Add --os-cacert

Add support to specify a ca certificate bundle to verify
keystone TLS (https) certificates.  This only verifies
certificates on the keystone connection, swift https
connections are unchanged.

Change-Id: I14351b405af4fd3d1970ba6656c1282a5d0a1082

bin/swift

@@ -42,6 +42,7 @@ def get_conn(options):
                       auth_version=options.auth_version,
                       os_options=options.os_options,
                       snet=options.snet,
+                      cacert=options.os_cacert,
                       insecure=options.insecure)
 
 
@@ -1144,6 +1145,12 @@ Example:
                       default=environ.get('OS_ENDPOINT_TYPE'),
                       help='Openstack Endpoint type. ' \
                            'Defaults to env[OS_ENDPOINT_TYPE]')
+    parser.add_option('--os-cacert',
+                      metavar='<ca-certificate>',
+                      default=environ.get('OS_CACERT'),
+                      help='Specify a CA bundle file to use in verifying a '
+                      'TLS (https) server certificate. '
+                      'Defaults to env[OS_CACERT]')
     parser.add_option('--insecure',
                       action="store_true", dest="insecure", default=False,
                       help='Allow swiftclient to access insecure keystone '

swiftclient/client.py

@@ -248,6 +248,7 @@ def get_keystoneclient_2_0(auth_url, user, key, os_options, **kwargs):
                                     password=key,
                                     tenant_name=os_options.get('tenant_name'),
                                     tenant_id=os_options.get('tenant_id'),
+                                    cacert=kwargs.get('cacert'),
                                     auth_url=auth_url, insecure=insecure)
     except exceptions.Unauthorized:
         raise ClientException('Unauthorised. Check username, password'
@@ -312,8 +313,10 @@ def get_auth(auth_url, user, key, **kwargs):
             raise ClientException('No tenant specified')
 
         insecure = kwargs.get('insecure', False)
+        cacert = kwargs.get('cacert', None)
         (auth_url, token) = get_keystoneclient_2_0(auth_url, user,
                                                    key, os_options,
+                                                   cacert=cacert,
                                                    insecure=insecure)
         return (auth_url, token)
 
@@ -932,7 +935,7 @@ class Connection(object):
     def __init__(self, authurl=None, user=None, key=None, retries=5,
                  preauthurl=None, preauthtoken=None, snet=False,
                  starting_backoff=1, tenant_name=None, os_options=None,
-                 auth_version="1", insecure=False):
+                 auth_version="1", cacert=None, insecure=False):
         """
         :param authurl: authentication URL
         :param user: user name to authenticate as
@@ -966,6 +969,7 @@ class Connection(object):
         self.os_options = os_options or {}
         if tenant_name:
             self.os_options['tenant_name'] = tenant_name
+        self.cacert = cacert
         self.insecure = insecure
 
     def get_auth(self):
@@ -975,6 +979,7 @@ class Connection(object):
                         snet=self.snet,
                         auth_version=self.auth_version,
                         os_options=self.os_options,
+                        cacert=self.cacert,
                         insecure=self.insecure)
 
     def http_connection(self):

tests/test_swiftclient.py

@@ -265,6 +265,35 @@ class TestGetAuth(MockHttpTest):
                           os_options={},
                           auth_version='2.0')
 
+    def test_auth_v2_cacert(self):
+        os_options = {'tenant_name': 'foo'}
+        c.get_keystoneclient_2_0 = fake_get_keystoneclient_2_0(
+                                       os_options,
+                                       None)
+
+        auth_url_secure   = 'https://www.tests.com'
+        auth_url_insecure = 'https://www.tests.com/self-signed-certificate'
+
+        url, token = c.get_auth(auth_url_secure, 'asdf', 'asdf',
+                                os_options=os_options, auth_version='2.0',
+                                insecure=False)
+        self.assertTrue(url.startswith("http"))
+        self.assertTrue(token)
+
+        url, token = c.get_auth(auth_url_insecure, 'asdf', 'asdf',
+                                os_options=os_options, auth_version='2.0',
+                                cacert='ca.pem', insecure=False)
+        self.assertTrue(url.startswith("http"))
+        self.assertTrue(token)
+
+        self.assertRaises(c.ClientException, c.get_auth,
+                          auth_url_insecure, 'asdf', 'asdf',
+                          os_options=os_options, auth_version='2.0')
+        self.assertRaises(c.ClientException, c.get_auth,
+                          auth_url_insecure, 'asdf', 'asdf',
+                          os_options=os_options, auth_version='2.0',
+                          insecure=False)
+
     def test_auth_v2_insecure(self):
         os_options = {'tenant_name': 'foo'}
         c.get_keystoneclient_2_0 = fake_get_keystoneclient_2_0(

tests/utils.py

@@ -31,6 +31,12 @@ def fake_get_keystoneclient_2_0(os_options, exc=None, **kwargs):
            not actual_kwargs['insecure']:
             from swiftclient import client as c
             raise c.ClientException("invalid-certificate")
+        if auth_url.startswith("https") and \
+           auth_url.endswith("self-signed-certificate") and \
+           not actual_kwargs['insecure'] and \
+           actual_kwargs['cacert'] is None:
+            from swiftclient import client as c
+            raise c.ClientException("unverified-certificate")
 
         return ("http://url/", "token")
     return fake_get_keystoneclient_2_0