From 89f311dfbd264a5d4309ea1ca4283f2746d6fa24 Mon Sep 17 00:00:00 2001
From: ramboman
Date: Thu, 30 Apr 2020 21:30:47 +0800
Subject: [PATCH] add "verify_ssl_path" config for barbican key manager

Now we cann't use the verify_ssl if we set True, so we add the "verify_ssl_path" config to solve it.

Closes-Bug: #1876102
Change-Id: I83bafe5b7e0c4cca67f773858007fb59d98a93a5
---
 castellan/key_manager/barbican_key_manager.py | 15 ++++++++++++---
 castellan/options.py | 5 +++++
 castellan/tests/unit/test_options.py | 9 +++++++--
 .../notes/bug-1876102-7c7288fb6e90b11d.yaml | 6 ++++++
 4 files changed, 30 insertions(+), 5 deletions(-)
 create mode 100644 releasenotes/notes/bug-1876102-7c7288fb6e90b11d.yaml

diff --git a/castellan/key_manager/barbican_key_manager.py b/castellan/key_manager/barbican_key_manager.py
index 892da26a..0fe63b88 100644
--- a/castellan/key_manager/barbican_key_manager.py
+++ b/castellan/key_manager/barbican_key_manager.py
@@ -64,7 +64,14 @@ _barbican_opts = [
     cfg.BoolOpt('verify_ssl',
                 default=True,
                 help='Specifies if insecure TLS (https) requests. If False, '
-                     'the server\'s certificate will not be validated'),
+                     'the server\'s certificate will not be validated, if '
+                     'True, we can set the verify_ssl_path config meanwhile.'),
+    cfg.StrOpt('verify_ssl_path',
+               default=None,
+               help='A path to a bundle or CA certs to check against, or '
+                    'None for requests to attempt to locate and use '
+                    'certificates which verify_ssh is True. If verify_ssl '
+                    'is False, this is ignored.'),
     cfg.StrOpt('barbican_endpoint_type',
                default='public',
                choices=['public', 'internal', 'admin'],
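Review bot: The help text of the new `verify_ssl_path` option refers to `verify_ssh`, which is not an option in this group, and the reworded `verify_ssl` help still never says what `False` actually costs: this session carries the secrets fetched from Barbican, so disabling validation exposes them to an on-path attacker. The `verify_ssl` help should state that plainly and steer operators with a private CA towards `verify_ssl_path` instead of turning verification off. Suggested wording: `help='Verify the TLS certificate presented by the Barbican server. Set to False only for testing: it disables certificate validation and exposes secrets to interception. Use verify_ssl_path for a private CA.'` for `verify_ssl`, and `help='Path to a CA bundle file or directory used to verify the Barbican server certificate when verify_ssl is True; None lets requests use its default CA set. Ignored when verify_ssl is False.'` for `verify_ssl_path`. The `_barbican_opts` list begins before the hunk.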
@@ -109,8 +116,10 @@ class BarbicanKeyManager(key_manager.KeyManager):
 
         try:
             auth = self._get_keystone_auth(context)
-            sess = session.Session(auth=auth,
-                                   verify=self.conf.barbican.verify_ssl)
+            verify_ssl = self.conf.barbican.verify_ssl
+            verify_ssl_path = self.conf.barbican.verify_ssl_path
+            verify = verify_ssl and verify_ssl_path or verify_ssl
+            sess = session.Session(auth=auth, verify=verify)
 
             self._barbican_endpoint = self._get_barbican_endpoint(auth, sess)
             self._barbican_client = barbican_client_import.Client(
diff --git a/castellan/options.py b/castellan/options.py
index 6c1991d6..213afc15 100644
--- a/castellan/options.py
+++ b/castellan/options.py
@@ -41,6 +41,7 @@ _DEFAULT_LOGGING_CONTEXT_FORMAT = ('%(asctime)s.%(msecs)03d %(process)d '
 def set_defaults(conf, backend=None, barbican_endpoint=None,
                  barbican_api_version=None, auth_endpoint=None,
                  retry_delay=None, number_of_retries=None, verify_ssl=None,
+                 verify_ssl_path=None,
                  api_class=None, vault_root_token_id=None,
                  vault_approle_role_id=None, vault_approle_secret_id=None,
                  vault_kv_mountpoint=None, vault_url=None,
@@ -57,6 +58,7 @@ def set_defaults(conf, backend=None, barbican_endpoint=None,
     :param retry_delay: Use this attribute to set retry delay.
     :param number_of_retries: Use this attribute to set number of retries.
     :param verify_ssl: Use this to specify if ssl should be verified.
+    :param verify_ssl_path: Use this to specify the CA path.
     :param vault_root_token_id: Use this for the root token id for vault.
     :param vault_approle_role_id: Use this for the approle role_id for vault.
     :param vault_approle_secret_id: Use this for the approle secret_id
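Review bot: `verify = verify_ssl and verify_ssl_path or verify_ssl` relies on the `and/or` short-circuit idiom, which is hard to read and only gives the intended result because every falsy `verify_ssl_path` (None, empty string) happens to fall back to `verify_ssl`; a conditional expression says what is meant without that coincidence: `verify = verify_ssl_path if verify_ssl and verify_ssl_path else verify_ssl`. A non-existent bundle path presumably surfaces from requests only when the first request is made, not here, so a typo should fail closed rather than open, but a short comment above the assignment stating that `verify` is either a bool or a CA bundle path would save the next reader the same analysis. Since `verify_ssl=False` silently disables certificate validation for the secret store, consider a `LOG.warning` on that branch if the module logger is available. The enclosing method and its `try` block start and end outside the hunk.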
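Review bot: `verify_ssl_path=None` is inserted in the middle of `set_defaults`'s parameter list, between `verify_ssl` and `api_class`, so any caller that passes the later arguments positionally now has every one of them silently shifted by one (what used to land in `api_class` becomes `verify_ssl_path`). Appending the new parameter after the last existing one, or making it keyword-only, keeps the public signature backward compatible; I cannot see whether any caller passes positionally, but a library entry point should not take the chance. The signature continues past the hunk.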
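Review bot: The added `:param verify_ssl_path:` line says only "the CA path", which tells a caller neither what kind of path is accepted nor that the value is ignored unless `verify_ssl` is enabled (the key manager only uses it when `verify_ssl` is true). Suggested wording: `:param verify_ssl_path: Path to a CA bundle file or directory used to verify the Barbican server certificate; only used when verify_ssl is True.` The docstring continues outside the hunk.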
@@ -103,6 +105,9 @@ def set_defaults(conf, backend=None, barbican_endpoint=None,
     if verify_ssl is not None:
         conf.set_default('verify_ssl', verify_ssl,
                          group=bkm._BARBICAN_OPT_GROUP)
+    if verify_ssl_path is not None:
+        conf.set_default('verify_ssl_path', verify_ssl_path,
+                         group=bkm._BARBICAN_OPT_GROUP)
     if barbican_endpoint_type is not None:
         conf.set_default('barbican_endpoint_type', barbican_endpoint_type,
                          group=bkm._BARBICAN_OPT_GROUP)
diff --git a/castellan/tests/unit/test_options.py b/castellan/tests/unit/test_options.py
index 3b82c49f..aceddd57 100644
--- a/castellan/tests/unit/test_options.py
+++ b/castellan/tests/unit/test_options.py
@@ -62,11 +62,16 @@ class TestOptions(base.TestCase):
         self.assertEqual(number_of_retries,
                          conf.barbican.number_of_retries)
 
-        verify_ssl = True
-        options.set_defaults(conf, verify_ssl=True)
+        verify_ssl = False
+        options.set_defaults(conf, verify_ssl=False)
         self.assertEqual(verify_ssl, conf.barbican.verify_ssl)
 
+        verify_ssl_path = '/mnt'
+        options.set_defaults(conf, verify_ssl_path='/mnt')
+        self.assertEqual(verify_ssl_path,
+                         conf.barbican.verify_ssl_path)
+
         barbican_endpoint_type = 'internal'
         options.set_defaults(conf, barbican_endpoint_type='internal')
         result_type = conf.barbican.barbican_endpoint_type
diff --git a/releasenotes/notes/bug-1876102-7c7288fb6e90b11d.yaml b/releasenotes/notes/bug-1876102-7c7288fb6e90b11d.yaml
new file mode 100644
index 00000000..2b5eddb0
--- /dev/null
+++ b/releasenotes/notes/bug-1876102-7c7288fb6e90b11d.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Add a new parameter, ``verify_ssl_path``, that can be used to
+    configure the path to CA certs when verifying requests to
+    Barbican.
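Review bot: The new assertions only prove that `set_defaults` stores `verify_ssl_path` in the config; nothing in this patch exercises the `verify` value that the key manager actually hands to `session.Session`, which is where the fix lives and where the `and/or` expression could regress. Unless it is covered elsewhere in the series, add a test to the barbican key manager unit tests that patches `session.Session` and asserts it is called with `verify='/some/ca.pem'` when both options are set, `verify=True` when only `verify_ssl` is set, and `verify=False` when `verify_ssl` is False, so that the fail-closed behaviour of the TLS settings is pinned. Switching the existing check to `verify_ssl = False` is fine since `True` is the default and proved nothing, but the test method starts before the hunk.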