From fedc7933c6ba74f43fa1f88c70f0852f64ad56cc Mon Sep 17 00:00:00 2001
From: Andy Ning
Date: Fri, 16 Dec 2022 13:36:06 -0500
Subject: [PATCH] Fix SSL cert error in nfv-vim for rehomed subcloud

After a subcloud is rehomed, for some reason nfv-vim will fail to query hosts from sysinv's admin (https) endpoint, due to SSL certificate verification error (unable to get local issuer certificate). This fixed the issue by explicitly passing a SSL context to urlopen from urllib. This fix will not impact http access. The fix is similar to commit a763fca6a488fa39278f65b5395b3510218ce4f2

Test Plan:
PASS: Subcloud rehome successfully.
PASS: Verify the subcloud can be lock/unlock successfully after rehomed.
PASS: After unlock, verify in nfv-vim.log that REST calls to sysinv don't get timed out and are successful.

Closes-Bug: 1998941
Signed-off-by: Andy Ning
Change-Id: I3f1be0a08563db14157f4959f2a64180d2fe8240
---
 nfv/nfv-common/nfv_common/helpers.py | 15 +++++++++++++++
 .../nfvi_plugins/openstack/rest_api.py | 9 ++++++++-
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/nfv/nfv-common/nfv_common/helpers.py b/nfv/nfv-common/nfv_common/helpers.py
index 85d22cd9..ada85c99 100755
--- a/nfv/nfv-common/nfv_common/helpers.py
+++ b/nfv/nfv-common/nfv_common/helpers.py
@@ -5,6 +5,7 @@
 #
 import errno
 import functools
+import os
 import select
 import socket
 
@@ -114,3 +115,17 @@ def get_local_host_name():
     Returns the name of the local host
     """
     return socket.gethostname()
+
+
+def get_system_ca_file():
+    """Return path to system default CA file."""
+    # Standard CA file locations for Debian/Ubuntu, RedHat/Fedora,
+    # Suse, FreeBSD/OpenBSD
+    ca_path = ['/etc/ssl/certs/ca-certificates.crt', '/etc/pki/tls/certs/ca-bundle.crt', '/etc/ssl/ca-bundle.pem', '/etc/ssl/cert.pem']
+    for ca in ca_path:
+        if os.path.exists(ca):
+            return ca
+    return None
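Review bot: `os.path.exists(ca)` in the loop of `get_system_ca_file` is also true for a directory, while the returned value is handed to the caller as a `cafile`, so `if os.path.isfile(ca):` is the precise test for what this helper promises. The docstring should also say that the candidates are tried in the listed order and that `None` is returned when none of them exists, for example `"""Return the first existing system CA bundle from a fixed list of well-known paths, or None if none is found."""`, since callers need to handle that `None` deliberately.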
diff --git a/nfv/nfv-plugins/nfv_plugins/nfvi_plugins/openstack/rest_api.py b/nfv/nfv-plugins/nfv_plugins/nfvi_plugins/openstack/rest_api.py
index 9d1577dc..a01acb47 100755
--- a/nfv/nfv-plugins/nfv_plugins/nfvi_plugins/openstack/rest_api.py
+++ b/nfv/nfv-plugins/nfv_plugins/nfvi_plugins/openstack/rest_api.py
@@ -13,6 +13,7 @@
 from six.moves import socketserver as SocketServer
 from six.moves import urllib
 import socket
+import ssl
 import struct
 
 from nfv_common import debug
@@ -20,6 +21,7 @@ from nfv_common import selobj
 from nfv_common import timers
 from nfv_common.helpers import coroutine
+from nfv_common.helpers import get_system_ca_file
 from nfv_common.helpers import Object
 from nfv_common.helpers import Result
 
 
@@ -341,8 +343,13 @@ def _rest_api_request(token_id,
         response_raw = request.text
         request.close()
     else:
+        ca_file = get_system_ca_file()
+        ssl_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_file)
+
         request = urllib.request.urlopen(request_info,
-                                         timeout=timeout_in_secs)
+                                         timeout=timeout_in_secs,
+                                         context=ssl_context)
         headers = list()  # list of tuples
         for key, value in request.info().items():
             if key not in headers_per_hop:
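Review bot: `ssl.Purpose.CLIENT_AUTH` on the new `ssl_context = ssl.create_default_context(...)` line builds a context intended for a server that authenticates clients; `create_default_context` sets `verify_mode = CERT_REQUIRED` and `check_hostname = True` only for `Purpose.SERVER_AUTH`, so the context passed to `urlopen` performs no certificate or hostname verification of the sysinv endpoint, which is most likely why the "unable to get local issuer certificate" error goes away rather than being resolved. The line should read `ssl_context = ssl.create_default_context(cafile=ca_file)` (SERVER_AUTH is the default), which keeps verification enabled, loads the bundle found by `get_system_ca_file()`, and falls back to the platform default trust store when that helper returns `None`. If the rehomed subcloud's issuer is not in that bundle the original error will then reappear, and the correct CA needs to be present in the trust store rather than verification turned off. `_rest_api_request` starts and ends outside the hunk.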