From b78a185adcf03ca10b5d40b3e8f0fec74d9ccd27 Mon Sep 17 00:00:00 2001
From: Joaci Morais <Joaci.deMorais@windriver.com>
Date: Tue, 5 Nov 2024 11:57:11 -0300
Subject: [PATCH] Fixes cert issue on oidc-auth command

When the user tries to authenticate using oidc-auth command
externally, the oidc-auth script wasn't able to verify the local
issuer certificate as following:

user@external-machine$ oidc-auth -c <oam_ip> -u user2 -p <password>
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable
to get local issuer certificate

When the StarlingX system has HTTPS certificate enabled, one of the
steps to configure the Remote CLIs and Clients Container is to
provide the ca certificate which oidc-auth script should use to
verify the requests during the authentication procedure, the
enviroment variable OS_CACERT will hold the ca certifile file name.
Refer the guide: https://docs.starlingx.io/security/openstack/
configure-remote-clis-and-clients.html for more information.

The fix basically lets the oidc-auth script know about which
certificate should be used during the authentication procedure. By
default, now the oidc-auth script will use the certificate file
provided into the OS_CACERT enviroment variable.

Additionally, an option was created for the users to specify a cacert
file when using the oidc-auth command.

Test Plan:
PASS: Deploy a SX and configure the oidc-auth-apps.
PASS: Create an ldap user and configure the user roles.
PASS: Try to authenticate locally using oidc-auth, should be
successed.
PASS: Configure the Remote CLIs in your remote workstation in
order to get access to the oidc-auth command, refer the guide: Configure
Container-backed Remote CLIs and Clients.
PASS: Authenticate from your remote workstation with the
oidc-auth command:
oidc-auth -c <oam_ip> -u <ldap_user> -p <ldap_user_password>
The command should now successed.
PASS: Opitional, authenticate from your remote workstation with the
oidc-auth command specifying a cacert file:
oidc-auth -c <oam_ip> -u <ldap_user> -p <ldap_user_password>
-ca <path to ca-certificate file>

Closes-Bug: 2086731

Change-Id: Ia8f37b44f846207a13b8b4983cc3ed0614d97a93
Signed-off-by: Joaci Morais <Joaci.deMorais@windriver.com>
---
 .../oidcauthtools/oidcauthtools/oidc_auth.py  | 39 ++++++++++++++++++-
 1 file changed, 37 insertions(+), 2 deletions(-)

diff --git a/oidc-auth-tools/oidcauthtools/oidcauthtools/oidc_auth.py b/oidc-auth-tools/oidcauthtools/oidcauthtools/oidc_auth.py
index 31717bc..719f393 100644
--- a/oidc-auth-tools/oidcauthtools/oidcauthtools/oidc_auth.py
+++ b/oidc-auth-tools/oidcauthtools/oidcauthtools/oidc_auth.py
@@ -9,6 +9,7 @@
 from argparse import ArgumentParser
 import getpass
 import mechanize
+import os
 import re
 import six
 import ssl
@@ -31,6 +32,9 @@ def main():
                         help="Password. Prompted if not present.")
     parser.add_argument("-b", "--backend", dest="backend",
                         help="Dex configured backend name")
+    parser.add_argument("-ca", "--cacert", dest="cacert",
+                        help="Path to ca certificate file",
+                        default=None)
 
     parser.add_argument("-v", "--verbose", action='count')
     args = parser.parse_args()
@@ -39,6 +43,7 @@ def main():
     username = args.username
     password = args.password
     client = args.client
+    cacert = args.cacert
 
     if not username:
         try:
@@ -62,8 +67,39 @@ def main():
         print("username: " + username)
         print("password: " + password)
 
-    ssl._create_default_https_context = ssl._create_unverified_context
+    default_cacert = None
+    OS_CACERT = os.environ.get('OS_CACERT', None)
+    if OS_CACERT:
+        default_cacert = os.path.join(os.getcwd(), OS_CACERT)
+
+    # prioritize the cacert informed by the user, otherwise use the OS_CACERT
+    cafile = None
+    if cacert:
+        if os.path.exists(cacert):
+            cafile = cacert
+            if verbose:
+                print(f"Using given cafile: {cafile}")
+        else:
+            print(f"ERROR: The provided cacert file: {cacert} was not found")
+            sys.exit(1)
+
+    if cafile is None and default_cacert:
+        if os.path.exists(default_cacert):
+            cafile = default_cacert
+            if verbose:
+                print(f"Using certificate provided at OS_CACERT: {OS_CACERT}")
+        else:
+            print(f"WARN: The OS_CACERT set to {OS_CACERT} but was not found")
+
     br = mechanize.Browser()
+    if cafile:
+        br.set_ca_data(context=ssl.create_default_context(
+            cafile=cafile))
+    else:
+        if verbose:
+            print("WARN: No valid cerfiticate found, using unverified context")
+        br.set_ca_data(context=ssl._create_unverified_context(
+            cert_reqs=ssl.CERT_NONE))
     br.set_handle_robots(False)
     br.addheaders = [("User-agent", "Mozilla/5.0")]
 
@@ -185,7 +221,6 @@ def main():
     updateCredsCmd = ("kubectl config set-credentials " +
                       username + " --token " + idToken)
 
-    import os
     os.system(updateCredsCmd)