Implement a https:// in REST alarm notification

This change adds schemes https:// to the alarm notifier. By default, the server certificate is verified like a browser does but with the system CA. A client certificate can be set in the configuration file. [alarm] rest_notifier_certificate_file = /path/certificate.pem rest_notifier_certificate_key = /path/private_key.pem Change-Id: Id06e0a45ef88c15674052faeb941d87b70c7b99b Blueprint: alarm-notifier
2013-07-16 12:15:32 +02:00 · 2013-07-16 12:15:32 +02:00 · fc9b416a47
commit fc9b416a47
parent 0b50ac2f59
5 changed files with 102 additions and 19 deletions
--- a/ceilometer/alarm/notifier/rest.py
+++ b/ceilometer/alarm/notifier/rest.py
@ -20,12 +20,27 @@
 import eventlet
 import requests

+from oslo.config import cfg
+
 from ceilometer.alarm import notifier
 from ceilometer.openstack.common import jsonutils
 from ceilometer.openstack.common import log

 LOG = log.getLogger(__name__)

+REST_NOTIFIER_OPTS = [
+    cfg.StrOpt('rest_notifier_certificate_file',
+               default='',
+               help='SSL Client certificate for REST notifier'
+               ),
+    cfg.StrOpt('rest_notifier_certificate_key',
+               default='',
+               help='SSL Client private key for REST notifier'
+               ),
+]
+
+cfg.CONF.register_opts(REST_NOTIFIER_OPTS, group="alarm")
+

 class RestAlarmNotifier(notifier.AlarmNotifier):
    """Rest alarm notifier."""
@ -33,9 +48,13 @@ class RestAlarmNotifier(notifier.AlarmNotifier):
    def notify(self, action, alarm, state, reason):
        LOG.info("Notifying alarm %s in state %s with action %s because %s",
                 alarm, state, action, reason)
-        data = {
-            'state': state,
-            'reason': reason,
-        }
-        eventlet.spawn_n(requests.post, action,
-                         data=jsonutils.dumps(data))
+
+        body = {'state': state, 'reason': reason}
+        kwargs = {'data': jsonutils.dumps(body)}
+
+        cert = cfg.CONF.alarm.rest_notifier_certificate_file
+        key = cfg.CONF.alarm.rest_notifier_certificate_key
+        if action.scheme == 'https' and cert:
+            kwargs['cert'] = (cert, key) if key else cert
+
+        eventlet.spawn_n(requests.post, action, **kwargs)
--- a/ceilometer/tests/base.py
+++ b/ceilometer/tests/base.py
@ -64,4 +64,5 @@ class TestCase(testtools.TestCase):
        self.stubs.UnsetAll()
        self.stubs.SmartUnsetAll()
        self.mox.VerifyAll()
+        cfg.CONF.reset()
        super(TestCase, self).tearDown()
--- a/etc/ceilometer/ceilometer.conf.sample
+++ b/etc/ceilometer/ceilometer.conf.sample
@ -562,6 +562,17 @@

 [alarm]

+#
+# Options defined in ceilometer.alarm.notifier.rest
+#
+
+# SSL Client certificate for REST notifier (string value)
+#rest_notifier_certificate_file=
+
+# SSL Client private key for REST notifier (string value)
+#rest_notifier_certificate_key=
+
+
 #
 # Options defined in ceilometer.alarm.service
 #
@ -689,4 +700,4 @@
 #password=<None>


-# Total option count: 130
+# Total option count: 132
--- a/setup.cfg
+++ b/setup.cfg
@ -104,6 +104,7 @@ ceilometer.alarm.notifier =
    log = ceilometer.alarm.notifier.log:LogAlarmNotifier
    test = ceilometer.alarm.notifier.test:TestAlarmNotifier
    http = ceilometer.alarm.notifier.rest:RestAlarmNotifier
+    https = ceilometer.alarm.notifier.rest:RestAlarmNotifier

 paste.filter_factory =
    swift = ceilometer.objectstore.swift_middleware:filter_factory
--- a/tests/alarm/test_notifier.py
+++ b/tests/alarm/test_notifier.py
@ -15,11 +15,12 @@
 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations
 # under the License.
-import eventlet
 import urlparse
 import mock
 import requests

+from oslo.config import cfg
+
 from ceilometer.alarm import service
 from ceilometer.openstack.common import context
 from ceilometer.openstack.common import network_utils
@ -59,6 +60,10 @@ class TestAlarmNotifier(base.TestCase):
                                      'condition': {'threshold': 42},
                                  })

+    @staticmethod
+    def _fake_spawn_n(func, *args, **kwargs):
+        func(*args, **kwargs)
+
    def test_notify_alarm_rest_action(self):
        action = 'http://host/action'
        data_json = '{"state": "ALARM", "reason": "what ?"}'
@ -66,17 +71,63 @@ class TestAlarmNotifier(base.TestCase):
        self.mox.StubOutWithMock(requests, "post")
        requests.post(network_utils.urlsplit(action), data=data_json)
        self.mox.ReplayAll()
-        self.service.notify_alarm(context.get_admin_context(),
-                                  {
-                                      'actions': [action],
-                                      'alarm': {'name': 'foobar'},
-                                      'condition': {'threshold': 42},
-                                      'reason': 'what ?',
-                                      'state': 'ALARM',
-                                  })
-        eventlet.sleep(1)
-        self.mox.UnsetStubs()
-        self.mox.VerifyAll()
+
+        with mock.patch('eventlet.spawn_n', self._fake_spawn_n):
+            self.service.notify_alarm(context.get_admin_context(),
+                                      {
+                                          'actions': [action],
+                                          'alarm': {'name': 'foobar'},
+                                          'condition': {'threshold': 42},
+                                          'reason': 'what ?',
+                                          'state': 'ALARM',
+                                      })
+
+    def test_notify_alarm_rest_action_with_ssl_client_cert(self):
+        action = 'https://host/action'
+        certificate = "/etc/ssl/cert/whatever.pem"
+        data_json = '{"state": "ALARM", "reason": "what ?"}'
+
+        cfg.CONF.set_override("rest_notifier_certificate_file", certificate,
+                              group='alarm')
+        self.mox.StubOutWithMock(requests, "post")
+        requests.post(network_utils.urlsplit(action), data=data_json,
+                      cert=certificate)
+        self.mox.ReplayAll()
+
+        with mock.patch('eventlet.spawn_n', self._fake_spawn_n):
+            self.service.notify_alarm(context.get_admin_context(),
+                                      {
+                                          'actions': [action],
+                                          'alarm': {'name': 'foobar'},
+                                          'condition': {'threshold': 42},
+                                          'reason': 'what ?',
+                                          'state': 'ALARM',
+                                      })
+
+    def test_notify_alarm_rest_action_with_ssl_client_cert_and_key(self):
+        action = 'https://host/action'
+        certificate = "/etc/ssl/cert/whatever.pem"
+        key = "/etc/ssl/cert/whatever.key"
+        data_json = '{"state": "ALARM", "reason": "what ?"}'
+
+        cfg.CONF.set_override("rest_notifier_certificate_file", certificate,
+                              group='alarm')
+        cfg.CONF.set_override("rest_notifier_certificate_key", key,
+                              group='alarm')
+        self.mox.StubOutWithMock(requests, "post")
+        requests.post(network_utils.urlsplit(action), data=data_json,
+                      cert=(certificate, key))
+        self.mox.ReplayAll()
+
+        with mock.patch('eventlet.spawn_n', self._fake_spawn_n):
+            self.service.notify_alarm(context.get_admin_context(),
+                                      {
+                                          'actions': [action],
+                                          'alarm': {'name': 'foobar'},
+                                          'condition': {'threshold': 42},
+                                          'reason': 'what ?',
+                                          'state': 'ALARM',
+                                      })

    @staticmethod
    def _fake_urlsplit(*args, **kwargs):