Fix client cert authentication

With client auth, request for XSRF token should not carry admin username/password, for two reasons: 1. username/password may not exist in config 2. backend treats these credentials as authentication and ignores the desired principal identity Change-Id: I35af9536018196959297dcad6b11b98d0681d625
2017-09-07 16:38:45 -07:00 · 2017-09-07 16:38:45 -07:00 · f5f46e1d60
parent 99ec7bb6a3
commit f5f46e1d60
1 changed files with 13 additions and 9 deletions
--- a/vmware_nsxlib/v3/cluster.py
+++ b/vmware_nsxlib/v3/cluster.py
@ -117,16 +117,15 @@ class TimeoutSession(requests.Session):
                return super(TimeoutSession, self).request(*args, **kwargs)

        def get_cert_provider():
-            if inspect.isclass(self.cert_provider):
+            if inspect.isclass(self._cert_provider):
                # If client provided certificate provider as a class,
                # we spawn an instance here
-                return self.cert_provider()
-            return self.cert_provider
+                return self._cert_provider()
+            return self._cert_provider

        if 'timeout' not in kwargs:
            kwargs['timeout'] = (self.timeout, self.read_timeout)
-        skip_cert = kwargs.pop('skip_cert', False)
-        if not self._cert_provider or skip_cert:
+        if not self.cert_provider:
            # No client certificate needed
            return super(TimeoutSession, self).request(*args, **kwargs)

@ -228,15 +227,20 @@ class NSXRequestsHTTPProvider(AbstractHTTPProvider):

        # Perform the initial session create and get the relevant jsessionid &
        # X-XSRF-TOKEN for future requests
-        req_data = 'j_username=%s&j_password=%s' % (provider.username,
-                                                    provider.password)
+        req_data = ''
+        if not session.cert_provider:
+            # With client certificate authentication, username and password
+            # may not be provided.
+            # If provided, backend treats these credentials as authentication
+            # and ignores client cert as principal identity indication.
+            req_data = 'j_username=%s&j_password=%s' % (provider.username,
+                                                        provider.password)
        req_headers = {'Accept': 'application/json',
                       'Content-Type': 'application/x-www-form-urlencoded'}
        # Cannot use the certificate at this stage, because it is used for
        # the certificate generation
        resp = session.request('post', provider.url + self.SESSION_CREATE_URL,
-                               data=req_data, headers=req_headers,
-                               skip_cert=True)
+                               data=req_data, headers=req_headers)
        if resp.status_code != 200:
            LOG.error("Session create failed for endpoint %s", provider.url)
            # this will later cause the endpoint to be Down