Fix disable_ssl_certificate_validation values if ca_certificates file is defined

In ClosingHttp.__init__, if disable_ssl_certification_validation is True and
ca_certs is defined, tempest should not try to validate the ca_certificates
file. If the certificate is self-signed, the validation will execute and fail.
As it is right now if both of those values are defined, tempest.conf will try
to validate the self-signed certs and it will fail. Instead, it should support
self-signed certs that will not pass validation. The code should be refactored
to correctly disable certificate validation even if the ca_cert location is
provided.

Change-Id: Iae42b5c2b4381947df71004613ca0a82b29730bb
Closes-Bug: #1705769

tempest/lib/common/http.py

@@ -25,8 +25,7 @@ class ClosingHttp(urllib3.poolmanager.PoolManager):
         if disable_ssl_certificate_validation:
             urllib3.disable_warnings()
             kwargs['cert_reqs'] = 'CERT_NONE'
-
-        if ca_certs:
+        elif ca_certs:
             kwargs['cert_reqs'] = 'CERT_REQUIRED'
             kwargs['ca_certs'] = ca_certs
 

tempest/tests/lib/common/test_http.py

@@ -0,0 +1,68 @@
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from tempest.lib.common import http
+from tempest.tests import base
+
+
+class TestClosingHttp(base.TestCase):
+    def setUp(self):
+        super(TestClosingHttp, self).setUp()
+        self.cert_none = "CERT_NONE"
+        self.cert_location = "/etc/ssl/certs/ca-certificates.crt"
+
+    def test_constructor_invalid_ca_certs_and_timeout(self):
+        connection = http.ClosingHttp(
+            disable_ssl_certificate_validation=False,
+            ca_certs=None,
+            timeout=None)
+        for attr in ('cert_reqs', 'ca_certs', 'timeout'):
+            self.assertNotIn(attr, connection.connection_pool_kw)
+
+    def test_constructor_valid_ca_certs(self):
+        cert_required = 'CERT_REQUIRED'
+        connection = http.ClosingHttp(
+            disable_ssl_certificate_validation=False,
+            ca_certs=self.cert_location,
+            timeout=None)
+        self.assertEqual(cert_required,
+                         connection.connection_pool_kw['cert_reqs'])
+        self.assertEqual(self.cert_location,
+                         connection.connection_pool_kw['ca_certs'])
+        self.assertNotIn('timeout',
+                         connection.connection_pool_kw)
+
+    def test_constructor_ssl_cert_validation_disabled(self):
+        connection = http.ClosingHttp(
+            disable_ssl_certificate_validation=True,
+            ca_certs=None,
+            timeout=30)
+        self.assertEqual(self.cert_none,
+                         connection.connection_pool_kw['cert_reqs'])
+        self.assertEqual(30,
+                         connection.connection_pool_kw['timeout'])
+        self.assertNotIn('ca_certs',
+                         connection.connection_pool_kw)
+
+    def test_constructor_ssl_cert_validation_disabled_and_ca_certs(self):
+        connection = http.ClosingHttp(
+            disable_ssl_certificate_validation=True,
+            ca_certs=self.cert_location,
+            timeout=None)
+        self.assertNotIn('timeout',
+                         connection.connection_pool_kw)
+        self.assertEqual(self.cert_none,
+                         connection.connection_pool_kw['cert_reqs'])
+        self.assertNotIn('ca_certs',
+                         connection.connection_pool_kw)