Fix the ca certificate handling in the client sessions

The verify parameter is a 3 state parameter:
- it can be False if disabling CA checking is requested (insecure TLS)
- it can be set to True to check CA with the system CA bundle
- finally the path to the CA cert can be passed which must be used to
  check the session

The cert parameter currently used is meant for a client certificate, which is
obviously wrong in this case.

Change-Id: I100163713236a6096197e011963d08e994312dcd
Closes-Bug: #1593268
(cherry picked from commit 9d428206cd)
Gyorgy Szombathelyi 2016-06-16 17:01:35 +02:00
parent 8081497844
commit e46f0c77b7
3 changed files with 16 additions and 16 deletions


@ -0,0 +1,4 @@
---
fixes:
- CA certificate handling in keystone, nova, neutron and
cinder clients are fixed (#330635)


@ -103,9 +103,9 @@ class SessionCache(object):
def get_cinder_session(self):
session = self._sessions.get(SESSION_TYPE_CINDER)
if not session:
if not CONF.cinder.api_insecure and CONF.cinder.ca_file:
if not CONF.cinder.api_insecure:
session = keystone.Session(
cert=CONF.cinder.ca_file, verify=True)
verify=CONF.cinder.ca_file or True)
else:
session = self.get_insecure_session()
self._set_session(SESSION_TYPE_CINDER, session)
@ -114,9 +114,9 @@ class SessionCache(object):
def get_keystone_session(self):
session = self._sessions.get(SESSION_TYPE_KEYSTONE)
if not session:
if not CONF.keystone.api_insecure and CONF.keystone.ca_file:
if not CONF.keystone.api_insecure:
session = keystone.Session(
cert=CONF.keystone.ca_file, verify=True)
verify=CONF.keystone.ca_file or True)
else:
session = self.get_insecure_session()
self._set_session(SESSION_TYPE_KEYSTONE, session)
@ -125,9 +125,9 @@ class SessionCache(object):
def get_neutron_session(self):
session = self._sessions.get(SESSION_TYPE_NEUTRON)
if not session:
if not CONF.neutron.api_insecure and CONF.neutron.ca_file:
if not CONF.neutron.api_insecure:
session = keystone.Session(
cert=CONF.neutron.ca_file, verify=True)
verify=CONF.neutron.ca_file or True)
else:
session = self.get_insecure_session()
self._set_session(SESSION_TYPE_NEUTRON, session)
@ -136,9 +136,9 @@ class SessionCache(object):
def get_nova_session(self):
session = self._sessions.get(SESSION_TYPE_NOVA)
if not session:
if not CONF.nova.api_insecure and CONF.nova.ca_file:
if not CONF.nova.api_insecure:
session = keystone.Session(
cert=CONF.nova.ca_file, verify=True)
verify=CONF.nova.ca_file or True)
else:
session = self.get_insecure_session()
self._set_session(SESSION_TYPE_NOVA, session)
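Review bot: The new `if not CONF.cinder.api_insecure:` branch in get_cinder_session (and the same branch in get_keystone_session, get_neutron_session and get_nova_session) changes what happens when api_insecure is false and ca_file is unset: the old condition sent that case to get_insecure_session(), whereas it now builds a session with `verify=True`, and neither the code nor the release note says so. I would add a comment above each Session call, `# verify takes the CA bundle path used to check the server certificate; True falls back to the system CA bundle`, and state in the release note that deployments without ca_file now have server certificates checked against the system bundle. The four branches are identical apart from the config group, so a small private helper taking the group would keep them from drifting apart again. The method bodies appear to continue past the end of their hunks.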


@ -38,8 +38,7 @@ class TestSessionCache(base.SaharaTestCase):
self.override_config('ca_file', '/some/cacert', group='keystone')
self.override_config('api_insecure', False, group='keystone')
sc.get_session(sessions.SESSION_TYPE_KEYSTONE)
keystone_session.assert_called_once_with(cert='/some/cacert',
verify=True)
keystone_session.assert_called_once_with(verify='/some/cacert')
sc = sessions.SessionCache()
keystone_session.reset_mock()
@ -58,8 +57,7 @@ class TestSessionCache(base.SaharaTestCase):
self.override_config('ca_file', '/some/cacert', group='nova')
self.override_config('api_insecure', False, group='nova')
sc.get_session(sessions.SESSION_TYPE_NOVA)
keystone_session.assert_called_once_with(cert='/some/cacert',
verify=True)
keystone_session.assert_called_once_with(verify='/some/cacert')
sc = sessions.SessionCache()
keystone_session.reset_mock()
@ -78,8 +76,7 @@ class TestSessionCache(base.SaharaTestCase):
self.override_config('ca_file', '/some/cacert', group='cinder')
self.override_config('api_insecure', False, group='cinder')
sc.get_session(sessions.SESSION_TYPE_CINDER)
keystone_session.assert_called_once_with(cert='/some/cacert',
verify=True)
keystone_session.assert_called_once_with(verify='/some/cacert')
sc = sessions.SessionCache()
keystone_session.reset_mock()
@ -98,8 +95,7 @@ class TestSessionCache(base.SaharaTestCase):
self.override_config('ca_file', '/some/cacert', group='neutron')
self.override_config('api_insecure', False, group='neutron')
sc.get_session(sessions.SESSION_TYPE_NEUTRON)
keystone_session.assert_called_once_with(cert='/some/cacert',
verify=True)
keystone_session.assert_called_once_with(verify='/some/cacert')
sc = sessions.SessionCache()
keystone_session.reset_mock()
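Review bot: The updated assertions in the keystone, nova, cinder and neutron hunks only cover the case where ca_file is set, so the new `or True` fallback is not exercised by anything visible here. If the remainder of each test does not already do it, add a case with ca_file unset and api_insecure False that ends in `keystone_session.assert_called_once_with(verify=True)`. Judging by the old condition, that is the path which previously went to get_insecure_session(), so it is the one most worth pinning. The test methods start and end outside these hunks.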