Support multiple ca certificates
Split the ca file into two files if there are two ca certificates.
Change-Id: I2bdef4ab4a2c6f24a28a4f41d7f58657c3e31bee
parent
778dd72e86
commit
c6eacca1f0
@ -159,7 +159,6 @@ class TimeoutSession(requests.Session):
raise e
self.cert = None
return ret
@ -174,6 +173,8 @@ class NSXRequestsHTTPProvider(AbstractHTTPProvider):
SET_COOKIE_FIELD = 'Set-Cookie'
XSRF_TOKEN = 'X-XSRF-TOKEN'
JSESSIONID = 'JSESSIONID'
ca_files = {}
ca_number = 0
@property
def provider_id(self):
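Review bot: `ca_files = {}` and `ca_number = 0` are class attributes, so the dict is shared by every NSXRequestsHTTPProvider instance and `ca_number` records the certificate count of whichever provider's bundle was parsed first; since new_connection in the next hunk only calls get_ca_files when `self.ca_number == 0`, a later provider with a different ca_file is never parsed and its `ca_content` stays empty. Keying the count per provider, e.g. `ca_number = {}` here and `self.ca_number[provider.id] = len(ca_content)` in new_connection, keeps the cache tied to the bundle it describes; alternatively initialise both in `__init__` (not visible in this diff) so instances do not share state. A short comment such as `# split CA files written per provider, keyed by provider.id` would also document what the dict holds.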
@ -201,8 +202,39 @@ class NSXRequestsHTTPProvider(AbstractHTTPProvider):
def new_connection(self, cluster_api, provider):
config = cluster_api.nsxlib_config
session = TimeoutSession(config.http_timeout,
config.http_read_timeout)
# If two ca certs in one file which only 'Serial Number' are different,
# ssl verify process will break if the first cert is not enabled in
# the nsxt. Put only one ca cert in one file and verify it by GET
# operation
# Cache the ca_file for each provider
if not config.insecure and provider.ca_file:
ca_content = []
if self.ca_number == 0:
ca_content = self.get_ca_files(provider.ca_file)
self.ca_number = len(ca_content)
session = TimeoutSession(config.http_timeout,
config.http_read_timeout)
if self.ca_number == 1:
session.verify = provider.ca_file
elif self.ca_files.get(provider.id):
session.verify = self.ca_files.get(provider.id)
else:
base_file = '/tmp/ca_cert.pem'
for index, buff in enumerate(ca_content):
ca_file = base_file + provider.id + '.' + str(index)
try:
with open(ca_file, 'w') as fname:
fname.writelines(buff)
session.verify = ca_file
session.get(provider.url + '/api/v1/node/version')
self.ca_files[provider.id] = ca_file
break
except Exception as e:
LOG.debug("verify cert error %s, ca %s", e, ca_file)
continue
else:
session = TimeoutSession(config.http_timeout,
config.http_read_timeout)
if config.client_cert_provider:
session.cert_provider = config.client_cert_provider
# Set the headers with Auth info when token provider is set,
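Review bot: The split certificates are written with `open(ca_file, 'w')` to the predictable path `/tmp/ca_cert.pem<provider.id>.<index>`, so on a shared host another local account can pre-create or symlink that name and the file then becomes the trust anchor for every later request; writing through `tempfile.NamedTemporaryFile(mode='w', delete=False)` (exclusive create, owner-only mode, random name; needs `import tempfile` at the top of the file) avoids this, or at least the directory should come from config rather than a literal. In the same loop, `except Exception` also swallows connection and timeout errors, so a transient network fault skips a valid certificate even though `requests.exceptions.SSLError` is the only failure being probed, and when every candidate fails the loop exits with `session.verify` still pointing at the last rejected file rather than the original bundle. Separately, `ca_content` is only filled when `self.ca_number == 0`, so a second provider seen while `ca_number > 1` is cached and no `ca_files` entry exists falls into the `else` branch with an empty loop and `session.verify` is never set, which leaves requests verifying against the system store. new_connection continues past the end of this hunk.
```python
            else:
                for index, buff in enumerate(ca_content):
                    # exclusive create with a random name: the file becomes
                    # the TLS trust anchor, so it must not be pre-creatable
                    # or writable by other local users
                    with tempfile.NamedTemporaryFile(
                            mode='w', prefix='ca_cert_%s.%d.' % (provider.id, index),
                            suffix='.pem', delete=False) as fname:
                        fname.writelines(buff)
                        ca_file = fname.name
                    session.verify = ca_file
                    try:
                        session.get(provider.url + '/api/v1/node/version')
                    except requests.exceptions.SSLError as e:
                        # only a certificate failure means "try the next one"
                        LOG.debug("verify cert error %s, ca %s", e, ca_file)
                        continue
                    self.ca_files[provider.id] = ca_file
                    break
                else:
                    # no split cert verified the endpoint: fall back to the
                    # configured bundle instead of the last rejected file
                    session.verify = provider.ca_file
        # … unchanged: insecure branch and client_cert_provider handling …
```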
@ -219,7 +251,6 @@ class NSXRequestsHTTPProvider(AbstractHTTPProvider):
thumbprint = None
elif provider.ca_file:
# verify using the said ca bundle path
session.verify = provider.ca_file
thumbprint = None
elif provider.thumbprint:
# verify using the thumbprint
@ -243,6 +274,18 @@ class NSXRequestsHTTPProvider(AbstractHTTPProvider):
config.token_provider)
return session
def get_ca_files(self, ca_file):
files = []
with open(ca_file) as fname:
lines = fname.readlines()
buff = []
for line in lines:
buff.append(line)
if 'END CERTIFICATE' in line:
files.append(buff)
buff = []
return files
def get_default_headers(self, session, provider, allow_overwrite_header,
token_provider=None):
"""Get the default headers that should be added to future requests"""