diff --git a/barbicanclient/client.py b/barbicanclient/client.py
index 81d2c6f9..22573f75 100644
--- a/barbicanclient/client.py
+++ b/barbicanclient/client.py
@@ -50,7 +50,8 @@ class HTTPAuthError(HTTPError):
 class Client(object):
- def __init__(self, auth_plugin=None, endpoint=None, tenant_id=None):
+ def __init__(self, auth_plugin=None, endpoint=None, tenant_id=None,
+ insecure=False):
 """ Barbican client object used to interact with barbican service.
@@ -66,6 +67,7 @@ class Client(object):
 LOG.debug(_("Creating Client object"))
 self._session = requests.Session()
+ self.verify = not insecure
 self.auth_plugin = auth_plugin
 if self.auth_plugin is not None:
@@ -93,23 +95,25 @@ class Client(object):
 def get(self, href, params=None):
 headers = {'Accept': 'application/json'}
- resp = self._session.get(href, params=params, headers=headers)
+ resp = self._session.get(href, params=params, headers=headers,
+ verify=self.verify)
 self._check_status_code(resp)
 return resp.json()
 def get_raw(self, href, headers):
- resp = self._session.get(href, headers=headers)
+ resp = self._session.get(href, headers=headers, verify=self.verify)
 self._check_status_code(resp)
 return resp.content
 def delete(self, href):
- resp = self._session.delete(href)
+ resp = self._session.delete(href, verify=self.verify)
 self._check_status_code(resp)
 def post(self, path, data):
 url = '{0}/{1}/'.format(self.base_url, path)
 headers = {'content-type': 'application/json'}
- resp = self._session.post(url, data=json.dumps(data), headers=headers)
+ resp = self._session.post(url, data=json.dumps(data), headers=headers,
+ verify=self.verify)
 self._check_status_code(resp)
 return resp.json()
diff --git a/barbicanclient/common/auth.py b/barbicanclient/common/auth.py
index 4fd29f61..144076db 100644
--- a/barbicanclient/common/auth.py
+++ b/barbicanclient/common/auth.py
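Review bot: The new `insecure` parameter of `Client.__init__` (client.py, first hunk) is not described in the method's docstring; no hunk touches the lines that follow the docstring opening, so it appears to be left undocumented. I would add an entry along the lines of `:param insecure: when True, the server's TLS certificate is not verified and traffic can be intercepted; keep False outside test environments`. The docstring continues outside the hunk, so the entry should follow whatever parameter style the existing text uses.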
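Review bot: `self.verify = not insecure` in `Client.__init__` (second client.py hunk) turns any truthy value into "verification off", so a library caller that passes a configuration string such as `'false'` silently disables certificate checks. Because this flag fails open, I would reject non-boolean values before the assignment: `if not isinstance(insecure, bool): raise TypeError('insecure must be a bool')`. The CLI path in keep.py uses `action="store_true"` and is not affected. `__init__` starts and ends outside this hunk.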
@@ -24,14 +24,15 @@ class AuthException(Exception):
 class KeystoneAuthV2(object):
 def __init__(self, auth_url='', username='', password='',
- tenant_name='', tenant_id=''):
+ tenant_name='', tenant_id='', insecure=False):
 if not all([auth_url, username, password, tenant_name or tenant_id]):
 raise ValueError('Please provide auth_url, username, password,' ' and tenant_id or tenant_name)')
 self._keystone = ksclient.Client(username=username, password=password, tenant_name=tenant_name,
- auth_url=auth_url)
+ auth_url=auth_url,
+ insecure=insecure)
 self._barbican_url = None #TODO(dmend): make these configurable
 self._service_type = 'keystore'
diff --git a/barbicanclient/keep.py b/barbicanclient/keep.py
index 3dff3a67..ef935086 100644
--- a/barbicanclient/keep.py
+++ b/barbicanclient/keep.py
@@ -71,6 +71,14 @@ class Keep:
 metavar='', default=client.env('BARBICAN_ENDPOINT'), help='Defaults to env[BARBICAN_ENDPOINT].')
+ parser.add_argument('--insecure',
+ default=False,
+ action="store_true",
+ help='Explicitly allow barbicanclient to perform '
+ '"insecure" TLS (https) requests. The '
+ 'server\'s certificate will not be verified '
+ 'against any certificate authorities. This '
+ 'option should be used with caution.')
 return parser
 def _add_create_args(self):
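Review bot: In `KeystoneAuthV2.__init__` (auth.py) the forwarded `insecure=insecure` applies to the Keystone request that carries `username` and `password`, and nothing in the constructor says so. A comment above the `ksclient.Client(...)` call would make the consequence visible to maintainers, for example `# insecure=True skips TLS certificate verification for the token request, which carries the user's password`. The constructor has no docstring in the visible lines and its body continues outside the hunk.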
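Review bot: `--insecure` is the only TLS option this parser gains (keep.py, argument hunk), so a deployment whose Barbican or Keystone endpoint is signed by a private CA has no way to keep verification on and will reach for the off switch. A companion option taking a CA bundle path, e.g. `--os-cacert` as other OpenStack clients name it, would cover that case: requests accepts a path as `verify=` and keystoneclient accepts `cacert=`. The help text could also state that the flag applies to both the Keystone authentication request and the Barbican API calls, as the later keep.py hunk shows. The enclosing method starts outside the hunk.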
@@ -227,18 +235,21 @@ class Keep:
 args = self.parser.parse_args(kwargs.get('argv'))
 if args.no_auth:
 self.client = client.Client(endpoint=args.endpoint,
- tenant_id=args.os_tenant_id)
+ tenant_id=args.os_tenant_id,
+ insecure=args.insecure)
 elif all([args.os_auth_url, args.os_username, args.os_password, args.os_tenant_name]):
 self._keystone = auth.KeystoneAuthV2( auth_url=args.os_auth_url, username=args.os_username, password=args.os_password,
- tenant_name=args.os_tenant_name
+ tenant_name=args.os_tenant_name,
+ insecure=args.insecure
 )
 self.client = client.Client(auth_plugin=self._keystone, endpoint=args.endpoint,
- tenant_id=args.os_tenant_id)
+ tenant_id=args.os_tenant_id,
+ insecure=args.insecure)
 else:
 self.parser.exit( status=1,
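Review bot: When `args.insecure` is set, both branches build clients that skip certificate verification, yet nothing is reported at run time, so a flag left behind in a wrapper script or shell alias goes unnoticed. I would emit a one-line warning on stderr right after `parse_args`, something like `if args.insecure: sys.stderr.write('WARNING: TLS certificate verification is disabled\n')`, assuming `sys` is imported in keep.py. The enclosing method begins before the hunk and the `else` branch continues past it.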