Fixes cert issue on oidc-auth command

When the user tries to authenticate using oidc-auth command
externally, the oidc-auth script wasn't able to verify the local
issuer certificate as following:

user@external-machine$ oidc-auth -c <oam_ip> -u user2 -p <password>
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable
to get local issuer certificate

When the StarlingX system has HTTPS certificate enabled, one of the
steps to configure the Remote CLIs and Clients Container is to
provide the ca certificate which oidc-auth script should use to
verify the requests during the authentication procedure, the
enviroment variable OS_CACERT will hold the ca certifile file name.
Refer the guide: https://docs.starlingx.io/security/openstack/
configure-remote-clis-and-clients.html for more information.

The fix basically lets the oidc-auth script know about which
certificate should be used during the authentication procedure. By
default, now the oidc-auth script will use the certificate file
provided into the OS_CACERT enviroment variable.

Additionally, an option was created for the users to specify a cacert
file when using the oidc-auth command.

Test Plan:
PASS: Deploy a SX and configure the oidc-auth-apps.
PASS: Create an ldap user and configure the user roles.
PASS: Try to authenticate locally using oidc-auth, should be
successed.
PASS: Configure the Remote CLIs in your remote workstation in
order to get access to the oidc-auth command, refer the guide: Configure
Container-backed Remote CLIs and Clients.
PASS: Authenticate from your remote workstation with the
oidc-auth command:
oidc-auth -c <oam_ip> -u <ldap_user> -p <ldap_user_password>
The command should now successed.
PASS: Opitional, authenticate from your remote workstation with the
oidc-auth command specifying a cacert file:
oidc-auth -c <oam_ip> -u <ldap_user> -p <ldap_user_password>
-ca <path to ca-certificate file>

Closes-Bug: 2086731

Change-Id: Ia8f37b44f846207a13b8b4983cc3ed0614d97a93
Signed-off-by: Joaci Morais <Joaci.deMorais@windriver.com>
This commit is contained in:
Joaci Morais 2024-11-05 11:57:11 -03:00
parent 1de5f369d3
commit b78a185adc

View File

@ -9,6 +9,7 @@
from argparse import ArgumentParser
import getpass
import mechanize
import os
import re
import six
import ssl
@ -31,6 +32,9 @@ def main():
help="Password. Prompted if not present.")
parser.add_argument("-b", "--backend", dest="backend",
help="Dex configured backend name")
parser.add_argument("-ca", "--cacert", dest="cacert",
help="Path to ca certificate file",
default=None)
parser.add_argument("-v", "--verbose", action='count')
args = parser.parse_args()
@ -39,6 +43,7 @@ def main():
username = args.username
password = args.password
client = args.client
cacert = args.cacert
if not username:
try:
@ -62,8 +67,39 @@ def main():
print("username: " + username)
print("password: " + password)
ssl._create_default_https_context = ssl._create_unverified_context
default_cacert = None
OS_CACERT = os.environ.get('OS_CACERT', None)
if OS_CACERT:
default_cacert = os.path.join(os.getcwd(), OS_CACERT)
# prioritize the cacert informed by the user, otherwise use the OS_CACERT
cafile = None
if cacert:
if os.path.exists(cacert):
cafile = cacert
if verbose:
print(f"Using given cafile: {cafile}")
else:
print(f"ERROR: The provided cacert file: {cacert} was not found")
sys.exit(1)
if cafile is None and default_cacert:
if os.path.exists(default_cacert):
cafile = default_cacert
if verbose:
print(f"Using certificate provided at OS_CACERT: {OS_CACERT}")
else:
print(f"WARN: The OS_CACERT set to {OS_CACERT} but was not found")
br = mechanize.Browser()
if cafile:
br.set_ca_data(context=ssl.create_default_context(
cafile=cafile))
else:
if verbose:
print("WARN: No valid cerfiticate found, using unverified context")
br.set_ca_data(context=ssl._create_unverified_context(
cert_reqs=ssl.CERT_NONE))
br.set_handle_robots(False)
br.addheaders = [("User-agent", "Mozilla/5.0")]
@ -185,7 +221,6 @@ def main():
updateCredsCmd = ("kubectl config set-credentials " +
username + " --token " + idToken)
import os
os.system(updateCredsCmd)