Refactor KS session creation and support CA certs

Change-Id: Ib3fc33b1825b16cc4537d979d5ab5ed0b39633d5

designateclient/shell.py

@@ -20,9 +20,8 @@ import traceback
 
 from cliff.app import App
 from cliff.commandmanager import CommandManager
-from keystoneclient.auth.identity import generic
-from keystoneclient import session as ks_session
 
+from designateclient import utils
 from designateclient.version import version_info as version
 
 
@@ -155,6 +154,11 @@ class DesignateShell(App):
                             help=("Defaults to env[OS_DNS_SERVICE_TYPE], or "
                                   "'dns'"))
 
+        parser.add_argument('--os-cacert',
+                            default=env('OS_CACERT'),
+                            help=('CA certificate bundle file. Defaults to '
+                                  'env[OS_CACERT]'))
+
         parser.add_argument('--insecure', action='store_true',
                             help="Explicitly allow 'insecure' SSL requests")
 
@@ -206,37 +210,25 @@ class DesignateShell(App):
 
     def initialize_app(self, argv):
         super(DesignateShell, self).initialize_app(argv)
-        self.session = self.get_session()
+        self.session = utils.get_session(
-
+            auth_url=self.options.os_auth_url,
-    def get_session(self):
+            endpoint=self.options.os_endpoint,
-        session = ks_session.Session()
+            domain_id=self.options.os_domain_id,
-
+            domain_name=self.options.os_domain_name,
-        auth_args = {
+            project_id=self.options.os_project_id or self.options.os_tenant_id,
-            'auth_url': self.options.os_auth_url,
+            project_name=(self.options.os_project_name or
-            'domain_id': self.options.os_domain_id,
+                          self.options.os_tenant_name),
-            'domain_name': self.options.os_domain_name,
+            project_domain_name=self.options.os_project_domain_name,
-            'project_id': self.options.os_project_id,
+            project_domain_id=self.options.os_project_domain_id,
-            'project_name': self.options.os_project_name,
+            username=self.options.os_username,
-            'project_domain_name': self.options.os_project_domain_name,
+            user_id=self.options.os_user_id,
-            'project_domain_id': self.options.os_project_domain_id,
+            password=self.options.os_password,
-            'tenant_id': self.options.os_tenant_id,
+            user_domain_id=self.options.os_user_domain_id,
-            'tenant_name': self.options.os_tenant_name,
+            user_domain_name=self.options.os_user_domain_name,
-        }
+            token=self.options.os_token,
-
+            insecure=self.options.insecure,
-        if self.options.os_token:
+            cacert=self.options.os_cacert,
-            auth_args['token'] = self.options.os_token
+        )
-            session.auth = generic.Token(**auth_args)
-        else:
-            password_args = {
-                'username': self.options.os_username,
-                'user_id': self.options.os_user_id,
-                'user_domain_id': self.options.os_user_domain_id,
-                'user_domain_name': self.options.os_user_domain_name,
-                'password': self.options.os_password
-            }
-            auth_args.update(password_args)
-            session.auth = generic.Password(**auth_args)
-        return session
 
     def run(self, argv):
         try:

designateclient/utils.py

@@ -18,6 +18,9 @@ import json
 import os
 
 
+from keystoneclient.auth.identity import generic
+from keystoneclient.auth import token_endpoint
+from keystoneclient import session as ks_session
 import pkg_resources
 
 from designateclient import exceptions
@@ -92,3 +95,48 @@ def get_columns(data):
 
     map(lambda item: map(_seen, item.keys()), data)
     return list(columns)
+
+
+def get_session(auth_url, endpoint, domain_id, domain_name, project_id,
+                project_name, project_domain_name, project_domain_id, username,
+                user_id, password, user_domain_id, user_domain_name, token,
+                insecure, cacert):
+    session = ks_session.Session()
+
+    # Build + Attach Authentication Plugin
+    auth_args = {
+        'auth_url': auth_url,
+        'domain_id': domain_id,
+        'domain_name': domain_name,
+        'project_id': project_id,
+        'project_name': project_name,
+        'project_domain_name': project_domain_name,
+        'project_domain_id': project_domain_id,
+    }
+
+    if token and endpoint:
+        session.auth = token_endpoint.Token(endpoint, token)
+
+    elif token:
+        auth_args.update({
+            'token': token
+        })
+        session.auth = generic.Token(**auth_args)
+
+    else:
+        auth_args.update({
+            'username': username,
+            'user_id': user_id,
+            'password': password,
+            'user_domain_id': user_domain_id,
+            'user_domain_name': user_domain_name,
+        })
+        session.auth = generic.Password(**auth_args)
+
+    # SSL/TLS Server Cert Verification
+    if insecure is True:
+        session.verify = False
+    else:
+        session.verify = cacert
+
+    return session

designateclient/v1/__init__.py

@@ -14,12 +14,10 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 from keystoneclient import adapter
-from keystoneclient.auth.identity import generic
-from keystoneclient.auth import token_endpoint
-from keystoneclient import session as ks_session
 from stevedore import extension
 
 from designateclient import exceptions
+from designateclient import utils
 from designateclient import version
 
 
@@ -33,51 +31,39 @@ class Client(object):
                  project_id=None, project_domain_name=None,
                  project_domain_id=None, auth_url=None, token=None,
                  endpoint_type='publicURL', region_name=None,
-                 service_type='dns', insecure=False, verify=None, session=None,
+                 service_type='dns', insecure=False, session=None,
-                 auth=None):
+                 cacert=None):
         """
         :param endpoint: Endpoint URL
         :param token: A token instead of username / password
         :param insecure: Allow "insecure" HTTPS requests
         """
-        # Backwards compat to preserve the functionality of insecure.
+
-        if verify is None and insecure:
+        if endpoint:
-            verify = False
+            endpoint = endpoint.rstrip('/')
-        else:
+            if not endpoint.endswith('v1'):
-            verify = True
+                endpoint = "%s/v1" % endpoint
 
         # Compatibility code to mimic the old behaviour of the client
         if session is None:
-            session = ks_session.Session(verify=verify)
+            session = utils.get_session(
-
+                auth_url=auth_url,
-            auth_args = {
+                endpoint=endpoint,
-                'auth_url': auth_url,
+                domain_id=domain_id,
-                'domain_id': domain_id,
+                domain_name=domain_name,
-                'domain_name': domain_name,
+                project_id=project_id or tenant_id,
-                'project_id': project_id,
+                project_name=project_name or tenant_name,
-                'project_name': project_name,
+                project_domain_name=project_domain_name,
-                'project_domain_name': project_domain_name,
+                project_domain_id=project_domain_id,
-                'project_domain_id': project_domain_id,
+                username=username,
-                'tenant_id': tenant_id,
+                user_id=user_id,
-                'tenant_name': tenant_name,
+                password=password,
-            }
+                user_domain_id=user_domain_id,
-
+                user_domain_name=user_domain_name,
-            if token:
+                token=token,
-                # To mimic typical v1 behaviour I copied this
+                insecure=insecure,
-                endpoint = endpoint.rstrip('/')
+                cacert=cacert,
-                if not endpoint.endswith('v1'):
+            )
-                    endpoint = "%s/v1" % endpoint
-                session.auth = token_endpoint.Token(endpoint, token)
-            else:
-                password_args = {
-                    'username': username,
-                    'user_id': user_id,
-                    'user_domain_id': user_domain_id,
-                    'user_domain_name': user_domain_name,
-                    'password': password
-                }
-                auth_args.update(password_args)
-                session.auth = generic.Password(**auth_args)
 
         # Since we have to behave nicely like a legacy client/bindings we use
         # an adapter around the session to not modify it's state.
@@ -85,7 +71,7 @@ class Client(object):
 
         self.session = adapter.Adapter(
             session,
-            auth=auth,
+            auth=session.auth,
             endpoint_override=endpoint,
             region_name=region_name,
             service_type=service_type,