Fixes cert issue on oidc-auth command
When the user tries to authenticate using the oidc-auth command externally, the oidc-auth script wasn't able to verify the local issuer certificate, as follows: user@external-machine$ oidc-auth -c <oam_ip> -u user2 -p <password> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate When the StarlingX system has an HTTPS certificate enabled, one of the steps to configure the Remote CLIs and Clients Container is to provide the CA certificate which the oidc-auth script should use to verify the requests during the authentication procedure; the environment variable OS_CACERT will hold the CA certificate file name. Refer to the guide: https://docs.starlingx.io/security/openstack/ configure-remote-clis-and-clients.html for more information. The fix basically lets the oidc-auth script know which certificate should be used during the authentication procedure. By default, the oidc-auth script will now use the certificate file provided in the OS_CACERT environment variable. Additionally, an option was created for users to specify a cacert file when using the oidc-auth command. Test Plan: PASS: Deploy a SX and configure the oidc-auth-apps. PASS: Create an ldap user and configure the user roles. PASS: Try to authenticate locally using oidc-auth; it should succeed. PASS: Configure the Remote CLIs on your remote workstation in order to get access to the oidc-auth command; refer to the guide: Configure Container-backed Remote CLIs and Clients. PASS: Authenticate from your remote workstation with the oidc-auth command: oidc-auth -c <oam_ip> -u <ldap_user> -p <ldap_user_password> The command should now succeed. PASS: Optional, authenticate from your remote workstation with the oidc-auth command specifying a cacert file: oidc-auth -c <oam_ip> -u <ldap_user> -p <ldap_user_password> -ca <path to ca-certificate file> Closes-Bug: 2086731 Change-Id: Ia8f37b44f846207a13b8b4983cc3ed0614d97a93 Signed-off-by: Joaci Morais <Joaci.deMorais@windriver.com>
This commit is contained in:
parent
1de5f369d3
commit
b78a185adc
@ -9,6 +9,7 @@
|
|||||||
from argparse import ArgumentParser
|
from argparse import ArgumentParser
|
||||||
import getpass
|
import getpass
|
||||||
import mechanize
|
import mechanize
|
||||||
|
import os
|
||||||
import re
|
import re
|
||||||
import six
|
import six
|
||||||
import ssl
|
import ssl
|
||||||
@ -31,6 +32,9 @@ def main():
|
|||||||
help="Password. Prompted if not present.")
|
help="Password. Prompted if not present.")
|
||||||
parser.add_argument("-b", "--backend", dest="backend",
|
parser.add_argument("-b", "--backend", dest="backend",
|
||||||
help="Dex configured backend name")
|
help="Dex configured backend name")
|
||||||
|
parser.add_argument("-ca", "--cacert", dest="cacert",
|
||||||
|
help="Path to ca certificate file",
|
||||||
|
default=None)
|
||||||
|
|
||||||
parser.add_argument("-v", "--verbose", action='count')
|
parser.add_argument("-v", "--verbose", action='count')
|
||||||
args = parser.parse_args()
|
args = parser.parse_args()
|
||||||
@ -39,6 +43,7 @@ def main():
|
|||||||
username = args.username
|
username = args.username
|
||||||
password = args.password
|
password = args.password
|
||||||
client = args.client
|
client = args.client
|
||||||
|
cacert = args.cacert
|
||||||
|
|
||||||
if not username:
|
if not username:
|
||||||
try:
|
try:
|
||||||
@ -62,8 +67,39 @@ def main():
|
|||||||
print("username: " + username)
|
print("username: " + username)
|
||||||
print("password: " + password)
|
print("password: " + password)
|
||||||
|
|
||||||
ssl._create_default_https_context = ssl._create_unverified_context
|
default_cacert = None
|
||||||
|
OS_CACERT = os.environ.get('OS_CACERT', None)
|
||||||
|
if OS_CACERT:
|
||||||
|
default_cacert = os.path.join(os.getcwd(), OS_CACERT)
|
||||||
|
|
||||||
|
# prioritize the cacert informed by the user, otherwise use the OS_CACERT
|
||||||
|
cafile = None
|
||||||
|
if cacert:
|
||||||
|
if os.path.exists(cacert):
|
||||||
|
cafile = cacert
|
||||||
|
if verbose:
|
||||||
|
print(f"Using given cafile: {cafile}")
|
||||||
|
else:
|
||||||
|
print(f"ERROR: The provided cacert file: {cacert} was not found")
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
if cafile is None and default_cacert:
|
||||||
|
if os.path.exists(default_cacert):
|
||||||
|
cafile = default_cacert
|
||||||
|
if verbose:
|
||||||
|
print(f"Using certificate provided at OS_CACERT: {OS_CACERT}")
|
||||||
|
else:
|
||||||
|
print(f"WARN: The OS_CACERT set to {OS_CACERT} but was not found")
|
||||||
|
|
||||||
br = mechanize.Browser()
|
br = mechanize.Browser()
|
||||||
|
if cafile:
|
||||||
|
br.set_ca_data(context=ssl.create_default_context(
|
||||||
|
cafile=cafile))
|
||||||
|
else:
|
||||||
|
if verbose:
|
||||||
|
print("WARN: No valid cerfiticate found, using unverified context")
|
||||||
|
br.set_ca_data(context=ssl._create_unverified_context(
|
||||||
|
cert_reqs=ssl.CERT_NONE))
|
||||||
br.set_handle_robots(False)
|
br.set_handle_robots(False)
|
||||||
br.addheaders = [("User-agent", "Mozilla/5.0")]
|
br.addheaders = [("User-agent", "Mozilla/5.0")]
|
||||||
|
|
||||||
@ -185,7 +221,6 @@ def main():
|
|||||||
updateCredsCmd = ("kubectl config set-credentials " +
|
updateCredsCmd = ("kubectl config set-credentials " +
|
||||||
username + " --token " + idToken)
|
username + " --token " + idToken)
|
||||||
|
|
||||||
import os
|
|
||||||
os.system(updateCredsCmd)
|
os.system(updateCredsCmd)
|
||||||
|
|
||||||
|
|
||||||
|
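Review bot: The fallback at the end of the fourth hunk (`br.set_ca_data(context=ssl._create_unverified_context(cert_reqs=ssl.CERT_NONE))`) still disables TLS verification whenever neither `--cacert` nor OS_CACERT yields a usable file, and the only notice of this is gated behind `if verbose`, so a non-verbose user who mistypes OS_CACERT or runs without it submits their LDAP password over an unverified connection without noticing. Print that warning unconditionally, i.e. drop the `if verbose:` guard around `print("WARN: No valid certificate found, using unverified context")` (which also fixes the "cerfiticate" misspelling), or better, refuse to continue unless the user has explicitly opted into the unverified mode. The OS_CACERT-not-found branch a few lines above already prints its WARN unconditionally, so the two fail-open paths are currently inconsistent. `sys.exit(1)` is used in the new code but `sys` is not among the imports visible in the first hunk; confirm it is imported above that hunk. main() continues outside the hunk.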