Add --insecure option to fix bug #1077869
If this option is enabled, the swift CLI is allowed to access a keystone server with a self-signed certificate. Change-Id: I5e219fe875b246b68ac51a077e7ff15e95463adf
parent
4efe3bfa7e
commit
6a4dc039ff
@ -41,7 +41,8 @@ def get_conn(options):
|
||||
options.key,
|
||||
auth_version=options.auth_version,
|
||||
os_options=options.os_options,
|
||||
snet=options.snet)
|
||||
snet=options.snet,
|
||||
insecure=options.insecure)
|
||||
|
||||
|
||||
def mkdirs(path):
|
||||
@ -1146,6 +1147,11 @@ Example:
|
||||
default=environ.get('OS_ENDPOINT_TYPE'),
|
||||
help='Openstack Endpoint type. ' \
|
||||
'Defaults to env[OS_ENDPOINT_TYPE]')
|
||||
parser.add_option('--insecure',
|
||||
action="store_true", dest="insecure", default=False,
|
||||
help='Allow swiftclient to access insecure keystone '
|
||||
'server. The keystone\'s certificate will not '
|
||||
'be verified.')
|
||||
parser.disable_interspersed_args()
|
||||
(options, args) = parse_args(parser, argv[1:], enforce_requires=False)
|
||||
parser.enable_interspersed_args()
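Review bot: The help text for `--insecure` says what is skipped but not what that costs or how far the flag reaches. With verification off, the user name and key are sent to a keystone endpoint whose identity has not been checked, and judging by the other sections on this page the setting is only consulted on the 2.0 keystone path. I would put both facts in the help string, for example `help='Skip TLS certificate verification for the keystone (auth 2.0) server. Credentials are then sent to an unverified endpoint; meant for deployments with self-signed certificates.'`. A one-line warning on stderr when the flag is set would also make its use visible in job logs. The option-parsing code continues outside this hunk.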
|
||||
|
@ -232,12 +232,15 @@ def get_auth_1_0(url, user, key, snet):
|
||||
resp.getheader('x-auth-token'))
|
||||
|
||||
|
||||
def get_keystoneclient_2_0(auth_url, user, key, os_options):
|
||||
def get_keystoneclient_2_0(auth_url, user, key, os_options, **kwargs):
|
||||
"""
|
||||
Authenticate against a auth 2.0 server.
|
||||
|
||||
We are using the keystoneclient library for our 2.0 authentication.
|
||||
"""
|
||||
|
||||
insecure = kwargs.get('insecure', False)
|
||||
|
||||
from keystoneclient.v2_0 import client as ksclient
|
||||
from keystoneclient import exceptions
|
||||
try:
|
||||
@ -245,7 +248,7 @@ def get_keystoneclient_2_0(auth_url, user, key, os_options):
|
||||
password=key,
|
||||
tenant_name=os_options.get('tenant_name'),
|
||||
tenant_id=os_options.get('tenant_id'),
|
||||
auth_url=auth_url)
|
||||
auth_url=auth_url, insecure=insecure)
|
||||
except exceptions.Unauthorized:
|
||||
raise ClientException('Unauthorised. Check username, password'
|
||||
' and tenant name/id')
|
||||
@ -308,8 +311,10 @@ def get_auth(auth_url, user, key, **kwargs):
|
||||
if (not 'tenant_name' in os_options):
|
||||
raise ClientException('No tenant specified')
|
||||
|
||||
insecure = kwargs.get('insecure', False)
|
||||
(auth_url, token) = get_keystoneclient_2_0(auth_url, user,
|
||||
key, os_options)
|
||||
key, os_options,
|
||||
insecure=insecure)
|
||||
return (auth_url, token)
|
||||
|
||||
raise ClientException('Unknown auth_version %s specified.'
|
||||
@ -927,7 +932,7 @@ class Connection(object):
|
||||
def __init__(self, authurl=None, user=None, key=None, retries=5,
|
||||
preauthurl=None, preauthtoken=None, snet=False,
|
||||
starting_backoff=1, tenant_name=None, os_options=None,
|
||||
auth_version="1"):
|
||||
auth_version="1", insecure=False):
|
||||
"""
|
||||
:param authurl: authentication URL
|
||||
:param user: user name to authenticate as
|
||||
@ -944,6 +949,8 @@ class Connection(object):
|
||||
:param os_options: The OpenStack options which can have tenant_id,
|
||||
auth_token, service_type, endpoint_type,
|
||||
tenant_name, object_storage_url, region_name
|
||||
:param insecure: Allow to access insecure keystone server.
|
||||
The keystone's certificate will not be verified.
|
||||
"""
|
||||
self.authurl = authurl
|
||||
self.user = user
|
||||
@ -959,6 +966,7 @@ class Connection(object):
|
||||
self.os_options = os_options or {}
|
||||
if tenant_name:
|
||||
self.os_options['tenant_name'] = tenant_name
|
||||
self.insecure = insecure
|
||||
|
||||
def get_auth(self):
|
||||
return get_auth(self.authurl,
|
||||
@ -966,7 +974,8 @@ class Connection(object):
|
||||
self.key,
|
||||
snet=self.snet,
|
||||
auth_version=self.auth_version,
|
||||
os_options=self.os_options)
|
||||
os_options=self.os_options,
|
||||
insecure=self.insecure)
|
||||
|
||||
def http_connection(self):
|
||||
return http_connection(self.url)
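Review bot: `get_keystoneclient_2_0` receives the new setting through `**kwargs` and reads it with `kwargs.get('insecure', False)`, so a misspelled or unexpected keyword is accepted silently instead of raising `TypeError`. An explicit parameter keeps the secure default and makes the contract visible: `def get_keystoneclient_2_0(auth_url, user, key, os_options, insecure=False):`. The docstring should gain a line saying that `insecure=True` disables verification of the keystone server certificate. In the `get_auth` hunk the value appears to be read only on the 2.0 path, so `insecure=True` with another `auth_version` would have no effect, which is worth stating in the `Connection` docstring next to `:param insecure:`. Both function bodies extend beyond the visible hunks.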
|
||||
|
@ -265,6 +265,35 @@ class TestGetAuth(MockHttpTest):
|
||||
os_options={},
|
||||
auth_version='2.0')
|
||||
|
||||
def test_auth_v2_insecure(self):
|
||||
os_options = {'tenant_name': 'foo'}
|
||||
c.get_keystoneclient_2_0 = fake_get_keystoneclient_2_0(
|
||||
os_options,
|
||||
None)
|
||||
|
||||
auth_url_secure = 'https://www.tests.com'
|
||||
auth_url_insecure = 'https://www.tests.com/invalid-certificate'
|
||||
|
||||
url, token = c.get_auth(auth_url_secure, 'asdf', 'asdf',
|
||||
os_options=os_options, auth_version='2.0')
|
||||
self.assertTrue(url.startswith("http"))
|
||||
self.assertTrue(token)
|
||||
|
||||
url, token = c.get_auth(auth_url_insecure, 'asdf', 'asdf',
|
||||
os_options=os_options, auth_version='2.0',
|
||||
insecure=True)
|
||||
self.assertTrue(url.startswith("http"))
|
||||
self.assertTrue(token)
|
||||
|
||||
self.assertRaises(c.ClientException, c.get_auth,
|
||||
auth_url_insecure, 'asdf', 'asdf',
|
||||
os_options=os_options, auth_version='2.0')
|
||||
self.assertRaises(c.ClientException, c.get_auth,
|
||||
auth_url_insecure, 'asdf', 'asdf',
|
||||
os_options=os_options, auth_version='2.0',
|
||||
insecure=False)
|
||||
|
||||
|
||||
class TestGetAccount(MockHttpTest):
|
||||
|
||||
def test_no_content(self):
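Review bot: `test_auth_v2_insecure` replaces `c.get_keystoneclient_2_0` with the fake, so it only proves that `get_auth` forwards the `insecure` keyword. The line that actually changes TLS behaviour, the `insecure=insecure` argument passed to the keystone client constructor, is never exercised. A second test that stubs the keystoneclient `Client` and asserts it was called with `insecure=False` by default and `insecure=True` only on request would pin the security-relevant default. The assignment to `c.get_keystoneclient_2_0` is also not restored in the visible lines, so the fake may leak into later tests unless the base class resets it.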
|
||||
|
@ -16,15 +16,22 @@ from httplib import HTTPException
|
||||
|
||||
from eventlet import Timeout, sleep
|
||||
|
||||
def fake_get_keystoneclient_2_0(os_options, exc=None):
|
||||
def fake_get_keystoneclient_2_0(os_options, exc=None, **kwargs):
|
||||
def fake_get_keystoneclient_2_0(auth_url,
|
||||
user,
|
||||
key,
|
||||
actual_os_options):
|
||||
actual_os_options, **actual_kwargs):
|
||||
if exc:
|
||||
raise exc('test')
|
||||
if actual_os_options != os_options:
|
||||
return "", None
|
||||
|
||||
if auth_url.startswith("https") and \
|
||||
auth_url.endswith("invalid-certificate") and \
|
||||
not actual_kwargs['insecure']:
|
||||
from swiftclient import client as c
|
||||
raise c.ClientException("invalid-certificate")
|
||||
|
||||
return ("http://url/", "token")
|
||||
return fake_get_keystoneclient_2_0
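Review bot: The inner fake indexes `actual_kwargs['insecure']` directly, so a caller that omits the keyword gets a `KeyError` rather than the verified-by-default behaviour of the real function, which uses `kwargs.get('insecure', False)`. Matching the real default keeps the fake honest: `not actual_kwargs.get('insecure', False):`. The new `**kwargs` on the outer `fake_get_keystoneclient_2_0(os_options, exc=None, **kwargs)` is not used in the visible lines and could be dropped.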
|
||||
|
||||
|