Allow non-verified HTTPS sources for virtualmedia

This PR enables the emulator to insert media that is served over HTTPS by adding a new configuration option that disables python-requests verification. Signed-off-by: Antoni Segura Puimedon <asegurap@redhat.com> Change-Id: Ie594ee021f55c5e97ca0ab5e9e96409fdd7038a9
2021-05-14 17:35:33 +02:00 · 2021-05-14 17:35:33 +02:00 · b6542f6e8e
commit b6542f6e8e
parent 17fd2a01d3
3 changed files with 57 additions and 4 deletions
--- a/doc/source/admin/emulator.conf
+++ b/doc/source/admin/emulator.conf
@ -94,6 +94,10 @@ SUSHY_EMULATOR_VMEDIA_DEVICES = {
    }
 }

+# Instruct the virtual media insertion not to verify the SSL certificate
+# when retrieving the image.
+SUSHY_EMULATOR_VMEDIA_VERIFY_SSL = True
+
 # This map contains statically configured Redfish Storage resource linked
 # up with the Systems resource, keyed by the UUIDs of the Systems.
 SUSHY_EMULATOR_STORAGE = {
--- a/sushy_tools/emulator/resources/vmedia.py
+++ b/sushy_tools/emulator/resources/vmedia.py
@ -140,12 +140,16 @@ class StaticDriver(base.DriverBase):
        :raises: `FishyError` if image can't be manipulated
        """
        device_info = self._get_device(identity, device)
+        verify_media_cert = self._config.get(
+            'SUSHY_EMULATOR_VMEDIA_VERIFY_SSL', True)

        try:
            with tempfile.NamedTemporaryFile(
                    mode='w+b', delete=False) as tmp_file:

-                with requests.get(image_url, stream=True) as rsp:
+                with requests.get(image_url,
+                                  stream=True,
+                                  verify=verify_media_cert) as rsp:

                    with open(tmp_file.name, 'wb') as fl:

--- a/sushy_tools/tests/unit/emulator/resources/test_vmedia.py
+++ b/sushy_tools/tests/unit/emulator/resources/test_vmedia.py
@ -97,7 +97,7 @@ class StaticDriverTestCase(base.BaseTestCase):

        self.assertEqual('/alphabet/soup/fish.iso', local_file)
        mock_requests.get.assert_called_once_with(
-            'http://fish.it/red.iso', stream=True)
+            'http://fish.it/red.iso', stream=True, verify=True)
        mock_open.assert_called_once_with(mock.ANY, 'wb')
        mock_rename.assert_called_once_with(
            'alphabet.soup', '/alphabet/soup/fish.iso')
@ -132,7 +132,7 @@ class StaticDriverTestCase(base.BaseTestCase):

        self.assertEqual('/alphabet/soup/red.iso', local_file)
        mock_requests.get.assert_called_once_with(
-            'http://fish.it/red.iso', stream=True)
+            'http://fish.it/red.iso', stream=True, verify=True)
        mock_open.assert_called_once_with(mock.ANY, 'wb')
        mock_rename.assert_called_once_with(
            'alphabet.soup', '/alphabet/soup/red.iso')
@ -166,7 +166,8 @@ class StaticDriverTestCase(base.BaseTestCase):
            inserted=True, write_protected=False)

        self.assertEqual('/alphabet/soup/boot-abc', local_file)
-        mock_requests.get.assert_called_once_with(full_url, stream=True)
+        mock_requests.get.assert_called_once_with(full_url, stream=True,
+                                                  verify=True)
        mock_open.assert_called_once_with(mock.ANY, 'wb')
        mock_rename.assert_called_once_with(
            'alphabet.soup', '/alphabet/soup/boot-abc')
@ -175,6 +176,50 @@ class StaticDriverTestCase(base.BaseTestCase):
        self.assertTrue(device_info['Inserted'])
        self.assertFalse(device_info['WriteProtected'])

+    @mock.patch.object(vmedia.StaticDriver, '_get_device', autospec=True)
+    @mock.patch.object(builtins, 'open', autospec=True)
+    @mock.patch.object(vmedia.os, 'rename', autospec=True)
+    @mock.patch.object(vmedia, 'tempfile', autospec=True)
+    @mock.patch.object(vmedia, 'requests', autospec=True)
+    def test_insert_image_no_verify_ssl(self, mock_requests, mock_tempfile,
+                                        mock_rename, mock_open,
+                                        mock_get_device):
+        device_info = {}
+        mock_get_device.return_value = device_info
+
+        mock_tempfile.mkdtemp.return_value = '/alphabet/soup'
+        mock_tempfile.gettempdir.return_value = '/tmp'
+        mock_tmp_file = (mock_tempfile.NamedTemporaryFile
+                         .return_value.__enter__.return_value)
+        mock_tmp_file.name = 'alphabet.soup'
+        mock_rsp = mock_requests.get.return_value.__enter__.return_value
+        mock_rsp.headers = {
+            'content-disposition': 'attachment; filename="fish.iso"'
+        }
+
+        ssl_conf_key = 'SUSHY_EMULATOR_VMEDIA_VERIFY_SSL'
+        default_ssl_verify = self.test_driver._config.get(ssl_conf_key)
+        try:
+            self.test_driver._config[ssl_conf_key] = (
+                False)
+            local_file = self.test_driver.insert_image(
+                self.UUID, 'Cd', 'https://fish.it/red.iso', inserted=True,
+                write_protected=False)
+        finally:
+            self.test_driver._config[ssl_conf_key] = default_ssl_verify
+
+        self.assertEqual('/alphabet/soup/fish.iso', local_file)
+        mock_requests.get.assert_called_once_with(
+            'https://fish.it/red.iso', stream=True, verify=False)
+        mock_open.assert_called_once_with(mock.ANY, 'wb')
+        mock_rename.assert_called_once_with(
+            'alphabet.soup', '/alphabet/soup/fish.iso')
+
+        self.assertEqual('fish.iso', device_info['Image'])
+        self.assertTrue(device_info['Inserted'])
+        self.assertFalse(device_info['WriteProtected'])
+        self.assertEqual(local_file, device_info['_local_file'])
+
    @mock.patch.object(vmedia.StaticDriver, '_get_device', autospec=True)
    @mock.patch.object(vmedia.os, 'unlink', autospec=True)
    def test_eject_image(self, mock_unlink, mock_get_device):