openstack/ironic
Code Issues Proposed changes

Merge "Support to validate iLO SSL certificate in iLO drivers"

Browse Source
This commit is contained in:
Jenkins 2016-08-01 17:29:07 +00:00 committed by Gerrit Code Review
commit c6e40cf902
7 changed files with 57 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
doc/source/drivers/ilo.rst
View File

@ -289,6 +289,7 @@ Nodes configured for iLO driver should have the ``driver`` property set to
- ``ilo_username``: Username for the iLO with administrator privileges. - ``ilo_username``: Username for the iLO with administrator privileges.
- ``ilo_password``: Password for the above iLO user. - ``ilo_password``: Password for the above iLO user.
- ``ilo_deploy_iso``: The glance UUID of the deploy ramdisk ISO image. - ``ilo_deploy_iso``: The glance UUID of the deploy ramdisk ISO image.
- ``ilo_ca_file``: (optional) CA certificate file to validate iLO.
- ``client_port``: (optional) Port to be used for iLO operations if you are - ``client_port``: (optional) Port to be used for iLO operations if you are
using a custom port on the iLO. Default port used is 443. using a custom port on the iLO. Default port used is 443.
- ``client_timeout``: (optional) Timeout for iLO operations. Default timeout - ``client_timeout``: (optional) Timeout for iLO operations. Default timeout
@ -426,6 +427,7 @@ Nodes configured for iLO driver should have the ``driver`` property set to
- ``ilo_username``: Username for the iLO with administrator privileges. - ``ilo_username``: Username for the iLO with administrator privileges.
- ``ilo_password``: Password for the above iLO user. - ``ilo_password``: Password for the above iLO user.
- ``ilo_deploy_iso``: The glance UUID of the deploy ramdisk ISO image. - ``ilo_deploy_iso``: The glance UUID of the deploy ramdisk ISO image.
- ``ilo_ca_file``: (optional) CA certificate file to validate iLO.
- ``client_port``: (optional) Port to be used for iLO operations if you are - ``client_port``: (optional) Port to be used for iLO operations if you are
using a custom port on the iLO. Default port used is 443. using a custom port on the iLO. Default port used is 443.
- ``client_timeout``: (optional) Timeout for iLO operations. Default timeout - ``client_timeout``: (optional) Timeout for iLO operations. Default timeout
@ -545,6 +547,7 @@ Nodes configured for iLO driver should have the ``driver`` property set to
- ``ilo_password``: Password for the above iLO user. - ``ilo_password``: Password for the above iLO user.
- ``deploy_kernel``: The glance UUID of the deployment kernel. - ``deploy_kernel``: The glance UUID of the deployment kernel.
- ``deploy_ramdisk``: The glance UUID of the deployment ramdisk. - ``deploy_ramdisk``: The glance UUID of the deployment ramdisk.
- ``ilo_ca_file``: (optional) CA certificate file to validate iLO.
- ``client_port``: (optional) Port to be used for iLO operations if you are - ``client_port``: (optional) Port to be used for iLO operations if you are
using a custom port on the iLO. Default port used is 443. using a custom port on the iLO. Default port used is 443.
- ``client_timeout``: (optional) Timeout for iLO operations. Default timeout - ``client_timeout``: (optional) Timeout for iLO operations. Default timeout

3
etc/ironic/ironic.conf.sample
View File

@ -1158,6 +1158,9 @@
# operations (integer value) # operations (integer value)
#power_wait = 2 #power_wait = 2
# CA certificate file to validate iLO. (string value)
#ca_file = <None>
[inspector] [inspector]

2
ironic/conf/ilo.py
View File

@ -78,6 +78,8 @@ opts = [
default=2, default=2,
help=_('Amount of time in seconds to wait in between power ' help=_('Amount of time in seconds to wait in between power '
'operations')), 'operations')),
cfg.StrOpt('ca_file',
help=_('CA certificate file to validate iLO.')),
] ]

10
ironic/drivers/modules/ilo/common.py
View File

@ -59,6 +59,7 @@ REQUIRED_PROPERTIES = {
OPTIONAL_PROPERTIES = { OPTIONAL_PROPERTIES = {
'client_port': _("port to be used for iLO operations. Optional."), 'client_port': _("port to be used for iLO operations. Optional."),
'client_timeout': _("timeout (in seconds) for iLO operations. Optional."), 'client_timeout': _("timeout (in seconds) for iLO operations. Optional."),
'ca_file': _("CA certificate file to validate iLO. optional"),
} }
CONSOLE_PROPERTIES = { CONSOLE_PROPERTIES = {
'console_port': _("node's UDP port to connect to. Only required for " 'console_port': _("node's UDP port to connect to. Only required for "
@ -211,6 +212,12 @@ def parse_driver_info(node):
value = info.get(param, CONF.ilo.get(param)) value = info.get(param, CONF.ilo.get(param))
if param == "client_port": if param == "client_port":
d_info[param] = utils.validate_network_port(value, param) d_info[param] = utils.validate_network_port(value, param)
elif param == "ca_file":
if value and not os.path.isfile(value):
raise exception.InvalidParameterValue(_(
'%(param)s "%(value)s" is not found.') %
{'param': param, 'value': value})
d_info[param] = value
else: else:
try: try:
d_info[param] = int(value) d_info[param] = int(value)
@ -250,7 +257,8 @@ def get_ilo_object(node):
driver_info['ilo_username'], driver_info['ilo_username'],
driver_info['ilo_password'], driver_info['ilo_password'],
driver_info['client_timeout'], driver_info['client_timeout'],
driver_info['client_port']) driver_info['client_port'],
cacert=driver_info.get('ca_file'))
return ilo_object return ilo_object

7
ironic/tests/unit/conductor/test_manager.py
View File

@ -4022,21 +4022,22 @@ class ManagerTestProperties(tests_db_base.DbTestCase):
def test_driver_properties_fake_ilo(self): def test_driver_properties_fake_ilo(self):
expected = ['ilo_address', 'ilo_username', 'ilo_password', expected = ['ilo_address', 'ilo_username', 'ilo_password',
'client_port', 'client_timeout', 'ilo_change_password'] 'client_port', 'client_timeout', 'ilo_change_password',
'ca_file']
self._check_driver_properties("fake_ilo", expected) self._check_driver_properties("fake_ilo", expected)
def test_driver_properties_ilo_iscsi(self): def test_driver_properties_ilo_iscsi(self):
expected = ['ilo_address', 'ilo_username', 'ilo_password', expected = ['ilo_address', 'ilo_username', 'ilo_password',
'client_port', 'client_timeout', 'ilo_deploy_iso', 'client_port', 'client_timeout', 'ilo_deploy_iso',
'console_port', 'ilo_change_password', 'console_port', 'ilo_change_password',
'deploy_forces_oob_reboot'] 'deploy_forces_oob_reboot', 'ca_file']
self._check_driver_properties("iscsi_ilo", expected) self._check_driver_properties("iscsi_ilo", expected)
def test_driver_properties_agent_ilo(self): def test_driver_properties_agent_ilo(self):
expected = ['ilo_address', 'ilo_username', 'ilo_password', expected = ['ilo_address', 'ilo_username', 'ilo_password',
'client_port', 'client_timeout', 'ilo_deploy_iso', 'client_port', 'client_timeout', 'ilo_deploy_iso',
'console_port', 'ilo_change_password', 'console_port', 'ilo_change_password',
'deploy_forces_oob_reboot'] 'deploy_forces_oob_reboot', 'ca_file']
self._check_driver_properties("agent_ilo", expected) self._check_driver_properties("agent_ilo", expected)
def test_driver_properties_fail(self): def test_driver_properties_fail(self):

30
ironic/tests/unit/drivers/modules/ilo/test_common.py
View File

@ -61,7 +61,9 @@ class IloValidateParametersTestCase(db_base.DbTestCase):
self.context, driver='fake_ilo', self.context, driver='fake_ilo',
driver_info=INFO_DICT) driver_info=INFO_DICT)
def test_parse_driver_info(self): @mock.patch.object(os.path, 'isfile', return_value=True, autospec=True)
def _test_parse_driver_info(self, isFile_mock):
info = ilo_common.parse_driver_info(self.node) info = ilo_common.parse_driver_info(self.node)
self.assertEqual(INFO_DICT['ilo_address'], info['ilo_address']) self.assertEqual(INFO_DICT['ilo_address'], info['ilo_address'])
@ -69,6 +71,15 @@ class IloValidateParametersTestCase(db_base.DbTestCase):
self.assertEqual(INFO_DICT['ilo_password'], info['ilo_password']) self.assertEqual(INFO_DICT['ilo_password'], info['ilo_password'])
self.assertEqual(60, info['client_timeout']) self.assertEqual(60, info['client_timeout'])
self.assertEqual(443, info['client_port']) self.assertEqual(443, info['client_port'])
self.assertEqual('/home/user/cafile.pem', info['ca_file'])
def test_parse_driver_info_ca_file_in_driver_info(self):
self.node.driver_info['ca_file'] = '/home/user/cafile.pem'
self._test_parse_driver_info()
def test_parse_driver_info_ca_file_in_conf_file(self):
self.config(ca_file='/home/user/cafile.pem', group='ilo')
self._test_parse_driver_info()
def test_parse_driver_info_missing_address(self): def test_parse_driver_info_missing_address(self):
del self.node.driver_info['ilo_address'] del self.node.driver_info['ilo_address']
@ -85,6 +96,13 @@ class IloValidateParametersTestCase(db_base.DbTestCase):
self.assertRaises(exception.MissingParameterValue, self.assertRaises(exception.MissingParameterValue,
ilo_common.parse_driver_info, self.node) ilo_common.parse_driver_info, self.node)
@mock.patch.object(os.path, 'isfile', return_value=False, autospec=True)
def test_parse_driver_info_invalid_cafile(self, isFile_mock):
self.node.driver_info['ca_file'] = '/home/missing.pem'
self.assertRaisesRegex(exception.InvalidParameterValue,
'ca_file "/home/missing.pem" is not found.',
ilo_common.parse_driver_info, self.node)
def test_parse_driver_info_invalid_timeout(self): def test_parse_driver_info_invalid_timeout(self):
self.node.driver_info['client_timeout'] = 'qwe' self.node.driver_info['client_timeout'] = 'qwe'
self.assertRaises(exception.InvalidParameterValue, self.assertRaises(exception.InvalidParameterValue,
@ -132,11 +150,13 @@ class IloCommonMethodsTestCase(db_base.DbTestCase):
self.node = obj_utils.create_test_node( self.node = obj_utils.create_test_node(
self.context, driver='fake_ilo', driver_info=self.info) self.context, driver='fake_ilo', driver_info=self.info)
@mock.patch.object(os.path, 'isfile', return_value=True, autospec=True)
@mock.patch.object(ilo_client, 'IloClient', spec_set=True, @mock.patch.object(ilo_client, 'IloClient', spec_set=True,
autospec=True) autospec=True)
def test_get_ilo_object(self, ilo_client_mock): def _test_get_ilo_object(self, ilo_client_mock, isFile_mock, ca_file=None):
self.info['client_timeout'] = 60 self.info['client_timeout'] = 60
self.info['client_port'] = 443 self.info['client_port'] = 443
self.info['ca_file'] = ca_file
ilo_client_mock.return_value = 'ilo_object' ilo_client_mock.return_value = 'ilo_object'
returned_ilo_object = ilo_common.get_ilo_object(self.node) returned_ilo_object = ilo_common.get_ilo_object(self.node)
ilo_client_mock.assert_called_with( ilo_client_mock.assert_called_with(
@ -147,6 +167,12 @@ class IloCommonMethodsTestCase(db_base.DbTestCase):
self.info['client_port']) self.info['client_port'])
self.assertEqual('ilo_object', returned_ilo_object) self.assertEqual('ilo_object', returned_ilo_object)
def test_get_ilo_object_cafile(self):
self._test_get_ilo_object(ca_file='/home/user/ilo.pem')
def test_get_ilo_object_no_cafile(self):
self._test_get_ilo_object()
@mock.patch.object(ilo_common, 'get_ilo_object', spec_set=True, @mock.patch.object(ilo_common, 'get_ilo_object', spec_set=True,
autospec=True) autospec=True)
def test_get_ilo_license(self, get_ilo_object_mock): def test_get_ilo_license(self, get_ilo_object_mock):

8
releasenotes/notes/validate-ilo-certificates-3ab98bb8cfad7d60.yaml Normal file
View File

@ -0,0 +1,8 @@
---
features:
- Added support to validate iLO SSL certificate in iLO
drivers.
New config parameter '[ilo]/ca_file' added to
specify iLO CA certificate file.
If 'ca_file' is specified, iLO drivers will validate
iLO SSL certificates.