Support cert and key file of mutual authentication for client

HTTPS mutual authentication needs cacert, cert and key file. Now, zunclient just support cacert file. This patch supports another two file . Change-Id: I28e43f899a6f80ff72fbb9666b0516eb81907689
2018-12-05 10:05:55 +08:00
parent e5505bb0db
commit fbdc86f0b0
4 changed files with 26 additions and 6 deletions
--- a/zunclient/shell.py
+++ b/zunclient/shell.py
@@ -346,6 +346,18 @@ class OpenStackZunShell(object):
                            help='Specify a CA bundle file to use in '
                            'verifying a TLS (https) server certificate. '
                            'Defaults to env[OS_CACERT].')
+        parser.add_argument('--os-cert',
+                            metavar='<ca-certificate>',
+                            default=cliutils.env('OS_CERT', default=None),
+                            help='Specify a client certificate file (for '
+                                 'client auth). '
+                                 'Defaults to env[OS_CERT].')
+        parser.add_argument('--os-key',
+                            metavar='<ca-certificate>',
+                            default=cliutils.env('OS_KEY', default=None),
+                            help='Specify a client certificate key file (for '
+                                 'client auth). '
+                                 'Defaults to env[OS_KEY].')

        parser.add_argument('--bypass-url',
                            metavar='<bypass-url>',
@@ -543,13 +555,13 @@ class OpenStackZunShell(object):
         os_user_domain_id, os_user_domain_name,
         os_project_domain_id, os_project_domain_name,
         os_auth_url, os_auth_system, endpoint_type,
-         service_type, bypass_url, insecure, os_cacert) = (
+         service_type, bypass_url, insecure, os_cacert, os_cert, os_key) = (
            (args.os_username, args.os_project_name, args.os_project_id,
             args.os_user_domain_id, args.os_user_domain_name,
             args.os_project_domain_id, args.os_project_domain_name,
             args.os_auth_url, args.os_auth_system, args.endpoint_type,
             args.service_type, args.bypass_url, args.insecure,
-             args.os_cacert)
+             args.os_cacert, args.os_cert, args.os_key)
        )

        if os_auth_system and os_auth_system != "keystone":
@@ -683,6 +695,8 @@ class OpenStackZunShell(object):
                                interface=endpoint_type,
                                insecure=insecure,
                                cacert=os_cacert,
+                                cert=os_cert,
+                                key=os_key,
                                **kwargs)

        args.func(self.cs, args)
--- a/zunclient/tests/unit/test_shell.py
+++ b/zunclient/tests/unit/test_shell.py
@@ -249,6 +249,7 @@ class ShellTest(utils.TestCase):
            project_domain_id='', project_domain_name='',
            user_domain_id='', user_domain_name='', profile=None,
            endpoint_override=None, insecure=False, cacert=None,
+            cert=None, key=None,
            version=api_versions.APIVersion('1.26'))

    def test_main_option_region(self):
@@ -284,6 +285,7 @@ class ShellTest(utils.TestCase):
            project_domain_id='', project_domain_name='',
            user_domain_id='', user_domain_name='', profile=None,
            endpoint_override=None, insecure=False, cacert=None,
+            cert=None, key=None,
            version=api_versions.APIVersion('1.26'))

    @mock.patch('zunclient.client.Client')
@@ -300,6 +302,7 @@ class ShellTest(utils.TestCase):
            project_domain_id='', project_domain_name='',
            user_domain_id='', user_domain_name='', profile=None,
            endpoint_override=None, insecure=False, cacert=None,
+            cert=None, key=None,
            version=api_versions.APIVersion('1.26'))


@@ -333,5 +336,5 @@ class ShellTestKeystoneV3(ShellTest):
            project_domain_id='', project_domain_name='Default',
            user_domain_id='', user_domain_name='Default',
            endpoint_override=None, insecure=False, profile=None,
-            cacert=None,
+            cacert=None, cert=None, key=None,
            version=api_versions.APIVersion('1.26'))
--- a/zunclient/tests/unit/v1/test_client.py
+++ b/zunclient/tests/unit/v1/test_client.py
@@ -46,7 +46,7 @@ class ClientTest(testtools.TestCase):
        client.Client(auth_token='mytoken',
                      endpoint_override='http://myurl/')
        mock_session.assert_called_once_with(
-            auth=mock_auth_plugin, verify=True)
+            auth=mock_auth_plugin, cert=None, verify=True)
        http_client.assert_called_once_with(
            endpoint_override='http://myurl/',
            interface='public',
--- a/zunclient/v1/client.py
+++ b/zunclient/v1/client.py
@@ -39,7 +39,7 @@ class Client(object):
                 project_id=None, project_name=None, region_name=None,
                 service_name=None, service_type='container', session=None,
                 user_domain_id=None, user_domain_name=None,
-                 username=None, cacert=None, **kwargs):
+                 username=None, cacert=None, cert=None, key=None, **kwargs):
        """Initialization of Client object.

        :param api_version: Container API version
@@ -101,8 +101,11 @@ class Client(object):
            loader = loading.get_plugin_loader(auth_type)
            # This should be able to handle v2 and v3 Keystone Auth
            auth_plugin = loader.load_from_options(**loader_kwargs)
+            if cert and key:
+                cert = cert, key
            session = ksa_session.Session(auth=auth_plugin,
-                                          verify=(cacert or not insecure))
+                                          verify=(cacert or not insecure),
+                                          cert=cert)
        client_kwargs = {}
        if not endpoint_override:
            try: