Add option to skip SSL hostname verification

This change adds a new config param ssl_assert_hostname. Its value will be ultimately passed to the underlying urllib3 param "assert_hostname". Technically, the value coud be bool or string. This patch focuses to set it to False to disable hostname check while keeping other cert verifications. Change-Id: I8b1ef5fe915d8317f65ce5e1927eb71141027e16
2024-01-02 14:19:01 -08:00 · 2024-01-02 14:19:01 -08:00 · 5d408a01f8
commit 5d408a01f8
parent d11fe387c7
3 changed files with 36 additions and 4 deletions
--- a/vmware_nsxlib/tests/unit/v3/test_cluster.py
+++ b/vmware_nsxlib/tests/unit/v3/test_cluster.py
@ -140,6 +140,7 @@ class RequestsHTTPProviderTestCase(unittest.TestCase):
        mock_api.nsxlib_config = mock.Mock()
        mock_api.nsxlib_config.retries = 100
        mock_api.nsxlib_config.insecure = False
+        mock_api.nsxlib_config.ssl_assert_hostname = None
        mock_adaptor_init.return_value = None
        mock_retry.return_value = 100
        provider = cluster.NSXRequestsHTTPProvider()
@ -153,7 +154,31 @@ class RequestsHTTPProviderTestCase(unittest.TestCase):
            mock_adaptor_init.assert_called_once_with(
                pool_connections=1, pool_maxsize=1,
                max_retries=100, pool_block=False,
-                thumbprint=None)
+                thumbprint=None, assert_hostname=None)
+
+    @mock.patch("vmware_nsxlib.v3.debug_retry.RetryDebug.from_int")
+    @mock.patch("vmware_nsxlib.v3.cluster.NSXHTTPAdapter.__init__")
+    def test_new_connection_with_ca_file_no_host_assert(
+            self, mock_adaptor_init, mock_retry):
+        mock_api = mock.Mock()
+        mock_api.nsxlib_config = mock.Mock()
+        mock_api.nsxlib_config.retries = 100
+        mock_api.nsxlib_config.insecure = False
+        mock_api.nsxlib_config.ssl_assert_hostname = False
+        mock_adaptor_init.return_value = None
+        mock_retry.return_value = 100
+        provider = cluster.NSXRequestsHTTPProvider()
+        with mock.patch.object(cluster.TimeoutSession, 'request',
+                               return_value=get_sess_create_resp()):
+            session = provider.new_connection(
+                mock_api, cluster.Provider('9.8.7.6', 'https://9.8.7.6',
+                                           None, None, "ca_file"))
+
+            self.assertEqual("ca_file", session.verify)
+            mock_adaptor_init.assert_called_once_with(
+                pool_connections=1, pool_maxsize=1,
+                max_retries=100, pool_block=False,
+                thumbprint=None, assert_hostname=False)

    @mock.patch("vmware_nsxlib.v3.debug_retry.RetryDebug.from_int")
    @mock.patch("vmware_nsxlib.v3.cluster.NSXHTTPAdapter.__init__")
@ -163,6 +188,7 @@ class RequestsHTTPProviderTestCase(unittest.TestCase):
        mock_api.nsxlib_config = mock.Mock()
        mock_api.nsxlib_config.retries = 100
        mock_api.nsxlib_config.insecure = False
+        mock_api.nsxlib_config.ssl_assert_hostname = None
        mock_adaptor_init.return_value = None
        mock_retry.return_value = 100
        provider = cluster.NSXRequestsHTTPProvider()
@ -176,7 +202,7 @@ class RequestsHTTPProviderTestCase(unittest.TestCase):
            mock_adaptor_init.assert_called_once_with(
                pool_connections=1, pool_maxsize=1,
                max_retries=100, pool_block=False,
-                thumbprint="thumbprint")
+                thumbprint="thumbprint", assert_hostname=None)

    def test_validate_connection_keep_alive(self):
        mock_conn = mocks.MockRequestSessionApi()
--- a/vmware_nsxlib/v3/cluster.py
+++ b/vmware_nsxlib/v3/cluster.py
@ -234,7 +234,8 @@ class NSXRequestsHTTPProvider(AbstractHTTPProvider):
        adapter = NSXHTTPAdapter(
            pool_connections=1, pool_maxsize=1,
            max_retries=RetryDebug.from_int(config.retries),
-            pool_block=False, thumbprint=thumbprint)
+            pool_block=False, thumbprint=thumbprint,
+            assert_hostname=config.ssl_assert_hostname)
        session.mount('http://', adapter)
        session.mount('https://', adapter)

@ -325,11 +326,14 @@ class NSXRequestsHTTPProvider(AbstractHTTPProvider):
 class NSXHTTPAdapter(adapters.HTTPAdapter):
    def __init__(self, *args, **kwargs):
        self.thumbprint = kwargs.pop("thumbprint", None)
+        self.assert_hostname = kwargs.pop("assert_hostname", None)
        super(NSXHTTPAdapter, self).__init__(*args, **kwargs)

    def init_poolmanager(self, *args, **kwargs):
        if self.thumbprint:
            kwargs["assert_fingerprint"] = self.thumbprint
+        if self.assert_hostname is not None:
+            kwargs["assert_hostname"] = self.assert_hostname
        super(NSXHTTPAdapter, self).init_poolmanager(*args, **kwargs)


--- a/vmware_nsxlib/v3/config.py
+++ b/vmware_nsxlib/v3/config.py
@ -207,7 +207,8 @@ class NsxLibConfig(object):
                 api_rate_mode=None,
                 exception_config=None,
                 api_log_mode=None,
-                 enable_health_check=True):
+                 enable_health_check=True,
+                 ssl_assert_hostname=None):

        self.nsx_api_managers = nsx_api_managers
        self._username = username
@ -240,6 +241,7 @@ class NsxLibConfig(object):
        self.exception_config = exception_config or ExceptionConfig()
        self.api_log_mode = api_log_mode
        self.enable_health_check = enable_health_check
+        self.ssl_assert_hostname = ssl_assert_hostname

        if len(nsx_api_managers) == 1 and not self.cluster_unavailable_retry:
            LOG.warning("When only one endpoint is provided, keepalive probes"