Fix the ca certificate handling in the client sessions

The verify parameter is a 3 state parameter: - it can be False if disabling CA checking is requested (insecure TLS) - it can be set to True to check CA with the system CA bundle - finally the path to the CA cert can be passed which must be used to check the session The cert parameter used currently is a client certificate, which is obviously wrong in this case. Change-Id: I100163713236a6096197e011963d08e994312dcd Closes-Bug: #1593268 (cherry picked from commit 9d428206cd)
2016-06-16 17:01:35 +02:00 · 2016-06-16 17:01:35 +02:00 · e46f0c77b7
commit e46f0c77b7
parent 8081497844
3 changed files with 16 additions and 16 deletions
--- a/releasenotes/notes/ca-cert-fix-5c434a82f9347039.yaml
+++ b/releasenotes/notes/ca-cert-fix-5c434a82f9347039.yaml
@ -0,0 +1,4 @@
+---
+fixes:
+  - CA certificate handling in keystone, nova, neutron and
+    cinder clients are fixed (#330635)
--- a/sahara/service/sessions.py
+++ b/sahara/service/sessions.py
@ -103,9 +103,9 @@ class SessionCache(object):
    def get_cinder_session(self):
        session = self._sessions.get(SESSION_TYPE_CINDER)
        if not session:
-            if not CONF.cinder.api_insecure and CONF.cinder.ca_file:
+            if not CONF.cinder.api_insecure:
                session = keystone.Session(
-                    cert=CONF.cinder.ca_file, verify=True)
+                    verify=CONF.cinder.ca_file or True)
            else:
                session = self.get_insecure_session()
            self._set_session(SESSION_TYPE_CINDER, session)
@ -114,9 +114,9 @@ class SessionCache(object):
    def get_keystone_session(self):
        session = self._sessions.get(SESSION_TYPE_KEYSTONE)
        if not session:
-            if not CONF.keystone.api_insecure and CONF.keystone.ca_file:
+            if not CONF.keystone.api_insecure:
                session = keystone.Session(
-                    cert=CONF.keystone.ca_file, verify=True)
+                    verify=CONF.keystone.ca_file or True)
            else:
                session = self.get_insecure_session()
            self._set_session(SESSION_TYPE_KEYSTONE, session)
@ -125,9 +125,9 @@ class SessionCache(object):
    def get_neutron_session(self):
        session = self._sessions.get(SESSION_TYPE_NEUTRON)
        if not session:
-            if not CONF.neutron.api_insecure and CONF.neutron.ca_file:
+            if not CONF.neutron.api_insecure:
                session = keystone.Session(
-                    cert=CONF.neutron.ca_file, verify=True)
+                    verify=CONF.neutron.ca_file or True)
            else:
                session = self.get_insecure_session()
            self._set_session(SESSION_TYPE_NEUTRON, session)
@ -136,9 +136,9 @@ class SessionCache(object):
    def get_nova_session(self):
        session = self._sessions.get(SESSION_TYPE_NOVA)
        if not session:
-            if not CONF.nova.api_insecure and CONF.nova.ca_file:
+            if not CONF.nova.api_insecure:
                session = keystone.Session(
-                    cert=CONF.nova.ca_file, verify=True)
+                    verify=CONF.nova.ca_file or True)
            else:
                session = self.get_insecure_session()
            self._set_session(SESSION_TYPE_NOVA, session)
--- a/sahara/tests/unit/service/test_sessions.py
+++ b/sahara/tests/unit/service/test_sessions.py
@ -38,8 +38,7 @@ class TestSessionCache(base.SaharaTestCase):
        self.override_config('ca_file', '/some/cacert', group='keystone')
        self.override_config('api_insecure', False, group='keystone')
        sc.get_session(sessions.SESSION_TYPE_KEYSTONE)
-        keystone_session.assert_called_once_with(cert='/some/cacert',
-                                                 verify=True)
+        keystone_session.assert_called_once_with(verify='/some/cacert')

        sc = sessions.SessionCache()
        keystone_session.reset_mock()
@ -58,8 +57,7 @@ class TestSessionCache(base.SaharaTestCase):
        self.override_config('ca_file', '/some/cacert', group='nova')
        self.override_config('api_insecure', False, group='nova')
        sc.get_session(sessions.SESSION_TYPE_NOVA)
-        keystone_session.assert_called_once_with(cert='/some/cacert',
-                                                 verify=True)
+        keystone_session.assert_called_once_with(verify='/some/cacert')

        sc = sessions.SessionCache()
        keystone_session.reset_mock()
@ -78,8 +76,7 @@ class TestSessionCache(base.SaharaTestCase):
        self.override_config('ca_file', '/some/cacert', group='cinder')
        self.override_config('api_insecure', False, group='cinder')
        sc.get_session(sessions.SESSION_TYPE_CINDER)
-        keystone_session.assert_called_once_with(cert='/some/cacert',
-                                                 verify=True)
+        keystone_session.assert_called_once_with(verify='/some/cacert')

        sc = sessions.SessionCache()
        keystone_session.reset_mock()
@ -98,8 +95,7 @@ class TestSessionCache(base.SaharaTestCase):
        self.override_config('ca_file', '/some/cacert', group='neutron')
        self.override_config('api_insecure', False, group='neutron')
        sc.get_session(sessions.SESSION_TYPE_NEUTRON)
-        keystone_session.assert_called_once_with(cert='/some/cacert',
-                                                 verify=True)
+        keystone_session.assert_called_once_with(verify='/some/cacert')

        sc = sessions.SessionCache()
        keystone_session.reset_mock()