Merge "Disable verification for Keystone session in Swift"

2018-06-19 04:06:15 +00:00 · 2018-06-19 04:06:15 +00:00 · fd2a80a08f
commit fd2a80a08f
parent cc97b94903 54b7ccbb9b
2 changed files with 29 additions and 14 deletions
--- a/glance_store/_drivers/swift/store.py
+++ b/glance_store/_drivers/swift/store.py
@ -1331,7 +1331,7 @@ class SingleTenantStore(BaseStore):
            project_domain_id=self.project_domain_id,
            project_domain_name=self.project_domain_name)

-        sess = ks_session.Session(auth=password)
+        sess = ks_session.Session(auth=password, verify=not self.insecure)
        return ks_client.Client(session=sess)

    def get_manager(self, store_location, context=None, allow_reauth=False):
@ -1452,7 +1452,8 @@ class MultiTenantStore(BaseStore):
        trustor_auth = ks_identity.V3Token(auth_url=auth_address,
                                           token=context.auth_token,
                                           project_id=context.tenant)
-        trustor_sess = ks_session.Session(auth=trustor_auth)
+        trustor_sess = ks_session.Session(auth=trustor_auth,
+                                          verify=not self.insecure)
        trustor_client = ks_client.Client(session=trustor_sess)
        auth_ref = trustor_client.session.auth.get_auth_ref(trustor_sess)
        roles = [t['name'] for t in auth_ref['roles']]
@ -1468,7 +1469,8 @@ class MultiTenantStore(BaseStore):
            user_domain_name=user_domain_name,
            project_domain_id=project_domain_id,
            project_domain_name=project_domain_name)
-        trustee_sess = ks_session.Session(auth=password)
+        trustee_sess = ks_session.Session(auth=password,
+                                          verify=not self.insecure)
        trustee_client = ks_client.Client(session=trustee_sess)

        # request glance user id - we will use it as trustee user
@ -1494,7 +1496,8 @@ class MultiTenantStore(BaseStore):
        )
        # now we can authenticate against KS
        # as trustee of user who provided token
-        client_sess = ks_session.Session(auth=client_password)
+        client_sess = ks_session.Session(auth=client_password,
+                                         verify=not self.insecure)
        return ks_client.Client(session=client_sess)

    def get_manager(self, store_location, context=None, allow_reauth=False):
--- a/glance_store/tests/unit/test_swift_store.py
+++ b/glance_store/tests/unit/test_swift_store.py
@ -1213,17 +1213,27 @@ class SwiftTests(object):
        loc = mock.MagicMock()
        self.assertRaises(NotImplementedError, store.get_manager, loc)

+    def test_init_client_multi_tenant(self):
+        """Test that keystone client was initialized correctly"""
+        self._init_client(verify=True, swift_store_multi_tenant=True,
+                          swift_store_config_file=None)
+
+    def test_init_client_multi_tenant_insecure(self):
+        """
+        Test that keystone client was initialized correctly with no
+        certificate verification.
+        """
+        self._init_client(verify=False, swift_store_multi_tenant=True,
+                          swift_store_auth_insecure=True,
+                          swift_store_config_file=None)
+
    @mock.patch("glance_store._drivers.swift.store.ks_identity")
    @mock.patch("glance_store._drivers.swift.store.ks_session")
    @mock.patch("glance_store._drivers.swift.store.ks_client")
-    def test_init_client_multi_tenant(self,
-                                      mock_client,
-                                      mock_session,
-                                      mock_identity):
-        """Test that keystone client was initialized correctly"""
+    def _init_client(self, mock_client, mock_session, mock_identity, verify,
+                     **kwargs):
        # initialize store and connection parameters
-        self.config(swift_store_config_file=None)
-        self.config(swift_store_multi_tenant=True)
+        self.config(**kwargs)
        store = Store(self.conf)
        store.configure()
        ref_params = sutils.SwiftParams(self.conf).params
@ -1255,7 +1265,8 @@ class SwiftTests(object):
            token=ctxt.auth_token,
            project_id=ctxt.tenant
        )
-        mock_session.Session.assert_any_call(auth=mock_identity.V3Token())
+        mock_session.Session.assert_any_call(auth=mock_identity.V3Token(),
+                                             verify=verify)
        mock_client.Client.assert_any_call(session=trustor_session)
        # test trustee usage and trust creation
        tenant_name, user = default_swift_reference.get('user').split(':')
@ -1270,7 +1281,8 @@ class SwiftTests(object):
            project_domain_name=default_swift_reference.get(
                'project_domain_name')
        )
-        mock_session.Session.assert_any_call(auth=mock_identity.V3Password())
+        mock_session.Session.assert_any_call(auth=mock_identity.V3Password(),
+                                             verify=verify)
        mock_client.Client.assert_any_call(session=trustee_session)
        trustor_client.trusts.create.assert_called_once_with(
            trustee_user='fake_user', trustor_user=ctxt.user,
@ -1380,7 +1392,7 @@ class TestStoreAuthV3(TestStoreAuthV1):
            project_domain_id='default', project_domain_name=None,
            user_domain_id='default', user_domain_name=None,)
        mock_session.Session.assert_called_once_with(
-            auth=mock_identity.V3Password())
+            auth=mock_identity.V3Password(), verify=True)
        mock_client.Client.assert_called_once_with(
            session=mock_session.Session())