From 31d785ec6951a84f831ea3dfd49214c42ae4fd26 Mon Sep 17 00:00:00 2001
From: Dean Troyer <dtroyer@gmail.com>
Date: Thu, 4 Jun 2015 09:20:29 -0500
Subject: [PATCH] Allow --insecure to override --os-cacert

Change --insecure to ignore the --os-cacert setting.  This is a change
from before where OSC followed the requests pattern of cacert taking
priority.

This logic is also introduced in os-client-config 1.3.0; we
do not require that release yet so it is duplicated here for now.
That change will come with the upcoming global options refactor.

Closes-Bug: #1447784
Change-Id: Iaa6d499ed0929c00a56dcd92a2017487c702774a
---
 openstackclient/shell.py            | 21 +++++++++++++++------
 openstackclient/tests/test_shell.py |  9 +++++----
 2 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/openstackclient/shell.py b/openstackclient/shell.py
index 136542dcd5..36483b3a7e 100644
--- a/openstackclient/shell.py
+++ b/openstackclient/shell.py
@@ -264,12 +264,21 @@ class OpenStackShell(app.App):
         self.log.debug("cloud cfg: %s", self.cloud.config)
 
         # Set up client TLS
-        cacert = self.cloud.cacert
-        if cacert:
-            self.verify = cacert
-        else:
-            self.verify = not self.cloud.config.get('insecure', False)
-            self.verify = self.cloud.config.get('verify', self.verify)
+        # NOTE(dtroyer): --insecure is the non-default condition that
+        #                overrides any verify setting in clouds.yaml
+        #                so check it first, then fall back to any verify
+        #                setting provided.
+        self.verify = not self.cloud.config.get(
+            'insecure',
+            not self.cloud.config.get('verify', True),
+        )
+
+        # NOTE(dtroyer): Per bug https://bugs.launchpad.net/bugs/1447784
+        #                --insecure now overrides any --os-cacert setting,
+        #                where before --insecure was ignored if --os-cacert
+        #                was set.
+        if self.verify and self.cloud.cacert:
+            self.verify = self.cloud.cacert
 
         # Save default domain
         self.default_domain = self.options.default_domain
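Review bot: When `insecure` is set together with a CA bundle, the new block disables verification and drops `self.cloud.cacert` without telling the user; the only log call visible in this hunk is the `cloud cfg` debug line. Because this reverses the earlier precedence, someone who passes --os-cacert while `insecure` is set elsewhere (presumably clouds.yaml, which is not visible here) gets unverified TLS with no signal. I would extend the final `if` with `elif self.cloud.cacert:` followed by `self.log.warning("--insecure overrides --os-cacert; TLS certificate verification is disabled")`. Separately, the `verify` fallback in `config.get('insecure', ...)` is used only when the `insecure` key is absent, so a present-but-false `insecure` would ignore `verify: false`; that fails closed, but the NOTE comment should say so. The enclosing method starts and ends outside the hunk.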
diff --git a/openstackclient/tests/test_shell.py b/openstackclient/tests/test_shell.py
index 8850d8f97d..b080ae9164 100644
--- a/openstackclient/tests/test_shell.py
+++ b/openstackclient/tests/test_shell.py
@@ -540,14 +540,15 @@ class TestShellCli(TestShell):
         self.assertTrue(_shell.verify)
 
         # --os-cacert and --insecure
-        # NOTE(dtroyer): This really is a bogus combination, the default is
-        #                to follow the requests.Session convention and let
-        #                --os-cacert override --insecure
+        # NOTE(dtroyer): Per bug https://bugs.launchpad.net/bugs/1447784
+        #                in this combination --insecure now overrides any
+        #                --os-cacert setting, where before --insecure
+        #                was ignored if --os-cacert was set.
         fake_execute(_shell, "--os-cacert foo --insecure list user")
         self.assertIsNone(_shell.options.verify)
         self.assertTrue(_shell.options.insecure)
         self.assertEqual('foo', _shell.options.cacert)
-        self.assertTrue(_shell.verify)
+        self.assertFalse(_shell.verify)
 
     def test_default_env(self):
         flag = ""
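Review bot: `self.assertFalse(_shell.verify)` passes for any falsy value, so it would not notice `verify` ending up as `None` or an empty string instead of the boolean `False`. An HTTP client may treat a missing value differently from an explicit "do not verify". `self.assertIs(False, _shell.verify)` pins the exact value the shell hands on. The combination tested here sets both options on the command line; whether `insecure` coming from the cloud config together with --os-cacert is covered cannot be seen from this hunk, and the test method starts outside it.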