Enable https for Openstack in Snaps 21/36221/7
authorLinda Wang <wangwulin@huawei.com>
Tue, 20 Jun 2017 06:31:29 +0000 (06:31 +0000)
committerLinda Wang <wangwulin@huawei.com>
Thu, 22 Jun 2017 16:24:59 +0000 (16:24 +0000)
When running in an https environment, snaps should provide two options:
1. To support certificate verification when an https certificate file is provided;
2. To disable server certificate verification when no cert file is provided.

JIRA: SNAPS-84

Change-Id: I5a9094238db5c8017cc8b80e3353adc6e793b552
Signed-off-by: Linda Wang <wangwulin@huawei.com>
snaps/openstack/create_user.py
snaps/openstack/os_credentials.py
snaps/openstack/tests/openstack_tests.py
snaps/openstack/utils/keystone_utils.py

index c6d4678..b3f93d4 100644 (file)
@@ -93,7 +93,8 @@ class OpenStackUser:
             identity_api_version=self.__os_creds.identity_api_version,
             user_domain_id=self.__os_creds.user_domain_id,
             project_domain_id=self.__os_creds.project_domain_id,
-            proxy_settings=self.__os_creds.proxy_settings)
+            proxy_settings=self.__os_creds.proxy_settings,
+            cacert=self.__os_creds.cacert)
 
 
 class UserSettings:
index db6369b..b55e480 100644 (file)
@@ -22,7 +22,7 @@ class OSCreds:
 
     def __init__(self, username, password, auth_url, project_name, identity_api_version=2, image_api_version=2,
                  network_api_version=2, compute_api_version=2, user_domain_id='default', project_domain_id='default',
-                 proxy_settings=None):
+                 proxy_settings=None, cacert=True):
         """
         Constructor
         :param username: The user (required)
@@ -36,6 +36,8 @@ class OSCreds:
         :param user_domain_id: Used for v3 APIs
         :param project_domain_id: Used for v3 APIs
         :param proxy_settings: instance of os_credentials.ProxySettings class
+        :param cacert: Default to be True for http, or the certification file is specified for https verification,
+                       or set to be False to disable server certificate verification without cert file
         """
         self.username = username
         self.password = password
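Review bot: The `:param cacert:` text says True is the default "for http", which hides that True means the server certificate is verified against the system CA bundle once the value reaches `verify=` on the keystone session. Suggested wording: `:param cacert: True (default) verifies the server certificate against the system CA bundle; a file path verifies against that CA file; False disables verification`. The constructor stores the value unchecked in the next hunk (`self.cacert = cacert`), so accepting only a bool or a path string there would catch a mistyped value early. The docstring and `__init__` body continue outside this hunk.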
@@ -48,6 +50,7 @@ class OSCreds:
         self.user_domain_id = user_domain_id
         self.project_domain_id = project_domain_id
         self.proxy_settings = proxy_settings
+        self.cacert = cacert
 
         if self.proxy_settings and not isinstance(self.proxy_settings, ProxySettings):
             raise Exception('proxy_settings must be an instance of the class ProxySettings')
@@ -72,7 +75,8 @@ class OSCreds:
                ', network_api_version=' + str(self.network_api_version) + \
                ', compute_api_version=' + str(self.compute_api_version) + \
                ', user_domain_id=' + str(self.user_domain_id) + \
-               ', proxy_settings=' + str(self.proxy_settings)
+               ', proxy_settings=' + str(self.proxy_settings) + \
+               ', cacert=' + str(self.cacert)
 
 
 class ProxySettings:
index bfcadaf..109d2ce 100644 (file)
@@ -85,6 +85,13 @@ def get_credentials(os_env_file=None, proxy_settings_str=None,
             tokens = re.split(':', proxy_settings_str)
             proxy_settings = ProxySettings(tokens[0], tokens[1], ssh_proxy_cmd)
 
+        if config.get('OS_CACERT'):
+            https_cacert = config.get('OS_CACERT')
+        elif config.get('OS_INSECURE'):
+            https_cacert = False
+        else:
+            https_cacert = True
+
         os_creds = OSCreds(username=config['OS_USERNAME'],
                            password=config['OS_PASSWORD'],
                            auth_url=config['OS_AUTH_URL'],
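Review bot: The `elif config.get('OS_INSECURE'):` branch treats any non-empty value as true, so if the RC-file parser returns strings (the parser is not visible in this hunk), a line such as `OS_INSECURE=false` would still switch certificate verification off. Compare the value explicitly, e.g. `elif str(config.get('OS_INSECURE', '')).lower() == 'true':`, so that only an explicit opt-in disables verification. The `else` branch that reads dev_os_env_file lies after the next hunk, and whether it passes `cacert` cannot be seen here. get_credentials starts and ends outside the hunk.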
@@ -92,7 +99,8 @@ def get_credentials(os_env_file=None, proxy_settings_str=None,
                            identity_api_version=version,
                            user_domain_id=user_domain_id,
                            project_domain_id=proj_domain_id,
-                           proxy_settings=proxy_settings)
+                           proxy_settings=proxy_settings,
+                           cacert=https_cacert)
     else:
         logger.info('Reading development os_env file - ' + dev_os_env_file)
         config = file_utils.read_yaml(dev_os_env_file)
index 337bdc2..8f5effd 100644 (file)
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-import requests
+import logging
+
 from keystoneclient.client import Client
 from keystoneauth1.identity import v3, v2
 from keystoneauth1 import session
-import logging
-
+import requests
 
 logger = logging.getLogger('keystone_utils')
 
@@ -59,7 +59,8 @@ def keystone_session(os_creds):
     if os_creds.proxy_settings:
         req_session = requests.Session()
         req_session.proxies = {'http': os_creds.proxy_settings.host + ':' + os_creds.proxy_settings.port}
-    return session.Session(auth=auth, session=req_session)
+    return session.Session(auth=auth, session=req_session,
+                           verify=os_creds.cacert)
 
 
 def keystone_client(os_creds):
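Review bot: `verify=os_creds.cacert` turns TLS certificate checking off without leaving any trace when the value is False, and this session carries the Keystone username and password. Log it before the return so an unverified run is visible in the output: `if os_creds.cacert is False: logger.warning('TLS certificate verification is disabled for the Keystone session')`. The context line above sets only an `'http'` entry in `req_session.proxies`, so with an https auth URL the proxy would presumably not be applied; that is worth confirming now that https is supported. keystone_session begins outside the hunk.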