Merge "[NetApp] Fix hard-coded CA cert path for SSL" into stable/victoria

manila/share/drivers/netapp/dataontap/client/api.py

@@ -65,7 +65,6 @@ class NaServer(object):
 
     TRANSPORT_TYPE_HTTP = 'http'
     TRANSPORT_TYPE_HTTPS = 'https'
-    SSL_CERT_DEFAULT = "/etc/ssl/certs/"
     SERVER_TYPE_FILER = 'filer'
     SERVER_TYPE_DFM = 'dfm'
     URL_FILER = 'servlets/netapp.servlets.admin.XMLrequest_filer'
@@ -76,7 +75,7 @@ class NaServer(object):
 
     def __init__(self, host, server_type=SERVER_TYPE_FILER,
                  transport_type=TRANSPORT_TYPE_HTTP,
-                 style=STYLE_LOGIN_PASSWORD, username=None,
+                 style=STYLE_LOGIN_PASSWORD, ssl_cert_path=None, username=None,
                  password=None, port=None, trace=False,
                  api_trace_pattern=utils.API_TRACE_PATTERN):
         self._host = host
@@ -90,6 +89,12 @@ class NaServer(object):
         self._trace = trace
         self._api_trace_pattern = api_trace_pattern
         self._refresh_conn = True
+        if ssl_cert_path is not None:
+            self._ssl_verify = ssl_cert_path
+        else:
+            # Note(felipe_rodrigues): it will verify with the mozila CA roots,
+            # given by certifi package.
+            self._ssl_verify = True
 
         LOG.debug('Using NetApp controller: %s', self._host)
 
@@ -353,7 +358,7 @@ class NaServer(object):
 
         self._session = requests.Session()
         self._session.auth = auth_handler
-        self._session.verify = NaServer.SSL_CERT_DEFAULT
+        self._session.verify = self._ssl_verify
         self._session.headers = {
             'Content-Type': 'text/xml', 'charset': 'utf-8'}
 

manila/share/drivers/netapp/dataontap/client/client_base.py

@@ -29,6 +29,7 @@ class NetAppBaseClient(object):
         self.connection = netapp_api.NaServer(
             host=kwargs['hostname'],
             transport_type=kwargs['transport_type'],
+            ssl_cert_path=kwargs['ssl_cert_path'],
             port=kwargs['port'],
             username=kwargs['username'],
             password=kwargs['password'],

manila/share/drivers/netapp/dataontap/cluster_mode/data_motion.py

@@ -74,6 +74,7 @@ def get_client_for_backend(backend_name, vserver_name=None):
     config = get_backend_configuration(backend_name)
     client = client_cmode.NetAppCmodeClient(
         transport_type=config.netapp_transport_type,
+        ssl_cert_path=config.netapp_ssl_cert_path,
         username=config.netapp_login,
         password=config.netapp_password,
         hostname=config.netapp_server_hostname,

manila/share/drivers/netapp/dataontap/cluster_mode/lib_base.py

@@ -196,6 +196,7 @@ class NetAppCmodeFileStorageLibrary(object):
         if not client:
             client = client_cmode.NetAppCmodeClient(
                 transport_type=self.configuration.netapp_transport_type,
+                ssl_cert_path=self.configuration.netapp_ssl_cert_path,
                 username=self.configuration.netapp_login,
                 password=self.configuration.netapp_password,
                 hostname=self.configuration.netapp_server_hostname,

manila/share/drivers/netapp/options.py

@@ -45,7 +45,15 @@ netapp_transport_opts = [
                default='http',
                help=('The transport protocol used when communicating with '
                      'the storage system or proxy server. Valid values are '
-                     'http or https.')), ]
+                     'http or https.')),
+    cfg.StrOpt('netapp_ssl_cert_path',
+               help=('The path to a CA_BUNDLE file or directory with '
+                     'certificates of trusted CA. If set to a directory, it '
+                     'must have been processed using the c_rehash utility '
+                     'supplied with OpenSSL. If not informed, it will use the '
+                     'Mozilla’s carefully curated collection of Root '
+                     'Certificates for validating the trustworthiness of SSL '
+                     'certificates.')), ]
 
 netapp_basicauth_opts = [
     cfg.StrOpt('netapp_login',

manila/tests/share/drivers/netapp/dataontap/client/fakes.py

@@ -23,6 +23,7 @@ from manila.share.drivers.netapp.dataontap.client import api
 CONNECTION_INFO = {
     'hostname': 'hostname',
     'transport_type': 'https',
+    'ssl_cert_path': '/etc/ssl/certs/',
     'port': 443,
     'username': 'admin',
     'password': 'passw0rd',

manila/tests/share/drivers/netapp/dataontap/cluster_mode/test_data_motion.py

@@ -64,6 +64,8 @@ class NetAppCDOTDataMotionTestCase(test.TestCase):
                           group=self.backend)
         CONF.set_override("netapp_server_port", 8866,
                           group=self.backend)
+        CONF.set_override("netapp_ssl_cert_path", "/etc/ssl/certs",
+                          group=self.backend)
 
     def test_get_client_for_backend(self):
         self.mock_object(data_motion, "get_backend_configuration",
@@ -74,7 +76,7 @@ class NetAppCDOTDataMotionTestCase(test.TestCase):
         self.mock_cmode_client.assert_called_once_with(
             hostname='fake.hostname', password='fake_password',
             username='fake_user', transport_type='https', port=8866,
-            trace=mock.ANY, vserver=None)
+            ssl_cert_path='/etc/ssl/certs', trace=mock.ANY, vserver=None)
 
     def test_get_client_for_backend_with_vserver(self):
         self.mock_object(data_motion, "get_backend_configuration",
@@ -88,7 +90,8 @@ class NetAppCDOTDataMotionTestCase(test.TestCase):
         self.mock_cmode_client.assert_called_once_with(
             hostname='fake.hostname', password='fake_password',
             username='fake_user', transport_type='https', port=8866,
-            trace=mock.ANY, vserver='fake_vserver')
+            ssl_cert_path='/etc/ssl/certs', trace=mock.ANY,
+            vserver='fake_vserver')
 
     def test_get_config_for_backend(self):
         self.mock_object(data_motion, "CONF")

manila/tests/share/drivers/netapp/dataontap/fakes.py

@@ -99,6 +99,7 @@ CLIENT_KWARGS = {
     'hostname': '127.0.0.1',
     'vserver': None,
     'transport_type': 'https',
+    'ssl_cert_path': '/etc/ssl/certs/',
     'password': 'pass',
     'port': '443',
     'api_trace_pattern': '(.*)',
@@ -1599,6 +1600,7 @@ def get_config_cmode():
     config.netapp_password = CLIENT_KWARGS['password']
     config.netapp_server_hostname = CLIENT_KWARGS['hostname']
     config.netapp_transport_type = CLIENT_KWARGS['transport_type']
+    config.netapp_ssl_cert_path = CLIENT_KWARGS['ssl_cert_path']
     config.netapp_server_port = CLIENT_KWARGS['port']
     config.netapp_volume_name_template = VOLUME_NAME_TEMPLATE
     config.netapp_aggregate_name_search_pattern = AGGREGATE_NAME_SEARCH_PATTERN

releasenotes/notes/1900191-netapp-fix-ssl-cert-path-option-35354c9b7a9c37e6.yaml

@@ -0,0 +1,20 @@
+---
+upgrade:
+  - Added a new config option `netapp_ssl_cert_path` for NetApp driver.
+    This option enables the user to choose the directory with certificates of
+    trusted CA or the CA bundle. If set to a directory, it must have been
+    processed using the c_rehash utility supplied with OpenSSL. If not
+    informed, it will use the Mozilla's carefully curated collection of Root
+    Certificates for validating the trustworthiness of SSL certificates.
+fixes:
+  - |
+    Fixed an issue on ONTAP NetApp driver that was forcing the location of
+    CA certificates for SSL verification during HTTPS requests. It adds the
+    `netapp_ssl_cert_path` configuration, enabling the user to choose the
+    directory with certificates of trusted CA or the CA bundle. If set to a
+    directory, it must have been processed using the c_rehash utility supplied
+    with OpenSSL. If not informed, it will use the Mozilla's carefully curated
+    collection of Root Certificates for validating the trustworthiness of SSL
+    certificates. Please refer to the
+    `Launchpad bug #1900191 <https://bugs.launchpad.net/manila/+bug/1900191>`_
+    for more details.