openstack/aodh
Code Issues Proposed changes

Add ca_bundle path in ssl request

Browse Source 
Add possibility to configure CA_BUNDLE path for 'verify' parameter
in ssl request

Change-Id: I5f0076a43983cca20cd9a723de44180712da90a1
Closes-bug:#1582131
This commit is contained in:
Igor Degtiarov 2016-06-01 14:42:42 +03:00
parent 1c1064b6d4
commit 788403b0f1
3 changed files with 36 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
aodh/notifier/rest.py
View File

@ -36,6 +36,9 @@ OPTS = [
default='', default='',
help='SSL Client private key for REST notifier.' help='SSL Client private key for REST notifier.'
), ),
cfg.StrOpt('rest_notifier_ca_bundle_certificate_path',
help='SSL CA_BUNDLE certificate for REST notifier',
),
cfg.BoolOpt('rest_notifier_ssl_verify', cfg.BoolOpt('rest_notifier_ssl_verify',
default=True, default=True,
help='Whether to verify the SSL Server certificate when ' help='Whether to verify the SSL Server certificate when '
@ -84,6 +87,8 @@ class RestAlarmNotifier(notifier.AlarmNotifier):
options = urlparse.parse_qs(action.query) options = urlparse.parse_qs(action.query)
verify = bool(int(options.get('aodh-alarm-ssl-verify', verify = bool(int(options.get('aodh-alarm-ssl-verify',
[default_verify])[-1])) [default_verify])[-1]))
if verify and self.conf.rest_notifier_ca_bundle_certificate_path:
verify = self.conf.rest_notifier_ca_bundle_certificate_path
kwargs['verify'] = verify kwargs['verify'] = verify
cert = self.conf.rest_notifier_certificate_file cert = self.conf.rest_notifier_certificate_file

18
aodh/tests/unit/test_notifier.py
View File

@ -257,6 +257,24 @@ class TestAlarmNotifier(tests_base.BaseTestCase):
kwargs['headers']) kwargs['headers'])
self.assertEqual(DATA_JSON, jsonutils.loads(kwargs['data'])) self.assertEqual(DATA_JSON, jsonutils.loads(kwargs['data']))
def test_notify_alarm_rest_action_with_ssl_server_verify_enable(self):
action = 'https://host/action'
ca_bundle = "/path/to/custom_cert.pem"
self.CONF.set_override("rest_notifier_ca_bundle_certificate_path",
ca_bundle)
with mock.patch.object(requests.Session, 'post') as poster:
self._msg_notifier.sample({},
'alarm.update',
self._notification(action))
time.sleep(1)
poster.assert_called_with(action, data=mock.ANY,
headers=mock.ANY,
verify=ca_bundle)
args, kwargs = poster.call_args
self.assertEqual(DATA_JSON, jsonutils.loads(kwargs['data']))
def test_notify_alarm_rest_action_with_ssl_verify_disable(self): def test_notify_alarm_rest_action_with_ssl_verify_disable(self):
action = 'https://host/action?aodh-alarm-ssl-verify=0' action = 'https://host/action?aodh-alarm-ssl-verify=0'

13
releasenotes/notes/fix-ssl-request-8107616b6a85a217.yaml Normal file
View File

@ -0,0 +1,13 @@
---
fixes:
- >
[`bug 1582131 <https://bugs.launchpad.net/aodh/+bug/1582131>`_]
Fix an issue with adding CA_BUNDLE certificate parth as value of "verify"
parameter in SSL requests.
features:
- >
A new option “rest_notifier_ca_bundle_certificate_path” has been added
in the configuration file, set None as default value. If this option is
present and SSL is used for alarm action the certificate path provided
will be used as value of verify parameter in action request.