From dc4251a766419fbfa80f034688eb71319e312204 Mon Sep 17 00:00:00 2001
From: Jimmy McCrory
Date: Wed, 14 Jun 2017 14:53:10 -0700
Subject: [PATCH] Verify https connections by default

The 'insecure' option was being read in as a string without being converted to a boolean, preventing it from ever being able to be set to False. The default value has also been changed to False, so that verification of certificates must be explicitly disabled.

Change-Id: Ic68b870ea8d5e2e3451ea7915407fabb918efe72
---
 etc/openstack.ini | 5 ++--
 monitorstack/utils/os_utils.py | 5 +++-
 ...default-verify-value-fcba6bc554b9768e.yaml | 5 ++++
 tests/unit/test_os_utils.py | 25 ++++++++++++++++++-
 4 files changed, 36 insertions(+), 4 deletions(-)
 create mode 100644 releasenotes/notes/default-verify-value-fcba6bc554b9768e.yaml
diff --git a/etc/openstack.ini b/etc/openstack.ini
index a491689..204ff9d 100644
--- a/etc/openstack.ini
+++ b/etc/openstack.ini
@@ -4,8 +4,9 @@
 # override whatever is needed within the local sections.
 [DEFAULT]
-# The verify option is for SSL. If your SSL certificate is not
-# valid set this option to false else omit it or set it true.
+# Allow insecure TLS (https) requests.
+# If your SSL certificate is not valid set this option to true,
+# else omit it or set it false.
 insecure = true
 auth_url = https://127.0.0.1:5000/v3
diff --git a/monitorstack/utils/os_utils.py b/monitorstack/utils/os_utils.py
index 0a7bf1f..11b8d6d 100644
--- a/monitorstack/utils/os_utils.py
+++ b/monitorstack/utils/os_utils.py
@@ -30,6 +30,8 @@ except ImportError as e: # pragma: no cover
 ' Please install "python-openstacksdk".'
 ' ERROR: %s' % str(e))
+from distutils.util import strtobool
+
 from monitorstack import utils
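Review bot: In etc/openstack.ini the sample still ships `insecure = true` under `[DEFAULT]`, so anyone who copies this file keeps certificate verification switched off even though the code default is now to verify. Consider shipping the secure value instead, for example `# insecure = false`, and leaving the opt-out to the operator. The unit tests in this commit appear to expect an insecure value from the loaded configuration, so check which file `tests.unit.read_config()` reads before changing it.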
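Review bot: The new `from distutils.util import strtobool` in monitorstack/utils/os_utils.py ties the TLS option parsing to a module that PEP 632 deprecated and that is no longer in the standard library from Python 3.12. A small local helper that lower-cases the value, accepts the usual true/false spellings and raises `ValueError` on anything else would drop the dependency while keeping the fail-closed behaviour. The import is also placed after the `try`/`except ImportError` block rather than with the other standard-library imports, which start outside this hunk.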
@@ -43,7 +45,8 @@ class OpenStack(object):
 :type os_auth_args: dict
 """
 self.os_auth_args = os_auth_args
- self.verify = self.os_auth_args.get('insecure', True) is False
+ insecure = bool(strtobool(self.os_auth_args.get('insecure', 'False')))
+ self.verify = insecure is False
 @property
 def conn(self):
diff --git a/releasenotes/notes/default-verify-value-fcba6bc554b9768e.yaml b/releasenotes/notes/default-verify-value-fcba6bc554b9768e.yaml
new file mode 100644
index 0000000..3b05845
--- /dev/null
+++ b/releasenotes/notes/default-verify-value-fcba6bc554b9768e.yaml
@@ -0,0 +1,5 @@
+---
+security:
+ - |
+ The default value of the ``insecure`` option is now `False`, which will
+ verify certificates of https connections.
diff --git a/tests/unit/test_os_utils.py b/tests/unit/test_os_utils.py
index 03cb626..2316dba 100644
--- a/tests/unit/test_os_utils.py
+++ b/tests/unit/test_os_utils.py
@@ -130,12 +130,20 @@ class MockedOpenStackConn(object):
 class TestOSUtilsConnection(unittest.TestCase):
 """Tests for the utilities."""
+ def setUp(self):
+ """Setup the test."""
+ # load the base class for these tests.
+ self.config = tests.unit.read_config()['keystone']
+
+ def tearDown(self):
+ """Tear down the test."""
+ pass
 def test_conn(self):
 """Test the OpenStack connection interface."""
 # load the base class for these tests.
 self.osu = os_utils.OpenStack(
- os_auth_args=tests.unit.read_config()['keystone']
+ os_auth_args=self.config
 )
 self.assertTrue(
 isinstance(
@@ -144,6 +152,21 @@ class TestOSUtilsConnection(unittest.TestCase):
 )
 )
+ def test_insecure(self):
+ """Test True insecure value."""
+ self.osu = os_utils.OpenStack(
+ os_auth_args=self.config
+ )
+ self.assertFalse(self.osu.verify)
+
+ def test_secure(self):
+ """Test False insecure value."""
+ with mock.patch.dict(self.config, {'insecure': 'False'}):
+ self.osu = os_utils.OpenStack(
+ os_auth_args=self.config
+ )
+ self.assertTrue(self.osu.verify)
+
 class TestOsUtils(unittest.TestCase):
 """Tests for the utilities."""
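Review bot: `strtobool` calls `.lower()` on its argument, so on the new `insecure = bool(strtobool(...))` line a caller that passes a real boolean in `os_auth_args` gets an AttributeError from the constructor instead of a parsed value. Coercing first handles both forms: `insecure = strtobool(str(self.os_auth_args.get('insecure', False)))` followed by `self.verify = not insecure`. An unrecognised string still raises ValueError, which keeps a typo from disabling verification; a short comment would record that this is deliberate, e.g. `# Unparseable values raise rather than silently disabling TLS verification.` The enclosing `__init__` starts outside the hunk.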
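Review bot: The comment copied into `setUp` in tests/unit/test_os_utils.py, `# load the base class for these tests.`, describes the old line in `test_conn`; here the code loads the keystone section of the test configuration, so `# load the keystone auth arguments used by these tests.` would be accurate. `tearDown` contains only `pass` and can be dropped, since `unittest.TestCase` already supplies a no-op default.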
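Review bot: Neither new test covers the case this commit is about, an `os_auth_args` with no `insecure` key at all, and `test_insecure` passes only because the loaded configuration happens to contain a true value. Add a test that removes the key and asserts `verify` is true, and pin the insecure case explicitly with `with mock.patch.dict(self.config, {'insecure': 'True'}):`. The sketch below assumes `self.config` can be copied with `dict()`; the test class starts outside this hunk.

```python
    def test_default_verify(self):
        """Test that verification is on when insecure is unset."""
        config = dict(self.config)
        config.pop('insecure', None)
        self.osu = os_utils.OpenStack(os_auth_args=config)
        self.assertTrue(self.osu.verify)
```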