Add ca_bundle path in ssl request

Add possibility to configure CA_BUNDLE path for 'verify' parameter in ssl request Change-Id: I5f0076a43983cca20cd9a723de44180712da90a1 Closes-bug:#1582131
2016-06-01 14:42:42 +03:00 · 2016-06-01 14:42:42 +03:00 · 788403b0f1
commit 788403b0f1
parent 1c1064b6d4
3 changed files with 36 additions and 0 deletions
--- a/aodh/notifier/rest.py
+++ b/aodh/notifier/rest.py
@ -36,6 +36,9 @@ OPTS = [
               default='',
               help='SSL Client private key for REST notifier.'
               ),
+    cfg.StrOpt('rest_notifier_ca_bundle_certificate_path',
+               help='SSL CA_BUNDLE certificate for REST notifier',
+               ),
    cfg.BoolOpt('rest_notifier_ssl_verify',
                default=True,
                help='Whether to verify the SSL Server certificate when '
@ -84,6 +87,8 @@ class RestAlarmNotifier(notifier.AlarmNotifier):
            options = urlparse.parse_qs(action.query)
            verify = bool(int(options.get('aodh-alarm-ssl-verify',
                                          [default_verify])[-1]))
+            if verify and self.conf.rest_notifier_ca_bundle_certificate_path:
+                verify = self.conf.rest_notifier_ca_bundle_certificate_path
            kwargs['verify'] = verify

            cert = self.conf.rest_notifier_certificate_file
--- a/aodh/tests/unit/test_notifier.py
+++ b/aodh/tests/unit/test_notifier.py
@ -257,6 +257,24 @@ class TestAlarmNotifier(tests_base.BaseTestCase):
                kwargs['headers'])
            self.assertEqual(DATA_JSON, jsonutils.loads(kwargs['data']))

+    def test_notify_alarm_rest_action_with_ssl_server_verify_enable(self):
+        action = 'https://host/action'
+        ca_bundle = "/path/to/custom_cert.pem"
+
+        self.CONF.set_override("rest_notifier_ca_bundle_certificate_path",
+                               ca_bundle)
+
+        with mock.patch.object(requests.Session, 'post') as poster:
+            self._msg_notifier.sample({},
+                                      'alarm.update',
+                                      self._notification(action))
+            time.sleep(1)
+            poster.assert_called_with(action, data=mock.ANY,
+                                      headers=mock.ANY,
+                                      verify=ca_bundle)
+            args, kwargs = poster.call_args
+            self.assertEqual(DATA_JSON, jsonutils.loads(kwargs['data']))
+
    def test_notify_alarm_rest_action_with_ssl_verify_disable(self):
        action = 'https://host/action?aodh-alarm-ssl-verify=0'

--- a/releasenotes/notes/fix-ssl-request-8107616b6a85a217.yaml
+++ b/releasenotes/notes/fix-ssl-request-8107616b6a85a217.yaml
@ -0,0 +1,13 @@
+---
+fixes:
+  - >
+    [`bug 1582131 <https://bugs.launchpad.net/aodh/+bug/1582131>`_]
+    Fix an issue with adding CA_BUNDLE certificate parth as value of "verify"
+    parameter in SSL requests.
+
+features:
+  - >
+    A new option “rest_notifier_ca_bundle_certificate_path” has been added
+    in the configuration file, set None as default value. If this option is
+    present and SSL is used for alarm action the certificate path provided
+    will be used as value of verify parameter in action request.