Add options to support TLS certificate verification

Add --os-cacert and --verify|--insecure options using the same sematics as the other project CLIs. --verify is included for completeness. Bug: 1236608 Change-Id: I8a116d790db5aa4cb17a2207efedce7cb229eba3
2013-10-07 12:23:00 -05:00 · 2013-10-07 12:23:00 -05:00 · 3f9c68f1c6
commit 3f9c68f1c6
parent bca4cf9578
7 changed files with 53 additions and 7 deletions
--- a/openstackclient/common/clientmanager.py
+++ b/openstackclient/common/clientmanager.py
@ -50,7 +50,7 @@ class ClientManager(object):

    def __init__(self, token=None, url=None, auth_url=None, project_name=None,
                 project_id=None, username=None, password=None,
-                 region_name=None, api_version=None):
+                 region_name=None, verify=True, api_version=None):
        self._token = token
        self._url = url
        self._auth_url = auth_url
@ -62,6 +62,16 @@ class ClientManager(object):
        self._api_version = api_version
        self._service_catalog = None

+        # verify is the Requests-compatible form
+        self._verify = verify
+        # also store in the form used by the legacy client libs
+        self._cacert = None
+        if verify is True or verify is False:
+            self._insecure = not verify
+        else:
+            self._cacert = verify
+            self._insecure = True
+
        self.auth_ref = None

        if not self._url:
--- a/openstackclient/common/restapi.py
+++ b/openstackclient/common/restapi.py
@ -53,6 +53,7 @@ class RESTApi(object):
        os_auth=None,
        user_agent=USER_AGENT,
        debug=None,
+        verify=True,
        **kwargs
    ):
        self.set_auth(os_auth)
--- a/openstackclient/compute/client.py
+++ b/openstackclient/compute/client.py
@ -38,8 +38,8 @@ def make_client(instance):
        api_key=instance._password,
        project_id=instance._project_name,
        auth_url=instance._auth_url,
-        # FIXME(dhellmann): add constructor argument for this
-        insecure=False,
+        cacert=instance._cacert,
+        insecure=instance._insecure,
        region_name=instance._region_name,
        # FIXME(dhellmann): get endpoint_type from option?
        endpoint_type='publicURL',
--- a/openstackclient/identity/client.py
+++ b/openstackclient/identity/client.py
@ -47,7 +47,10 @@ def make_client(instance):
            tenant_name=instance._project_name,
            tenant_id=instance._project_id,
            auth_url=instance._auth_url,
-            region_name=instance._region_name)
+            region_name=instance._region_name,
+            cacert=instance._cacert,
+            insecure=instance._insecure,
+        )
        instance.auth_ref = client.auth_ref
    return client

--- a/openstackclient/image/client.py
+++ b/openstackclient/image/client.py
@ -40,7 +40,12 @@ def make_client(instance):
    if not instance._url:
        instance._url = instance.get_endpoint_for_service_type(API_NAME)

-    return image_client(instance._url, token=instance._token)
+    return image_client(
+        instance._url,
+        token=instance._token,
+        cacert=instance._cacert,
+        insecure=instance._insecure,
+    )


 # NOTE(dtroyer): glanceclient.v1.image.ImageManager() doesn't have a find()
--- a/openstackclient/shell.py
+++ b/openstackclient/shell.py
@ -79,6 +79,9 @@ class OpenStackShell(app.App):
        # password flow auth
        self.auth_client = None

+        # Assume TLS host certificate verification is enabled
+        self.verify = True
+
        # NOTE(dtroyer): This hack changes the help action that Cliff
        #                automatically adds to the parser so we can defer
        #                its execution until after the api-versioned commands
@ -158,6 +161,22 @@ class OpenStackShell(app.App):
            metavar='<auth-region-name>',
            default=env('OS_REGION_NAME'),
            help='Authentication region name (Env: OS_REGION_NAME)')
+        parser.add_argument(
+            '--os-cacert',
+            metavar='<ca-bundle-file>',
+            default=env('OS_CACERT'),
+            help='CA certificate bundle file (Env: OS_CACERT)')
+        verify_group = parser.add_mutually_exclusive_group()
+        verify_group.add_argument(
+            '--verify',
+            action='store_true',
+            help='Verify server certificate (default)',
+        )
+        verify_group.add_argument(
+            '--insecure',
+            action='store_true',
+            help='Disable server certificate verification',
+        )
        parser.add_argument(
            '--os-default-domain',
            metavar='<auth-domain>',
@ -299,7 +318,9 @@ class OpenStackShell(app.App):
            username=self.options.os_username,
            password=self.options.os_password,
            region_name=self.options.os_region_name,
-            api_version=self.api_version)
+            verify=self.verify,
+            api_version=self.api_version,
+        )
        return

    def init_keyring_backend(self):
@ -387,7 +408,11 @@ class OpenStackShell(app.App):
            self.DeferredHelpAction(self.parser, self.parser, None, None)

        # Set up common client session
-        self.restapi = restapi.RESTApi()
+        if self.options.os_cacert:
+            self.verify = self.options.os_cacert
+        else:
+            self.verify = not self.options.insecure
+        self.restapi = restapi.RESTApi(verify=self.verify)

    def prepare_to_run_command(self, cmd):
        """Set up auth and API versions"""
--- a/openstackclient/volume/client.py
+++ b/openstackclient/volume/client.py
@ -40,6 +40,8 @@ def make_client(instance):
        api_key=instance._password,
        project_id=instance._project_name,
        auth_url=instance._auth_url,
+        cacert=instance._cacert,
+        insecure=instance._insecure,
    )

    return client