From 14d0b5ba0c75ececfdb6a6c121d9cf2810571f77 Mon Sep 17 00:00:00 2001 From: Kun Huang Date: Wed, 1 Apr 2015 20:50:39 +0800 Subject: [PATCH] configure ssl in deployment config This patch enable ssl settings in deployment config and deprecate those in rally.conf. Before those are totally removed from rally.conf, rally will read those if no ssl settings in deployment config. This is for back-compatibility. Closes-Bug: #1430695 Change-Id: Idacbd99fae9de0c107d8bdaefb134663738ca497 --- rally/deploy/engines/existing.py | 14 ++++- rally/objects/endpoint.py | 7 ++- rally/osclients.py | 56 +++++++++++-------- samples/deployments/existing-keystone-v3.json | 4 +- .../existing-with-given-endpoint.json | 4 +- samples/deployments/existing.json | 4 +- tests/unit/deploy/engines/test_existing.py | 2 + tests/unit/objects/test_endpoint.py | 6 ++ tests/unit/test_api.py | 2 + tests/unit/test_osclients.py | 21 +++---- 10 files changed, 79 insertions(+), 41 deletions(-) diff --git a/rally/deploy/engines/existing.py b/rally/deploy/engines/existing.py index e240fe5c0b..0c20fba402 100644 --- a/rally/deploy/engines/existing.py +++ b/rally/deploy/engines/existing.py @@ -32,7 +32,9 @@ class ExistingCloud(engine.EngineFactory): "username": "admin", "password": "password", "tenant_name": "demo" - } + }, + "https_insecure": False, + "https_cacert": "", } Or, using keystone v3 API endpoint: @@ -48,7 +50,9 @@ class ExistingCloud(engine.EngineFactory): "user_domain_name": "admin", "project_name": "admin", "project_domain_name": "admin", - } + }, + "https_insecure": False, + "https_cacert": "", } """ @@ -91,6 +95,8 @@ class ExistingCloud(engine.EngineFactory): "enum": [consts.EndpointType.ADMIN, consts.EndpointType.INTERNAL, consts.EndpointType.PUBLIC]}, + "https_insecure": {"type": "boolean"}, + "https_cacert": {"type": "string"}, }, "anyOf": [ { 
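Review bot: In the schema hunk of rally/deploy/engines/existing.py, `"https_cacert": {"type": "string"}` accepts the empty string, and the docstring examples in the two earlier hunks of this file show exactly that (`"https_cacert": ""`). An empty string is not None, so the rally.conf fallback added in `Clients.__init__` is skipped and `""` is what reaches the client constructors; how each client treats an empty CA path is not visible here. I would add `"minLength": 1` to the schema entry and drop the key from the examples (or show a placeholder such as `"/path/to/ca.pem"`), so that "unset" is always expressed by omitting the key. The same `""` value appears in the three files under samples/deployments/.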
@@ -120,7 +126,9 @@ class ExistingCloud(engine.EngineFactory): endpoint=common.get("endpoint"), domain_name=user.get("domain_name"), user_domain_name=user.get("user_domain_name", "Default"), - project_domain_name=user.get("project_domain_name", "Default") + project_domain_name=user.get("project_domain_name", "Default"), + https_insecure=common.get("https_insecure", False), + https_cacert=common.get("https_cacert") ) def deploy(self): diff --git a/rally/objects/endpoint.py b/rally/objects/endpoint.py index 200e048239..24ac9077f7 100644 --- a/rally/objects/endpoint.py +++ b/rally/objects/endpoint.py @@ -22,7 +22,8 @@ class Endpoint(object): permission=consts.EndpointPermission.USER, region_name=None, endpoint_type=consts.EndpointType.PUBLIC, admin_port=None, domain_name=None, endpoint=None, - user_domain_name="Default", project_domain_name="Default"): + user_domain_name="Default", project_domain_name="Default", + https_insecure=None, https_cacert=None): self.auth_url = auth_url self.username = username self.password = password @@ -34,6 +35,8 @@ class Endpoint(object): self.user_domain_name = user_domain_name self.project_domain_name = project_domain_name self.endpoint = endpoint + self.insecure = https_insecure + self.cacert = https_cacert if admin_port: import warnings warnings.warn("'admin_port' argument is deprecated and will " @@ -46,6 +49,8 @@ class Endpoint(object): "endpoint_type": self.endpoint_type, "domain_name": self.domain_name, "endpoint": self.endpoint, + "https_insecure": self.insecure, + "https_cacert": self.cacert, "user_domain_name": self.user_domain_name, "project_domain_name": self.project_domain_name} if include_permission: diff --git a/rally/osclients.py b/rally/osclients.py index 610af32061..3030c725a9 100644 --- a/rally/osclients.py +++ b/rally/osclients.py 
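Review bot: `https_insecure=common.get("https_insecure", False)` never yields None, so for deployments created through ExistingCloud the `if self.endpoint.insecure is None` fallback in `Clients.__init__` cannot fire, while `https_cacert=common.get("https_cacert")` on the next line does fall back. That contradicts the commit message, which says rally.conf is still read when the deployment config has no SSL settings. Keeping verification on by default is the safer outcome, so either make the asymmetry explicit with a comment such as `# verification stays on unless the deployment opts out; rally.conf https_insecure is not consulted here`, or pass `common.get("https_insecure")` and let the fallback decide. The enclosing method starts outside the hunk.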
@@ -30,9 +30,11 @@ OSCLIENTS_OPTS = [ cfg.FloatOpt("openstack_client_http_timeout", default=180.0, help="HTTP timeout for any of OpenStack service in seconds"), cfg.BoolOpt("https_insecure", default=False, - help="Use SSL for all OpenStack API interfaces"), + help="Use SSL for all OpenStack API interfaces", + deprecated_for_removal=True), cfg.StrOpt("https_cacert", default=None, - help="Path to CA server cetrificate for SSL") + help="Path to CA server cetrificate for SSL", + deprecated_for_removal=True) ] CONF.register_opts(OSCLIENTS_OPTS) @@ -73,6 +75,12 @@ class Clients(object): def __init__(self, endpoint): self.endpoint = endpoint + # NOTE(kun) Apply insecure/cacert settings from rally.conf if those are + # not set in deployment config. Remove it when invaild. + if self.endpoint.insecure is None: + self.endpoint.insecure = CONF.https_insecure + if self.endpoint.cacert is None: + self.endpoint.cacert = CONF.https_cacert self.cache = {} @classmethod @@ -95,7 +103,7 @@ class Clients(object): """Return keystone client.""" new_kw = { "timeout": CONF.openstack_client_http_timeout, - "insecure": CONF.https_insecure, "cacert": CONF.https_cacert + "insecure": self.endpoint.insecure, "cacert": self.endpoint.cacert } kw = self.endpoint.to_dict() kw.update(new_kw) @@ -137,8 +145,8 @@ class Clients(object): auth_token=kc.auth_token, http_log_debug=logging.is_debug(), timeout=CONF.openstack_client_http_timeout, - insecure=CONF.https_insecure, - cacert=CONF.https_cacert) + insecure=self.endpoint.insecure, + cacert=self.endpoint.cacert) client.set_management_url(compute_api_url) return client @@ -155,8 +163,8 @@ class Clients(object): token=kc.auth_token, endpoint_url=network_api_url, timeout=CONF.openstack_client_http_timeout, - insecure=CONF.https_insecure, - ca_cert=CONF.https_cacert) + insecure=self.endpoint.insecure, + ca_cert=self.endpoint.cacert) return client @cached 
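Review bot: The help text kept on `https_insecure`, `"Use SSL for all OpenStack API interfaces"`, does not describe how the flag is used in this file: it is passed as `insecure=` to the clients, which in the OpenStack client libraries turns TLS certificate verification off. Since the hunk already edits both options, I would reword it to `help="Disable TLS certificate verification for OpenStack API clients. Deprecated: set https_insecure in the deployment config."`. The `https_cacert` help should get the same pointer to the deployment config, with `cetrificate` corrected to `certificate`.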
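Review bot: `Clients.__init__` resolves the fallback by assigning to `self.endpoint.insecure` and `self.endpoint.cacert`, so it mutates the Endpoint object the caller passed in. Because `Endpoint.to_dict()` now emits `https_insecure` and `https_cacert`, any code that serialises that endpoint afterwards would carry the rally.conf values as if they came from the deployment; whether that happens is outside this diff. Keeping the resolved values on the Clients instance avoids this, e.g. `self.insecure = endpoint.insecure if endpoint.insecure is not None else CONF.https_insecure` and likewise for cacert, with the client factories reading those attributes. The NOTE comment also has a typo, `invaild`; `# Remove once the rally.conf options are dropped.` reads more clearly.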
@@ -172,8 +180,8 @@ class Clients(object): endpoint=image_api_url, token=kc.auth_token, timeout=CONF.openstack_client_http_timeout, - insecure=CONF.https_insecure, - cacert=CONF.https_cacert) + insecure=self.endpoint.insecure, + cacert=self.endpoint.cacert) return client @cached @@ -189,8 +197,8 @@ class Clients(object): endpoint=orchestration_api_url, token=kc.auth_token, timeout=CONF.openstack_client_http_timeout, - insecure=CONF.https_insecure, - cacert=CONF.https_cacert) + insecure=self.endpoint.insecure, + cacert=self.endpoint.cacert) return client @cached @@ -200,8 +208,8 @@ class Clients(object): client = cinder.Client(version, None, None, http_log_debug=logging.is_debug(), timeout=CONF.openstack_client_http_timeout, - insecure=CONF.https_insecure, - cacert=CONF.https_cacert) + insecure=self.endpoint.insecure, + cacert=self.endpoint.cacert) kc = self.keystone() volume_api_url = kc.service_catalog.url_for( service_type="volume", @@ -230,8 +238,8 @@ class Clients(object): os_endpoint=metering_api_url, token=auth_token, timeout=CONF.openstack_client_http_timeout, - insecure=CONF.https_insecure, - cacert=CONF.https_cacert) + insecure=self.endpoint.insecure, + cacert=self.endpoint.cacert) return client @cached @@ -247,8 +255,8 @@ class Clients(object): os_auth_token=kc.auth_token, ironic_url=baremetal_api_url, timeout=CONF.openstack_client_http_timeout, - insecure=CONF.https_insecure, - cacert=CONF.https_cacert) + insecure=self.endpoint.insecure, + cacert=self.endpoint.cacert) return client @cached @@ -278,7 +286,7 @@ class Clients(object): "os_project_name": self.endpoint.tenant_name, "os_project_id": kc.auth_tenant_id, "os_auth_url": self.endpoint.auth_url, - "insecure": CONF.https_insecure, + "insecure": self.endpoint.insecure, }}} client = zaqar.Client(url=messaging_api_url, version=version, 
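Review bot: The zaqar `conf` dict in the last hunk on this line forwards only `"insecure": self.endpoint.insecure`; `self.endpoint.cacert` is not handed over, and the designate hunk (`insecure=self.endpoint.insecure`) has the same gap. A deployment that sets `https_cacert` for a private CA therefore cannot have that CA applied to these two clients, and the only knob left for reaching them is `https_insecure`, which disables verification. If the zaqar and designate clients accept a CA bundle option (not visible in this diff), pass it; otherwise a comment such as `# NOTE: this client takes no cacert option here; https_cacert is ignored` would make the limitation visible. The enclosing method continues outside the hunk.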
@@ -313,7 +321,7 @@ class Clients(object): client = designate.Client( endpoint=dns_api_url, token=kc.auth_token, - insecure=CONF.https_insecure) + insecure=self.endpoint.insecure) return client @cached @@ -327,8 +335,8 @@ class Clients(object): auth_url=self.endpoint.auth_url, region_name=self.endpoint.region_name, timeout=CONF.openstack_client_http_timeout, - insecure=CONF.https_insecure, - cacert=CONF.https_cacert) + insecure=self.endpoint.insecure, + cacert=self.endpoint.cacert) return client @cached @@ -359,8 +367,8 @@ class Clients(object): client = swift.Connection(retries=1, preauthurl=object_api_url, preauthtoken=kc.auth_token, - insecure=CONF.https_insecure, - cacert=CONF.https_cacert) + insecure=self.endpoint.insecure, + cacert=self.endpoint.cacert) return client @cached @@ -382,7 +390,7 @@ class Clients(object): url=ec2_api_url, aws_access_key_id=ec2_credential.access, aws_secret_access_key=ec2_credential.secret, - is_secure=CONF.https_insecure) + is_secure=self.endpoint.insecure) return client @cached diff --git a/samples/deployments/existing-keystone-v3.json b/samples/deployments/existing-keystone-v3.json index c5d97a08ce..6d7bcfc379 100644 --- a/samples/deployments/existing-keystone-v3.json +++ b/samples/deployments/existing-keystone-v3.json @@ -9,5 +9,7 @@ "user_domain_name": "admin", "project_name": "admin", "project_domain_name": "admin", - } + }, + "https_insecure": False, + "https_cacert": "", } diff --git a/samples/deployments/existing-with-given-endpoint.json b/samples/deployments/existing-with-given-endpoint.json index 89af49e142..1b058fa0d7 100644 --- a/samples/deployments/existing-with-given-endpoint.json +++ b/samples/deployments/existing-with-given-endpoint.json @@ -8,5 +8,7 @@ "username": "admin", "password": "pa55word", "tenant_name": "demo" - } + }, + "https_insecure": False, + "https_cacert": "", } diff --git a/samples/deployments/existing.json b/samples/deployments/existing.json index b445f62ac3..532bf5afd0 100644 
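Review bot: In the ec2 hunk, `is_secure=self.endpoint.insecure` feeds the skip-verification flag into a boto parameter that selects HTTPS versus plain HTTP, so the default `https_insecure: False` requests an unencrypted connection and `True` requests TLS. The removed line had the same mapping with `CONF.https_insecure`, so this is carried over rather than introduced, but the commit rewrites the line and the matching test hunk (`"is_secure": self.endpoint.insecure`) pins it. I would derive `is_secure` from the scheme of `ec2_api_url` and express the verification choice separately, e.g. `validate_certs=not self.endpoint.insecure`, after checking that keyword against the boto version in use.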
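Review bot: `"https_insecure": False,` in the sample hunks is not a JSON literal (JSON spells it `false`), and the added `"https_cacert": "",` leaves a trailing comma before the closing brace. In existing-with-given-endpoint.json and existing.json the old object ended without a trailing comma, so the visible lines of those two files were well-formed before this change. If the samples are read with a strict JSON parser they no longer load; a YAML loader would accept them, but tools keyed on the .json extension will still flag them. I would write `"https_insecure": false` as the last member with no trailing comma, and leave `https_cacert` out unless a real path is shown.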
--- a/samples/deployments/existing.json +++ b/samples/deployments/existing.json @@ -7,5 +7,7 @@ "username": "admin", "password": "myadminpass", "tenant_name": "demo" - } + }, + "https_insecure": False, + "https_cacert": "", } diff --git a/tests/unit/deploy/engines/test_existing.py b/tests/unit/deploy/engines/test_existing.py index c534059fb0..35d9758cd1 100644 --- a/tests/unit/deploy/engines/test_existing.py +++ b/tests/unit/deploy/engines/test_existing.py @@ -32,6 +32,8 @@ class TestExistingCloud(test.TestCase): "auth_url": "http://example.net:5000/v2.0/", "region_name": "RegionOne", "endpoint_type": consts.EndpointType.INTERNAL, + "https_insecure": False, + "https_cacert": None, "admin": { "username": "admin", "password": "myadminpass", diff --git a/tests/unit/objects/test_endpoint.py b/tests/unit/objects/test_endpoint.py index f401ac057b..909a2751b1 100644 --- a/tests/unit/objects/test_endpoint.py +++ b/tests/unit/objects/test_endpoint.py @@ -33,6 +33,8 @@ class EndpointTestCase(test.TestCase): "domain_name": None, "endpoint": None, "endpoint_type": consts.EndpointType.PUBLIC, + "https_insecure": None, + "https_cacert": None, "project_domain_name": "Default", "user_domain_name": "Default"}) @@ -50,6 +52,8 @@ class EndpointTestCase(test.TestCase): "endpoint": None, "permission": consts.EndpointPermission.ADMIN, "endpoint_type": consts.EndpointType.PUBLIC, + "https_insecure": None, + "https_cacert": None, "project_domain_name": "Default", "user_domain_name": "Default"}) @@ -67,5 +71,7 @@ class EndpointTestCase(test.TestCase): "domain_name": None, "endpoint": "foo_endpoint", "endpoint_type": consts.EndpointType.PUBLIC, + "https_insecure": None, + "https_cacert": None, "project_domain_name": "Default", "user_domain_name": "Default"}) diff --git a/tests/unit/test_api.py b/tests/unit/test_api.py index d6c22df0b0..b0a819ccde 100644 --- a/tests/unit/test_api.py +++ b/tests/unit/test_api.py 
@@ -177,6 +177,8 @@ class BaseDeploymentTestCase(test.TestCase): admin_endpoint["endpoint"] = None admin_endpoint.update(admin_endpoint.pop("admin")) admin_endpoint["permission"] = consts.EndpointPermission.ADMIN + admin_endpoint["https_insecure"] = False + admin_endpoint["https_cacert"] = None self.endpoints = {"admin": admin_endpoint, "users": []} self.deployment = { "uuid": self.deployment_uuid, diff --git a/tests/unit/test_osclients.py b/tests/unit/test_osclients.py index 69ef324aaf..2aba7ad17d 100644 --- a/tests/unit/test_osclients.py +++ b/tests/unit/test_osclients.py @@ -31,7 +31,8 @@ class TestCreateKeystoneClient(test.TestCase): def setUp(self): super(TestCreateKeystoneClient, self).setUp() self.kwargs = {"auth_url": "http://auth_url", "username": "user", - "password": "password", "tenant_name": "tenant"} + "password": "password", "tenant_name": "tenant", + "https_insecure": False, "https_cacert": None} def test_create_keystone_client_v2(self): mock_keystone = mock.MagicMock() @@ -179,8 +180,8 @@ class OSClientsTestCase(test.TestCase): "token": self.fake_keystone.auth_token, "endpoint_url": self.service_catalog.url_for.return_value, "timeout": cfg.CONF.openstack_client_http_timeout, - "insecure": cfg.CONF.https_insecure, - "ca_cert": cfg.CONF.https_cacert + "insecure": self.endpoint.insecure, + "ca_cert": self.endpoint.cacert } self.service_catalog.url_for.assert_called_once_with( service_type="network", @@ -270,8 +271,8 @@ class OSClientsTestCase(test.TestCase): "os_auth_token": self.fake_keystone.auth_token, "ironic_url": self.service_catalog.url_for.return_value, "timeout": cfg.CONF.openstack_client_http_timeout, - "insecure": cfg.CONF.https_insecure, - "cacert": cfg.CONF.https_cacert + "insecure": self.endpoint.insecure, + "cacert": self.endpoint.cacert } mock_ironic.client.get_client.assert_called_once_with("1.0", **kw) self.assertEqual(fake_ironic, self.clients.cache["ironic"]) 
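Review bot: The expected kwargs in the test_osclients.py neutron hunk now read `self.endpoint.insecure` and `self.endpoint.cacert`, the same attributes the code under test reads, so the assertions hold whatever `Clients.__init__` resolved; the ironic, zaqar, trove and ec2 test hunks follow the same pattern. Nothing in the visible tests covers the new branch itself: an endpoint with `insecure=None` picking up `CONF.https_insecure`, or a deployment-level value taking precedence over rally.conf. I would add a test that builds an Endpoint without SSL arguments, sets the conf option and asserts `clients.endpoint.insecure` matches it, plus the reverse case with `https_insecure=False` on the endpoint and the conf option set to True. The test class's setUp is outside the hunk.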
@@ -313,7 +314,7 @@ class OSClientsTestCase(test.TestCase): "os_project_name": self.endpoint.tenant_name, "os_project_id": self.fake_keystone.auth_tenant_id, "os_auth_url": self.endpoint.auth_url, - "insecure": cfg.CONF.https_insecure, + "insecure": self.endpoint.insecure, }}} mock_zaqar.client.Client.assert_called_once_with( url=fake_zaqar_url, version=1.1, conf=conf) @@ -334,8 +335,8 @@ class OSClientsTestCase(test.TestCase): "auth_url": self.endpoint.auth_url, "region_name": self.endpoint.region_name, "timeout": cfg.CONF.openstack_client_http_timeout, - "insecure": cfg.CONF.https_insecure, - "cacert": cfg.CONF.https_cacert + "insecure": self.endpoint.insecure, + "cacert": self.endpoint.cacert } mock_trove.client.Client.assert_called_once_with("1.0", **kw) self.assertEqual(fake_trove, self.clients.cache["trove"]) @@ -405,7 +406,7 @@ class OSClientsTestCase(test.TestCase): "url": "http://fake.to:1/fake", "aws_access_key_id": "fake_access", "aws_secret_access_key": "fake_secret", - "is_secure": cfg.CONF.https_insecure, + "is_secure": self.endpoint.insecure, } mock_boto.connect_ec2_endpoint.assert_called_once_with(**kw) self.assertEqual(fake_ec2, self.clients.cache["ec2"]) @@ -417,7 +418,7 @@ class OSClientsTestCase(test.TestCase): "unknown_service": {}} mock_keystone.return_value = mock.Mock(service_catalog=mock.Mock( get_endpoints=lambda: available_services)) - clients = osclients.Clients({}) + clients = osclients.Clients(self.endpoint) self.assertEqual( {consts.ServiceType.IDENTITY: consts.Service.KEYSTONE,