Ensure metadata agent doesn't use SSL for UNIX socket

The communication between the ns metadata proxy and the metadata agent
is pure HTTP, and should not switch to HTTPS when neutron is using SSL.

We're therefore telling wsgi.Server to forcefully disable SSL in that
case.

Change-Id: I2cb9fa231193bcd5c721c4d5cf0eb9c16e842349
Closes-Bug: #1514424

neutron/agent/linux/utils.py

@@ -395,7 +395,7 @@ class UnixDomainWSGIServer(wsgi.Server):
         self._socket = None
         self._launcher = None
         self._server = None
-        super(UnixDomainWSGIServer, self).__init__(name)
+        super(UnixDomainWSGIServer, self).__init__(name, disable_ssl=True)
 
     def start(self, application, file_socket, workers, backlog, mode=None):
         self._socket = eventlet.listen(file_socket,

neutron/tests/unit/test_wsgi.py

@@ -175,6 +175,28 @@ class TestWSGIServer(base.BaseTestCase):
 
         server.stop()
 
+    def test_disable_ssl(self):
+        CONF.set_default('use_ssl', True)
+
+        greetings = 'Hello, World!!!'
+
+        def hello_world(env, start_response):
+            if env['PATH_INFO'] != '/':
+                start_response('404 Not Found',
+                               [('Content-Type', 'text/plain')])
+                return ['Not Found\r\n']
+            start_response('200 OK', [('Content-Type', 'text/plain')])
+            return [greetings]
+
+        server = wsgi.Server("test_app", disable_ssl=True)
+        server.start(hello_world, 0, host="127.0.0.1")
+
+        response = open_no_proxy('http://127.0.0.1:%d/' % server.port)
+
+        self.assertEqual(greetings.encode('utf-8'), response.read())
+
+        server.stop()
+
     @mock.patch.object(wsgi, 'eventlet')
     def test__run(self, eventlet_mock):
         server = wsgi.Server('test')

neutron/wsgi.py

@@ -76,9 +76,10 @@ def encode_body(body):
 
 class WorkerService(worker.NeutronWorker):
     """Wraps a worker to be handled by ProcessLauncher"""
-    def __init__(self, service, application):
+    def __init__(self, service, application, disable_ssl=False):
         self._service = service
         self._application = application
+        self._disable_ssl = disable_ssl
         self._server = None
 
     def start(self):
@@ -89,7 +90,7 @@ class WorkerService(worker.NeutronWorker):
         # errors on service restart.
         # Duplicate a socket object to keep a file descriptor usable.
         dup_sock = self._service._socket.dup()
-        if CONF.use_ssl:
+        if CONF.use_ssl and not self._disable_ssl:
             dup_sock = sslutils.wrap(CONF, dup_sock)
         self._server = self._service.pool.spawn(self._service._run,
                                                 self._application,
@@ -112,10 +113,11 @@ class WorkerService(worker.NeutronWorker):
 class Server(object):
     """Server class to manage multiple WSGI sockets and applications."""
 
-    def __init__(self, name, num_threads=1000):
+    def __init__(self, name, num_threads=1000, disable_ssl=False):
         # Raise the default from 8192 to accommodate large tokens
         eventlet.wsgi.MAX_HEADER_LINE = CONF.max_header_line
         self.num_threads = num_threads
+        self.disable_ssl = disable_ssl
         # Pool for a greenthread in which wsgi server will be running
         self.pool = eventlet.GreenPool(1)
         self.name = name
@@ -123,7 +125,7 @@ class Server(object):
         # A value of 0 is converted to None because None is what causes the
         # wsgi server to wait forever.
         self.client_socket_timeout = CONF.client_socket_timeout or None
-        if CONF.use_ssl:
+        if CONF.use_ssl and not self.disable_ssl:
             sslutils.is_enabled(CONF)
 
     def _get_socket(self, host, port, backlog):
@@ -186,7 +188,7 @@ class Server(object):
         self._launch(application, workers)
 
     def _launch(self, application, workers=0):
-        service = WorkerService(self, application)
+        service = WorkerService(self, application, self.disable_ssl)
         if workers < 1:
             # The API service should run in the current process.
             self._server = service