From 4781da7007b69e63b18083ea58d46316201c6477 Mon Sep 17 00:00:00 2001
From: Dean Troyer
Date: Fri, 7 Dec 2012 11:21:11 -0600
Subject: [PATCH] Support --os-cacert

* Rename --ca-file to --os-cacert (--ca-file deprecated for backward compatibility)
* Add cacert to keystoneclient initialization to verify the keystone server certificate

This aligns glanceclient with keystoneclient for option naming and the use of TLS for the keystone auth connection. It does not change the use of TLS/SSL for the glance connection.

Change-Id: If8b05655aea5f3c62612d77bf947dd790f77eddf
---
 glanceclient/common/http.py | 14 +++++++-------
 glanceclient/shell.py | 14 +++++++++++---
 tests/test_ssl.py | 24 ++++++++++++------------
 3 files changed, 30 insertions(+), 22 deletions(-)

diff --git a/glanceclient/common/http.py b/glanceclient/common/http.py
index 2f35dac4..f905b0d3 100644
--- a/glanceclient/common/http.py
+++ b/glanceclient/common/http.py
@@ -74,7 +74,7 @@ class HTTPClient(object):
         _kwargs = {'timeout': float(kwargs.get('timeout', 600))}
 
         if scheme == 'https':
-            _kwargs['ca_file'] = kwargs.get('ca_file', None)
+            _kwargs['cacert'] = kwargs.get('cacert', None)
             _kwargs['cert_file'] = kwargs.get('cert_file', None)
             _kwargs['key_file'] = kwargs.get('key_file', None)
             _kwargs['insecure'] = kwargs.get('insecure', False)
@@ -100,7 +100,7 @@ class HTTPClient(object):
         conn_params_fmt = [
             ('key_file', '--key %s'),
             ('cert_file', '--cert %s'),
-            ('ca_file', '--cacert %s'),
+            ('cacert', '--cacert %s'),
         ]
         for (key, fmt) in conn_params_fmt:
             value = self.connection_kwargs.get(key)
@@ -247,7 +247,7 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection):
           with native Python 3.3 code.
     """
     def __init__(self, host, port, key_file=None, cert_file=None,
-                 ca_file=None, timeout=None, insecure=False,
+                 cacert=None, timeout=None, insecure=False,
                  ssl_compression=True):
         httplib.HTTPSConnection.__init__(self, host, port, key_file=key_file,
@@ -257,7 +257,7 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection):
         self.timeout = timeout
         self.insecure = insecure
         self.ssl_compression = ssl_compression
-        self.ca_file = ca_file
+        self.cacert = cacert
         self.setcontext()
 
     @staticmethod
@@ -341,11 +341,11 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection):
                 msg = 'Unable to load key from "%s" %s' % (self.key_file, e)
                 raise exc.SSLConfigurationError(msg)
 
-        if self.ca_file:
+        if self.cacert:
             try:
-                self.context.load_verify_locations(self.ca_file)
+                self.context.load_verify_locations(self.cacert)
             except Exception, e:
-                msg = 'Unable to load CA from "%s"' % (self.ca_file, e)
+                msg = 'Unable to load CA from "%s"' % (self.cacert, e)
                 raise exc.SSLConfigurationError(msg)
         else:
             self.context.set_default_verify_paths()
diff --git a/glanceclient/shell.py b/glanceclient/shell.py
index 48112110..142c03aa 100644
--- a/glanceclient/shell.py
+++ b/glanceclient/shell.py
@@ -79,11 +79,17 @@ class OpenStackImagesShell(object):
                                  'connection. This option is not necessary '
                                  'if your key is prepended to your cert file.')
 
-        parser.add_argument('--ca-file',
-                            help='Path of CA SSL certificate(s) used to verify'
+        parser.add_argument('--os-cacert',
+                            metavar='',
+                            dest='os_cacert',
+                            default=utils.env('OS_CACERT'),
+                            help='Path of CA TLS certificate(s) used to verify'
                             'the remote server\'s certificate. Without this '
                             'option glance looks for the default system '
                             'CA certificates.')
+        parser.add_argument('--ca-file',
+                            dest='os_cacert',
+                            help='DEPRECATED! Use --os-cacert.')
 
         parser.add_argument('--timeout',
                             default=600,
@@ -314,6 +320,7 @@ class OpenStackImagesShell(object):
                                tenant_id=kwargs.get('tenant_id'),
                                tenant_name=kwargs.get('tenant_name'),
                                auth_url=kwargs.get('auth_url'),
+                               cacert=kwargs.get('cacert'),
                                insecure=kwargs.get('insecure'))
 
     def _get_endpoint(self, client, **kwargs):
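Review bot: The bad-CA error path on the new line `msg = 'Unable to load CA from "%s"' % (self.cacert, e)` still has a single `%s` for a two-element tuple, so when `load_verify_locations` fails the handler itself raises `TypeError: not all arguments converted during string formatting` instead of the intended `SSLConfigurationError`; callers that catch `SSLConfigurationError` (and the bad-CA case at the end of tests/test_ssl.py, if OpenSSL does reject that file) see the wrong exception and lose the path and reason for the TLS misconfiguration. The key-file message two lines above has the right shape; mirror it: `msg = 'Unable to load CA from "%s" %s' % (self.cacert, e)`. The defect predates this commit, which only renames the attribute, but it is cheap to fix on a line that is already being rewritten. The enclosing method starts before this hunk.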
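Review bot: The deprecated `--ca-file` alias added at the end of the shell.py argument hunk is accepted silently, so scripts that still pass `--ca-file` get no signal that it will be removed, and because both options write to `dest='os_cacert'` the last one given on the command line wins without any notice. Consider emitting a one-line deprecation warning on stderr when `--ca-file` is used (a small `argparse.Action` subclass that warns and then stores, or a post-parse check against `argparse.SUPPRESS`), and say in the `--os-cacert` help that it takes precedence. Separately, the new `help='Path of CA TLS certificate(s) used to verify'` is concatenated with `'the remote server\'s certificate. ...'` with no separating space, so `--help` prints `verifythe`; add a trailing space to the first fragment. `metavar=''` reads as empty here; that may be an extraction artifact, but an empty metavar would leave the usage line with no placeholder for the path, so it is worth checking in the real file.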
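Review bot: The keystoneclient call in the last hunk now receives `cacert=kwargs.get('cacert')`, but `insecure=kwargs.get('insecure')` is passed alongside it, and presumably an `--insecure` run disables verification regardless of the CA file; a comment such as `# cacert is only honoured when insecure is false` would stop readers from assuming the keystone server is verified whenever OS_CACERT is set. Note also that `cert_file`/`key_file`, which the glance HTTP client does receive in the later shell.py hunk, are not forwarded here, so a keystone endpoint that requires a client certificate would still fail authentication; if that asymmetry is intended it should be stated in the commit message or a docstring. The enclosing method starts before this hunk.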
@@ -407,6 +414,7 @@ class OpenStackImagesShell(object):
             'auth_url': args.os_auth_url,
             'service_type': args.os_service_type,
             'endpoint_type': args.os_endpoint_type,
+            'cacert': args.os_cacert,
             'insecure': args.insecure,
             'region_name': args.os_region_name,
         }
@@ -420,7 +428,7 @@ class OpenStackImagesShell(object):
             'token': token,
             'insecure': args.insecure,
             'timeout': args.timeout,
-            'ca_file': args.ca_file,
+            'cacert': args.os_cacert,
             'cert_file': args.cert_file,
             'key_file': args.key_file,
             'ssl_compression': args.ssl_compression
diff --git a/tests/test_ssl.py b/tests/test_ssl.py
index efe8851c..14afcc61 100644
--- a/tests/test_ssl.py
+++ b/tests/test_ssl.py
@@ -33,12 +33,12 @@ class TestVerifiedHTTPSConnection(unittest.TestCase):
         """
         key_file = os.path.join(TEST_VAR_DIR, 'privatekey.key')
         cert_file = os.path.join(TEST_VAR_DIR, 'certificate.crt')
-        ca_file = os.path.join(TEST_VAR_DIR, 'ca.crt')
+        cacert = os.path.join(TEST_VAR_DIR, 'ca.crt')
         try:
             conn = http.VerifiedHTTPSConnection('127.0.0.1', 0,
                                                key_file=key_file,
                                                cert_file=cert_file,
-                                               ca_file=ca_file)
+                                               cacert=cacert)
         except exc.SSLConfigurationError:
             self.fail('Failed to init VerifiedHTTPSConnection.')
 
@@ -47,11 +47,11 @@ class TestVerifiedHTTPSConnection(unittest.TestCase):
         Test VerifiedHTTPSConnection: absense of SSL key file.
         """
         cert_file = os.path.join(TEST_VAR_DIR, 'certificate.crt')
-        ca_file = os.path.join(TEST_VAR_DIR, 'ca.crt')
+        cacert = os.path.join(TEST_VAR_DIR, 'ca.crt')
         try:
             conn = http.VerifiedHTTPSConnection('127.0.0.1', 0,
                                                cert_file=cert_file,
-                                               ca_file=ca_file)
+                                               cacert=cacert)
             self.fail('Failed to raise assertion.')
         except exc.SSLConfigurationError:
             pass
@@ -61,11 +61,11 @@ class TestVerifiedHTTPSConnection(unittest.TestCase):
         Test VerifiedHTTPSConnection: absense of SSL cert file.
         """
         key_file = os.path.join(TEST_VAR_DIR, 'privatekey.key')
-        ca_file = os.path.join(TEST_VAR_DIR, 'ca.crt')
+        cacert = os.path.join(TEST_VAR_DIR, 'ca.crt')
         try:
             conn = http.VerifiedHTTPSConnection('127.0.0.1', 0,
                                                key_file=key_file,
-                                               ca_file=ca_file)
+                                               cacert=cacert)
         except:
             self.fail('Failed to init VerifiedHTTPSConnection.')
 
@@ -75,11 +75,11 @@ class TestVerifiedHTTPSConnection(unittest.TestCase):
         """
         key_file = os.path.join(TEST_VAR_DIR, 'badkey.key')
         cert_file = os.path.join(TEST_VAR_DIR, 'certificate.crt')
-        ca_file = os.path.join(TEST_VAR_DIR, 'ca.crt')
+        cacert = os.path.join(TEST_VAR_DIR, 'ca.crt')
         try:
             conn = http.VerifiedHTTPSConnection('127.0.0.1', 0,
                                                cert_file=cert_file,
-                                               ca_file=ca_file)
+                                               cacert=cacert)
             self.fail('Failed to raise assertion.')
         except exc.SSLConfigurationError:
             pass
@@ -90,11 +90,11 @@ class TestVerifiedHTTPSConnection(unittest.TestCase):
         """
         key_file = os.path.join(TEST_VAR_DIR, 'privatekey.key')
         cert_file = os.path.join(TEST_VAR_DIR, 'badcert.crt')
-        ca_file = os.path.join(TEST_VAR_DIR, 'ca.crt')
+        cacert = os.path.join(TEST_VAR_DIR, 'ca.crt')
         try:
             conn = http.VerifiedHTTPSConnection('127.0.0.1', 0,
                                                cert_file=cert_file,
-                                               ca_file=ca_file)
+                                               cacert=cacert)
             self.fail('Failed to raise assertion.')
         except exc.SSLConfigurationError:
             pass
@@ -105,11 +105,11 @@ class TestVerifiedHTTPSConnection(unittest.TestCase):
         """
         key_file = os.path.join(TEST_VAR_DIR, 'privatekey.key')
         cert_file = os.path.join(TEST_VAR_DIR, 'certificate.crt')
-        ca_file = os.path.join(TEST_VAR_DIR, 'badca.crt')
+        cacert = os.path.join(TEST_VAR_DIR, 'badca.crt')
         try:
             conn = http.VerifiedHTTPSConnection('127.0.0.1', 0,
                                                cert_file=cert_file,
-                                               ca_file=ca_file)
+                                               cacert=cacert)
             self.fail('Failed to raise assertion.')
         except exc.SSLConfigurationError:
             pass