openstack/python-glanceclient
Code Issues Proposed changes
cd11833cff
python-glanceclient/glanceclient/common/http.py

514 lines
19 KiB
Python
Raw Normal View History

Add missing copyright headers A few files were missing copyright headers: * glanceclient/common/http.py * glanceclient/v1/__init__.py * glanceclient/exc.py Change-Id: Ibbd53cd49f9367994de66a30601b3aefe1a8d6ee
2012-08-02 14:22:27 -07:00
# Copyright 2012 OpenStack LLC.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
Basic get/list operations work * 'glance image-list' and 'glance image-show' work * Set up tests, pep8, venv
2012-03-26 22:48:48 -07:00
import copy
Show a pretty progressbar when uploading and downloading an image. Add a new module that contain generic wrapper for file and iterator, which are used to wrap image to upload and the request body iterator in upload and download cases repectively, to show and advance a pretty progress bar when this laters are consumed, The progress bar is triggered by adding a --progress command line argument to commands: image-create, image-download or image-update. Change-Id: I2ba42fd0c58f4fa087adb568ec3f08246cae3759 bug fix: LP#1112309 blueprint: progressbar-when-uploading
2013-07-08 21:18:16 +02:00
import errno
import hashlib
Replace httplib2 with httplib as http driver * This allows us to send truly chunked responses to users * Handle bad connection url schemes with a new InvalidEndpoint exception * Fixes bug 1023240 Change-Id: I34500987f51d4e0c6e1f89ecf93853de3fcbb1c3
2012-07-10 20:51:00 -07:00
import httplib
Basic get/list operations work * 'glance image-list' and 'glance image-show' work * Set up tests, pep8, venv
2012-03-26 22:48:48 -07:00
import logging
Fix regression bug after removing posixpath in http.py After removing posixpath.normpath(url) in http.py, the code has a regression bug that the url like 'http://example.com:80/test' can not work. The code urlparse.urljoin() can not work as '%s%s' % (self.endpoint_path, url). Fixes bug #1230032 Change-Id: Ie7266fc3a067b92dfeed169086b4bf6a87dedbd6
2013-09-25 10:39:36 -05:00
import posixpath
SSL Certificate Validation This adds support for validation of ssl certs returned by remote servers over SSL. The --ca-file param represents the CA cert used to sign the remote server's cert. Use --insecure if the remote server is using a self-signed cert or you don't have the CA cert. Related to bp glance-client-parity Change-Id: I45253a6e2d88da599addfcc464571e62ae920166
2012-08-02 14:16:13 -07:00
import socket
Refactor http request/response logging Using the --debug flag or the GLANCECLIENT_DEBUG env var, a user will see http requests and responses in great detail. Requests are formed into proper curl commands while responses are printed just as they would as if the curl request provided were executed. Response bodies will not be printed if they are application/octet-stream. Change-Id: I9c9c5d6ec9f481091c944e596d073da3739795b6
2012-07-29 22:12:37 -07:00
import StringIO
Implement blueprint ssl-connect-rework Use pyOpenSSL for HTTPS connections. This allows: * Neater loading of system CA files * Optional disabling of SSL compression The performance gain from disabling SSL compression is significant in cases where the image being uploaded/downloaded is in an already compressed format (eg qcow2). Related to bp ssl-connect-rework. Change-Id: I0568b6c95c5fc7b8eafdbd0284e24c453660a55a
2012-09-21 14:18:22 +00:00
import struct
Basic get/list operations work * 'glance image-list' and 'glance image-show' work * Set up tests, pep8, venv
2012-03-26 22:48:48 -07:00
import urlparse
try:
import json
except ImportError:
import simplejson as json
# Python 2.5 compat fix
if not hasattr(urlparse, 'parse_qsl'):
import cgi
urlparse.parse_qsl = cgi.parse_qsl
Implement blueprint ssl-connect-rework Use pyOpenSSL for HTTPS connections. This allows: * Neater loading of system CA files * Optional disabling of SSL compression The performance gain from disabling SSL compression is significant in cases where the image being uploaded/downloaded is in an already compressed format (eg qcow2). Related to bp ssl-connect-rework. Change-Id: I0568b6c95c5fc7b8eafdbd0284e24c453660a55a
2012-09-21 14:18:22 +00:00
import OpenSSL
Basic get/list operations work * 'glance image-list' and 'glance image-show' work * Set up tests, pep8, venv
2012-03-26 22:48:48 -07:00
Establish the supported importable interface * Consumers of this client should not depend on being able to import any module other than glanceclient and glanceclient * The only attributs of the glanceclient module are Client and __version__ * The attributes of the glanceclient.exc modules have yet to be locked down * glanceclient.common.exceptions was replaced with a placeholder module until consumers of it are updated Change-Id: Iea9648cd06906d65764987c1f2ee5a88ebeee748
2012-07-12 18:30:54 -07:00
from glanceclient import exc
Decode input and encode output Currently glanceclient doesn't support non-ASCII characters for images names and properties (names and values as well). This patch introduces 2 functions (utils.py) that will help encoding and decoding strings in a more "secure" way. About the ensure_(str|unicode) functions: They both try to use first the encoding used in stdin (or python's default encoding if that's None) and fallback to utf-8 if those encodings fail to decode a given text. About the changes in glanceclient: The major change is that all inputs will be decoded and will kept as such inside the client's functions and will then be encoded before being printed / sent out the client. There are other small changes, all related to encoding to str, around in order to avoid fails during some conversions. i.e: quoting url encoded parameters. Fixes bug: 1061150 Change-Id: I5c3ea93a716edfe284d19f6291d4e36028f91eb2
2013-01-30 15:18:44 +01:00
from glanceclient.common import utils
Replace utils.ensure_(str|unicode) with strutils.safe(decode|encode) Glanceclient implemented both functions before they landed into oslo. Since both functions are already in oslo, it is now possible to pull them in. There's a small difference between glance's implementation and oslo's, that is the later does not convert non-str objects - int, bool - to str before trying to decode / encode them. This patch takes care of that where necessary, more precisely, while encoding headers before doing a new request. Fixes bug: #1172253 Change-Id: I9a0dca31140bae28d8ec6aede515c5bb852b701b
2013-05-22 11:31:25 +02:00
from glanceclient.openstack.common import strutils
Basic get/list operations work * 'glance image-list' and 'glance image-show' work * Set up tests, pep8, venv
2012-03-26 22:48:48 -07:00
Prevent WantReadError when using https If the glance client is instantiated when the socket module has been monkey patched requests to the server can yield a WantReadError because the socket has been set to non-blocking but this is not being handled correctly. When this is the case use eventlet's GreenConnection which handles non-blocking sockets correctly. Also, for now, add a required getsockopt method to GreenConnection. This can be removed once the eventlet fix (https://bitbucket.org/eventlet/eventlet/commits/609f230) lands. Fixes bug 1157864. Change-Id: I187b69f75b8bcfe16facd41e69b1cd0490dae605
2013-03-20 18:00:39 +00:00
try:
from eventlet import patcher
# Handle case where we are running in a monkey patched environment
if patcher.is_monkey_patched('socket'):
from eventlet.green.httplib import HTTPSConnection
from eventlet.green.OpenSSL.SSL import GreenConnection as Connection
from eventlet.greenio import GreenSocket
# TODO(mclaren): A getsockopt workaround: see 'getsockopt' doc string
GreenSocket.getsockopt = utils.getsockopt
else:
raise ImportError
except ImportError:
from httplib import HTTPSConnection
from OpenSSL.SSL import Connection as Connection
Basic get/list operations work * 'glance image-list' and 'glance image-show' work * Set up tests, pep8, venv
2012-03-26 22:48:48 -07:00
Refactor http request/response logging Using the --debug flag or the GLANCECLIENT_DEBUG env var, a user will see http requests and responses in great detail. Requests are formed into proper curl commands while responses are printed just as they would as if the curl request provided were executed. Response bodies will not be printed if they are application/octet-stream. Change-Id: I9c9c5d6ec9f481091c944e596d073da3739795b6
2012-07-29 22:12:37 -07:00
LOG = logging.getLogger(__name__)
Basic get/list operations work * 'glance image-list' and 'glance image-show' work * Set up tests, pep8, venv
2012-03-26 22:48:48 -07:00
USER_AGENT = 'python-glanceclient'
Wrap image data in iterator This is establishing the API for a future optimization. We want to be able to offer true socket-level caching, but can't do that with httplib2 right now. For now, we will just fake the optimization by returning an iterator over the image body, which happens to already be fully loaded into a string. Change-Id: I2d36e3cdd45b26d7c7c27ba050bf6a4b5765df6c
2012-07-11 19:34:28 -07:00
CHUNKSIZE = 1024 * 64 # 64kB
Basic get/list operations work * 'glance image-list' and 'glance image-show' work * Set up tests, pep8, venv
2012-03-26 22:48:48 -07:00
Replace httplib2 with httplib as http driver * This allows us to send truly chunked responses to users * Handle bad connection url schemes with a new InvalidEndpoint exception * Fixes bug 1023240 Change-Id: I34500987f51d4e0c6e1f89ecf93853de3fcbb1c3
2012-07-10 20:51:00 -07:00
class HTTPClient(object):
Basic get/list operations work * 'glance image-list' and 'glance image-show' work * Set up tests, pep8, venv
2012-03-26 22:48:48 -07:00
SSL Certificate Validation This adds support for validation of ssl certs returned by remote servers over SSL. The --ca-file param represents the CA cert used to sign the remote server's cert. Use --insecure if the remote server is using a self-signed cert or you don't have the CA cert. Related to bp glance-client-parity Change-Id: I45253a6e2d88da599addfcc464571e62ae920166
2012-08-02 14:16:13 -07:00
def __init__(self, endpoint, **kwargs):
self.endpoint = endpoint
Simplify http(s) connection instantiation The endpoint parsing and connection instantiation code was too complicated and easily broken. This assigns human-readable names to instance variables and breaks up the parsing into more understandable chunks. Fixes bug 1060316. Change-Id: I5c5236f90d88b9e797cf0a476aabe8cc7cfa1cc9
2012-10-03 13:52:55 -07:00
endpoint_parts = self.parse_endpoint(self.endpoint)
self.endpoint_scheme = endpoint_parts.scheme
self.endpoint_hostname = endpoint_parts.hostname
self.endpoint_port = endpoint_parts.port
self.endpoint_path = endpoint_parts.path
self.connection_class = self.get_connection_class(self.endpoint_scheme)
self.connection_kwargs = self.get_connection_kwargs(
Pin pep8 to 1.3.3 Standardize pep8 to 1.3.3 and cleared up any errors found by pep8 tests. Change-Id: Ib7eb97d0789556d1676ccad58b5d3364065b7d15 Signed-off-by: Chuck Short <chuck.short@canonical.com>
2012-11-21 12:03:07 -06:00
self.endpoint_scheme, **kwargs)
Simplify http(s) connection instantiation The endpoint parsing and connection instantiation code was too complicated and easily broken. This assigns human-readable names to instance variables and breaks up the parsing into more understandable chunks. Fixes bug 1060316. Change-Id: I5c5236f90d88b9e797cf0a476aabe8cc7cfa1cc9
2012-10-03 13:52:55 -07:00
Pass all identity headers received to glance There is an upcoming patch in nova which passes identity headers to glance client. We want to ensure that these get passed to glance, which in turn with help the no auth option in glance. Resolves bug 1200761 Change-Id: Ifbef582aa4e64a2e7a46db43a9cc6cf8c3531dbd
2013-07-12 20:23:54 +00:00
self.identity_headers = kwargs.get('identity_headers')
SSL Certificate Validation This adds support for validation of ssl certs returned by remote servers over SSL. The --ca-file param represents the CA cert used to sign the remote server's cert. Use --insecure if the remote server is using a self-signed cert or you don't have the CA cert. Related to bp glance-client-parity Change-Id: I45253a6e2d88da599addfcc464571e62ae920166
2012-08-02 14:16:13 -07:00
self.auth_token = kwargs.get('token')
Pass all identity headers received to glance There is an upcoming patch in nova which passes identity headers to glance client. We want to ensure that these get passed to glance, which in turn with help the no auth option in glance. Resolves bug 1200761 Change-Id: Ifbef582aa4e64a2e7a46db43a9cc6cf8c3531dbd
2013-07-12 20:23:54 +00:00
if self.identity_headers:
if self.identity_headers.get('X-Auth-Token'):
self.auth_token = self.identity_headers.get('X-Auth-Token')
del self.identity_headers['X-Auth-Token']
Basic get/list operations work * 'glance image-list' and 'glance image-show' work * Set up tests, pep8, venv
2012-03-26 22:48:48 -07:00
Replace httplib2 with httplib as http driver * This allows us to send truly chunked responses to users * Handle bad connection url schemes with a new InvalidEndpoint exception * Fixes bug 1023240 Change-Id: I34500987f51d4e0c6e1f89ecf93853de3fcbb1c3
2012-07-10 20:51:00 -07:00
@staticmethod
Simplify http(s) connection instantiation The endpoint parsing and connection instantiation code was too complicated and easily broken. This assigns human-readable names to instance variables and breaks up the parsing into more understandable chunks. Fixes bug 1060316. Change-Id: I5c5236f90d88b9e797cf0a476aabe8cc7cfa1cc9
2012-10-03 13:52:55 -07:00
def parse_endpoint(endpoint):
return urlparse.urlparse(endpoint)
SSL Certificate Validation This adds support for validation of ssl certs returned by remote servers over SSL. The --ca-file param represents the CA cert used to sign the remote server's cert. Use --insecure if the remote server is using a self-signed cert or you don't have the CA cert. Related to bp glance-client-parity Change-Id: I45253a6e2d88da599addfcc464571e62ae920166
2012-08-02 14:16:13 -07:00
Simplify http(s) connection instantiation The endpoint parsing and connection instantiation code was too complicated and easily broken. This assigns human-readable names to instance variables and breaks up the parsing into more understandable chunks. Fixes bug 1060316. Change-Id: I5c5236f90d88b9e797cf0a476aabe8cc7cfa1cc9
2012-10-03 13:52:55 -07:00
@staticmethod
def get_connection_class(scheme):
if scheme == 'https':
return VerifiedHTTPSConnection
else:
return httplib.HTTPConnection
@staticmethod
def get_connection_kwargs(scheme, **kwargs):
SSL Certificate Validation This adds support for validation of ssl certs returned by remote servers over SSL. The --ca-file param represents the CA cert used to sign the remote server's cert. Use --insecure if the remote server is using a self-signed cert or you don't have the CA cert. Related to bp glance-client-parity Change-Id: I45253a6e2d88da599addfcc464571e62ae920166
2012-08-02 14:16:13 -07:00
_kwargs = {'timeout': float(kwargs.get('timeout', 600))}
Simplify http(s) connection instantiation The endpoint parsing and connection instantiation code was too complicated and easily broken. This assigns human-readable names to instance variables and breaks up the parsing into more understandable chunks. Fixes bug 1060316. Change-Id: I5c5236f90d88b9e797cf0a476aabe8cc7cfa1cc9
2012-10-03 13:52:55 -07:00
if scheme == 'https':
Support --os-cacert * Rename --ca-file to --os-cacert (--ca-file deprecated for backward compatibility) * Add cacert to keystoneclient initialization to verify the keystone server certificate This aligns glanceclient with keystoneclient for option naming and the use of TLS for the keystone auth connection. It does not change the use of TLS/SSL for the glance connection. Change-Id: If8b05655aea5f3c62612d77bf947dd790f77eddf
2012-12-07 11:21:11 -06:00
_kwargs['cacert'] = kwargs.get('cacert', None)
Client-side SSL Connection This allows a user to pass a cert and a key to use in HTTPS connections. The flags --cert-file and --key-file are added to the CLI. Addiionally, update the debug curl logging to print --cacert and -k when ca_file and insecure are set. Related to bp glance-client-parity. Change-Id: Ibaea51419a903afb7939a6b5b848f7a6667893bf
2012-08-02 15:30:50 -07:00
_kwargs['cert_file'] = kwargs.get('cert_file', None)
_kwargs['key_file'] = kwargs.get('key_file', None)
SSL Certificate Validation This adds support for validation of ssl certs returned by remote servers over SSL. The --ca-file param represents the CA cert used to sign the remote server's cert. Use --insecure if the remote server is using a self-signed cert or you don't have the CA cert. Related to bp glance-client-parity Change-Id: I45253a6e2d88da599addfcc464571e62ae920166
2012-08-02 14:16:13 -07:00
_kwargs['insecure'] = kwargs.get('insecure', False)
Implement blueprint ssl-connect-rework Use pyOpenSSL for HTTPS connections. This allows: * Neater loading of system CA files * Optional disabling of SSL compression The performance gain from disabling SSL compression is significant in cases where the image being uploaded/downloaded is in an already compressed format (eg qcow2). Related to bp ssl-connect-rework. Change-Id: I0568b6c95c5fc7b8eafdbd0284e24c453660a55a
2012-09-21 14:18:22 +00:00
_kwargs['ssl_compression'] = kwargs.get('ssl_compression', True)
Basic get/list operations work * 'glance image-list' and 'glance image-show' work * Set up tests, pep8, venv
2012-03-26 22:48:48 -07:00
Simplify http(s) connection instantiation The endpoint parsing and connection instantiation code was too complicated and easily broken. This assigns human-readable names to instance variables and breaks up the parsing into more understandable chunks. Fixes bug 1060316. Change-Id: I5c5236f90d88b9e797cf0a476aabe8cc7cfa1cc9
2012-10-03 13:52:55 -07:00
return _kwargs
SSL Certificate Validation This adds support for validation of ssl certs returned by remote servers over SSL. The --ca-file param represents the CA cert used to sign the remote server's cert. Use --insecure if the remote server is using a self-signed cert or you don't have the CA cert. Related to bp glance-client-parity Change-Id: I45253a6e2d88da599addfcc464571e62ae920166
2012-08-02 14:16:13 -07:00
Replace httplib2 with httplib as http driver * This allows us to send truly chunked responses to users * Handle bad connection url schemes with a new InvalidEndpoint exception * Fixes bug 1023240 Change-Id: I34500987f51d4e0c6e1f89ecf93853de3fcbb1c3
2012-07-10 20:51:00 -07:00
def get_connection(self):
Simplify http(s) connection instantiation The endpoint parsing and connection instantiation code was too complicated and easily broken. This assigns human-readable names to instance variables and breaks up the parsing into more understandable chunks. Fixes bug 1060316. Change-Id: I5c5236f90d88b9e797cf0a476aabe8cc7cfa1cc9
2012-10-03 13:52:55 -07:00
_class = self.connection_class
Handle communication failures cleanly Expand exceptions to cover more failures cases. This adds CommunicationFailure to represent any failures while attempting to communicate with the remote endpoint. This also adds a new base exception class BaseException which should be used for all non-HTTP related failures. Change-Id: Ie3e1d45c520d816a3f491a85fde94a6c4edf295e
2012-08-08 13:45:38 -07:00
try:
Simplify http(s) connection instantiation The endpoint parsing and connection instantiation code was too complicated and easily broken. This assigns human-readable names to instance variables and breaks up the parsing into more understandable chunks. Fixes bug 1060316. Change-Id: I5c5236f90d88b9e797cf0a476aabe8cc7cfa1cc9
2012-10-03 13:52:55 -07:00
return _class(self.endpoint_hostname, self.endpoint_port,
**self.connection_kwargs)
get_connection should raise httplib.InvalidURL In http.py the exception raised in get_connection should be httplib.InvalidURL rather than httplib.InvalidUrl. Fix for bug 1048698. Change-Id: I7f18321fe7d8669b3b95bf823273ee8ae6961661
2012-09-10 14:57:45 +00:00
except httplib.InvalidURL:
Handle communication failures cleanly Expand exceptions to cover more failures cases. This adds CommunicationFailure to represent any failures while attempting to communicate with the remote endpoint. This also adds a new base exception class BaseException which should be used for all non-HTTP related failures. Change-Id: Ie3e1d45c520d816a3f491a85fde94a6c4edf295e
2012-08-08 13:45:38 -07:00
raise exc.InvalidEndpoint()
Replace httplib2 with httplib as http driver * This allows us to send truly chunked responses to users * Handle bad connection url schemes with a new InvalidEndpoint exception * Fixes bug 1023240 Change-Id: I34500987f51d4e0c6e1f89ecf93853de3fcbb1c3
2012-07-10 20:51:00 -07:00
Refactor http request/response logging Using the --debug flag or the GLANCECLIENT_DEBUG env var, a user will see http requests and responses in great detail. Requests are formed into proper curl commands while responses are printed just as they would as if the curl request provided were executed. Response bodies will not be printed if they are application/octet-stream. Change-Id: I9c9c5d6ec9f481091c944e596d073da3739795b6
2012-07-29 22:12:37 -07:00
def log_curl_request(self, method, url, kwargs):
curl = ['curl -i -X %s' % method]
for (key, value) in kwargs['headers'].items():
header = '-H \'%s: %s\'' % (key, value)
curl.append(header)
Client-side SSL Connection This allows a user to pass a cert and a key to use in HTTPS connections. The flags --cert-file and --key-file are added to the CLI. Addiionally, update the debug curl logging to print --cacert and -k when ca_file and insecure are set. Related to bp glance-client-parity. Change-Id: Ibaea51419a903afb7939a6b5b848f7a6667893bf
2012-08-02 15:30:50 -07:00
conn_params_fmt = [
('key_file', '--key %s'),
('cert_file', '--cert %s'),
Support --os-cacert * Rename --ca-file to --os-cacert (--ca-file deprecated for backward compatibility) * Add cacert to keystoneclient initialization to verify the keystone server certificate This aligns glanceclient with keystoneclient for option naming and the use of TLS for the keystone auth connection. It does not change the use of TLS/SSL for the glance connection. Change-Id: If8b05655aea5f3c62612d77bf947dd790f77eddf
2012-12-07 11:21:11 -06:00
('cacert', '--cacert %s'),
Client-side SSL Connection This allows a user to pass a cert and a key to use in HTTPS connections. The flags --cert-file and --key-file are added to the CLI. Addiionally, update the debug curl logging to print --cacert and -k when ca_file and insecure are set. Related to bp glance-client-parity. Change-Id: Ibaea51419a903afb7939a6b5b848f7a6667893bf
2012-08-02 15:30:50 -07:00
]
for (key, fmt) in conn_params_fmt:
Simplify http(s) connection instantiation The endpoint parsing and connection instantiation code was too complicated and easily broken. This assigns human-readable names to instance variables and breaks up the parsing into more understandable chunks. Fixes bug 1060316. Change-Id: I5c5236f90d88b9e797cf0a476aabe8cc7cfa1cc9
2012-10-03 13:52:55 -07:00
value = self.connection_kwargs.get(key)
Client-side SSL Connection This allows a user to pass a cert and a key to use in HTTPS connections. The flags --cert-file and --key-file are added to the CLI. Addiionally, update the debug curl logging to print --cacert and -k when ca_file and insecure are set. Related to bp glance-client-parity. Change-Id: Ibaea51419a903afb7939a6b5b848f7a6667893bf
2012-08-02 15:30:50 -07:00
if value:
curl.append(fmt % value)
Simplify http(s) connection instantiation The endpoint parsing and connection instantiation code was too complicated and easily broken. This assigns human-readable names to instance variables and breaks up the parsing into more understandable chunks. Fixes bug 1060316. Change-Id: I5c5236f90d88b9e797cf0a476aabe8cc7cfa1cc9
2012-10-03 13:52:55 -07:00
if self.connection_kwargs.get('insecure'):
Client-side SSL Connection This allows a user to pass a cert and a key to use in HTTPS connections. The flags --cert-file and --key-file are added to the CLI. Addiionally, update the debug curl logging to print --cacert and -k when ca_file and insecure are set. Related to bp glance-client-parity. Change-Id: Ibaea51419a903afb7939a6b5b848f7a6667893bf
2012-08-02 15:30:50 -07:00
curl.append('-k')
Fix inconsistent --debug messages on image-update image-update --debug message no longer adds '-d "None"' to the curl command that is output. This keeps the curl output consistent with the client request. Fixes bug #1172702 Change-Id: I34ceeb6f4a67c753ca3a805ec11240a99ce38ec4
2013-04-25 13:59:54 +01:00
if kwargs.get('body') is not None:
Refactor http request/response logging Using the --debug flag or the GLANCECLIENT_DEBUG env var, a user will see http requests and responses in great detail. Requests are formed into proper curl commands while responses are printed just as they would as if the curl request provided were executed. Response bodies will not be printed if they are application/octet-stream. Change-Id: I9c9c5d6ec9f481091c944e596d073da3739795b6
2012-07-29 22:12:37 -07:00
curl.append('-d \'%s\'' % kwargs['body'])
SSL Certificate Validation This adds support for validation of ssl certs returned by remote servers over SSL. The --ca-file param represents the CA cert used to sign the remote server's cert. Use --insecure if the remote server is using a self-signed cert or you don't have the CA cert. Related to bp glance-client-parity Change-Id: I45253a6e2d88da599addfcc464571e62ae920166
2012-08-02 14:16:13 -07:00
curl.append('%s%s' % (self.endpoint, url))
Replace utils.ensure_(str|unicode) with strutils.safe(decode|encode) Glanceclient implemented both functions before they landed into oslo. Since both functions are already in oslo, it is now possible to pull them in. There's a small difference between glance's implementation and oslo's, that is the later does not convert non-str objects - int, bool - to str before trying to decode / encode them. This patch takes care of that where necessary, more precisely, while encoding headers before doing a new request. Fixes bug: #1172253 Change-Id: I9a0dca31140bae28d8ec6aede515c5bb852b701b
2013-05-22 11:31:25 +02:00
LOG.debug(strutils.safe_encode(' '.join(curl)))
Refactor http request/response logging Using the --debug flag or the GLANCECLIENT_DEBUG env var, a user will see http requests and responses in great detail. Requests are formed into proper curl commands while responses are printed just as they would as if the curl request provided were executed. Response bodies will not be printed if they are application/octet-stream. Change-Id: I9c9c5d6ec9f481091c944e596d073da3739795b6
2012-07-29 22:12:37 -07:00
@staticmethod
def log_http_response(resp, body=None):
status = (resp.version / 10.0, resp.status, resp.reason)
dump = ['\nHTTP/%.1f %s %s' % status]
dump.extend(['%s: %s' % (k, v) for k, v in resp.getheaders()])
dump.append('')
if body:
dump.extend([body, ''])
Replace utils.ensure_(str|unicode) with strutils.safe(decode|encode) Glanceclient implemented both functions before they landed into oslo. Since both functions are already in oslo, it is now possible to pull them in. There's a small difference between glance's implementation and oslo's, that is the later does not convert non-str objects - int, bool - to str before trying to decode / encode them. This patch takes care of that where necessary, more precisely, while encoding headers before doing a new request. Fixes bug: #1172253 Change-Id: I9a0dca31140bae28d8ec6aede515c5bb852b701b
2013-05-22 11:31:25 +02:00
LOG.debug(strutils.safe_encode('\n'.join(dump)))
Decode input and encode output Currently glanceclient doesn't support non-ASCII characters for images names and properties (names and values as well). This patch introduces 2 functions (utils.py) that will help encoding and decoding strings in a more "secure" way. About the ensure_(str|unicode) functions: They both try to use first the encoding used in stdin (or python's default encoding if that's None) and fallback to utf-8 if those encodings fail to decode a given text. About the changes in glanceclient: The major change is that all inputs will be decoded and will kept as such inside the client's functions and will then be encoded before being printed / sent out the client. There are other small changes, all related to encoding to str, around in order to avoid fails during some conversions. i.e: quoting url encoded parameters. Fixes bug: 1061150 Change-Id: I5c3ea93a716edfe284d19f6291d4e36028f91eb2
2013-01-30 15:18:44 +01:00
@staticmethod
def encode_headers(headers):
Start using Pyflakes and Hacking Instead of globally ignoring pyflakes and hacking warnings, only blacklist those that trigger very frequently so far, in order to clean them up in followup commits. Fix and start gating on the rest already. Change-Id: Ied7c7250061e3bf379e8286e8ce3b9e4af817faf
2013-06-09 11:07:27 +02:00
"""Encodes headers.
Decode input and encode output Currently glanceclient doesn't support non-ASCII characters for images names and properties (names and values as well). This patch introduces 2 functions (utils.py) that will help encoding and decoding strings in a more "secure" way. About the ensure_(str|unicode) functions: They both try to use first the encoding used in stdin (or python's default encoding if that's None) and fallback to utf-8 if those encodings fail to decode a given text. About the changes in glanceclient: The major change is that all inputs will be decoded and will kept as such inside the client's functions and will then be encoded before being printed / sent out the client. There are other small changes, all related to encoding to str, around in order to avoid fails during some conversions. i.e: quoting url encoded parameters. Fixes bug: 1061150 Change-Id: I5c3ea93a716edfe284d19f6291d4e36028f91eb2
2013-01-30 15:18:44 +01:00
Note: This should be used right before
sending anything out.
:param headers: Headers to encode
:returns: Dictionary with encoded headers'
names and values
"""
Replace utils.ensure_(str|unicode) with strutils.safe(decode|encode) Glanceclient implemented both functions before they landed into oslo. Since both functions are already in oslo, it is now possible to pull them in. There's a small difference between glance's implementation and oslo's, that is the later does not convert non-str objects - int, bool - to str before trying to decode / encode them. This patch takes care of that where necessary, more precisely, while encoding headers before doing a new request. Fixes bug: #1172253 Change-Id: I9a0dca31140bae28d8ec6aede515c5bb852b701b
2013-05-22 11:31:25 +02:00
to_str = strutils.safe_encode
Decode input and encode output Currently glanceclient doesn't support non-ASCII characters for images names and properties (names and values as well). This patch introduces 2 functions (utils.py) that will help encoding and decoding strings in a more "secure" way. About the ensure_(str|unicode) functions: They both try to use first the encoding used in stdin (or python's default encoding if that's None) and fallback to utf-8 if those encodings fail to decode a given text. About the changes in glanceclient: The major change is that all inputs will be decoded and will kept as such inside the client's functions and will then be encoded before being printed / sent out the client. There are other small changes, all related to encoding to str, around in order to avoid fails during some conversions. i.e: quoting url encoded parameters. Fixes bug: 1061150 Change-Id: I5c3ea93a716edfe284d19f6291d4e36028f91eb2
2013-01-30 15:18:44 +01:00
return dict([(to_str(h), to_str(v)) for h, v in headers.iteritems()])
Basic get/list operations work * 'glance image-list' and 'glance image-show' work * Set up tests, pep8, venv
2012-03-26 22:48:48 -07:00
def _http_request(self, url, method, **kwargs):
Start using Pyflakes and Hacking Instead of globally ignoring pyflakes and hacking warnings, only blacklist those that trigger very frequently so far, in order to clean them up in followup commits. Fix and start gating on the rest already. Change-Id: Ied7c7250061e3bf379e8286e8ce3b9e4af817faf
2013-06-09 11:07:27 +02:00
"""Send an http request with the specified characteristics.
Basic get/list operations work * 'glance image-list' and 'glance image-show' work * Set up tests, pep8, venv
2012-03-26 22:48:48 -07:00
Replace httplib2 with httplib as http driver * This allows us to send truly chunked responses to users * Handle bad connection url schemes with a new InvalidEndpoint exception * Fixes bug 1023240 Change-Id: I34500987f51d4e0c6e1f89ecf93853de3fcbb1c3
2012-07-10 20:51:00 -07:00
Wrapper around httplib.HTTP(S)Connection.request to handle tasks such
as setting headers and error handling.
Basic get/list operations work * 'glance image-list' and 'glance image-show' work * Set up tests, pep8, venv
2012-03-26 22:48:48 -07:00
"""
# Copy the kwargs so we can reuse the original in case of redirects
Refactor HTTPClient to use two request methods Rather than depend on magic, I would prefer that we explicitly call two different request methods: json_request and raw_request. The former will encode/decode request bodies to and from JSON, while the latter will not. Change-Id: I6a429a5975993f71df85df55f11c5d51c050c289
2012-05-15 10:01:47 -07:00
kwargs['headers'] = copy.deepcopy(kwargs.get('headers', {}))
kwargs['headers'].setdefault('User-Agent', USER_AGENT)
if self.auth_token:
kwargs['headers'].setdefault('X-Auth-Token', self.auth_token)
Basic get/list operations work * 'glance image-list' and 'glance image-show' work * Set up tests, pep8, venv
2012-03-26 22:48:48 -07:00
Pass all identity headers received to glance There is an upcoming patch in nova which passes identity headers to glance client. We want to ensure that these get passed to glance, which in turn with help the no auth option in glance. Resolves bug 1200761 Change-Id: Ifbef582aa4e64a2e7a46db43a9cc6cf8c3531dbd
2013-07-12 20:23:54 +00:00
if self.identity_headers:
for k, v in self.identity_headers.iteritems():
kwargs['headers'].setdefault(k, v)
Refactor http request/response logging Using the --debug flag or the GLANCECLIENT_DEBUG env var, a user will see http requests and responses in great detail. Requests are formed into proper curl commands while responses are printed just as they would as if the curl request provided were executed. Response bodies will not be printed if they are application/octet-stream. Change-Id: I9c9c5d6ec9f481091c944e596d073da3739795b6
2012-07-29 22:12:37 -07:00
self.log_curl_request(method, url, kwargs)
Replace httplib2 with httplib as http driver * This allows us to send truly chunked responses to users * Handle bad connection url schemes with a new InvalidEndpoint exception * Fixes bug 1023240 Change-Id: I34500987f51d4e0c6e1f89ecf93853de3fcbb1c3
2012-07-10 20:51:00 -07:00
conn = self.get_connection()
Handle communication failures cleanly Expand exceptions to cover more failures cases. This adds CommunicationFailure to represent any failures while attempting to communicate with the remote endpoint. This also adds a new base exception class BaseException which should be used for all non-HTTP related failures. Change-Id: Ie3e1d45c520d816a3f491a85fde94a6c4edf295e
2012-08-08 13:45:38 -07:00
Decode input and encode output Currently glanceclient doesn't support non-ASCII characters for images names and properties (names and values as well). This patch introduces 2 functions (utils.py) that will help encoding and decoding strings in a more "secure" way. About the ensure_(str|unicode) functions: They both try to use first the encoding used in stdin (or python's default encoding if that's None) and fallback to utf-8 if those encodings fail to decode a given text. About the changes in glanceclient: The major change is that all inputs will be decoded and will kept as such inside the client's functions and will then be encoded before being printed / sent out the client. There are other small changes, all related to encoding to str, around in order to avoid fails during some conversions. i.e: quoting url encoded parameters. Fixes bug: 1061150 Change-Id: I5c3ea93a716edfe284d19f6291d4e36028f91eb2
2013-01-30 15:18:44 +01:00
# Note(flaper87): Before letting headers / url fly,
# they should be encoded otherwise httplib will
# complain. If we decide to rely on python-request
# this wont be necessary anymore.
kwargs['headers'] = self.encode_headers(kwargs['headers'])
Handle communication failures cleanly Expand exceptions to cover more failures cases. This adds CommunicationFailure to represent any failures while attempting to communicate with the remote endpoint. This also adds a new base exception class BaseException which should be used for all non-HTTP related failures. Change-Id: Ie3e1d45c520d816a3f491a85fde94a6c4edf295e
2012-08-08 13:45:38 -07:00
try:
Removes extra slash on endpoints without a path Change-Id: I5ce54117c5ac276fb9629c71eb16db88e078c947 Fixes: bug #1179984
2013-05-14 10:31:45 -05:00
if self.endpoint_path:
Fix regression bug after removing posixpath in http.py After removing posixpath.normpath(url) in http.py, the code has a regression bug that the url like 'http://example.com:80/test' can not work. The code urlparse.urljoin() can not work as '%s%s' % (self.endpoint_path, url). Fixes bug #1230032 Change-Id: Ie7266fc3a067b92dfeed169086b4bf6a87dedbd6
2013-09-25 10:39:36 -05:00
# NOTE(yuyangbj): this method _http_request could either be
# called by API layer, or be called recursively with
# redirection. For example, url would be '/v1/images/detail'
# from API layer, but url would be 'https://example.com:92/
# v1/images/detail' from recursion.
# See bug #1230032 and bug #1208618.
if url is not None:
all_parts = urlparse.urlparse(url)
if not (all_parts.scheme and all_parts.netloc):
norm_parse = posixpath.normpath
url = norm_parse('/'.join([self.endpoint_path, url]))
else:
url = self.endpoint_path
Don't use posixpath for URLs Use URL functions instead. Fixes bug #1208618 Change-Id: I27bb29a6422200a1a522c50335e5d93d495ec429
2013-08-05 14:42:19 -07:00
conn_url = urlparse.urlsplit(url).geturl()
Decode input and encode output Currently glanceclient doesn't support non-ASCII characters for images names and properties (names and values as well). This patch introduces 2 functions (utils.py) that will help encoding and decoding strings in a more "secure" way. About the ensure_(str|unicode) functions: They both try to use first the encoding used in stdin (or python's default encoding if that's None) and fallback to utf-8 if those encodings fail to decode a given text. About the changes in glanceclient: The major change is that all inputs will be decoded and will kept as such inside the client's functions and will then be encoded before being printed / sent out the client. There are other small changes, all related to encoding to str, around in order to avoid fails during some conversions. i.e: quoting url encoded parameters. Fixes bug: 1061150 Change-Id: I5c3ea93a716edfe284d19f6291d4e36028f91eb2
2013-01-30 15:18:44 +01:00
# Note(flaper87): Ditto, headers / url
# encoding to make httplib happy.
Replace utils.ensure_(str|unicode) with strutils.safe(decode|encode) Glanceclient implemented both functions before they landed into oslo. Since both functions are already in oslo, it is now possible to pull them in. There's a small difference between glance's implementation and oslo's, that is the later does not convert non-str objects - int, bool - to str before trying to decode / encode them. This patch takes care of that where necessary, more precisely, while encoding headers before doing a new request. Fixes bug: #1172253 Change-Id: I9a0dca31140bae28d8ec6aede515c5bb852b701b
2013-05-22 11:31:25 +02:00
conn_url = strutils.safe_encode(conn_url)
Handle create/update of images with unknown size It may not be possible to know in advance the total size of image data which is to be uploaded, for example if the data is being piped to stdin. To handle this we use HTTP Transfer-Encoding: chunked and do not set any image size headers. Various subtly different cases needed to be handled for both image-create and image-update, including: * input from named pipe * piped input of zero size * regular file of zero length Fix for bug 1056220. Change-Id: I0c7f0a64d883e058993b954a1c465c5b057f2bcf
2012-09-26 12:56:51 +00:00
if kwargs['headers'].get('Transfer-Encoding') == 'chunked':
conn.putrequest(method, conn_url)
for header, value in kwargs['headers'].items():
conn.putheader(header, value)
conn.endheaders()
chunk = kwargs['body'].read(CHUNKSIZE)
# Chunk it, baby...
while chunk:
conn.send('%x\r\n%s\r\n' % (len(chunk), chunk))
chunk = kwargs['body'].read(CHUNKSIZE)
conn.send('0\r\n\r\n')
else:
conn.request(method, conn_url, **kwargs)
Handle communication failures cleanly Expand exceptions to cover more failures cases. This adds CommunicationFailure to represent any failures while attempting to communicate with the remote endpoint. This also adds a new base exception class BaseException which should be used for all non-HTTP related failures. Change-Id: Ie3e1d45c520d816a3f491a85fde94a6c4edf295e
2012-08-08 13:45:38 -07:00
resp = conn.getresponse()
socket errors and timeouts should be CommunicationErrors Also include extra information about socket errors within the exceptions. Change-Id: I9464a484460d40be5727e18ca6f057df9076766e
2012-08-10 21:06:44 +00:00
except socket.gaierror as e:
Report name resolution errors properly Errors in name resolution have been logged previously with the url path rather than the hostname. That resulted in incorrect errors like: InvalidEndpoint: Error finding address for /v1/images/detail?is_public=none&limit=20: [Errno -2] Name or service not known rather than one mentioning hostname itself. This patch changes the log message to fit the situation. Change-Id: I1eecbcb22d41b1341c214937b9cbfd046fd301a0
2013-02-19 15:40:16 +00:00
message = "Error finding address for %s: %s" % (
self.endpoint_hostname, e)
socket errors and timeouts should be CommunicationErrors Also include extra information about socket errors within the exceptions. Change-Id: I9464a484460d40be5727e18ca6f057df9076766e
2012-08-10 21:06:44 +00:00
raise exc.InvalidEndpoint(message=message)
except (socket.error, socket.timeout) as e:
Make ConnectionRefused error more informative. When the server refuses the connection the error message displayed now lists the endpoint that refused the connection. Fixes: bug 1043067 Change-Id: I62797106732bbb6eec8c99e491fd38850ad58ff8
2012-09-12 09:40:04 -04:00
endpoint = self.endpoint
message = "Error communicating with %(endpoint)s %(e)s" % locals()
socket errors and timeouts should be CommunicationErrors Also include extra information about socket errors within the exceptions. Change-Id: I9464a484460d40be5727e18ca6f057df9076766e
2012-08-10 21:06:44 +00:00
raise exc.CommunicationError(message=message)
Replace httplib2 with httplib as http driver * This allows us to send truly chunked responses to users * Handle bad connection url schemes with a new InvalidEndpoint exception * Fixes bug 1023240 Change-Id: I34500987f51d4e0c6e1f89ecf93853de3fcbb1c3
2012-07-10 20:51:00 -07:00
Refactor http request/response logging Using the --debug flag or the GLANCECLIENT_DEBUG env var, a user will see http requests and responses in great detail. Requests are formed into proper curl commands while responses are printed just as they would as if the curl request provided were executed. Response bodies will not be printed if they are application/octet-stream. Change-Id: I9c9c5d6ec9f481091c944e596d073da3739795b6
2012-07-29 22:12:37 -07:00
body_iter = ResponseBodyIterator(resp)
# Read body into string if it isn't obviously image data
if resp.getheader('content-type', None) != 'application/octet-stream':
body_str = ''.join([chunk for chunk in body_iter])
self.log_http_response(resp, body_str)
body_iter = StringIO.StringIO(body_str)
else:
self.log_http_response(resp)
Basic get/list operations work * 'glance image-list' and 'glance image-show' work * Set up tests, pep8, venv
2012-03-26 22:48:48 -07:00
if 400 <= resp.status < 600:
Fix weird "None" displayed on some errors logging.exception() should only be called from an exception handler, which is not the case here. Part of bug 1050260. Change-Id: I591a68c458cd733c04cea7d2d640afdbb7dd19f6
2012-09-13 11:12:00 +02:00
LOG.error("Request returned failure status.")
Add details to stdout error message. Current glance command does not show the details of error message. For example, the glance command shows HTTPBadRequest only if some necessary parameter is not specified. $ glance image-create --file root-fs.img --name cirros-0.3.0-x86_64-uec Request returned failure status. HTTPBadRequest (HTTP 400) $ By only the above message, it is not easy that a user understand the reason of an error. glance-api server returns the details of reason, but glance command does not show it. This patch adds details, which is gotten from glance-api server, to error message. And a user will be able to understand the reason of a error like the following: $ glance image-create --file root-fs.img --name cirros-0.3.0-x86_64-uec Request returned failure status. 400 Bad Request Invalid disk format 'None' for image. (HTTP 400) $ Fixes bug 1094917 Change-Id: I49192c3ebbc8a70b63dcfcede9fd13f1688388cf
2013-01-01 22:33:15 +09:00
raise exc.from_response(resp, body_str)
Basic get/list operations work * 'glance image-list' and 'glance image-show' work * Set up tests, pep8, venv
2012-03-26 22:48:48 -07:00
elif resp.status in (301, 302, 305):
# Redirected. Reissue the request to the new location.
Fix getting header in redirect processing The code for processing an HTTP redirect included an incorrect method of getting the Location header from an HTTPResponse. It needs to use the getheader() method on the response, instead. This patch fixes that and includes a unit test that covers this code path. Change-Id: I0952fabad581b020dee07bdc4007b55b47c906aa Closes-Bug: #1231524
2013-09-26 11:43:29 -04:00
return self._http_request(resp.getheader('location', None), method,
**kwargs)
Catches HTTP 300 while printing responses If glance v1 api is not enabled, and a request is made to it, it gives a KeyError. This patch catches the 300 error and displays error message. Fixes bug 1046607 Change-Id: I0009a5deca3b5dd5ccaeaea90feee21274bfe090
2012-09-07 20:54:09 +00:00
elif resp.status == 300:
raise exc.from_response(resp)
Basic get/list operations work * 'glance image-list' and 'glance image-show' work * Set up tests, pep8, venv
2012-03-26 22:48:48 -07:00
Wrap image data in iterator This is establishing the API for a future optimization. We want to be able to offer true socket-level caching, but can't do that with httplib2 right now. For now, we will just fake the optimization by returning an iterator over the image body, which happens to already be fully loaded into a string. Change-Id: I2d36e3cdd45b26d7c7c27ba050bf6a4b5765df6c
2012-07-11 19:34:28 -07:00
return resp, body_iter
Basic get/list operations work * 'glance image-list' and 'glance image-show' work * Set up tests, pep8, venv
2012-03-26 22:48:48 -07:00
Refactor HTTPClient to use two request methods Rather than depend on magic, I would prefer that we explicitly call two different request methods: json_request and raw_request. The former will encode/decode request bodies to and from JSON, while the latter will not. Change-Id: I6a429a5975993f71df85df55f11c5d51c050c289
2012-05-15 10:01:47 -07:00
def json_request(self, method, url, **kwargs):
Basic get/list operations work * 'glance image-list' and 'glance image-show' work * Set up tests, pep8, venv
2012-03-26 22:48:48 -07:00
kwargs.setdefault('headers', {})
Refactor HTTPClient to use two request methods Rather than depend on magic, I would prefer that we explicitly call two different request methods: json_request and raw_request. The former will encode/decode request bodies to and from JSON, while the latter will not. Change-Id: I6a429a5975993f71df85df55f11c5d51c050c289
2012-05-15 10:01:47 -07:00
kwargs['headers'].setdefault('Content-Type', 'application/json')
Basic get/list operations work * 'glance image-list' and 'glance image-show' work * Set up tests, pep8, venv
2012-03-26 22:48:48 -07:00
Refactor HTTPClient to use two request methods Rather than depend on magic, I would prefer that we explicitly call two different request methods: json_request and raw_request. The former will encode/decode request bodies to and from JSON, while the latter will not. Change-Id: I6a429a5975993f71df85df55f11c5d51c050c289
2012-05-15 10:01:47 -07:00
if 'body' in kwargs:
kwargs['body'] = json.dumps(kwargs['body'])
Basic get/list operations work * 'glance image-list' and 'glance image-show' work * Set up tests, pep8, venv
2012-03-26 22:48:48 -07:00
Wrap image data in iterator This is establishing the API for a future optimization. We want to be able to offer true socket-level caching, but can't do that with httplib2 right now. For now, we will just fake the optimization by returning an iterator over the image body, which happens to already be fully loaded into a string. Change-Id: I2d36e3cdd45b26d7c7c27ba050bf6a4b5765df6c
2012-07-11 19:34:28 -07:00
resp, body_iter = self._http_request(url, method, **kwargs)
Basic get/list operations work * 'glance image-list' and 'glance image-show' work * Set up tests, pep8, venv
2012-03-26 22:48:48 -07:00
Fix default value for a header This code specified None as the default value, but it would raise an exception if that was ever returned. An empty string causes the code to work as intended. This came up while I was writing a unit test for another bug fix. Change-Id: I658bb8a9b5124f281988fb60b645182ea0ccf99f Related-bug: #1231524
2013-09-26 11:42:16 -04:00
if 'application/json' in resp.getheader('content-type', ''):
Refactor http request/response logging Using the --debug flag or the GLANCECLIENT_DEBUG env var, a user will see http requests and responses in great detail. Requests are formed into proper curl commands while responses are printed just as they would as if the curl request provided were executed. Response bodies will not be printed if they are application/octet-stream. Change-Id: I9c9c5d6ec9f481091c944e596d073da3739795b6
2012-07-29 22:12:37 -07:00
body = ''.join([chunk for chunk in body_iter])
Refactor HTTPClient to use two request methods Rather than depend on magic, I would prefer that we explicitly call two different request methods: json_request and raw_request. The former will encode/decode request bodies to and from JSON, while the latter will not. Change-Id: I6a429a5975993f71df85df55f11c5d51c050c289
2012-05-15 10:01:47 -07:00
try:
body = json.loads(body)
except ValueError:
Refactor http request/response logging Using the --debug flag or the GLANCECLIENT_DEBUG env var, a user will see http requests and responses in great detail. Requests are formed into proper curl commands while responses are printed just as they would as if the curl request provided were executed. Response bodies will not be printed if they are application/octet-stream. Change-Id: I9c9c5d6ec9f481091c944e596d073da3739795b6
2012-07-29 22:12:37 -07:00
LOG.error('Could not decode response body as JSON')
Refactor HTTPClient to use two request methods Rather than depend on magic, I would prefer that we explicitly call two different request methods: json_request and raw_request. The former will encode/decode request bodies to and from JSON, while the latter will not. Change-Id: I6a429a5975993f71df85df55f11c5d51c050c289
2012-05-15 10:01:47 -07:00
else:
body = None
Basic get/list operations work * 'glance image-list' and 'glance image-show' work * Set up tests, pep8, venv
2012-03-26 22:48:48 -07:00
Refactor HTTPClient to use two request methods Rather than depend on magic, I would prefer that we explicitly call two different request methods: json_request and raw_request. The former will encode/decode request bodies to and from JSON, while the latter will not. Change-Id: I6a429a5975993f71df85df55f11c5d51c050c289
2012-05-15 10:01:47 -07:00
return resp, body
Basic get/list operations work * 'glance image-list' and 'glance image-show' work * Set up tests, pep8, venv
2012-03-26 22:48:48 -07:00
Refactor HTTPClient to use two request methods Rather than depend on magic, I would prefer that we explicitly call two different request methods: json_request and raw_request. The former will encode/decode request bodies to and from JSON, while the latter will not. Change-Id: I6a429a5975993f71df85df55f11c5d51c050c289
2012-05-15 10:01:47 -07:00
def raw_request(self, method, url, **kwargs):
kwargs.setdefault('headers', {})
kwargs['headers'].setdefault('Content-Type',
'application/octet-stream')
Handle create/update of images with unknown size It may not be possible to know in advance the total size of image data which is to be uploaded, for example if the data is being piped to stdin. To handle this we use HTTP Transfer-Encoding: chunked and do not set any image size headers. Various subtly different cases needed to be handled for both image-create and image-update, including: * input from named pipe * piped input of zero size * regular file of zero length Fix for bug 1056220. Change-Id: I0c7f0a64d883e058993b954a1c465c5b057f2bcf
2012-09-26 12:56:51 +00:00
if 'body' in kwargs:
if (hasattr(kwargs['body'], 'read')
Pin pep8 to 1.3.3 Standardize pep8 to 1.3.3 and cleared up any errors found by pep8 tests. Change-Id: Ib7eb97d0789556d1676ccad58b5d3364065b7d15 Signed-off-by: Chuck Short <chuck.short@canonical.com>
2012-11-21 12:03:07 -06:00
and method.lower() in ('post', 'put')):
Handle create/update of images with unknown size It may not be possible to know in advance the total size of image data which is to be uploaded, for example if the data is being piped to stdin. To handle this we use HTTP Transfer-Encoding: chunked and do not set any image size headers. Various subtly different cases needed to be handled for both image-create and image-update, including: * input from named pipe * piped input of zero size * regular file of zero length Fix for bug 1056220. Change-Id: I0c7f0a64d883e058993b954a1c465c5b057f2bcf
2012-09-26 12:56:51 +00:00
# We use 'Transfer-Encoding: chunked' because
# body size may not always be known in advance.
kwargs['headers']['Transfer-Encoding'] = 'chunked'
Refactor HTTPClient to use two request methods Rather than depend on magic, I would prefer that we explicitly call two different request methods: json_request and raw_request. The former will encode/decode request bodies to and from JSON, while the latter will not. Change-Id: I6a429a5975993f71df85df55f11c5d51c050c289
2012-05-15 10:01:47 -07:00
return self._http_request(url, method, **kwargs)
Wrap image data in iterator This is establishing the API for a future optimization. We want to be able to offer true socket-level caching, but can't do that with httplib2 right now. For now, we will just fake the optimization by returning an iterator over the image body, which happens to already be fully loaded into a string. Change-Id: I2d36e3cdd45b26d7c7c27ba050bf6a4b5765df6c
2012-07-11 19:34:28 -07:00
Implement blueprint ssl-connect-rework Use pyOpenSSL for HTTPS connections. This allows: * Neater loading of system CA files * Optional disabling of SSL compression The performance gain from disabling SSL compression is significant in cases where the image being uploaded/downloaded is in an already compressed format (eg qcow2). Related to bp ssl-connect-rework. Change-Id: I0568b6c95c5fc7b8eafdbd0284e24c453660a55a
2012-09-21 14:18:22 +00:00
class OpenSSLConnectionDelegator(object):
"""
An OpenSSL.SSL.Connection delegator.
Supplies an additional 'makefile' method which httplib requires
and is not present in OpenSSL.SSL.Connection.
SSL Certificate Validation This adds support for validation of ssl certs returned by remote servers over SSL. The --ca-file param represents the CA cert used to sign the remote server's cert. Use --insecure if the remote server is using a self-signed cert or you don't have the CA cert. Related to bp glance-client-parity Change-Id: I45253a6e2d88da599addfcc464571e62ae920166
2012-08-02 14:16:13 -07:00
Implement blueprint ssl-connect-rework Use pyOpenSSL for HTTPS connections. This allows: * Neater loading of system CA files * Optional disabling of SSL compression The performance gain from disabling SSL compression is significant in cases where the image being uploaded/downloaded is in an already compressed format (eg qcow2). Related to bp ssl-connect-rework. Change-Id: I0568b6c95c5fc7b8eafdbd0284e24c453660a55a
2012-09-21 14:18:22 +00:00
Note: Since it is not possible to inherit from OpenSSL.SSL.Connection
a delegator must be used.
SSL Certificate Validation This adds support for validation of ssl certs returned by remote servers over SSL. The --ca-file param represents the CA cert used to sign the remote server's cert. Use --insecure if the remote server is using a self-signed cert or you don't have the CA cert. Related to bp glance-client-parity Change-Id: I45253a6e2d88da599addfcc464571e62ae920166
2012-08-02 14:16:13 -07:00
"""
Implement blueprint ssl-connect-rework Use pyOpenSSL for HTTPS connections. This allows: * Neater loading of system CA files * Optional disabling of SSL compression The performance gain from disabling SSL compression is significant in cases where the image being uploaded/downloaded is in an already compressed format (eg qcow2). Related to bp ssl-connect-rework. Change-Id: I0568b6c95c5fc7b8eafdbd0284e24c453660a55a
2012-09-21 14:18:22 +00:00
def __init__(self, *args, **kwargs):
Prevent WantReadError when using https If the glance client is instantiated when the socket module has been monkey patched requests to the server can yield a WantReadError because the socket has been set to non-blocking but this is not being handled correctly. When this is the case use eventlet's GreenConnection which handles non-blocking sockets correctly. Also, for now, add a required getsockopt method to GreenConnection. This can be removed once the eventlet fix (https://bitbucket.org/eventlet/eventlet/commits/609f230) lands. Fixes bug 1157864. Change-Id: I187b69f75b8bcfe16facd41e69b1cd0490dae605
2013-03-20 18:00:39 +00:00
self.connection = Connection(*args, **kwargs)
Implement blueprint ssl-connect-rework Use pyOpenSSL for HTTPS connections. This allows: * Neater loading of system CA files * Optional disabling of SSL compression The performance gain from disabling SSL compression is significant in cases where the image being uploaded/downloaded is in an already compressed format (eg qcow2). Related to bp ssl-connect-rework. Change-Id: I0568b6c95c5fc7b8eafdbd0284e24c453660a55a
2012-09-21 14:18:22 +00:00
def __getattr__(self, name):
return getattr(self.connection, name)
SSL Certificate Validation This adds support for validation of ssl certs returned by remote servers over SSL. The --ca-file param represents the CA cert used to sign the remote server's cert. Use --insecure if the remote server is using a self-signed cert or you don't have the CA cert. Related to bp glance-client-parity Change-Id: I45253a6e2d88da599addfcc464571e62ae920166
2012-08-02 14:16:13 -07:00
Implement blueprint ssl-connect-rework Use pyOpenSSL for HTTPS connections. This allows: * Neater loading of system CA files * Optional disabling of SSL compression The performance gain from disabling SSL compression is significant in cases where the image being uploaded/downloaded is in an already compressed format (eg qcow2). Related to bp ssl-connect-rework. Change-Id: I0568b6c95c5fc7b8eafdbd0284e24c453660a55a
2012-09-21 14:18:22 +00:00
def makefile(self, *args, **kwargs):
HTTPS response issues Fixes bug 1179392 glanceclient.common.http.HTTPClient.get_connection_kwargs method explicitly sets the timeout to be a float, while struc.pack is still using LL as the format string which means 2 Long Integers. Setting format string to fL which mean a float followed by Long Integer. Also, Bad file descriptor error is caused by socket being closed to soon. Added a close() implementation to VerifiedHTTPSConnection which will remove reference to socket before returning call to base HTTPConnection.close(). This will avoid socket to be closed before response body is read. Socket will close when response close is called. Change-Id: I3a973da3b962c7572ae0f61f6996bdd1f0048339
2013-06-20 20:53:08 +00:00
# Making sure socket is closed when this file is closed
# since we now avoid closing socket on connection close
# see new close method under VerifiedHTTPSConnection
kwargs['close'] = True
Implement blueprint ssl-connect-rework Use pyOpenSSL for HTTPS connections. This allows: * Neater loading of system CA files * Optional disabling of SSL compression The performance gain from disabling SSL compression is significant in cases where the image being uploaded/downloaded is in an already compressed format (eg qcow2). Related to bp ssl-connect-rework. Change-Id: I0568b6c95c5fc7b8eafdbd0284e24c453660a55a
2012-09-21 14:18:22 +00:00
return socket._fileobject(self.connection, *args, **kwargs)
Prevent WantReadError when using https If the glance client is instantiated when the socket module has been monkey patched requests to the server can yield a WantReadError because the socket has been set to non-blocking but this is not being handled correctly. When this is the case use eventlet's GreenConnection which handles non-blocking sockets correctly. Also, for now, add a required getsockopt method to GreenConnection. This can be removed once the eventlet fix (https://bitbucket.org/eventlet/eventlet/commits/609f230) lands. Fixes bug 1157864. Change-Id: I187b69f75b8bcfe16facd41e69b1cd0490dae605
2013-03-20 18:00:39 +00:00
class VerifiedHTTPSConnection(HTTPSConnection):
Implement blueprint ssl-connect-rework Use pyOpenSSL for HTTPS connections. This allows: * Neater loading of system CA files * Optional disabling of SSL compression The performance gain from disabling SSL compression is significant in cases where the image being uploaded/downloaded is in an already compressed format (eg qcow2). Related to bp ssl-connect-rework. Change-Id: I0568b6c95c5fc7b8eafdbd0284e24c453660a55a
2012-09-21 14:18:22 +00:00
"""
Extended HTTPSConnection which uses the OpenSSL library
for enhanced SSL support.
Verify that host matches certificate When using https verify that the Common Name (CN) or the Subject Alternative Name listed in the server's certificate match the host we are connected to. Addresses LP bug 1079692. Change-Id: I24ea1511a2cbdb7c34ce72ac704d7b5e7d57cec2
2012-11-16 13:46:59 +00:00
Note: Much of this functionality can eventually be replaced
with native Python 3.3 code.
Implement blueprint ssl-connect-rework Use pyOpenSSL for HTTPS connections. This allows: * Neater loading of system CA files * Optional disabling of SSL compression The performance gain from disabling SSL compression is significant in cases where the image being uploaded/downloaded is in an already compressed format (eg qcow2). Related to bp ssl-connect-rework. Change-Id: I0568b6c95c5fc7b8eafdbd0284e24c453660a55a
2012-09-21 14:18:22 +00:00
"""
Change https port to be an optional parameter VerifiedHTTPSConnection inherits from HTTPSConnection so 'port' should be an optional argument. If not present it will be set by HTTPSConnection in the usual way: by parsing the host string (eg 'localhost:8443') or setting to the default of '443'. Addresses bug 1102944. Change-Id: I2c2cb92f824acf15b0ff54590b5614cf206b57e0
2013-01-22 11:42:42 +00:00
def __init__(self, host, port=None, key_file=None, cert_file=None,
Support --os-cacert * Rename --ca-file to --os-cacert (--ca-file deprecated for backward compatibility) * Add cacert to keystoneclient initialization to verify the keystone server certificate This aligns glanceclient with keystoneclient for option naming and the use of TLS for the keystone auth connection. It does not change the use of TLS/SSL for the glance connection. Change-Id: If8b05655aea5f3c62612d77bf947dd790f77eddf
2012-12-07 11:21:11 -06:00
cacert=None, timeout=None, insecure=False,
Implement blueprint ssl-connect-rework Use pyOpenSSL for HTTPS connections. This allows: * Neater loading of system CA files * Optional disabling of SSL compression The performance gain from disabling SSL compression is significant in cases where the image being uploaded/downloaded is in an already compressed format (eg qcow2). Related to bp ssl-connect-rework. Change-Id: I0568b6c95c5fc7b8eafdbd0284e24c453660a55a
2012-09-21 14:18:22 +00:00
ssl_compression=True):
Prevent WantReadError when using https If the glance client is instantiated when the socket module has been monkey patched requests to the server can yield a WantReadError because the socket has been set to non-blocking but this is not being handled correctly. When this is the case use eventlet's GreenConnection which handles non-blocking sockets correctly. Also, for now, add a required getsockopt method to GreenConnection. This can be removed once the eventlet fix (https://bitbucket.org/eventlet/eventlet/commits/609f230) lands. Fixes bug 1157864. Change-Id: I187b69f75b8bcfe16facd41e69b1cd0490dae605
2013-03-20 18:00:39 +00:00
HTTPSConnection.__init__(self, host, port,
key_file=key_file,
cert_file=cert_file)
SSL Certificate Validation This adds support for validation of ssl certs returned by remote servers over SSL. The --ca-file param represents the CA cert used to sign the remote server's cert. Use --insecure if the remote server is using a self-signed cert or you don't have the CA cert. Related to bp glance-client-parity Change-Id: I45253a6e2d88da599addfcc464571e62ae920166
2012-08-02 14:16:13 -07:00
self.key_file = key_file
self.cert_file = cert_file
self.timeout = timeout
self.insecure = insecure
Implement blueprint ssl-connect-rework Use pyOpenSSL for HTTPS connections. This allows: * Neater loading of system CA files * Optional disabling of SSL compression The performance gain from disabling SSL compression is significant in cases where the image being uploaded/downloaded is in an already compressed format (eg qcow2). Related to bp ssl-connect-rework. Change-Id: I0568b6c95c5fc7b8eafdbd0284e24c453660a55a
2012-09-21 14:18:22 +00:00
self.ssl_compression = ssl_compression
Support --os-cacert * Rename --ca-file to --os-cacert (--ca-file deprecated for backward compatibility) * Add cacert to keystoneclient initialization to verify the keystone server certificate This aligns glanceclient with keystoneclient for option naming and the use of TLS for the keystone auth connection. It does not change the use of TLS/SSL for the glance connection. Change-Id: If8b05655aea5f3c62612d77bf947dd790f77eddf
2012-12-07 11:21:11 -06:00
self.cacert = cacert
Implement blueprint ssl-connect-rework Use pyOpenSSL for HTTPS connections. This allows: * Neater loading of system CA files * Optional disabling of SSL compression The performance gain from disabling SSL compression is significant in cases where the image being uploaded/downloaded is in an already compressed format (eg qcow2). Related to bp ssl-connect-rework. Change-Id: I0568b6c95c5fc7b8eafdbd0284e24c453660a55a
2012-09-21 14:18:22 +00:00
self.setcontext()
SSL Certificate Validation This adds support for validation of ssl certs returned by remote servers over SSL. The --ca-file param represents the CA cert used to sign the remote server's cert. Use --insecure if the remote server is using a self-signed cert or you don't have the CA cert. Related to bp glance-client-parity Change-Id: I45253a6e2d88da599addfcc464571e62ae920166
2012-08-02 14:16:13 -07:00
Implement blueprint ssl-connect-rework Use pyOpenSSL for HTTPS connections. This allows: * Neater loading of system CA files * Optional disabling of SSL compression The performance gain from disabling SSL compression is significant in cases where the image being uploaded/downloaded is in an already compressed format (eg qcow2). Related to bp ssl-connect-rework. Change-Id: I0568b6c95c5fc7b8eafdbd0284e24c453660a55a
2012-09-21 14:18:22 +00:00
@staticmethod
Verify that host matches certificate When using https verify that the Common Name (CN) or the Subject Alternative Name listed in the server's certificate match the host we are connected to. Addresses LP bug 1079692. Change-Id: I24ea1511a2cbdb7c34ce72ac704d7b5e7d57cec2
2012-11-16 13:46:59 +00:00
def host_matches_cert(host, x509):
"""
Verify that the the x509 certificate we have received
from 'host' correctly identifies the server we are
connecting to, ie that the certificate's Common Name
or a Subject Alternative Name matches 'host'.
"""
Allow single-wildcard SSL common name matching Fix bug 1212463 Change-Id: I168601fd9847497c2261c77ce6c856bca187c6c8
2013-08-14 15:37:45 -07:00
common_name = x509.get_subject().commonName
Verify that host matches certificate When using https verify that the Common Name (CN) or the Subject Alternative Name listed in the server's certificate match the host we are connected to. Addresses LP bug 1079692. Change-Id: I24ea1511a2cbdb7c34ce72ac704d7b5e7d57cec2
2012-11-16 13:46:59 +00:00
# First see if we can match the CN
Allow single-wildcard SSL common name matching Fix bug 1212463 Change-Id: I168601fd9847497c2261c77ce6c856bca187c6c8
2013-08-14 15:37:45 -07:00
if common_name == host:
Verify that host matches certificate When using https verify that the Common Name (CN) or the Subject Alternative Name listed in the server's certificate match the host we are connected to. Addresses LP bug 1079692. Change-Id: I24ea1511a2cbdb7c34ce72ac704d7b5e7d57cec2
2012-11-16 13:46:59 +00:00
return True
Allow single-wildcard SSL common name matching Fix bug 1212463 Change-Id: I168601fd9847497c2261c77ce6c856bca187c6c8
2013-08-14 15:37:45 -07:00
# Support single wildcard matching
if common_name.startswith('*.') and host.find('.') > 0:
if common_name[2:] == host.split('.', 1)[1]:
return True
Verify that host matches certificate When using https verify that the Common Name (CN) or the Subject Alternative Name listed in the server's certificate match the host we are connected to. Addresses LP bug 1079692. Change-Id: I24ea1511a2cbdb7c34ce72ac704d7b5e7d57cec2
2012-11-16 13:46:59 +00:00
# Also try Subject Alternative Names for a match
san_list = None
for i in xrange(x509.get_extension_count()):
ext = x509.get_extension(i)
if ext.get_short_name() == 'subjectAltName':
san_list = str(ext)
for san in ''.join(san_list.split()).split(','):
if san == "DNS:%s" % host:
return True
# Server certificate does not match host
msg = ('Host "%s" does not match x509 certificate contents: '
Allow single-wildcard SSL common name matching Fix bug 1212463 Change-Id: I168601fd9847497c2261c77ce6c856bca187c6c8
2013-08-14 15:37:45 -07:00
'CommonName "%s"' % (host, common_name))
Verify that host matches certificate When using https verify that the Common Name (CN) or the Subject Alternative Name listed in the server's certificate match the host we are connected to. Addresses LP bug 1079692. Change-Id: I24ea1511a2cbdb7c34ce72ac704d7b5e7d57cec2
2012-11-16 13:46:59 +00:00
if san_list is not None:
msg = msg + ', subjectAltName "%s"' % san_list
raise exc.SSLCertificateError(msg)
def verify_callback(self, connection, x509, errnum,
depth, preverify_ok):
Fix SSL certificate CNAME checking Currently, accessing a host via ip address will pass SSL verification; the CNAME is not checked as intended as part of verify_callback. 'preverify_ok is True' will always return false (int/bool comparison). preverify_ok will be 1 if preverification has passed. Fixes bug 1192229 Change-Id: Ib651548ab4289295a9b92ee039b2aff2d08aba5f
2013-06-18 15:34:45 +00:00
# NOTE(leaman): preverify_ok may be a non-boolean type
preverify_ok = bool(preverify_ok)
Verify that host matches certificate When using https verify that the Common Name (CN) or the Subject Alternative Name listed in the server's certificate match the host we are connected to. Addresses LP bug 1079692. Change-Id: I24ea1511a2cbdb7c34ce72ac704d7b5e7d57cec2
2012-11-16 13:46:59 +00:00
if x509.has_expired():
msg = "SSL Certificate expired on '%s'" % x509.get_notAfter()
raise exc.SSLCertificateError(msg)
Fix SSL certificate CNAME checking Currently, accessing a host via ip address will pass SSL verification; the CNAME is not checked as intended as part of verify_callback. 'preverify_ok is True' will always return false (int/bool comparison). preverify_ok will be 1 if preverification has passed. Fixes bug 1192229 Change-Id: Ib651548ab4289295a9b92ee039b2aff2d08aba5f
2013-06-18 15:34:45 +00:00
if depth == 0 and preverify_ok:
Verify that host matches certificate When using https verify that the Common Name (CN) or the Subject Alternative Name listed in the server's certificate match the host we are connected to. Addresses LP bug 1079692. Change-Id: I24ea1511a2cbdb7c34ce72ac704d7b5e7d57cec2
2012-11-16 13:46:59 +00:00
# We verify that the host matches against the last
# certificate in the chain
return self.host_matches_cert(self.host, x509)
else:
# Pass through OpenSSL's default result
return preverify_ok
SSL Certificate Validation This adds support for validation of ssl certs returned by remote servers over SSL. The --ca-file param represents the CA cert used to sign the remote server's cert. Use --insecure if the remote server is using a self-signed cert or you don't have the CA cert. Related to bp glance-client-parity Change-Id: I45253a6e2d88da599addfcc464571e62ae920166
2012-08-02 14:16:13 -07:00
Implement blueprint ssl-connect-rework Use pyOpenSSL for HTTPS connections. This allows: * Neater loading of system CA files * Optional disabling of SSL compression The performance gain from disabling SSL compression is significant in cases where the image being uploaded/downloaded is in an already compressed format (eg qcow2). Related to bp ssl-connect-rework. Change-Id: I0568b6c95c5fc7b8eafdbd0284e24c453660a55a
2012-09-21 14:18:22 +00:00
def setcontext(self):
SSL Certificate Validation This adds support for validation of ssl certs returned by remote servers over SSL. The --ca-file param represents the CA cert used to sign the remote server's cert. Use --insecure if the remote server is using a self-signed cert or you don't have the CA cert. Related to bp glance-client-parity Change-Id: I45253a6e2d88da599addfcc464571e62ae920166
2012-08-02 14:16:13 -07:00
"""
Implement blueprint ssl-connect-rework Use pyOpenSSL for HTTPS connections. This allows: * Neater loading of system CA files * Optional disabling of SSL compression The performance gain from disabling SSL compression is significant in cases where the image being uploaded/downloaded is in an already compressed format (eg qcow2). Related to bp ssl-connect-rework. Change-Id: I0568b6c95c5fc7b8eafdbd0284e24c453660a55a
2012-09-21 14:18:22 +00:00
Set up the OpenSSL context.
"""
self.context = OpenSSL.SSL.Context(OpenSSL.SSL.SSLv23_METHOD)
SSL Certificate Validation This adds support for validation of ssl certs returned by remote servers over SSL. The --ca-file param represents the CA cert used to sign the remote server's cert. Use --insecure if the remote server is using a self-signed cert or you don't have the CA cert. Related to bp glance-client-parity Change-Id: I45253a6e2d88da599addfcc464571e62ae920166
2012-08-02 14:16:13 -07:00
Implement blueprint ssl-connect-rework Use pyOpenSSL for HTTPS connections. This allows: * Neater loading of system CA files * Optional disabling of SSL compression The performance gain from disabling SSL compression is significant in cases where the image being uploaded/downloaded is in an already compressed format (eg qcow2). Related to bp ssl-connect-rework. Change-Id: I0568b6c95c5fc7b8eafdbd0284e24c453660a55a
2012-09-21 14:18:22 +00:00
if self.ssl_compression is False:
self.context.set_options(0x20000) # SSL_OP_NO_COMPRESSION
SSL Certificate Validation This adds support for validation of ssl certs returned by remote servers over SSL. The --ca-file param represents the CA cert used to sign the remote server's cert. Use --insecure if the remote server is using a self-signed cert or you don't have the CA cert. Related to bp glance-client-parity Change-Id: I45253a6e2d88da599addfcc464571e62ae920166
2012-08-02 14:16:13 -07:00
Implement blueprint ssl-connect-rework Use pyOpenSSL for HTTPS connections. This allows: * Neater loading of system CA files * Optional disabling of SSL compression The performance gain from disabling SSL compression is significant in cases where the image being uploaded/downloaded is in an already compressed format (eg qcow2). Related to bp ssl-connect-rework. Change-Id: I0568b6c95c5fc7b8eafdbd0284e24c453660a55a
2012-09-21 14:18:22 +00:00
if self.insecure is not True:
self.context.set_verify(OpenSSL.SSL.VERIFY_PEER,
self.verify_callback)
SSL Certificate Validation This adds support for validation of ssl certs returned by remote servers over SSL. The --ca-file param represents the CA cert used to sign the remote server's cert. Use --insecure if the remote server is using a self-signed cert or you don't have the CA cert. Related to bp glance-client-parity Change-Id: I45253a6e2d88da599addfcc464571e62ae920166
2012-08-02 14:16:13 -07:00
else:
Implement blueprint ssl-connect-rework Use pyOpenSSL for HTTPS connections. This allows: * Neater loading of system CA files * Optional disabling of SSL compression The performance gain from disabling SSL compression is significant in cases where the image being uploaded/downloaded is in an already compressed format (eg qcow2). Related to bp ssl-connect-rework. Change-Id: I0568b6c95c5fc7b8eafdbd0284e24c453660a55a
2012-09-21 14:18:22 +00:00
self.context.set_verify(OpenSSL.SSL.VERIFY_NONE,
Make effective ssl callback behaviour more obvious When using 'insecure' no callback is executed. Make it more obvious that the set_verify callback won't be called by replacing it with a lambda. Fixes bug 1112361. Change-Id: Ib5d43a8883f7ed76383971d8154e2111f5ab2869
2013-02-01 10:02:01 +00:00
lambda *args: True)
SSL Certificate Validation This adds support for validation of ssl certs returned by remote servers over SSL. The --ca-file param represents the CA cert used to sign the remote server's cert. Use --insecure if the remote server is using a self-signed cert or you don't have the CA cert. Related to bp glance-client-parity Change-Id: I45253a6e2d88da599addfcc464571e62ae920166
2012-08-02 14:16:13 -07:00
Client-side SSL Connection This allows a user to pass a cert and a key to use in HTTPS connections. The flags --cert-file and --key-file are added to the CLI. Addiionally, update the debug curl logging to print --cacert and -k when ca_file and insecure are set. Related to bp glance-client-parity. Change-Id: Ibaea51419a903afb7939a6b5b848f7a6667893bf
2012-08-02 15:30:50 -07:00
if self.cert_file:
Implement blueprint ssl-connect-rework Use pyOpenSSL for HTTPS connections. This allows: * Neater loading of system CA files * Optional disabling of SSL compression The performance gain from disabling SSL compression is significant in cases where the image being uploaded/downloaded is in an already compressed format (eg qcow2). Related to bp ssl-connect-rework. Change-Id: I0568b6c95c5fc7b8eafdbd0284e24c453660a55a
2012-09-21 14:18:22 +00:00
try:
self.context.use_certificate_file(self.cert_file)
Improve Python 3.x compatibility Some mechanical translation of the deprecated except x,y construct. Should work with Python >= 2.6 just fine Change-Id: I394f9956b9e3e3d9f5f1e9ad50c35b13200af2a1
2013-04-22 16:38:55 +02:00
except Exception as e:
Implement blueprint ssl-connect-rework Use pyOpenSSL for HTTPS connections. This allows: * Neater loading of system CA files * Optional disabling of SSL compression The performance gain from disabling SSL compression is significant in cases where the image being uploaded/downloaded is in an already compressed format (eg qcow2). Related to bp ssl-connect-rework. Change-Id: I0568b6c95c5fc7b8eafdbd0284e24c453660a55a
2012-09-21 14:18:22 +00:00
msg = 'Unable to load cert from "%s" %s' % (self.cert_file, e)
raise exc.SSLConfigurationError(msg)
if self.key_file is None:
# We support having key and cert in same file
try:
self.context.use_privatekey_file(self.cert_file)
Improve Python 3.x compatibility Some mechanical translation of the deprecated except x,y construct. Should work with Python >= 2.6 just fine Change-Id: I394f9956b9e3e3d9f5f1e9ad50c35b13200af2a1
2013-04-22 16:38:55 +02:00
except Exception as e:
Implement blueprint ssl-connect-rework Use pyOpenSSL for HTTPS connections. This allows: * Neater loading of system CA files * Optional disabling of SSL compression The performance gain from disabling SSL compression is significant in cases where the image being uploaded/downloaded is in an already compressed format (eg qcow2). Related to bp ssl-connect-rework. Change-Id: I0568b6c95c5fc7b8eafdbd0284e24c453660a55a
2012-09-21 14:18:22 +00:00
msg = ('No key file specified and unable to load key '
'from "%s" %s' % (self.cert_file, e))
raise exc.SSLConfigurationError(msg)
if self.key_file:
try:
self.context.use_privatekey_file(self.key_file)
Improve Python 3.x compatibility Some mechanical translation of the deprecated except x,y construct. Should work with Python >= 2.6 just fine Change-Id: I394f9956b9e3e3d9f5f1e9ad50c35b13200af2a1
2013-04-22 16:38:55 +02:00
except Exception as e:
Implement blueprint ssl-connect-rework Use pyOpenSSL for HTTPS connections. This allows: * Neater loading of system CA files * Optional disabling of SSL compression The performance gain from disabling SSL compression is significant in cases where the image being uploaded/downloaded is in an already compressed format (eg qcow2). Related to bp ssl-connect-rework. Change-Id: I0568b6c95c5fc7b8eafdbd0284e24c453660a55a
2012-09-21 14:18:22 +00:00
msg = 'Unable to load key from "%s" %s' % (self.key_file, e)
raise exc.SSLConfigurationError(msg)
Client-side SSL Connection This allows a user to pass a cert and a key to use in HTTPS connections. The flags --cert-file and --key-file are added to the CLI. Addiionally, update the debug curl logging to print --cacert and -k when ca_file and insecure are set. Related to bp glance-client-parity. Change-Id: Ibaea51419a903afb7939a6b5b848f7a6667893bf
2012-08-02 15:30:50 -07:00
Support --os-cacert * Rename --ca-file to --os-cacert (--ca-file deprecated for backward compatibility) * Add cacert to keystoneclient initialization to verify the keystone server certificate This aligns glanceclient with keystoneclient for option naming and the use of TLS for the keystone auth connection. It does not change the use of TLS/SSL for the glance connection. Change-Id: If8b05655aea5f3c62612d77bf947dd790f77eddf
2012-12-07 11:21:11 -06:00
if self.cacert:
Implement blueprint ssl-connect-rework Use pyOpenSSL for HTTPS connections. This allows: * Neater loading of system CA files * Optional disabling of SSL compression The performance gain from disabling SSL compression is significant in cases where the image being uploaded/downloaded is in an already compressed format (eg qcow2). Related to bp ssl-connect-rework. Change-Id: I0568b6c95c5fc7b8eafdbd0284e24c453660a55a
2012-09-21 14:18:22 +00:00
try:
Support --os-cacert * Rename --ca-file to --os-cacert (--ca-file deprecated for backward compatibility) * Add cacert to keystoneclient initialization to verify the keystone server certificate This aligns glanceclient with keystoneclient for option naming and the use of TLS for the keystone auth connection. It does not change the use of TLS/SSL for the glance connection. Change-Id: If8b05655aea5f3c62612d77bf947dd790f77eddf
2012-12-07 11:21:11 -06:00
self.context.load_verify_locations(self.cacert)
Improve Python 3.x compatibility Some mechanical translation of the deprecated except x,y construct. Should work with Python >= 2.6 just fine Change-Id: I394f9956b9e3e3d9f5f1e9ad50c35b13200af2a1
2013-04-22 16:38:55 +02:00
except Exception as e:
Support --os-cacert * Rename --ca-file to --os-cacert (--ca-file deprecated for backward compatibility) * Add cacert to keystoneclient initialization to verify the keystone server certificate This aligns glanceclient with keystoneclient for option naming and the use of TLS for the keystone auth connection. It does not change the use of TLS/SSL for the glance connection. Change-Id: If8b05655aea5f3c62612d77bf947dd790f77eddf
2012-12-07 11:21:11 -06:00
msg = 'Unable to load CA from "%s"' % (self.cacert, e)
Implement blueprint ssl-connect-rework Use pyOpenSSL for HTTPS connections. This allows: * Neater loading of system CA files * Optional disabling of SSL compression The performance gain from disabling SSL compression is significant in cases where the image being uploaded/downloaded is in an already compressed format (eg qcow2). Related to bp ssl-connect-rework. Change-Id: I0568b6c95c5fc7b8eafdbd0284e24c453660a55a
2012-09-21 14:18:22 +00:00
raise exc.SSLConfigurationError(msg)
else:
self.context.set_default_verify_paths()
SSL Certificate Validation This adds support for validation of ssl certs returned by remote servers over SSL. The --ca-file param represents the CA cert used to sign the remote server's cert. Use --insecure if the remote server is using a self-signed cert or you don't have the CA cert. Related to bp glance-client-parity Change-Id: I45253a6e2d88da599addfcc464571e62ae920166
2012-08-02 14:16:13 -07:00
Implement blueprint ssl-connect-rework Use pyOpenSSL for HTTPS connections. This allows: * Neater loading of system CA files * Optional disabling of SSL compression The performance gain from disabling SSL compression is significant in cases where the image being uploaded/downloaded is in an already compressed format (eg qcow2). Related to bp ssl-connect-rework. Change-Id: I0568b6c95c5fc7b8eafdbd0284e24c453660a55a
2012-09-21 14:18:22 +00:00
def connect(self):
"""
Connect to an SSL port using the OpenSSL library and apply
per-connection parameters.
"""
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if self.timeout is not None:
# '0' microseconds
sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVTIMEO,
HTTPS response issues Fixes bug 1179392 glanceclient.common.http.HTTPClient.get_connection_kwargs method explicitly sets the timeout to be a float, while struc.pack is still using LL as the format string which means 2 Long Integers. Setting format string to fL which mean a float followed by Long Integer. Also, Bad file descriptor error is caused by socket being closed to soon. Added a close() implementation to VerifiedHTTPSConnection which will remove reference to socket before returning call to base HTTPConnection.close(). This will avoid socket to be closed before response body is read. Socket will close when response close is called. Change-Id: I3a973da3b962c7572ae0f61f6996bdd1f0048339
2013-06-20 20:53:08 +00:00
struct.pack('fL', self.timeout, 0))
Implement blueprint ssl-connect-rework Use pyOpenSSL for HTTPS connections. This allows: * Neater loading of system CA files * Optional disabling of SSL compression The performance gain from disabling SSL compression is significant in cases where the image being uploaded/downloaded is in an already compressed format (eg qcow2). Related to bp ssl-connect-rework. Change-Id: I0568b6c95c5fc7b8eafdbd0284e24c453660a55a
2012-09-21 14:18:22 +00:00
self.sock = OpenSSLConnectionDelegator(self.context, sock)
self.sock.connect((self.host, self.port))
Use system CA certificate file When SSL is being used and the --ca-file option is not specified use an available system CA file to verify the server's certificate. Change-Id: Id5c9fda6fd9bd05cde3c2a9160a6e72cef086a44
2012-08-10 18:32:07 +00:00
HTTPS response issues Fixes bug 1179392 glanceclient.common.http.HTTPClient.get_connection_kwargs method explicitly sets the timeout to be a float, while struc.pack is still using LL as the format string which means 2 Long Integers. Setting format string to fL which mean a float followed by Long Integer. Also, Bad file descriptor error is caused by socket being closed to soon. Added a close() implementation to VerifiedHTTPSConnection which will remove reference to socket before returning call to base HTTPConnection.close(). This will avoid socket to be closed before response body is read. Socket will close when response close is called. Change-Id: I3a973da3b962c7572ae0f61f6996bdd1f0048339
2013-06-20 20:53:08 +00:00
def close(self):
if self.sock:
# Removing reference to socket but don't close it yet.
# Response close will close both socket and associated
# file. Closing socket too soon will cause response
# reads to fail with socket IO error 'Bad file descriptor'.
self.sock = None
# Calling close on HTTPConnection to continue doing that cleanup.
HTTPSConnection.close(self)
SSL Certificate Validation This adds support for validation of ssl certs returned by remote servers over SSL. The --ca-file param represents the CA cert used to sign the remote server's cert. Use --insecure if the remote server is using a self-signed cert or you don't have the CA cert. Related to bp glance-client-parity Change-Id: I45253a6e2d88da599addfcc464571e62ae920166
2012-08-02 14:16:13 -07:00
Wrap image data in iterator This is establishing the API for a future optimization. We want to be able to offer true socket-level caching, but can't do that with httplib2 right now. For now, we will just fake the optimization by returning an iterator over the image body, which happens to already be fully loaded into a string. Change-Id: I2d36e3cdd45b26d7c7c27ba050bf6a4b5765df6c
2012-07-11 19:34:28 -07:00
class ResponseBodyIterator(object):
Show a pretty progressbar when uploading and downloading an image. Add a new module that contain generic wrapper for file and iterator, which are used to wrap image to upload and the request body iterator in upload and download cases repectively, to show and advance a pretty progress bar when this laters are consumed, The progress bar is triggered by adding a --progress command line argument to commands: image-create, image-download or image-update. Change-Id: I2ba42fd0c58f4fa087adb568ec3f08246cae3759 bug fix: LP#1112309 blueprint: progressbar-when-uploading
2013-07-08 21:18:16 +02:00
"""
A class that acts as an iterator over an HTTP response.
This class will also check response body integrity when iterating over
the instance and if a checksum was supplied using `set_checksum` method,
else by default the class will not do any integrity check.
"""
Wrap image data in iterator This is establishing the API for a future optimization. We want to be able to offer true socket-level caching, but can't do that with httplib2 right now. For now, we will just fake the optimization by returning an iterator over the image body, which happens to already be fully loaded into a string. Change-Id: I2d36e3cdd45b26d7c7c27ba050bf6a4b5765df6c
2012-07-11 19:34:28 -07:00
def __init__(self, resp):
Show a pretty progressbar when uploading and downloading an image. Add a new module that contain generic wrapper for file and iterator, which are used to wrap image to upload and the request body iterator in upload and download cases repectively, to show and advance a pretty progress bar when this laters are consumed, The progress bar is triggered by adding a --progress command line argument to commands: image-create, image-download or image-update. Change-Id: I2ba42fd0c58f4fa087adb568ec3f08246cae3759 bug fix: LP#1112309 blueprint: progressbar-when-uploading
2013-07-08 21:18:16 +02:00
self._resp = resp
self._checksum = None
self._size = int(resp.getheader('content-length', 0))
self._end_reached = False
def set_checksum(self, checksum):
"""
Set checksum to check against when iterating over this instance.
:raise: AttributeError if iterator is already consumed.
"""
if self._end_reached:
raise AttributeError("Can't set checksum for an already consumed"
" iterator")
self._checksum = checksum
def __len__(self):
return int(self._size)
Wrap image data in iterator This is establishing the API for a future optimization. We want to be able to offer true socket-level caching, but can't do that with httplib2 right now. For now, we will just fake the optimization by returning an iterator over the image body, which happens to already be fully loaded into a string. Change-Id: I2d36e3cdd45b26d7c7c27ba050bf6a4b5765df6c
2012-07-11 19:34:28 -07:00
def __iter__(self):
Show a pretty progressbar when uploading and downloading an image. Add a new module that contain generic wrapper for file and iterator, which are used to wrap image to upload and the request body iterator in upload and download cases repectively, to show and advance a pretty progress bar when this laters are consumed, The progress bar is triggered by adding a --progress command line argument to commands: image-create, image-download or image-update. Change-Id: I2ba42fd0c58f4fa087adb568ec3f08246cae3759 bug fix: LP#1112309 blueprint: progressbar-when-uploading
2013-07-08 21:18:16 +02:00
md5sum = hashlib.md5()
Wrap image data in iterator This is establishing the API for a future optimization. We want to be able to offer true socket-level caching, but can't do that with httplib2 right now. For now, we will just fake the optimization by returning an iterator over the image body, which happens to already be fully loaded into a string. Change-Id: I2d36e3cdd45b26d7c7c27ba050bf6a4b5765df6c
2012-07-11 19:34:28 -07:00
while True:
Show a pretty progressbar when uploading and downloading an image. Add a new module that contain generic wrapper for file and iterator, which are used to wrap image to upload and the request body iterator in upload and download cases repectively, to show and advance a pretty progress bar when this laters are consumed, The progress bar is triggered by adding a --progress command line argument to commands: image-create, image-download or image-update. Change-Id: I2ba42fd0c58f4fa087adb568ec3f08246cae3759 bug fix: LP#1112309 blueprint: progressbar-when-uploading
2013-07-08 21:18:16 +02:00
try:
chunk = self.next()
except StopIteration:
self._end_reached = True
# NOTE(mouad): Check image integrity when the end of response
# body is reached.
md5sum = md5sum.hexdigest()
if self._checksum is not None and md5sum != self._checksum:
raise IOError(errno.EPIPE,
'Corrupted image. Checksum was %s '
'expected %s' % (md5sum, self._checksum))
raise
else:
yield chunk
md5sum.update(chunk)
Wrap image data in iterator This is establishing the API for a future optimization. We want to be able to offer true socket-level caching, but can't do that with httplib2 right now. For now, we will just fake the optimization by returning an iterator over the image body, which happens to already be fully loaded into a string. Change-Id: I2d36e3cdd45b26d7c7c27ba050bf6a4b5765df6c
2012-07-11 19:34:28 -07:00
def next(self):
Show a pretty progressbar when uploading and downloading an image. Add a new module that contain generic wrapper for file and iterator, which are used to wrap image to upload and the request body iterator in upload and download cases repectively, to show and advance a pretty progress bar when this laters are consumed, The progress bar is triggered by adding a --progress command line argument to commands: image-create, image-download or image-update. Change-Id: I2ba42fd0c58f4fa087adb568ec3f08246cae3759 bug fix: LP#1112309 blueprint: progressbar-when-uploading
2013-07-08 21:18:16 +02:00
chunk = self._resp.read(CHUNKSIZE)
Wrap image data in iterator This is establishing the API for a future optimization. We want to be able to offer true socket-level caching, but can't do that with httplib2 right now. For now, we will just fake the optimization by returning an iterator over the image body, which happens to already be fully loaded into a string. Change-Id: I2d36e3cdd45b26d7c7c27ba050bf6a4b5765df6c
2012-07-11 19:34:28 -07:00
if chunk:
return chunk
else:
raise StopIteration()
Copy Permalink