From 57edaadac18de5bcf6cc5564e2ca8ece2228d10d Mon Sep 17 00:00:00 2001
From: Felipe Rodrigues
Date: Tue, 6 Oct 2020 13:39:58 +0000
Subject: [PATCH] [NetApp] Fix hard-coded CA cert path for SSL

NetApp driver is hard-coding the location of CA certificates for SSL verification during HTTPS requests. This location may change depending on the environment or/and backend.

This patch adds the `netapp_ssl_cert_path` configuration, enabling each backend to choose the directory with certificates of trusted CA or the CA bundle. If set to a directory, it must have been processed using the c_rehash utility supplied with OpenSSL. If not informed, it will use the Mozilla's carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates.

Closes-Bug: #1900191
Change-Id: Idbed4745104de26af99bb16e07c6890637dfcfd1
(cherry picked from commit 70f7859f986a48e53b117a3e16a11cb5454f74e3)
---
 .../drivers/netapp/dataontap/client/api.py | 11 +++++++---
 .../netapp/dataontap/client/client_base.py | 1 +
 .../dataontap/cluster_mode/data_motion.py | 1 +
 .../netapp/dataontap/cluster_mode/lib_base.py | 1 +
 manila/share/drivers/netapp/options.py | 10 +++++++++-
 .../drivers/netapp/dataontap/client/fakes.py | 1 +
 .../cluster_mode/test_data_motion.py | 7 +++++--
 .../share/drivers/netapp/dataontap/fakes.py | 2 ++
 ...ssl-cert-path-option-35354c9b7a9c37e6.yaml | 20 +++++++++++++++++++
 9 files changed, 48 insertions(+), 6 deletions(-)
 create mode 100644 releasenotes/notes/1900191-netapp-fix-ssl-cert-path-option-35354c9b7a9c37e6.yaml

diff --git a/manila/share/drivers/netapp/dataontap/client/api.py b/manila/share/drivers/netapp/dataontap/client/api.py
index b022a63546..1bfd397a03 100644
--- a/manila/share/drivers/netapp/dataontap/client/api.py
+++ b/manila/share/drivers/netapp/dataontap/client/api.py
@@ -65,7 +65,6 @@ class NaServer(object):
 
 TRANSPORT_TYPE_HTTP = 'http'
 TRANSPORT_TYPE_HTTPS = 'https'
- SSL_CERT_DEFAULT = "/etc/ssl/certs/"
 SERVER_TYPE_FILER = 'filer'
 SERVER_TYPE_DFM = 'dfm'
 URL_FILER = 'servlets/netapp.servlets.admin.XMLrequest_filer'
@@ -76,7 +75,7 @@ class NaServer(object):
 
 def __init__(self, host, server_type=SERVER_TYPE_FILER,
 transport_type=TRANSPORT_TYPE_HTTP,
- style=STYLE_LOGIN_PASSWORD, username=None,
+ style=STYLE_LOGIN_PASSWORD, ssl_cert_path=None, username=None,
 password=None, port=None, trace=False,
 api_trace_pattern=utils.API_TRACE_PATTERN):
 self._host = host
@@ -90,6 +89,12 @@ class NaServer(object):
 self._trace = trace
 self._api_trace_pattern = api_trace_pattern
 self._refresh_conn = True
+ if ssl_cert_path is not None:
+ self._ssl_verify = ssl_cert_path
+ else:
+ # Note(felipe_rodrigues): it will verify with the mozila CA roots,
+ # given by certifi package.
+ self._ssl_verify = True
 
 LOG.debug('Using NetApp controller: %s', self._host)
 
@@ -353,7 +358,7 @@ class NaServer(object):
 
 self._session = requests.Session()
 self._session.auth = auth_handler
- self._session.verify = NaServer.SSL_CERT_DEFAULT
+ self._session.verify = self._ssl_verify
 self._session.headers = {
 'Content-Type': 'text/xml', 'charset': 'utf-8'}
 
diff --git a/manila/share/drivers/netapp/dataontap/client/client_base.py b/manila/share/drivers/netapp/dataontap/client/client_base.py
index b97d270aff..131294e8bb 100644
--- a/manila/share/drivers/netapp/dataontap/client/client_base.py
+++ b/manila/share/drivers/netapp/dataontap/client/client_base.py
@@ -29,6 +29,7 @@ class NetAppBaseClient(object):
 self.connection = netapp_api.NaServer(
 host=kwargs['hostname'],
 transport_type=kwargs['transport_type'],
+ ssl_cert_path=kwargs['ssl_cert_path'],
 port=kwargs['port'],
 username=kwargs['username'],
 password=kwargs['password'],
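Review bot: In the third api.py hunk (`@@ -90,6 +89,12 @@`) the `if ssl_cert_path is not None` branch forwards the configured string to requests unchanged, so a backend whose `netapp_ssl_cert_path` is set to an empty string reaches `self._session.verify` (last api.py hunk) as `''`; requests treats any falsy `verify` as "do not verify", which would silently turn off TLS certificate validation for that backend. Treating an empty value like an unset one — `if ssl_cert_path:` — keeps the certifi default, and a non-empty path that does not exist is better rejected here at construction than at the first request, where requests reports the bad bundle path. The comment could also read `# NOTE(felipe_rodrigues): verify against the Mozilla CA roots shipped by certifi.` (fixing "mozila" and matching the project's NOTE style). `__init__` continues outside the hunk.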
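Review bot: `ssl_cert_path=kwargs['ssl_cert_path']` in the client_base.py hunk makes the new key mandatory for every constructor of `NetAppBaseClient`: a caller outside this diff that still builds the client without it now fails with `KeyError` rather than getting the documented certifi default. The neighbouring keys also index `kwargs` directly, so this is consistent, but `kwargs.get('ssl_cert_path')` would make the parameter optional and mirror `NaServer`'s own `ssl_cert_path=None` default. The enclosing `__init__` starts and ends outside the hunk.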
diff --git a/manila/share/drivers/netapp/dataontap/cluster_mode/data_motion.py b/manila/share/drivers/netapp/dataontap/cluster_mode/data_motion.py
index 9650d87236..556b1f58af 100644
--- a/manila/share/drivers/netapp/dataontap/cluster_mode/data_motion.py
+++ b/manila/share/drivers/netapp/dataontap/cluster_mode/data_motion.py
@@ -74,6 +74,7 @@ def get_client_for_backend(backend_name, vserver_name=None):
 config = get_backend_configuration(backend_name)
 client = client_cmode.NetAppCmodeClient(
 transport_type=config.netapp_transport_type,
+ ssl_cert_path=config.netapp_ssl_cert_path,
 username=config.netapp_login,
 password=config.netapp_password,
 hostname=config.netapp_server_hostname,
diff --git a/manila/share/drivers/netapp/dataontap/cluster_mode/lib_base.py b/manila/share/drivers/netapp/dataontap/cluster_mode/lib_base.py
index ca1779afa4..1f8269e363 100644
--- a/manila/share/drivers/netapp/dataontap/cluster_mode/lib_base.py
+++ b/manila/share/drivers/netapp/dataontap/cluster_mode/lib_base.py
@@ -196,6 +196,7 @@ class NetAppCmodeFileStorageLibrary(object):
 if not client:
 client = client_cmode.NetAppCmodeClient(
 transport_type=self.configuration.netapp_transport_type,
+ ssl_cert_path=self.configuration.netapp_ssl_cert_path,
 username=self.configuration.netapp_login,
 password=self.configuration.netapp_password,
 hostname=self.configuration.netapp_server_hostname,
diff --git a/manila/share/drivers/netapp/options.py b/manila/share/drivers/netapp/options.py
index d607d9abbf..faab89a21c 100644
--- a/manila/share/drivers/netapp/options.py
+++ b/manila/share/drivers/netapp/options.py
@@ -45,7 +45,15 @@ netapp_transport_opts = [
 default='http',
 help=('The transport protocol used when communicating with '
 'the storage system or proxy server. Valid values are '
- 'http or https.')), ]
+ 'http or https.')),
+ cfg.StrOpt('netapp_ssl_cert_path',
+ help=('The path to a CA_BUNDLE file or directory with '
+ 'certificates of trusted CA. If set to a directory, it '
+ 'must have been processed using the c_rehash utility '
+ 'supplied with OpenSSL. If not informed, it will use the '
+ 'Mozilla’s carefully curated collection of Root '
+ 'Certificates for validating the trustworthiness of SSL '
+ 'certificates.')), ]
 
 netapp_basicauth_opts = [
 cfg.StrOpt('netapp_login',
diff --git a/manila/tests/share/drivers/netapp/dataontap/client/fakes.py b/manila/tests/share/drivers/netapp/dataontap/client/fakes.py
index 7652189938..c35a42914e 100644
--- a/manila/tests/share/drivers/netapp/dataontap/client/fakes.py
+++ b/manila/tests/share/drivers/netapp/dataontap/client/fakes.py
@@ -23,6 +23,7 @@ from manila.share.drivers.netapp.dataontap.client import api
 CONNECTION_INFO = {
 'hostname': 'hostname',
 'transport_type': 'https',
+ 'ssl_cert_path': '/etc/ssl/certs/',
 'port': 443,
 'username': 'admin',
 'password': 'passw0rd',
diff --git a/manila/tests/share/drivers/netapp/dataontap/cluster_mode/test_data_motion.py b/manila/tests/share/drivers/netapp/dataontap/cluster_mode/test_data_motion.py
index 9e58818298..21ec4c2f31 100644
--- a/manila/tests/share/drivers/netapp/dataontap/cluster_mode/test_data_motion.py
+++ b/manila/tests/share/drivers/netapp/dataontap/cluster_mode/test_data_motion.py
@@ -64,6 +64,8 @@ class NetAppCDOTDataMotionTestCase(test.TestCase):
 group=self.backend)
 CONF.set_override("netapp_server_port", 8866,
 group=self.backend)
+ CONF.set_override("netapp_ssl_cert_path", "/etc/ssl/certs",
+ group=self.backend)
 
 def test_get_client_for_backend(self):
 self.mock_object(data_motion, "get_backend_configuration",
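Review bot: The help text added in the options.py hunk contains a typographic apostrophe (`Mozilla’s`, U+2019), the only non-ASCII character in the block, while the release note and commit message spell it `Mozilla's`; the ASCII form renders the same in generated sample configs and avoids surprises in tooling that assumes ASCII source. I would write `"Mozilla's carefully curated collection of Root "`. The help could also say plainly that the value is ignored for `netapp_transport_type = http` and must point at a readable CA bundle file or c_rehash'ed directory, since a wrong path only surfaces at the first HTTPS request.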
@@ -74,7 +76,7 @@ class NetAppCDOTDataMotionTestCase(test.TestCase):
 self.mock_cmode_client.assert_called_once_with(
 hostname='fake.hostname', password='fake_password',
 username='fake_user', transport_type='https', port=8866,
- trace=mock.ANY, vserver=None)
+ ssl_cert_path='/etc/ssl/certs', trace=mock.ANY, vserver=None)
 
 def test_get_client_for_backend_with_vserver(self):
 self.mock_object(data_motion, "get_backend_configuration",
@@ -88,7 +90,8 @@ class NetAppCDOTDataMotionTestCase(test.TestCase):
 self.mock_cmode_client.assert_called_once_with(
 hostname='fake.hostname', password='fake_password',
 username='fake_user', transport_type='https', port=8866,
- trace=mock.ANY, vserver='fake_vserver')
+ ssl_cert_path='/etc/ssl/certs', trace=mock.ANY,
+ vserver='fake_vserver')
 
 def test_get_config_for_backend(self):
 self.mock_object(data_motion, "CONF")
diff --git a/manila/tests/share/drivers/netapp/dataontap/fakes.py b/manila/tests/share/drivers/netapp/dataontap/fakes.py
index e2e47d4e57..bbf7bc9d8e 100644
--- a/manila/tests/share/drivers/netapp/dataontap/fakes.py
+++ b/manila/tests/share/drivers/netapp/dataontap/fakes.py
@@ -99,6 +99,7 @@ CLIENT_KWARGS = {
 'hostname': '127.0.0.1',
 'vserver': None,
 'transport_type': 'https',
+ 'ssl_cert_path': '/etc/ssl/certs/',
 'password': 'pass',
 'port': '443',
 'api_trace_pattern': '(.*)',
@@ -1599,6 +1600,7 @@ def get_config_cmode():
 config.netapp_password = CLIENT_KWARGS['password']
 config.netapp_server_hostname = CLIENT_KWARGS['hostname']
 config.netapp_transport_type = CLIENT_KWARGS['transport_type']
+ config.netapp_ssl_cert_path = CLIENT_KWARGS['ssl_cert_path']
 config.netapp_server_port = CLIENT_KWARGS['port']
 config.netapp_volume_name_template = VOLUME_NAME_TEMPLATE
 config.netapp_aggregate_name_search_pattern = AGGREGATE_NAME_SEARCH_PATTERN
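Review bot: The two test_data_motion.py hunks only assert that `ssl_cert_path='/etc/ssl/certs'` is threaded through to the client constructor, and the diffstat lists no test for `NaServer` itself, so neither the `ssl_cert_path=None` → `self._ssl_verify = True` default nor the `self._session.verify = self._ssl_verify` assignment added in api.py has coverage. A unit test constructing `NaServer` with and without `ssl_cert_path` and asserting `_ssl_verify` is the configured path or `True` would pin the behaviour that decides whether TLS certificates are checked. The fixtures also keep using the former hard-coded default `/etc/ssl/certs/`, so a distinct value would better prove the option is honoured.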
diff --git a/releasenotes/notes/1900191-netapp-fix-ssl-cert-path-option-35354c9b7a9c37e6.yaml b/releasenotes/notes/1900191-netapp-fix-ssl-cert-path-option-35354c9b7a9c37e6.yaml
new file mode 100644
index 0000000000..0e1a6c17fd
--- /dev/null
+++ b/releasenotes/notes/1900191-netapp-fix-ssl-cert-path-option-35354c9b7a9c37e6.yaml
@@ -0,0 +1,20 @@
+---
+upgrade:
+ - Added a new config option `netapp_ssl_cert_path` for NetApp driver.
+ This option enables the user to choose the directory with certificates of
+ trusted CA or the CA bundle. If set to a directory, it must have been
+ processed using the c_rehash utility supplied with OpenSSL. If not
+ informed, it will use the Mozilla's carefully curated collection of Root
+ Certificates for validating the trustworthiness of SSL certificates.
+fixes:
+ - |
+ Fixed an issue on ONTAP NetApp driver that was forcing the location of
+ CA certificates for SSL verification during HTTPS requests. It adds the
+ `netapp_ssl_cert_path` configuration, enabling the user to choose the
+ directory with certificates of trusted CA or the CA bundle. If set to a
+ directory, it must have been processed using the c_rehash utility supplied
+ with OpenSSL. If not informed, it will use the Mozilla's carefully curated
+ collection of Root Certificates for validating the trustworthiness of SSL
+ certificates. Please refer to the
+ `Launchpad bug #1900191 `_
+ for more details.