Support --os-cacert
* Rename --ca-file to --os-cacert (--ca-file deprecated for backward compatibility) * Add cacert to keystoneclient initialization to verify the keystone server certificate This aligns glanceclient with keystoneclient for option naming and the use of TLS for the keystone auth connection. It does not change the use of TLS/SSL for the glance connection. Change-Id: If8b05655aea5f3c62612d77bf947dd790f77eddf
This commit is contained in:
Dean Troyer
committed by
Brian Waldon
Brian Waldon
parent
2500e69b22
commit
4781da7007
@@ -74,7 +74,7 @@ class HTTPClient(object):
|
||||
_kwargs = {'timeout': float(kwargs.get('timeout', 600))}
|
||||
|
||||
if scheme == 'https':
|
||||
_kwargs['ca_file'] = kwargs.get('ca_file', None)
|
||||
_kwargs['cacert'] = kwargs.get('cacert', None)
|
||||
_kwargs['cert_file'] = kwargs.get('cert_file', None)
|
||||
_kwargs['key_file'] = kwargs.get('key_file', None)
|
||||
_kwargs['insecure'] = kwargs.get('insecure', False)
|
||||
@@ -100,7 +100,7 @@ class HTTPClient(object):
|
||||
conn_params_fmt = [
|
||||
('key_file', '--key %s'),
|
||||
('cert_file', '--cert %s'),
|
||||
('ca_file', '--cacert %s'),
|
||||
('cacert', '--cacert %s'),
|
||||
]
|
||||
for (key, fmt) in conn_params_fmt:
|
||||
value = self.connection_kwargs.get(key)
|
||||
@@ -247,7 +247,7 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection):
|
||||
with native Python 3.3 code.
|
||||
"""
|
||||
def __init__(self, host, port, key_file=None, cert_file=None,
|
||||
ca_file=None, timeout=None, insecure=False,
|
||||
cacert=None, timeout=None, insecure=False,
|
||||
ssl_compression=True):
|
||||
httplib.HTTPSConnection.__init__(self, host, port,
|
||||
key_file=key_file,
|
||||
@@ -257,7 +257,7 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection):
|
||||
self.timeout = timeout
|
||||
self.insecure = insecure
|
||||
self.ssl_compression = ssl_compression
|
||||
self.ca_file = ca_file
|
||||
self.cacert = cacert
|
||||
self.setcontext()
|
||||
|
||||
@staticmethod
|
||||
@@ -341,11 +341,11 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection):
|
||||
msg = 'Unable to load key from "%s" %s' % (self.key_file, e)
|
||||
raise exc.SSLConfigurationError(msg)
|
||||
|
||||
if self.ca_file:
|
||||
if self.cacert:
|
||||
try:
|
||||
self.context.load_verify_locations(self.ca_file)
|
||||
self.context.load_verify_locations(self.cacert)
|
||||
except Exception, e:
|
||||
msg = 'Unable to load CA from "%s"' % (self.ca_file, e)
|
||||
msg = 'Unable to load CA from "%s"' % (self.cacert, e)
|
||||
raise exc.SSLConfigurationError(msg)
|
||||
else:
|
||||
self.context.set_default_verify_paths()
|
||||
|
||||
@@ -79,11 +79,17 @@ class OpenStackImagesShell(object):
|
||||
'connection. This option is not necessary '
|
||||
'if your key is prepended to your cert file.')
|
||||
|
||||
parser.add_argument('--ca-file',
|
||||
help='Path of CA SSL certificate(s) used to verify'
|
||||
parser.add_argument('--os-cacert',
|
||||
metavar='<ca-certificate-file>',
|
||||
dest='os_cacert',
|
||||
default=utils.env('OS_CACERT'),
|
||||
help='Path of CA TLS certificate(s) used to verify'
|
||||
'the remote server\'s certificate. Without this '
|
||||
'option glance looks for the default system '
|
||||
'CA certificates.')
|
||||
parser.add_argument('--ca-file',
|
||||
dest='os_cacert',
|
||||
help='DEPRECATED! Use --os-cacert.')
|
||||
|
||||
parser.add_argument('--timeout',
|
||||
default=600,
|
||||
@@ -314,6 +320,7 @@ class OpenStackImagesShell(object):
|
||||
tenant_id=kwargs.get('tenant_id'),
|
||||
tenant_name=kwargs.get('tenant_name'),
|
||||
auth_url=kwargs.get('auth_url'),
|
||||
cacert=kwargs.get('cacert'),
|
||||
insecure=kwargs.get('insecure'))
|
||||
|
||||
def _get_endpoint(self, client, **kwargs):
|
||||
@@ -407,6 +414,7 @@ class OpenStackImagesShell(object):
|
||||
'auth_url': args.os_auth_url,
|
||||
'service_type': args.os_service_type,
|
||||
'endpoint_type': args.os_endpoint_type,
|
||||
'cacert': args.os_cacert,
|
||||
'insecure': args.insecure,
|
||||
'region_name': args.os_region_name,
|
||||
}
|
||||
@@ -420,7 +428,7 @@ class OpenStackImagesShell(object):
|
||||
'token': token,
|
||||
'insecure': args.insecure,
|
||||
'timeout': args.timeout,
|
||||
'ca_file': args.ca_file,
|
||||
'cacert': args.os_cacert,
|
||||
'cert_file': args.cert_file,
|
||||
'key_file': args.key_file,
|
||||
'ssl_compression': args.ssl_compression
|
||||
|
||||
@@ -33,12 +33,12 @@ class TestVerifiedHTTPSConnection(unittest.TestCase):
|
||||
"""
|
||||
key_file = os.path.join(TEST_VAR_DIR, 'privatekey.key')
|
||||
cert_file = os.path.join(TEST_VAR_DIR, 'certificate.crt')
|
||||
ca_file = os.path.join(TEST_VAR_DIR, 'ca.crt')
|
||||
cacert = os.path.join(TEST_VAR_DIR, 'ca.crt')
|
||||
try:
|
||||
conn = http.VerifiedHTTPSConnection('127.0.0.1', 0,
|
||||
key_file=key_file,
|
||||
cert_file=cert_file,
|
||||
ca_file=ca_file)
|
||||
cacert=cacert)
|
||||
except exc.SSLConfigurationError:
|
||||
self.fail('Failed to init VerifiedHTTPSConnection.')
|
||||
|
||||
@@ -47,11 +47,11 @@ class TestVerifiedHTTPSConnection(unittest.TestCase):
|
||||
Test VerifiedHTTPSConnection: absense of SSL key file.
|
||||
"""
|
||||
cert_file = os.path.join(TEST_VAR_DIR, 'certificate.crt')
|
||||
ca_file = os.path.join(TEST_VAR_DIR, 'ca.crt')
|
||||
cacert = os.path.join(TEST_VAR_DIR, 'ca.crt')
|
||||
try:
|
||||
conn = http.VerifiedHTTPSConnection('127.0.0.1', 0,
|
||||
cert_file=cert_file,
|
||||
ca_file=ca_file)
|
||||
cacert=cacert)
|
||||
self.fail('Failed to raise assertion.')
|
||||
except exc.SSLConfigurationError:
|
||||
pass
|
||||
@@ -61,11 +61,11 @@ class TestVerifiedHTTPSConnection(unittest.TestCase):
|
||||
Test VerifiedHTTPSConnection: absense of SSL cert file.
|
||||
"""
|
||||
key_file = os.path.join(TEST_VAR_DIR, 'privatekey.key')
|
||||
ca_file = os.path.join(TEST_VAR_DIR, 'ca.crt')
|
||||
cacert = os.path.join(TEST_VAR_DIR, 'ca.crt')
|
||||
try:
|
||||
conn = http.VerifiedHTTPSConnection('127.0.0.1', 0,
|
||||
key_file=key_file,
|
||||
ca_file=ca_file)
|
||||
cacert=cacert)
|
||||
except:
|
||||
self.fail('Failed to init VerifiedHTTPSConnection.')
|
||||
|
||||
@@ -75,11 +75,11 @@ class TestVerifiedHTTPSConnection(unittest.TestCase):
|
||||
"""
|
||||
key_file = os.path.join(TEST_VAR_DIR, 'badkey.key')
|
||||
cert_file = os.path.join(TEST_VAR_DIR, 'certificate.crt')
|
||||
ca_file = os.path.join(TEST_VAR_DIR, 'ca.crt')
|
||||
cacert = os.path.join(TEST_VAR_DIR, 'ca.crt')
|
||||
try:
|
||||
conn = http.VerifiedHTTPSConnection('127.0.0.1', 0,
|
||||
cert_file=cert_file,
|
||||
ca_file=ca_file)
|
||||
cacert=cacert)
|
||||
self.fail('Failed to raise assertion.')
|
||||
except exc.SSLConfigurationError:
|
||||
pass
|
||||
@@ -90,11 +90,11 @@ class TestVerifiedHTTPSConnection(unittest.TestCase):
|
||||
"""
|
||||
key_file = os.path.join(TEST_VAR_DIR, 'privatekey.key')
|
||||
cert_file = os.path.join(TEST_VAR_DIR, 'badcert.crt')
|
||||
ca_file = os.path.join(TEST_VAR_DIR, 'ca.crt')
|
||||
cacert = os.path.join(TEST_VAR_DIR, 'ca.crt')
|
||||
try:
|
||||
conn = http.VerifiedHTTPSConnection('127.0.0.1', 0,
|
||||
cert_file=cert_file,
|
||||
ca_file=ca_file)
|
||||
cacert=cacert)
|
||||
self.fail('Failed to raise assertion.')
|
||||
except exc.SSLConfigurationError:
|
||||
pass
|
||||
@@ -105,11 +105,11 @@ class TestVerifiedHTTPSConnection(unittest.TestCase):
|
||||
"""
|
||||
key_file = os.path.join(TEST_VAR_DIR, 'privatekey.key')
|
||||
cert_file = os.path.join(TEST_VAR_DIR, 'certificate.crt')
|
||||
ca_file = os.path.join(TEST_VAR_DIR, 'badca.crt')
|
||||
cacert = os.path.join(TEST_VAR_DIR, 'badca.crt')
|
||||
try:
|
||||
conn = http.VerifiedHTTPSConnection('127.0.0.1', 0,
|
||||
cert_file=cert_file,
|
||||
ca_file=ca_file)
|
||||
cacert=cacert)
|
||||
self.fail('Failed to raise assertion.')
|
||||
except exc.SSLConfigurationError:
|
||||
pass
|
||||
|
||||
Reference in New Issue
Block a user