Specify CA store when making secure connections with urllib3

We have been using FileHandle classes mostly in cases when we have to establish secure connection and we have an SSL thumbprint of the host we connect to. However, there are also cases when we don't have a thumbprint and we need CA store. This patch uses the requests library to provide such CA store. Change-Id: I8567c8c273a3bff41c4b80a77e1fa8af743bf98c
2018-05-18 13:18:58 +03:00 · 2018-05-18 13:18:58 +03:00 · 984efbdfd2
commit 984efbdfd2
parent d9b09a58d5
2 changed files with 7 additions and 3 deletions
--- a/oslo_vmware/rw_handles.py
+++ b/oslo_vmware/rw_handles.py
@ -78,7 +78,7 @@ class FileHandle(object):
                    cert_reqs = ssl.CERT_REQUIRED
                else:
                    cert_reqs = ssl.CERT_NONE
-                cacerts = None
+                cacerts = requests.certs.where()
            conn.set_cert(ca_certs=cacerts, cert_reqs=cert_reqs,
                          assert_fingerprint=ssl_thumbprint)
        else:
--- a/oslo_vmware/tests/test_rw_handles.py
+++ b/oslo_vmware/tests/test_rw_handles.py
@ -20,6 +20,7 @@ Unit tests for read and write handles for image transfer.
 import ssl

 import mock
+import requests
 import six

 from oslo_vmware import exceptions
@ -57,8 +58,10 @@ class FileHandleTest(base.TestCase):
        ret = handle._create_connection('https://localhost/foo?q=bar', 'GET')

        self.assertEqual(conn, ret)
+        ca_store = requests.certs.where()
        conn.set_cert.assert_called_once_with(
-            ca_certs=None, cert_reqs=ssl.CERT_NONE, assert_fingerprint=None)
+            ca_certs=ca_store, cert_reqs=ssl.CERT_NONE,
+            assert_fingerprint=None)
        conn.putrequest.assert_called_once_with('GET', '/foo?q=bar')

    @mock.patch('urllib3.connection.HTTPSConnection')
@ -71,8 +74,9 @@ class FileHandleTest(base.TestCase):
                                        cacerts=True)

        self.assertEqual(conn, ret)
+        ca_store = requests.certs.where()
        conn.set_cert.assert_called_once_with(
-            ca_certs=None, cert_reqs=ssl.CERT_REQUIRED,
+            ca_certs=ca_store, cert_reqs=ssl.CERT_REQUIRED,
            assert_fingerprint=None)

    @mock.patch('urllib3.connection.HTTPSConnection')