Merge "Handle registries with incorrect certs correctly"

2019-07-08 21:40:16 +00:00 · 2019-07-08 21:40:16 +00:00 · fc6871ab7b
commit fc6871ab7b
parent 2444752d14 51d723a9ff
2 changed files with 20 additions and 2 deletions
--- a/tripleo_common/image/image_uploader.py
+++ b/tripleo_common/image/image_uploader.py
@ -683,7 +683,8 @@ class BaseImageUploader(object):
    def is_insecure_registry(self, registry_host):
        if registry_host in self.secure_registries:
            return False
-        if registry_host in self.insecure_registries:
+        if (registry_host in self.insecure_registries or
+                registry_host in self.no_verify_registries):
            return True
        try:
            requests.get('https://%s/v2' % registry_host, timeout=30)
@ -694,7 +695,12 @@ class BaseImageUploader(object):
                requests.get('https://%s/v2' % registry_host, timeout=30,
                             verify=False)
                self.no_verify_registries.add(registry_host)
-                return False
+                # Techinically these type of registries are insecure when
+                # the container engine tries to do a pull. The python uploader
+                # ignores the certificate problem, but they are still inscure
+                # so we return True here while we'll still use https when we
+                # access the registry. LP#1833751
+                return True
            except requests.exceptions.SSLError:
                # So nope, it's really not a certificate verification issue
                self.insecure_registries.add(registry_host)
--- a/tripleo_common/tests/image/test_image_uploader.py
+++ b/tripleo_common/tests/image/test_image_uploader.py
@ -241,6 +241,18 @@ class TestBaseImageUploader(base.TestCase):
            self.requests.request_history[0].url
        )

+    @mock.patch('requests.get')
+    def test_is_insecure_registry_bad_cert(self, mock_get):
+        mock_get.side_effect = [requests.exceptions.SSLError('ouch'), True]
+        self.assertTrue(
+            self.uploader.is_insecure_registry('bcert:8787'))
+        self.assertTrue(
+            self.uploader.is_insecure_registry('bcert:8787'))
+        calls = [mock.call('https://bcert:8787/v2', timeout=30),
+                 mock.call('https://bcert:8787/v2', timeout=30, verify=False)]
+        mock_get.assert_has_calls(calls)
+        self.assertEqual(mock_get.call_count, 2)
+
    def test_is_insecure_registry_timeout(self):
        self.requests.get(
            'https://192.0.2.0:8787/',