openstack/python-swiftclient
Code Issues Proposed changes

Merge "Support client certificate/key"

Browse Source
This commit is contained in:
Jenkins 2016-05-19 22:20:17 +00:00 committed by Gerrit Code Review
commit f9d0657e70
6 changed files with 98 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
swiftclient/client.py
View File

@ -339,7 +339,8 @@ class _RetryBody(_ObjectBody):
class HTTPConnection(object):
def __init__(self, url, proxy=None, cacert=None, insecure=False,
ssl_compression=False, default_user_agent=None, timeout=None):
cert=None, cert_key=None, ssl_compression=False,
default_user_agent=None, timeout=None):
"""
Make an HTTPConnection or HTTPSConnection
@ -350,6 +351,9 @@ class HTTPConnection(object):
certificate.
:param insecure: Allow to access servers without checking SSL certs.
The server's certificate will not be verified.
:param cert: Client certificate file to connect on SSL server
requiring SSL client certificate.
:param cert_key: Client certificate private key file.
:param ssl_compression: SSL compression should be disabled by default
and this setting is not usable as of now. The
parameter is kept for backward compatibility.
@ -379,6 +383,14 @@ class HTTPConnection(object):
# verify requests parameter is used to pass the CA_BUNDLE file
# see: http://docs.python-requests.org/en/latest/user/advanced/
self.requests_args['verify'] = cacert
if cert:
# NOTE(cbrandily): cert requests parameter is used to pass client
# cert path or a tuple with client certificate/key paths.
if cert_key:
self.requests_args['cert'] = cert, cert_key
else:
self.requests_args['cert'] = cert
if proxy:
proxy_parsed = urlparse(proxy)
if not proxy_parsed.scheme:
@ -465,8 +477,11 @@ def http_connection(*arg, **kwarg):
def get_auth_1_0(url, user, key, snet, **kwargs):
cacert = kwargs.get('cacert', None)
insecure = kwargs.get('insecure', False)
cert = kwargs.get('cert')
cert_key = kwargs.get('cert_key')
timeout = kwargs.get('timeout', None)
parsed, conn = http_connection(url, cacert=cacert, insecure=insecure,
cert=cert, cert_key=cert_key,
timeout=timeout)
method = 'GET'
headers = {'X-Auth-User': user, 'X-Auth-Key': key}
@ -547,6 +562,8 @@ def get_auth_keystone(auth_url, user, key, os_options, **kwargs):
project_domain_id=os_options.get('project_domain_id'),
debug=debug,
cacert=kwargs.get('cacert'),
cert=kwargs.get('cert'),
key=kwargs.get('cert_key'),
auth_url=auth_url, insecure=insecure, timeout=timeout)
except exceptions.Unauthorized:
msg = 'Unauthorized. Check username, password and tenant name/id.'
@ -597,6 +614,8 @@ def get_auth(auth_url, user, key, **kwargs):
cacert = kwargs.get('cacert', None)
insecure = kwargs.get('insecure', False)
cert = kwargs.get('cert')
cert_key = kwargs.get('cert_key')
timeout = kwargs.get('timeout', None)
if auth_version in AUTH_VERSIONS_V1:
storage_url, token = get_auth_1_0(auth_url,
@ -605,6 +624,8 @@ def get_auth(auth_url, user, key, **kwargs):
kwargs.get('snet'),
cacert=cacert,
insecure=insecure,
cert=cert,
cert_key=cert_key,
timeout=timeout)
elif auth_version in AUTH_VERSIONS_V2 + AUTH_VERSIONS_V3:
# We are handling a special use case here where the user argument
@ -628,6 +649,8 @@ def get_auth(auth_url, user, key, **kwargs):
key, os_options,
cacert=cacert,
insecure=insecure,
cert=cert,
cert_key=cert_key,
timeout=timeout,
auth_version=auth_version)
else:
@ -1389,8 +1412,9 @@ class Connection(object):
preauthurl=None, preauthtoken=None, snet=False,
starting_backoff=1, max_backoff=64, tenant_name=None,
os_options=None, auth_version="1", cacert=None,
insecure=False, ssl_compression=True,
retry_on_ratelimit=False, timeout=None):
insecure=False, cert=None, cert_key=None,
ssl_compression=True, retry_on_ratelimit=False,
timeout=None):
"""
:param authurl: authentication URL
:param user: user name to authenticate as
@ -1412,6 +1436,9 @@ class Connection(object):
service_username, service_project_name, service_key
:param insecure: Allow to access servers without checking SSL certs.
The server's certificate will not be verified.
:param cert: Client certificate file to connect on SSL server
requiring SSL client certificate.
:param cert_key: Client certificate private key file.
:param ssl_compression: Whether to enable compression at the SSL layer.
If set to 'False' and the pyOpenSSL library is
present an attempt to disable SSL compression
@ -1447,6 +1474,8 @@ class Connection(object):
self.service_token = None
self.cacert = cacert
self.insecure = insecure
self.cert = cert
self.cert_key = cert_key
self.ssl_compression = ssl_compression
self.auth_end_time = 0
self.retry_on_ratelimit = retry_on_ratelimit
@ -1469,6 +1498,8 @@ class Connection(object):
os_options=self.os_options,
cacert=self.cacert,
insecure=self.insecure,
cert=self.cert,
cert_key=self.cert_key,
timeout=self.timeout)
return self.url, self.token
@ -1494,6 +1525,8 @@ class Connection(object):
return http_connection(url if url else self.url,
cacert=self.cacert,
insecure=self.insecure,
cert=self.cert,
cert_key=self.cert_key,
ssl_compression=self.ssl_compression,
timeout=self.timeout)

4
swiftclient/service.py
View File

@ -161,6 +161,8 @@ def _build_default_global_options():
"os_service_type": environ.get('OS_SERVICE_TYPE'),
"os_endpoint_type": environ.get('OS_ENDPOINT_TYPE'),
"os_cacert": environ.get('OS_CACERT'),
"os_cert": environ.get('OS_CERT'),
"os_key": environ.get('OS_KEY'),
"insecure": config_true_value(environ.get('SWIFTCLIENT_INSECURE')),
"ssl_compression": False,
'segment_threads': 10,
@ -253,6 +255,8 @@ def get_conn(options):
snet=options['snet'],
cacert=options['os_cacert'],
insecure=options['insecure'],
cert=options['os_cert'],
cert_key=options['os_key'],
ssl_compression=options['ssl_compression'])

12
swiftclient/shell.py
View File

@ -1253,6 +1253,8 @@ def main(arguments=None):
[--os-service-type <service-type>]
[--os-endpoint-type <endpoint-type>]
[--os-cacert <ca-certificate>] [--insecure]
[--os-cert <client-certificate-file>]
[--os-key <client-certificate-key-file>]
[--no-ssl-compression]
<subcommand> [--help] [<subcommand options>]
@ -1494,6 +1496,16 @@ Examples:
help='Specify a CA bundle file to use in verifying a '
'TLS (https) server certificate. '
'Defaults to env[OS_CACERT].')
os_grp.add_argument('--os-cert',
metavar='<client-certificate-file>',
default=environ.get('OS_CERT'),
help='Specify a client certificate file (for client '
'auth). Defaults to env[OS_CERT].')
os_grp.add_argument('--os-key',
metavar='<client-certificate-key-file>',
default=environ.get('OS_KEY'),
help='Specify a client certificate key file (for '
'client auth). Defaults to env[OS_KEY].')
options, args = parse_args(parser, argv[1:], enforce_requires=False)
if options['help'] or options['os_help']:

4
tests/unit/test_shell.py
View File

@ -1855,7 +1855,9 @@ class TestKeystoneOptions(MockHttpTest):
'project-id': 'projectid',
'project-domain-id': 'projectdomainid',
'project-domain-name': 'projectdomain',
'cacert': 'foo'}
'cacert': 'foo',
'cert': 'minnie',
'key': 'mickey'}
catalog_opts = {'service-type': 'my-object-store',
'endpoint-type': 'public',
'region-name': 'my-region'}

39
tests/unit/test_swiftclient.py
View File

@ -512,6 +512,32 @@ class TestGetAuth(MockHttpTest):
os_options=os_options, auth_version='2.0',
insecure=False)
def test_auth_v2_cert(self):
os_options = {'tenant_name': 'foo'}
c.get_auth_keystone = fake_get_auth_keystone(os_options, None)
auth_url_no_sslauth = 'https://www.tests.com'
auth_url_sslauth = 'https://www.tests.com/client-certificate'
url, token = c.get_auth(auth_url_no_sslauth, 'asdf', 'asdf',
os_options=os_options, auth_version='2.0')
self.assertTrue(url.startswith("http"))
self.assertTrue(token)
url, token = c.get_auth(auth_url_sslauth, 'asdf', 'asdf',
os_options=os_options, auth_version='2.0',
cert='minnie', cert_key='mickey')
self.assertTrue(url.startswith("http"))
self.assertTrue(token)
self.assertRaises(c.ClientException, c.get_auth,
auth_url_sslauth, 'asdf', 'asdf',
os_options=os_options, auth_version='2.0')
self.assertRaises(c.ClientException, c.get_auth,
auth_url_sslauth, 'asdf', 'asdf',
os_options=os_options, auth_version='2.0',
cert='minnie')
def test_auth_v3_with_tenant_name(self):
# check the correct auth version is passed to get_auth_keystone
os_options = {'tenant_name': 'asdf'}
@ -1577,6 +1603,15 @@ class TestHTTPConnection(MockHttpTest):
conn = c.http_connection(u'http://www.test.com/', insecure=True)
self.assertEqual(conn[1].requests_args['verify'], False)
def test_cert(self):
conn = c.http_connection(u'http://www.test.com/', cert='minnie')
self.assertEqual(conn[1].requests_args['cert'], 'minnie')
def test_cert_key(self):
conn = c.http_connection(
u'http://www.test.com/', cert='minnie', cert_key='mickey')
self.assertEqual(conn[1].requests_args['cert'], ('minnie', 'mickey'))
def test_response_connection_released(self):
_parsed_url, conn = c.http_connection(u'http://www.test.com/')
conn.resp = MockHttpResponse()
@ -2084,8 +2119,8 @@ class TestConnection(MockHttpTest):
return ''
def local_http_connection(url, proxy=None, cacert=None,
insecure=False, ssl_compression=True,
timeout=None):
insecure=False, cert=None, cert_key=None,
ssl_compression=True, timeout=None):
parsed = urlparse(url)
return parsed, LocalConnection()

6
tests/unit/utils.py
View File

@ -57,6 +57,11 @@ def fake_get_auth_keystone(expected_os_options=None, exc=None,
actual_kwargs['cacert'] is None:
from swiftclient import client as c
raise c.ClientException("unverified-certificate")
if auth_url.startswith("https") and \
auth_url.endswith("client-certificate") and \
not (actual_kwargs['cert'] and actual_kwargs['cert_key']):
from swiftclient import client as c
raise c.ClientException("noclient-certificate")
return storage_url, token
return fake_get_auth_keystone
@ -215,6 +220,7 @@ class MockHttpTest(unittest.TestCase):
on_request = kwargs.get('on_request')
def wrapper(url, proxy=None, cacert=None, insecure=False,
cert=None, cert_key=None,
ssl_compression=True, timeout=None):
if storage_url:
self.assertEqual(storage_url, url)