Support multiple ca certificates

Split the ca file into two files if there are two ca certificates Change-Id: I2bdef4ab4a2c6f24a28a4f41d7f58657c3e31bee
2022-04-26 16:10:04 +08:00 · 2022-04-26 16:10:04 +08:00 · c6eacca1f0
parent 778dd72e86
commit c6eacca1f0
1 changed files with 47 additions and 4 deletions
--- a/vmware_nsxlib/v3/cluster.py
+++ b/vmware_nsxlib/v3/cluster.py
@ -159,7 +159,6 @@ class TimeoutSession(requests.Session):
                raise e

            self.cert = None
-
        return ret


@ -174,6 +173,8 @@ class NSXRequestsHTTPProvider(AbstractHTTPProvider):
    SET_COOKIE_FIELD = 'Set-Cookie'
    XSRF_TOKEN = 'X-XSRF-TOKEN'
    JSESSIONID = 'JSESSIONID'
+    ca_files = {}
+    ca_number = 0

    @property
    def provider_id(self):
@ -201,8 +202,39 @@ class NSXRequestsHTTPProvider(AbstractHTTPProvider):

    def new_connection(self, cluster_api, provider):
        config = cluster_api.nsxlib_config
-        session = TimeoutSession(config.http_timeout,
-                                 config.http_read_timeout)
+        # If two ca certs in one file which only 'Serial Number' are different,
+        # ssl verify process will break if the first cert is not enabled in
+        # the nsxt. Put only one ca cert in one file and verify it by GET
+        # operation
+        # Cache the ca_file for each provider
+        if not config.insecure and provider.ca_file:
+            ca_content = []
+            if self.ca_number == 0:
+                ca_content = self.get_ca_files(provider.ca_file)
+                self.ca_number = len(ca_content)
+            session = TimeoutSession(config.http_timeout,
+                                     config.http_read_timeout)
+            if self.ca_number == 1:
+                session.verify = provider.ca_file
+            elif self.ca_files.get(provider.id):
+                session.verify = self.ca_files.get(provider.id)
+            else:
+                base_file = '/tmp/ca_cert.pem'
+                for index, buff in enumerate(ca_content):
+                    ca_file = base_file + provider.id + '.' + str(index)
+                    try:
+                        with open(ca_file, 'w') as fname:
+                            fname.writelines(buff)
+                        session.verify = ca_file
+                        session.get(provider.url + '/api/v1/node/version')
+                        self.ca_files[provider.id] = ca_file
+                        break
+                    except Exception as e:
+                        LOG.debug("verify cert error %s, ca %s", e, ca_file)
+                        continue
+        else:
+            session = TimeoutSession(config.http_timeout,
+                                     config.http_read_timeout)
        if config.client_cert_provider:
            session.cert_provider = config.client_cert_provider
        # Set the headers with Auth info when token provider is set,
@ -219,7 +251,6 @@ class NSXRequestsHTTPProvider(AbstractHTTPProvider):
            thumbprint = None
        elif provider.ca_file:
            # verify using the said ca bundle path
-            session.verify = provider.ca_file
            thumbprint = None
        elif provider.thumbprint:
            # verify using the thumbprint
@ -243,6 +274,18 @@ class NSXRequestsHTTPProvider(AbstractHTTPProvider):
                                 config.token_provider)
        return session

+    def get_ca_files(self, ca_file):
+        files = []
+        with open(ca_file) as fname:
+            lines = fname.readlines()
+            buff = []
+            for line in lines:
+                buff.append(line)
+                if 'END CERTIFICATE' in line:
+                    files.append(buff)
+                    buff = []
+        return files
+
    def get_default_headers(self, session, provider, allow_overwrite_header,
                            token_provider=None):
        """Get the default headers that should be added to future requests"""