Support --os-cacert

* Rename --ca-file to --os-cacert (--ca-file deprecated for
  backward compatibility)
* Add cacert to keystoneclient initialization to verify the
  keystone server certificate

This aligns glanceclient with keystoneclient for option naming
and the use of TLS for the keystone auth connection.  It does not
change the use of TLS/SSL for the glance connection.

Change-Id: If8b05655aea5f3c62612d77bf947dd790f77eddf
Dean Troyer
2012-12-07 11:21:11 -06:00
committed by Brian Waldon
parent 2500e69b22
commit 4781da7007
3 changed files with 30 additions and 22 deletions


@@ -74,7 +74,7 @@ class HTTPClient(object):
_kwargs = {'timeout': float(kwargs.get('timeout', 600))} _kwargs = {'timeout': float(kwargs.get('timeout', 600))}
if scheme == 'https': if scheme == 'https':
_kwargs['ca_file'] = kwargs.get('ca_file', None) _kwargs['cacert'] = kwargs.get('cacert', None)
_kwargs['cert_file'] = kwargs.get('cert_file', None) _kwargs['cert_file'] = kwargs.get('cert_file', None)
_kwargs['key_file'] = kwargs.get('key_file', None) _kwargs['key_file'] = kwargs.get('key_file', None)
_kwargs['insecure'] = kwargs.get('insecure', False) _kwargs['insecure'] = kwargs.get('insecure', False)
@@ -100,7 +100,7 @@ class HTTPClient(object):
conn_params_fmt = [ conn_params_fmt = [
('key_file', '--key %s'), ('key_file', '--key %s'),
('cert_file', '--cert %s'), ('cert_file', '--cert %s'),
('ca_file', '--cacert %s'), ('cacert', '--cacert %s'),
] ]
for (key, fmt) in conn_params_fmt: for (key, fmt) in conn_params_fmt:
value = self.connection_kwargs.get(key) value = self.connection_kwargs.get(key)
@@ -247,7 +247,7 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection):
with native Python 3.3 code. with native Python 3.3 code.
""" """
def __init__(self, host, port, key_file=None, cert_file=None, def __init__(self, host, port, key_file=None, cert_file=None,
ca_file=None, timeout=None, insecure=False, cacert=None, timeout=None, insecure=False,
ssl_compression=True): ssl_compression=True):
httplib.HTTPSConnection.__init__(self, host, port, httplib.HTTPSConnection.__init__(self, host, port,
key_file=key_file, key_file=key_file,
@@ -257,7 +257,7 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection):
self.timeout = timeout self.timeout = timeout
self.insecure = insecure self.insecure = insecure
self.ssl_compression = ssl_compression self.ssl_compression = ssl_compression
self.ca_file = ca_file self.cacert = cacert
self.setcontext() self.setcontext()
@staticmethod @staticmethod
@@ -341,11 +341,11 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection):
msg = 'Unable to load key from "%s" %s' % (self.key_file, e) msg = 'Unable to load key from "%s" %s' % (self.key_file, e)
raise exc.SSLConfigurationError(msg) raise exc.SSLConfigurationError(msg)
if self.ca_file: if self.cacert:
try: try:
self.context.load_verify_locations(self.ca_file) self.context.load_verify_locations(self.cacert)
except Exception, e: except Exception, e:
msg = 'Unable to load CA from "%s"' % (self.ca_file, e) msg = 'Unable to load CA from "%s"' % (self.cacert, e)
raise exc.SSLConfigurationError(msg) raise exc.SSLConfigurationError(msg)
else: else:
self.context.set_default_verify_paths() self.context.set_default_verify_paths()
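Review bot: The CA error path in the last hunk, `msg = 'Unable to load CA from "%s"' % (self.cacert, e)`, feeds a two-element tuple to a single `%s`, so when `load_verify_locations` fails the formatting itself raises TypeError and the intended `SSLConfigurationError` is never reached; it should read `msg = 'Unable to load CA from "%s" %s' % (self.cacert, e)`, matching the key-file message two lines above. This was already wrong before the rename, but the commit rewrites the line, and the bad-CA test in this commit only catches `SSLConfigurationError`, so it presumably passes only if that branch is not actually taken. Separately, `HTTPClient` now reads `kwargs.get('cacert')` alone, so a library caller still passing `ca_file=` has its CA file silently ignored and falls through to `set_default_verify_paths()`; a one-line fallback, `_kwargs['cacert'] = kwargs.get('cacert', kwargs.get('ca_file'))`, would give the API the same deprecation grace the CLI gets. The enclosing method (presumably `setcontext`, called at the end of the previous hunk) starts outside the hunk.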


@@ -79,11 +79,17 @@ class OpenStackImagesShell(object):
'connection. This option is not necessary ' 'connection. This option is not necessary '
'if your key is prepended to your cert file.') 'if your key is prepended to your cert file.')
parser.add_argument('--ca-file', parser.add_argument('--os-cacert',
help='Path of CA SSL certificate(s) used to verify' metavar='<ca-certificate-file>',
dest='os_cacert',
default=utils.env('OS_CACERT'),
help='Path of CA TLS certificate(s) used to verify'
'the remote server\'s certificate. Without this ' 'the remote server\'s certificate. Without this '
'option glance looks for the default system ' 'option glance looks for the default system '
'CA certificates.') 'CA certificates.')
parser.add_argument('--ca-file',
dest='os_cacert',
help='DEPRECATED! Use --os-cacert.')
parser.add_argument('--timeout', parser.add_argument('--timeout',
default=600, default=600,
@@ -314,6 +320,7 @@ class OpenStackImagesShell(object):
tenant_id=kwargs.get('tenant_id'), tenant_id=kwargs.get('tenant_id'),
tenant_name=kwargs.get('tenant_name'), tenant_name=kwargs.get('tenant_name'),
auth_url=kwargs.get('auth_url'), auth_url=kwargs.get('auth_url'),
cacert=kwargs.get('cacert'),
insecure=kwargs.get('insecure')) insecure=kwargs.get('insecure'))
def _get_endpoint(self, client, **kwargs): def _get_endpoint(self, client, **kwargs):
@@ -407,6 +414,7 @@ class OpenStackImagesShell(object):
'auth_url': args.os_auth_url, 'auth_url': args.os_auth_url,
'service_type': args.os_service_type, 'service_type': args.os_service_type,
'endpoint_type': args.os_endpoint_type, 'endpoint_type': args.os_endpoint_type,
'cacert': args.os_cacert,
'insecure': args.insecure, 'insecure': args.insecure,
'region_name': args.os_region_name, 'region_name': args.os_region_name,
} }
@@ -420,7 +428,7 @@ class OpenStackImagesShell(object):
'token': token, 'token': token,
'insecure': args.insecure, 'insecure': args.insecure,
'timeout': args.timeout, 'timeout': args.timeout,
'ca_file': args.ca_file, 'cacert': args.os_cacert,
'cert_file': args.cert_file, 'cert_file': args.cert_file,
'key_file': args.key_file, 'key_file': args.key_file,
'ssl_compression': args.ssl_compression 'ssl_compression': args.ssl_compression
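Review bot: The deprecated `--ca-file` alias at the end of the first hunk shares `dest='os_cacert'` with `--os-cacert` but has no `metavar` and emits no deprecation warning, so `--help` will render it as `--ca-file OS_CACERT` and a script still using it gets no signal to migrate before the alias is removed. Adding `metavar='<ca-certificate-file>'` to the alias fixes the help text; a post-parse warning is not possible with a shared dest, so if one is wanted it needs a small custom argparse action. Because both flags store to the same attribute, the last one given on the command line silently wins, which is worth stating in the alias help, e.g. `help='DEPRECATED! Use --os-cacert (the later of the two flags wins).'`. The keystone wiring in the later hunks (`cacert=` at the keystoneclient call and `'cacert': args.os_cacert` in the kwargs dict) is consistent with the new argument.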


@@ -33,12 +33,12 @@ class TestVerifiedHTTPSConnection(unittest.TestCase):
""" """
key_file = os.path.join(TEST_VAR_DIR, 'privatekey.key') key_file = os.path.join(TEST_VAR_DIR, 'privatekey.key')
cert_file = os.path.join(TEST_VAR_DIR, 'certificate.crt') cert_file = os.path.join(TEST_VAR_DIR, 'certificate.crt')
ca_file = os.path.join(TEST_VAR_DIR, 'ca.crt') cacert = os.path.join(TEST_VAR_DIR, 'ca.crt')
try: try:
conn = http.VerifiedHTTPSConnection('127.0.0.1', 0, conn = http.VerifiedHTTPSConnection('127.0.0.1', 0,
key_file=key_file, key_file=key_file,
cert_file=cert_file, cert_file=cert_file,
ca_file=ca_file) cacert=cacert)
except exc.SSLConfigurationError: except exc.SSLConfigurationError:
self.fail('Failed to init VerifiedHTTPSConnection.') self.fail('Failed to init VerifiedHTTPSConnection.')
@@ -47,11 +47,11 @@ class TestVerifiedHTTPSConnection(unittest.TestCase):
Test VerifiedHTTPSConnection: absense of SSL key file. Test VerifiedHTTPSConnection: absense of SSL key file.
""" """
cert_file = os.path.join(TEST_VAR_DIR, 'certificate.crt') cert_file = os.path.join(TEST_VAR_DIR, 'certificate.crt')
ca_file = os.path.join(TEST_VAR_DIR, 'ca.crt') cacert = os.path.join(TEST_VAR_DIR, 'ca.crt')
try: try:
conn = http.VerifiedHTTPSConnection('127.0.0.1', 0, conn = http.VerifiedHTTPSConnection('127.0.0.1', 0,
cert_file=cert_file, cert_file=cert_file,
ca_file=ca_file) cacert=cacert)
self.fail('Failed to raise assertion.') self.fail('Failed to raise assertion.')
except exc.SSLConfigurationError: except exc.SSLConfigurationError:
pass pass
@@ -61,11 +61,11 @@ class TestVerifiedHTTPSConnection(unittest.TestCase):
Test VerifiedHTTPSConnection: absense of SSL cert file. Test VerifiedHTTPSConnection: absense of SSL cert file.
""" """
key_file = os.path.join(TEST_VAR_DIR, 'privatekey.key') key_file = os.path.join(TEST_VAR_DIR, 'privatekey.key')
ca_file = os.path.join(TEST_VAR_DIR, 'ca.crt') cacert = os.path.join(TEST_VAR_DIR, 'ca.crt')
try: try:
conn = http.VerifiedHTTPSConnection('127.0.0.1', 0, conn = http.VerifiedHTTPSConnection('127.0.0.1', 0,
key_file=key_file, key_file=key_file,
ca_file=ca_file) cacert=cacert)
except: except:
self.fail('Failed to init VerifiedHTTPSConnection.') self.fail('Failed to init VerifiedHTTPSConnection.')
@@ -75,11 +75,11 @@ class TestVerifiedHTTPSConnection(unittest.TestCase):
""" """
key_file = os.path.join(TEST_VAR_DIR, 'badkey.key') key_file = os.path.join(TEST_VAR_DIR, 'badkey.key')
cert_file = os.path.join(TEST_VAR_DIR, 'certificate.crt') cert_file = os.path.join(TEST_VAR_DIR, 'certificate.crt')
ca_file = os.path.join(TEST_VAR_DIR, 'ca.crt') cacert = os.path.join(TEST_VAR_DIR, 'ca.crt')
try: try:
conn = http.VerifiedHTTPSConnection('127.0.0.1', 0, conn = http.VerifiedHTTPSConnection('127.0.0.1', 0,
cert_file=cert_file, cert_file=cert_file,
ca_file=ca_file) cacert=cacert)
self.fail('Failed to raise assertion.') self.fail('Failed to raise assertion.')
except exc.SSLConfigurationError: except exc.SSLConfigurationError:
pass pass
@@ -90,11 +90,11 @@ class TestVerifiedHTTPSConnection(unittest.TestCase):
""" """
key_file = os.path.join(TEST_VAR_DIR, 'privatekey.key') key_file = os.path.join(TEST_VAR_DIR, 'privatekey.key')
cert_file = os.path.join(TEST_VAR_DIR, 'badcert.crt') cert_file = os.path.join(TEST_VAR_DIR, 'badcert.crt')
ca_file = os.path.join(TEST_VAR_DIR, 'ca.crt') cacert = os.path.join(TEST_VAR_DIR, 'ca.crt')
try: try:
conn = http.VerifiedHTTPSConnection('127.0.0.1', 0, conn = http.VerifiedHTTPSConnection('127.0.0.1', 0,
cert_file=cert_file, cert_file=cert_file,
ca_file=ca_file) cacert=cacert)
self.fail('Failed to raise assertion.') self.fail('Failed to raise assertion.')
except exc.SSLConfigurationError: except exc.SSLConfigurationError:
pass pass
@@ -105,11 +105,11 @@ class TestVerifiedHTTPSConnection(unittest.TestCase):
""" """
key_file = os.path.join(TEST_VAR_DIR, 'privatekey.key') key_file = os.path.join(TEST_VAR_DIR, 'privatekey.key')
cert_file = os.path.join(TEST_VAR_DIR, 'certificate.crt') cert_file = os.path.join(TEST_VAR_DIR, 'certificate.crt')
ca_file = os.path.join(TEST_VAR_DIR, 'badca.crt') cacert = os.path.join(TEST_VAR_DIR, 'badca.crt')
try: try:
conn = http.VerifiedHTTPSConnection('127.0.0.1', 0, conn = http.VerifiedHTTPSConnection('127.0.0.1', 0,
cert_file=cert_file, cert_file=cert_file,
ca_file=ca_file) cacert=cacert)
self.fail('Failed to raise assertion.') self.fail('Failed to raise assertion.')
except exc.SSLConfigurationError: except exc.SSLConfigurationError:
pass pass