new file mode 100644
index 00000000..09e0d319
--- /dev/null
+++ b/releasenotes/notes/ca-cert-fix-5c434a82f9347039.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+ - CA certificate handling in keystone, nova, neutron and
+ cinder clients are fixed (#330635)
diff --git a/sahara/service/sessions.py b/sahara/service/sessions.py
index c2ee3d9e..3a0247b8 100644
--- a/sahara/service/sessions.py
+++ b/sahara/service/sessions.py
@@ -103,9 +103,9 @@ class SessionCache(object):
 def get_cinder_session(self):
 session = self._sessions.get(SESSION_TYPE_CINDER)
 if not session:
- if not CONF.cinder.api_insecure and CONF.cinder.ca_file:
+ if not CONF.cinder.api_insecure:
 session = keystone.Session(
- cert=CONF.cinder.ca_file, verify=True)
+ verify=CONF.cinder.ca_file or True)
 else:
 session = self.get_insecure_session()
 self._set_session(SESSION_TYPE_CINDER, session)
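Review bot: The `verify=CONF.cinder.ca_file or True` line encodes a security-relevant rule with no comment, and the identical expression recurs in the get_keystone_session, get_neutron_session and get_nova_session hunks. I would put a comment above it, e.g. `# verify: CA bundle path when ca_file is set, else True (system CA bundle); cert= is only for a client certificate`, or better move the branch into one private helper that takes the config group so the rule lives in one place. The removed condition also routed `api_insecure=False` with an empty `ca_file` to `get_insecure_session()`, which by its name skips verification; that case is now verified against the system bundle, so endpoints signed by a private CA will fail until `ca_file` is set, and the release note would be the place to say so. Each method appears to end just past its hunk (the return is not visible).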
@@ -114,9 +114,9 @@ class SessionCache(object):
 def get_keystone_session(self):
 session = self._sessions.get(SESSION_TYPE_KEYSTONE)
 if not session:
- if not CONF.keystone.api_insecure and CONF.keystone.ca_file:
+ if not CONF.keystone.api_insecure:
 session = keystone.Session(
- cert=CONF.keystone.ca_file, verify=True)
+ verify=CONF.keystone.ca_file or True)
 else:
 session = self.get_insecure_session()
 self._set_session(SESSION_TYPE_KEYSTONE, session)
@@ -125,9 +125,9 @@ class SessionCache(object):
 def get_neutron_session(self):
 session = self._sessions.get(SESSION_TYPE_NEUTRON)
 if not session:
- if not CONF.neutron.api_insecure and CONF.neutron.ca_file:
+ if not CONF.neutron.api_insecure:
 session = keystone.Session(
- cert=CONF.neutron.ca_file, verify=True)
+ verify=CONF.neutron.ca_file or True)
 else:
 session = self.get_insecure_session()
 self._set_session(SESSION_TYPE_NEUTRON, session)
@@ -136,9 +136,9 @@ class SessionCache(object):
 def get_nova_session(self):
 session = self._sessions.get(SESSION_TYPE_NOVA)
 if not session:
- if not CONF.nova.api_insecure and CONF.nova.ca_file:
+ if not CONF.nova.api_insecure:
 session = keystone.Session(
- cert=CONF.nova.ca_file, verify=True)
+ verify=CONF.nova.ca_file or True)
 else:
 session = self.get_insecure_session()
 self._set_session(SESSION_TYPE_NOVA, session)
diff --git a/sahara/tests/unit/service/test_sessions.py b/sahara/tests/unit/service/test_sessions.py
index 5f26dd9c..39882833 100644
--- a/sahara/tests/unit/service/test_sessions.py
+++ b/sahara/tests/unit/service/test_sessions.py
@@ -38,8 +38,7 @@ class TestSessionCache(base.SaharaTestCase):
 self.override_config('ca_file', '/some/cacert', group='keystone')
 self.override_config('api_insecure', False, group='keystone')
 sc.get_session(sessions.SESSION_TYPE_KEYSTONE)
- keystone_session.assert_called_once_with(cert='/some/cacert',
- verify=True)
+ keystone_session.assert_called_once_with(verify='/some/cacert')
 sc = sessions.SessionCache()
 keystone_session.reset_mock()
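Review bot: The updated assertion only pins the case where `ca_file` is set; the case whose behaviour this commit changes for security, `api_insecure=False` with no `ca_file`, is not asserted on any visible line. If the cases that follow `keystone_session.reset_mock()` outside the hunk do not already cover it, add one per group that ends in `keystone_session.assert_called_once_with(verify=True)`, so a regression back to an unverified session is caught. The same applies to the nova, cinder and neutron test hunks. The test method starts and ends outside the hunk.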
@@ -58,8 +57,7 @@ class TestSessionCache(base.SaharaTestCase):
 self.override_config('ca_file', '/some/cacert', group='nova')
 self.override_config('api_insecure', False, group='nova')
 sc.get_session(sessions.SESSION_TYPE_NOVA)
- keystone_session.assert_called_once_with(cert='/some/cacert',
- verify=True)
+ keystone_session.assert_called_once_with(verify='/some/cacert')
 sc = sessions.SessionCache()
 keystone_session.reset_mock()
@@ -78,8 +76,7 @@ class TestSessionCache(base.SaharaTestCase):
 self.override_config('ca_file', '/some/cacert', group='cinder')
 self.override_config('api_insecure', False, group='cinder')
 sc.get_session(sessions.SESSION_TYPE_CINDER)
- keystone_session.assert_called_once_with(cert='/some/cacert',
- verify=True)
+ keystone_session.assert_called_once_with(verify='/some/cacert')
 sc = sessions.SessionCache()
 keystone_session.reset_mock()
@@ -98,8 +95,7 @@ class TestSessionCache(base.SaharaTestCase):
 self.override_config('ca_file', '/some/cacert', group='neutron')
 self.override_config('api_insecure', False, group='neutron')
 sc.get_session(sessions.SESSION_TYPE_NEUTRON)
- keystone_session.assert_called_once_with(cert='/some/cacert',
- verify=True)
+ keystone_session.assert_called_once_with(verify='/some/cacert')
 sc = sessions.SessionCache()
 keystone_session.reset_mock()