From 0e4fc55097b3dfde8fa41282c03d9ad8622aa153 Mon Sep 17 00:00:00 2001
From: Craig Tracey
Date: Wed, 20 Nov 2013 15:55:24 -0500
Subject: [PATCH 1/2] Adding the --insecure cli argument
There are times when testing against insecure endpoints makes sense. Therefore, provide a mechanism similar to how the other OpenStack cli tools allow for insecure SSL connections.
---
 barbicanclient/client.py | 14 +++++++++-----
 barbicanclient/common/auth.py | 5 +++--
 barbicanclient/keep.py | 17 ++++++++++++++---
 3 files changed, 26 insertions(+), 10 deletions(-)
diff --git a/barbicanclient/client.py b/barbicanclient/client.py
index 81d2c6f9..22573f75 100644
--- a/barbicanclient/client.py
+++ b/barbicanclient/client.py
@@ -50,7 +50,8 @@ class HTTPAuthError(HTTPError):
 class Client(object):
- def __init__(self, auth_plugin=None, endpoint=None, tenant_id=None):
+ def __init__(self, auth_plugin=None, endpoint=None, tenant_id=None,
+ insecure=False):
 """
 Barbican client object used to interact with barbican service.
@@ -66,6 +67,7 @@ class Client(object):
 LOG.debug(_("Creating Client object"))
 self._session = requests.Session()
+ self.verify = not insecure
 self.auth_plugin = auth_plugin
 if self.auth_plugin is not None:
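Review bot: The docstring of `Client.__init__` is not extended for the new `insecure` argument added in the first hunk, although this is the argument a caller most needs explained. I would add a parameter line such as `:param insecure: if True, the server's TLS certificate is not verified on any request sent by this client; for test endpoints only`. The docstring runs past the end of the hunk, so its existing parameter style is not visible here and the wording should follow it.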
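Review bot: `self.verify = not insecure` in the second hunk turns certificate verification off without leaving any trace, so a client constructed with `insecure=True` by a wrapper script or a stale shell alias looks the same in the logs as a verified one. I would log it once at construction, right after the assignment: `if insecure: LOG.warning(_("TLS certificate verification is disabled for this client"))`. `LOG` and `_` are already used on the context line above, so nothing new has to be imported. The rest of `__init__` lies outside the hunk.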
@@ -93,23 +95,25 @@ class Client(object):
 def get(self, href, params=None):
 headers = {'Accept': 'application/json'}
- resp = self._session.get(href, params=params, headers=headers)
+ resp = self._session.get(href, params=params, headers=headers,
+ verify=self.verify)
 self._check_status_code(resp)
 return resp.json()
 def get_raw(self, href, headers):
- resp = self._session.get(href, headers=headers)
+ resp = self._session.get(href, headers=headers, verify=self.verify)
 self._check_status_code(resp)
 return resp.content
 def delete(self, href):
- resp = self._session.delete(href)
+ resp = self._session.delete(href, verify=self.verify)
 self._check_status_code(resp)
 def post(self, path, data):
 url = '{0}/{1}/'.format(self.base_url, path)
 headers = {'content-type': 'application/json'}
- resp = self._session.post(url, data=json.dumps(data), headers=headers)
+ resp = self._session.post(url, data=json.dumps(data), headers=headers,
+ verify=self.verify)
 self._check_status_code(resp)
 return resp.json()
diff --git a/barbicanclient/common/auth.py b/barbicanclient/common/auth.py
index 4fd29f61..144076db 100644
--- a/barbicanclient/common/auth.py
+++ b/barbicanclient/common/auth.py
@@ -24,14 +24,15 @@ class AuthException(Exception):
 class KeystoneAuthV2(object):
 def __init__(self, auth_url='', username='', password='',
- tenant_name='', tenant_id=''):
+ tenant_name='', tenant_id='', insecure=False):
 if not all([auth_url, username, password, tenant_name or tenant_id]):
 raise ValueError('Please provide auth_url, username, password,'
 ' and tenant_id or tenant_name)')
 self._keystone = ksclient.Client(username=username,
 password=password,
 tenant_name=tenant_name,
- auth_url=auth_url)
+ auth_url=auth_url,
+ insecure=insecure)
 self._barbican_url = None
 #TODO(dmend): make these configurable
 self._service_type = 'keystore'
diff --git a/barbicanclient/keep.py b/barbicanclient/keep.py
index 3dff3a67..ef935086 100644
--- a/barbicanclient/keep.py
+++ b/barbicanclient/keep.py
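Review bot: `verify=self.verify` is repeated in `get`, `get_raw`, `delete` and `post`, which spreads one transport policy over four call sites. `requests.Session` carries its own `verify` attribute that applies to every request made through the session, so a single `self._session.verify = not insecure` in `__init__` would let these four calls stay as they were before the patch. If the session-level form is adopted, it is worth a unit test that a client built with `insecure=True` really sends unverified requests with the `requests` version the project pins, since environment CA-bundle settings are merged in at request time.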
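Review bot: `KeystoneAuthV2.__init__` gains `insecure` without any documentation, and here the effect is more sensitive than in `Client`: the flag is forwarded to `ksclient.Client`, so the token request that carries `username` and `password` is the one made without certificate verification. No docstring is visible in the hunk, so I would add a comment above the call, `# insecure=True disables TLS certificate verification for the Keystone token request`, or a docstring line saying the same. The constructor body continues outside the hunk.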
@@ -71,6 +71,14 @@ class Keep:
 metavar='',
 default=client.env('BARBICAN_ENDPOINT'),
 help='Defaults to env[BARBICAN_ENDPOINT].')
+ parser.add_argument('--insecure',
+ default=False,
+ action="store_true",
+ help='Explicitly allow barbicanclient to perform '
+ '"insecure" TLS (https) requests. The '
+ 'server\'s certificate will not be verified '
+ 'against any certificate authorities. This '
+ 'option should be used with caution.')
 return parser
 def _add_create_args(self):
@@ -227,18 +235,21 @@ class Keep:
 args = self.parser.parse_args(kwargs.get('argv'))
 if args.no_auth:
 self.client = client.Client(endpoint=args.endpoint,
- tenant_id=args.os_tenant_id)
+ tenant_id=args.os_tenant_id,
+ insecure=args.insecure)
 elif all([args.os_auth_url, args.os_username, args.os_password, args.os_tenant_name]):
 self._keystone = auth.KeystoneAuthV2(
 auth_url=args.os_auth_url,
 username=args.os_username,
 password=args.os_password,
- tenant_name=args.os_tenant_name
+ tenant_name=args.os_tenant_name,
+ insecure=args.insecure
 )
 self.client = client.Client(auth_plugin=self._keystone,
 endpoint=args.endpoint,
- tenant_id=args.os_tenant_id)
+ tenant_id=args.os_tenant_id,
+ insecure=args.insecure)
 else:
 self.parser.exit(
 status=1,
From 0deaa0ab843179039e7ce72b7455f7b0e6922ddc Mon Sep 17 00:00:00 2001
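Review bot: `--insecure` is the only option the first hunk offers for an endpoint whose certificate is not signed by a CA in the default trust store, so testing against a self-signed deployment means giving up verification altogether. A `--os-cacert` option, as the other OpenStack command-line clients have, would keep verification on for that case: `requests` accepts a CA bundle path as the `verify` value and `ksclient.Client` takes a `cacert` argument. The sketch below only adds the argument; passing it on to `Client` and `KeystoneAuthV2` in the second hunk is not shown.

```python
# … unchanged: --insecure argument …
parser.add_argument('--os-cacert',
                    metavar='<ca-certificate>',
                    default=client.env('OS_CACERT'),
                    help='Path to a CA bundle file used to verify the '
                         'server certificate. Defaults to '
                         'env[OS_CACERT].')
return parser
```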
From: Craig Tracey
Date: Mon, 25 Nov 2013 12:49:19 -0500
Subject: [PATCH 2/2] Rework logging to support importing externally
Right now barbican client is not usable when importing from other OpenStack modules. This is due to the fact that logging under barbican.openstack.common wants to do things like register default CONF options. And, as these have already been registered, this will fail with exceptions like ArgsAlreadyParsedError. Therefore, move this client to follow the examples provided by the other python-*client modules. Namely, import standard logging module and move the setup into the keep client itself. Now when called from places like Nova, we will not encounter import issues. Additionally, this change fixes a bug in barbicanclient.common.auth where LOG was used but not defined.
---
 barbicanclient/client.py | 3 +--
 barbicanclient/common/auth.py | 4 ++++
 barbicanclient/keep.py | 3 +++
 barbicanclient/orders.py | 3 ++-
 barbicanclient/secrets.py | 3 ++-
 5 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/barbicanclient/client.py b/barbicanclient/client.py
index 22573f75..e5de7c11 100644
--- a/barbicanclient/client.py
+++ b/barbicanclient/client.py
@@ -13,18 +13,17 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 import json
+import logging
 import os
 import requests
-from barbicanclient.openstack.common import log as logging
 from barbicanclient.openstack.common.gettextutils import _
 from barbicanclient import orders
 from barbicanclient import secrets
 LOG = logging.getLogger(__name__)
-logging.setup('barbicanclient')
 class HTTPError(Exception):
diff --git a/barbicanclient/common/auth.py b/barbicanclient/common/auth.py
index 144076db..2c91c58d 100644
--- a/barbicanclient/common/auth.py
+++ b/barbicanclient/common/auth.py
@@ -12,9 +12,13 @@
 # implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+import logging
+
 from keystoneclient.v2_0 import client as ksclient
 from keystoneclient import exceptions
+LOG = logging.getLogger(__name__)
+
 class AuthException(Exception):
 """Raised when authorization fails."""
diff --git a/barbicanclient/keep.py b/barbicanclient/keep.py
index ef935086..eead1919 100644
--- a/barbicanclient/keep.py
+++ b/barbicanclient/keep.py
@@ -19,6 +19,9 @@ import argparse
 from barbicanclient.common import auth
 from barbicanclient import client
+from barbicanclient.openstack.common import log as logging
+
+logging.setup('barbicanclient')
 class Keep:
diff --git a/barbicanclient/orders.py b/barbicanclient/orders.py
index 27d52a59..3747306f 100644
--- a/barbicanclient/orders.py
+++ b/barbicanclient/orders.py
@@ -12,9 +12,10 @@
 # implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+import logging
+
 from barbicanclient import base
 from barbicanclient.openstack.common.gettextutils import _
-from barbicanclient.openstack.common import log as logging
 from barbicanclient.openstack.common import timeutils
diff --git a/barbicanclient/secrets.py b/barbicanclient/secrets.py
index f4dda80e..a479f2c4 100644
--- a/barbicanclient/secrets.py
+++ b/barbicanclient/secrets.py
@@ -12,8 +12,9 @@
 # implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+import logging
+
 from barbicanclient import base
-from barbicanclient.openstack.common import log as logging
 from barbicanclient.openstack.common.timeutils import parse_isotime
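Review bot: In the keep.py hunk, `logging.setup('barbicanclient')` still runs at module import time, only in a different module. Any process that imports `barbicanclient.keep` would presumably hit the same option-registration failure the commit message describes for `client.py`, and importing the module also reconfigures logging as a side effect. Moving the call into the command-line entry path, for example as the first statement of `Keep.__init__`, keeps the import free of side effects. `Keep` itself is outside the hunk, so the exact placement needs checking against the class.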