Merge "Add option to check fingergw hostnames"
commit
91df64517f
@ -1370,6 +1370,13 @@ sections of ``zuul.conf`` are used by the finger gateway:
The path to the PEM encoded CA certificate file.
.. attr:: tls_verify_hostnames
:default: true
In the case of a private CA it may be both safe and convenient
to disable hostname checks. However, if the certificates are
issued by a public CA, hostname verification should be enabled.
.. attr:: tls_client_only
:default: false
@ -195,6 +195,7 @@ class TestStreamingBase(tests.base.AnsibleZuulTestCase):
os.path.join(FIXTURE_DIR, 'fingergw/fingergw.pem'))
config.set('fingergw', 'tls_key',
os.path.join(FIXTURE_DIR, 'fingergw/fingergw.key'))
config.set('fingergw', 'tls_verify_hostnames', 'False')
gateway = FingerGateway(
config,
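Review bot: The new `config.set('fingergw', 'tls_verify_hostnames', 'False')` line means the streaming tests only ever exercise the verification-disabled path, while the default that ships to users (`default=True` in the FingerGateway and ZuulWeb hunks below) is never run under test. The value is also set as the string `'False'`; presumably `get_default` coerces it to a bool from the type of its `default` argument, but if it returns the raw string, `'False'` is truthy and `check_hostname` would silently stay enabled, so an assertion such as `self.assertFalse(gateway.tls_verify_hostnames)` after the gateway is constructed would pin the parsing. A second case with verification left at its default, using fixture certificates whose SAN matches the connect address, would cover the default path. The enclosing setup method continues outside the hunk.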
@ -55,7 +55,7 @@ class RequestHandler(streamer_utils.BaseFingerRequestHandler):
if use_ssl:
context = ssl.SSLContext(ssl.PROTOCOL_TLS)
context.verify_mode = ssl.CERT_REQUIRED
context.check_hostname = False
context.check_hostname = self.fingergw.tls_verify_hostnames
context.load_cert_chain(self.fingergw.tls_cert,
self.fingergw.tls_key)
context.load_verify_locations(self.fingergw.tls_ca)
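Review bot: `context.check_hostname = self.fingergw.tls_verify_hostnames` now defaults to True, which only works if the later `context.wrap_socket(...)` call (outside this hunk) passes `server_hostname=`; Python raises `ValueError: check_hostname requires server_hostname` otherwise, and the name passed must match a SAN in the executor's certificate. That call site should be confirmed, and the behaviour change deserves a release note, since existing deployments whose certificates carry no matching SAN will start failing on upgrade unless they set `tls_verify_hostnames` to false. The assignment order is correct: `verify_mode` is set to `CERT_REQUIRED` before `check_hostname`, so enabling it cannot raise. The same two points apply to the LogStreamer hunk below, which uses `self.zuulweb.finger_tls_verify_hostnames`. The enclosing method continues outside the hunk.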
@ -170,6 +170,8 @@ class FingerGateway(object):
self.tls_key = get_default(config, 'fingergw', 'tls_key')
self.tls_cert = get_default(config, 'fingergw', 'tls_cert')
self.tls_ca = get_default(config, 'fingergw', 'tls_ca')
self.tls_verify_hostnames = get_default(
config, 'fingergw', 'tls_verify_hostnames', default=True)
client_only = get_default(config, 'fingergw', 'tls_client_only',
default=False)
if (all([self.tls_key, self.tls_cert, self.tls_ca])
@ -196,7 +196,7 @@ class LogStreamer(object):
if use_ssl:
context = ssl.SSLContext(ssl.PROTOCOL_TLS)
context.verify_mode = ssl.CERT_REQUIRED
context.check_hostname = False
context.check_hostname = self.zuulweb.finger_tls_verify_hostnames
context.load_cert_chain(
self.zuulweb.finger_tls_cert, self.zuulweb.finger_tls_key)
context.load_verify_locations(self.zuulweb.finger_tls_ca)
@ -1309,6 +1309,8 @@ class ZuulWeb(object):
self.config, 'fingergw', 'tls_cert')
self.finger_tls_ca = get_default(
self.config, 'fingergw', 'tls_ca')
self.finger_tls_verify_hostnames = get_default(
self.config, 'fingergw', 'tls_verify_hostnames', default=True)
route_map = cherrypy.dispatch.RoutesDispatcher()
api = ZuulWebAPI(self)