From 6a63ec6ef647fd976f17e436108e3d10ca5be1d9 Mon Sep 17 00:00:00 2001
From: Mike Fedosin <mikhail.fedosin.ext@nokia.com>
Date: Wed, 30 Aug 2017 09:45:24 +0300
Subject: [PATCH] Enable ssl support for keycloak auth module

Currently cacert param is not used in the code and ssl
is not supported. This code fixes this and also eliminates
several related issues.

Change-Id: I30b8673bc64039897a8fea49aad65548cd52063f
Closes-bug: #1713918
---
 mistralclient/auth/keycloak.py | 45 ++++++++++++++++++++++++++++------
 1 file changed, 37 insertions(+), 8 deletions(-)

diff --git a/mistralclient/auth/keycloak.py b/mistralclient/auth/keycloak.py
index 2f5bc7df..6c00079a 100644
--- a/mistralclient/auth/keycloak.py
+++ b/mistralclient/auth/keycloak.py
@@ -13,8 +13,11 @@
 #    limitations under the License.
 
 import logging
+import os
 import pprint
+
 import requests
+from six.moves import urllib
 
 from mistralclient import auth
 
@@ -111,11 +114,13 @@ class KeycloakAuthHandler(auth.AuthHandler):
 
         return response
 
+    @staticmethod
     def _authenticate_with_token(auth_url, client_id, client_secret,
                                  auth_token, cacert=None, insecure=None):
         # TODO(rakhmerov): Implement.
         raise NotImplementedError
 
+    @staticmethod
     def _authenticate_with_password(auth_url, client_id, client_secret,
                                     realm_name, username, password,
                                     cacert=None, insecure=None):
@@ -124,6 +129,10 @@ class KeycloakAuthHandler(auth.AuthHandler):
             (auth_url, realm_name)
         )
 
+        verify = None
+        if urllib.parse.urlparse(access_token_endpoint).scheme == "https":
+            verify = False if insecure else cacert
+
         client_auth = (client_id, client_secret)
 
         body = {
@@ -137,7 +146,7 @@ class KeycloakAuthHandler(auth.AuthHandler):
             access_token_endpoint,
             auth=client_auth,
             data=body,
-            verify=not insecure
+            verify=verify
         )
 
         try:
@@ -151,6 +160,24 @@ class KeycloakAuthHandler(auth.AuthHandler):
         return resp.json()['access_token']
 
 
+def get_system_ca_file():
+    """Return path to system default CA file."""
+    # Standard CA file locations for Debian/Ubuntu, RedHat/Fedora,
+    # Suse, FreeBSD/OpenBSD, MacOSX, and the bundled ca
+    ca_path = ['/etc/ssl/certs/ca-certificates.crt',
+               '/etc/pki/tls/certs/ca-bundle.crt',
+               '/etc/ssl/ca-bundle.pem',
+               '/etc/ssl/cert.pem',
+               '/System/Library/OpenSSL/certs/cacert.pem',
+               requests.certs.where()]
+    for ca in ca_path:
+        LOG.debug("Looking for ca file %s", ca)
+        if os.path.exists(ca):
+            LOG.debug("Using ca file %s", ca)
+            return ca
+    LOG.warning("System ca file could not be found.")
+
+
 # An example of using KeyCloak OpenID authentication.
 if __name__ == '__main__':
     print("Using username/password to get access token from KeyCloak...")
@@ -158,13 +185,15 @@ if __name__ == '__main__':
     auth_handler = KeycloakAuthHandler()
 
     a_token = auth_handler.authenticate(
-        "https://my.keycloak:8443/auth",
-        client_id="mistral_client",
-        client_secret="4a080907-921b-409a-b793-c431609c3a47",
-        realm_name="mistral",
-        username="user",
-        password="secret",
-        insecure=True
+        dict(
+            "https://my.keycloak:8443/auth",
+            client_id="mistral_client",
+            client_secret="4a080907-921b-409a-b793-c431609c3a47",
+            realm_name="mistral",
+            username="user",
+            password="secret",
+            insecure=True
+        )
     )
 
     print("Access token: %s" % a_token)