Add option to skip SSL hostname verification
This change adds a new config param ssl_assert_hostname. Its value will ultimately be passed to the underlying urllib3 param "assert_hostname". Technically, the value could be a bool or a string. This patch focuses on setting it to False to disable the hostname check while keeping the other certificate verifications. Change-Id: I8b1ef5fe915d8317f65ce5e1927eb71141027e16
parent
d11fe387c7
commit
5d408a01f8
@ -140,6 +140,7 @@ class RequestsHTTPProviderTestCase(unittest.TestCase):
|
||||
mock_api.nsxlib_config = mock.Mock()
|
||||
mock_api.nsxlib_config.retries = 100
|
||||
mock_api.nsxlib_config.insecure = False
|
||||
mock_api.nsxlib_config.ssl_assert_hostname = None
|
||||
mock_adaptor_init.return_value = None
|
||||
mock_retry.return_value = 100
|
||||
provider = cluster.NSXRequestsHTTPProvider()
|
||||
@ -153,7 +154,31 @@ class RequestsHTTPProviderTestCase(unittest.TestCase):
|
||||
mock_adaptor_init.assert_called_once_with(
|
||||
pool_connections=1, pool_maxsize=1,
|
||||
max_retries=100, pool_block=False,
|
||||
thumbprint=None)
|
||||
thumbprint=None, assert_hostname=None)
|
||||
|
||||
@mock.patch("vmware_nsxlib.v3.debug_retry.RetryDebug.from_int")
|
||||
@mock.patch("vmware_nsxlib.v3.cluster.NSXHTTPAdapter.__init__")
|
||||
def test_new_connection_with_ca_file_no_host_assert(
|
||||
self, mock_adaptor_init, mock_retry):
|
||||
mock_api = mock.Mock()
|
||||
mock_api.nsxlib_config = mock.Mock()
|
||||
mock_api.nsxlib_config.retries = 100
|
||||
mock_api.nsxlib_config.insecure = False
|
||||
mock_api.nsxlib_config.ssl_assert_hostname = False
|
||||
mock_adaptor_init.return_value = None
|
||||
mock_retry.return_value = 100
|
||||
provider = cluster.NSXRequestsHTTPProvider()
|
||||
with mock.patch.object(cluster.TimeoutSession, 'request',
|
||||
return_value=get_sess_create_resp()):
|
||||
session = provider.new_connection(
|
||||
mock_api, cluster.Provider('9.8.7.6', 'https://9.8.7.6',
|
||||
None, None, "ca_file"))
|
||||
|
||||
self.assertEqual("ca_file", session.verify)
|
||||
mock_adaptor_init.assert_called_once_with(
|
||||
pool_connections=1, pool_maxsize=1,
|
||||
max_retries=100, pool_block=False,
|
||||
thumbprint=None, assert_hostname=False)
|
||||
|
||||
@mock.patch("vmware_nsxlib.v3.debug_retry.RetryDebug.from_int")
|
||||
@mock.patch("vmware_nsxlib.v3.cluster.NSXHTTPAdapter.__init__")
|
||||
@ -163,6 +188,7 @@ class RequestsHTTPProviderTestCase(unittest.TestCase):
|
||||
mock_api.nsxlib_config = mock.Mock()
|
||||
mock_api.nsxlib_config.retries = 100
|
||||
mock_api.nsxlib_config.insecure = False
|
||||
mock_api.nsxlib_config.ssl_assert_hostname = None
|
||||
mock_adaptor_init.return_value = None
|
||||
mock_retry.return_value = 100
|
||||
provider = cluster.NSXRequestsHTTPProvider()
|
||||
@ -176,7 +202,7 @@ class RequestsHTTPProviderTestCase(unittest.TestCase):
|
||||
mock_adaptor_init.assert_called_once_with(
|
||||
pool_connections=1, pool_maxsize=1,
|
||||
max_retries=100, pool_block=False,
|
||||
thumbprint="thumbprint")
|
||||
thumbprint="thumbprint", assert_hostname=None)
|
||||
|
||||
def test_validate_connection_keep_alive(self):
|
||||
mock_conn = mocks.MockRequestSessionApi()
|
||||
|
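Review bot: The new test `test_new_connection_with_ca_file_no_host_assert` patches `NSXHTTPAdapter.__init__`, so it only proves that `new_connection` hands `assert_hostname=False` to the constructor. Nothing in this file section exercises `init_poolmanager`, which is where the value actually has to reach urllib3. Because this option relaxes TLS verification, I would add tests that build a real adapter and check the forwarded kwargs for both `False` and the default `None`, where the key must stay absent. The sketch below assumes `cluster.adapters` is `requests.adapters`, which is not visible in this diff.

```python
    @mock.patch("requests.adapters.HTTPAdapter.init_poolmanager")
    def test_adapter_forwards_assert_hostname(self, mock_init_pm):
        cluster.NSXHTTPAdapter(assert_hostname=False)
        _, kwargs = mock_init_pm.call_args
        self.assertIs(kwargs["assert_hostname"], False)

    @mock.patch("requests.adapters.HTTPAdapter.init_poolmanager")
    def test_adapter_default_keeps_hostname_check(self, mock_init_pm):
        cluster.NSXHTTPAdapter()
        _, kwargs = mock_init_pm.call_args
        self.assertNotIn("assert_hostname", kwargs)
```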
@ -234,7 +234,8 @@ class NSXRequestsHTTPProvider(AbstractHTTPProvider):
|
||||
adapter = NSXHTTPAdapter(
|
||||
pool_connections=1, pool_maxsize=1,
|
||||
max_retries=RetryDebug.from_int(config.retries),
|
||||
pool_block=False, thumbprint=thumbprint)
|
||||
pool_block=False, thumbprint=thumbprint,
|
||||
assert_hostname=config.ssl_assert_hostname)
|
||||
session.mount('http://', adapter)
|
||||
session.mount('https://', adapter)
|
||||
|
||||
@ -325,11 +326,14 @@ class NSXRequestsHTTPProvider(AbstractHTTPProvider):
|
||||
class NSXHTTPAdapter(adapters.HTTPAdapter):
|
||||
def __init__(self, *args, **kwargs):
|
||||
self.thumbprint = kwargs.pop("thumbprint", None)
|
||||
self.assert_hostname = kwargs.pop("assert_hostname", None)
|
||||
super(NSXHTTPAdapter, self).__init__(*args, **kwargs)
|
||||
|
||||
def init_poolmanager(self, *args, **kwargs):
|
||||
if self.thumbprint:
|
||||
kwargs["assert_fingerprint"] = self.thumbprint
|
||||
if self.assert_hostname is not None:
|
||||
kwargs["assert_hostname"] = self.assert_hostname
|
||||
super(NSXHTTPAdapter, self).init_poolmanager(*args, **kwargs)
|
||||
|
||||
|
||||
|
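Review bot: In `NSXHTTPAdapter.__init__` the adapter accepts `assert_hostname=False` silently, so a deployment running with hostname verification disabled leaves no trace in the logs. With the check off, any certificate that chains to the configured CA file is accepted regardless of which host presents it. I would emit a warning when the adapter is built, e.g. `if self.assert_hostname is False: LOG.warning("TLS hostname verification is disabled for NSX API connections")`, assuming this module has a `LOG` like the one used in the config hunk. The `is not None` test in `init_poolmanager` also forwards any other value unchanged, so a value that is neither `False` nor a string would presumably surface only as a connection-time error. The call site in `NSXRequestsHTTPProvider` belongs to a method that starts outside the hunk.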
@ -207,7 +207,8 @@ class NsxLibConfig(object):
|
||||
api_rate_mode=None,
|
||||
exception_config=None,
|
||||
api_log_mode=None,
|
||||
enable_health_check=True):
|
||||
enable_health_check=True,
|
||||
ssl_assert_hostname=None):
|
||||
|
||||
self.nsx_api_managers = nsx_api_managers
|
||||
self._username = username
|
||||
@ -240,6 +241,7 @@ class NsxLibConfig(object):
|
||||
self.exception_config = exception_config or ExceptionConfig()
|
||||
self.api_log_mode = api_log_mode
|
||||
self.enable_health_check = enable_health_check
|
||||
self.ssl_assert_hostname = ssl_assert_hostname
|
||||
|
||||
if len(nsx_api_managers) == 1 and not self.cluster_unavailable_retry:
|
||||
LOG.warning("When only one endpoint is provided, keepalive probes"
|
||||
|
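Review bot: The new `ssl_assert_hostname` argument of `NsxLibConfig.__init__` is added without documentation in the visible hunks, and its three meanings are not obvious from the name. If the class docstring lists the other parameters (it is outside these hunks), add something like `:param ssl_assert_hostname: None (default) verifies the server hostname as usual; False skips only the hostname check while the certificate chain is still validated; a string is the hostname to expect in the certificate.` It would also help to state how it relates to `insecure`, since it presumably has no effect when certificate verification is already turned off. `__init__` starts and ends outside the hunks shown.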