Handle tls endpoint for zaqar websocket client

When creating zaqar websocket client, if the endpoint has tls enabled provide the CA to the client. Closes-Bug: 1791970 Change-Id: I09fca4ea80ae8246f136ea6998dfc7ad1c6bb4d2 (cherry picked from commit 6639b9e564)
2018-09-11 12:01:01 -06:00 · 2018-09-11 12:01:01 -06:00 · 7f8d8999d3
parent 901074e2b5
commit 7f8d8999d3
4 changed files with 39 additions and 1 deletions
--- a/tripleoclient/constants.py
+++ b/tripleoclient/constants.py
@ -61,6 +61,8 @@ ENABLE_SSH_ADMIN_TIMEOUT = 300
 ENABLE_SSH_ADMIN_STATUS_INTERVAL = 5
 ENABLE_SSH_ADMIN_SSH_PORT_TIMEOUT = 300

+# The path to the local CA certificate installed on the undercloud
+LOCAL_CACERT_PATH = '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem'
 # Key-value pair of deprecated service and its warning message
 DEPRECATED_SERVICES = {"OS::TripleO::Services::OpenDaylightApi":
                       "You are using OpenDaylight as your networking"
--- a/tripleoclient/plugin.py
+++ b/tripleoclient/plugin.py
@ -26,6 +26,8 @@ import websocket

 from tripleoclient import exceptions

+from tripleoclient import constants
+
 LOG = logging.getLogger(__name__)

 DEFAULT_TRIPLEOCLIENT_API_VERSION = '1'
@ -83,7 +85,12 @@ class WebsocketClient(object):

        LOG.debug('Instantiating messaging websocket client: %s', endpoint)
        try:
-            self._ws = websocket.create_connection(endpoint)
+            if 'wss:' in endpoint:
+                OS_CACERT = {"ca_certs": constants.LOCAL_CACERT_PATH}
+                self._ws = websocket.create_connection(endpoint,
+                                                       sslopt=OS_CACERT)
+            else:
+                self._ws = websocket.create_connection(endpoint)
        except socket.error:
            LOG.error("Could not establish a connection to the Zaqar "
                      "websocket. The command was sent but the answer "
--- a/tripleoclient/tests/fakes.py
+++ b/tripleoclient/tests/fakes.py
@ -20,6 +20,7 @@ import sys
 AUTH_TOKEN = "foobar"
 AUTH_URL = "http://0.0.0.0"
 WS_URL = "ws://0.0.0.0"
+WSS_URL = "wss://0.0.0.0"


 class FakeApp(object):
--- a/tripleoclient/tests/test_plugin.py
+++ b/tripleoclient/tests/test_plugin.py
@ -106,3 +106,31 @@ class TestPlugin(base.TestCase):
        with mock.patch('tripleoclient.plugin.LOG') as mock_log:
            self.assertRaises(socket.error, client.messaging_websocket)
            mock_log.error.assert_called_once_with(msg)
+
+    @mock.patch("websocket.create_connection")
+    def test_make_tls_client(self, ws_create_connection):
+        clientmgr = mock.MagicMock()
+        clientmgr.get_endpoint_for_service_type.return_value = fakes.WSS_URL
+
+        clientmgr.auth.get_token.return_value = "TOKEN"
+        clientmgr.auth_ref.project_id = "ID"
+        ws_create_connection.return_value.recv.return_value = json.dumps({
+            "headers": {
+                "status": 200
+            }
+        })
+        client = plugin.make_client(clientmgr)
+
+        websocket = client.messaging_websocket()
+        # The second access should not return the same client:
+        self.assertIsNot(client.messaging_websocket(), websocket)
+
+        plugin.make_client(clientmgr)
+
+        # And the functions should only be called when the client is created:
+        self.assertEqual(clientmgr.auth.get_token.call_count, 2)
+        self.assertEqual(clientmgr.get_endpoint_for_service_type.call_count, 2)
+        ws_create_connection.assert_called_with(
+            "wss://0.0.0.0",
+            sslopt={'ca_certs':
+                    '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem'})