openstack/castellan
Code Issues Proposed changes

add "verify_ssl_path" config for barbican key manager

Browse Source 
Now we cann't use the verify_ssl if we set True, so we
add the "verify_ssl_path" config to solve it.

Closes-Bug: #1876102
Change-Id: I83bafe5b7e0c4cca67f773858007fb59d98a93a5
This commit is contained in:
ramboman 2020-04-30 21:30:47 +08:00
parent 8f7e36df1e
commit 89f311dfbd
4 changed files with 30 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
castellan/key_manager/barbican_key_manager.py
View File

@ -64,7 +64,14 @@ _barbican_opts = [
cfg.BoolOpt('verify_ssl', cfg.BoolOpt('verify_ssl',
default=True, default=True,
help='Specifies if insecure TLS (https) requests. If False, ' help='Specifies if insecure TLS (https) requests. If False, '
'the server\'s certificate will not be validated'), 'the server\'s certificate will not be validated, if '
'True, we can set the verify_ssl_path config meanwhile.'),
cfg.StrOpt('verify_ssl_path',
default=None,
help='A path to a bundle or CA certs to check against, or '
'None for requests to attempt to locate and use '
'certificates which verify_ssh is True. If verify_ssl '
'is False, this is ignored.'),
cfg.StrOpt('barbican_endpoint_type', cfg.StrOpt('barbican_endpoint_type',
default='public', default='public',
choices=['public', 'internal', 'admin'], choices=['public', 'internal', 'admin'],
@ -109,8 +116,10 @@ class BarbicanKeyManager(key_manager.KeyManager):
try: try:
auth = self._get_keystone_auth(context) auth = self._get_keystone_auth(context)
sess = session.Session(auth=auth, verify_ssl = self.conf.barbican.verify_ssl
verify=self.conf.barbican.verify_ssl) verify_ssl_path = self.conf.barbican.verify_ssl_path
verify = verify_ssl and verify_ssl_path or verify_ssl
sess = session.Session(auth=auth, verify=verify)
self._barbican_endpoint = self._get_barbican_endpoint(auth, sess) self._barbican_endpoint = self._get_barbican_endpoint(auth, sess)
self._barbican_client = barbican_client_import.Client( self._barbican_client = barbican_client_import.Client(

5
castellan/options.py
View File

@ -41,6 +41,7 @@ _DEFAULT_LOGGING_CONTEXT_FORMAT = ('%(asctime)s.%(msecs)03d %(process)d '
def set_defaults(conf, backend=None, barbican_endpoint=None, def set_defaults(conf, backend=None, barbican_endpoint=None,
barbican_api_version=None, auth_endpoint=None, barbican_api_version=None, auth_endpoint=None,
retry_delay=None, number_of_retries=None, verify_ssl=None, retry_delay=None, number_of_retries=None, verify_ssl=None,
verify_ssl_path=None,
api_class=None, vault_root_token_id=None, api_class=None, vault_root_token_id=None,
vault_approle_role_id=None, vault_approle_secret_id=None, vault_approle_role_id=None, vault_approle_secret_id=None,
vault_kv_mountpoint=None, vault_url=None, vault_kv_mountpoint=None, vault_url=None,
@ -57,6 +58,7 @@ def set_defaults(conf, backend=None, barbican_endpoint=None,
:param retry_delay: Use this attribute to set retry delay. :param retry_delay: Use this attribute to set retry delay.
:param number_of_retries: Use this attribute to set number of retries. :param number_of_retries: Use this attribute to set number of retries.
:param verify_ssl: Use this to specify if ssl should be verified. :param verify_ssl: Use this to specify if ssl should be verified.
:param verify_ssl_path: Use this to specify the CA path.
:param vault_root_token_id: Use this for the root token id for vault. :param vault_root_token_id: Use this for the root token id for vault.
:param vault_approle_role_id: Use this for the approle role_id for vault. :param vault_approle_role_id: Use this for the approle role_id for vault.
:param vault_approle_secret_id: Use this for the approle secret_id :param vault_approle_secret_id: Use this for the approle secret_id
@ -103,6 +105,9 @@ def set_defaults(conf, backend=None, barbican_endpoint=None,
if verify_ssl is not None: if verify_ssl is not None:
conf.set_default('verify_ssl', verify_ssl, conf.set_default('verify_ssl', verify_ssl,
group=bkm._BARBICAN_OPT_GROUP) group=bkm._BARBICAN_OPT_GROUP)
if verify_ssl_path is not None:
conf.set_default('verify_ssl_path', verify_ssl_path,
group=bkm._BARBICAN_OPT_GROUP)
if barbican_endpoint_type is not None: if barbican_endpoint_type is not None:
conf.set_default('barbican_endpoint_type', barbican_endpoint_type, conf.set_default('barbican_endpoint_type', barbican_endpoint_type,
group=bkm._BARBICAN_OPT_GROUP) group=bkm._BARBICAN_OPT_GROUP)

9
castellan/tests/unit/test_options.py
View File

@ -62,11 +62,16 @@ class TestOptions(base.TestCase):
self.assertEqual(number_of_retries, self.assertEqual(number_of_retries,
conf.barbican.number_of_retries) conf.barbican.number_of_retries)
verify_ssl = True verify_ssl = False
options.set_defaults(conf, verify_ssl=True) options.set_defaults(conf, verify_ssl=False)
self.assertEqual(verify_ssl, self.assertEqual(verify_ssl,
conf.barbican.verify_ssl) conf.barbican.verify_ssl)
verify_ssl_path = '/mnt'
options.set_defaults(conf, verify_ssl_path='/mnt')
self.assertEqual(verify_ssl_path,
conf.barbican.verify_ssl_path)
barbican_endpoint_type = 'internal' barbican_endpoint_type = 'internal'
options.set_defaults(conf, barbican_endpoint_type='internal') options.set_defaults(conf, barbican_endpoint_type='internal')
result_type = conf.barbican.barbican_endpoint_type result_type = conf.barbican.barbican_endpoint_type

6
releasenotes/notes/bug-1876102-7c7288fb6e90b11d.yaml Normal file
View File

@ -0,0 +1,6 @@
---
fixes:
- |
Add a new parameter, ``verify_ssl_path``, that can be used to
configure the path to CA certs when verifying requests to
Barbican.