Merge "Add option for verifying TLS (https) requests"

2017-01-21 23:29:29 +00:00 · 2017-01-21 23:29:29 +00:00 · 53ff248f4b
parent c83eb195e3 a6b25bb136
commit 53ff248f4b
3 changed files with 32 additions and 18 deletions
--- a/castellan/key_manager/barbican_key_manager.py
+++ b/castellan/key_manager/barbican_key_manager.py
@ -63,6 +63,10 @@ barbican_opts = [
               default=60,
               help='Number of times to retry poll for key creation '
                    'completion'),
+    cfg.BoolOpt('verify_ssl',
+                default=True,
+                help='Specifies if insecure TLS (https) requests. If False, '
+                     'the server\'s certificate will not be validated'),
 ]

 BARBICAN_OPT_GROUP = 'barbican'
@ -109,7 +113,8 @@ class BarbicanKeyManager(key_manager.KeyManager):

        try:
            auth = self._get_keystone_auth(context)
-            sess = session.Session(auth=auth)
+            sess = session.Session(auth=auth,
+                                   verify=self.conf.barbican.verify_ssl)

            self._barbican_endpoint = self._get_barbican_endpoint(auth, sess)
            self._barbican_client = barbican_client.Client(
--- a/castellan/options.py
+++ b/castellan/options.py
@ -32,7 +32,7 @@ _DEFAULT_LOGGING_CONTEXT_FORMAT = ('%(asctime)s.%(msecs)03d %(process)d '

 def set_defaults(conf, api_class=None, barbican_endpoint=None,
                 barbican_api_version=None, auth_endpoint=None,
-                 retry_delay=None, number_of_retries=None):
+                 retry_delay=None, number_of_retries=None, verify_ssl=None):
    """Set defaults for configuration values.

    Overrides the default options values.
@ -43,6 +43,7 @@ def set_defaults(conf, api_class=None, barbican_endpoint=None,
    :param auth_endpoint: Use this endpoint to connect to Keystone.
    :param retry_delay: Use this attribute to set retry delay.
    :param number_of_retries: Use this attribute to set number of retries.
+    :param verify_ssl: Use this to specify if ssl should be verified.
    """
    conf.register_opts(km.key_manager_opts, group='key_manager')
    if bkm:
@ -50,23 +51,26 @@ def set_defaults(conf, api_class=None, barbican_endpoint=None,

    if api_class is not None:
        conf.set_default('api_class', api_class, group='key_manager')
-    if bkm is not None and barbican_endpoint is not None:
-        conf.set_default('barbican_endpoint', barbican_endpoint,
-                         group=bkm.BARBICAN_OPT_GROUP)
-    if bkm is not None and barbican_api_version is not None:
-        conf.set_default('barbican_api_version', barbican_api_version,
-                         group=bkm.BARBICAN_OPT_GROUP)
-    if bkm is not None and auth_endpoint is not None:
-        conf.set_default('auth_endpoint', auth_endpoint,
-                         group=bkm.BARBICAN_OPT_GROUP)

-    if bkm is not None and retry_delay is not None:
-        conf.set_default('retry_delay', retry_delay,
-                         group=bkm.BARBICAN_OPT_GROUP)
-
-    if bkm is not None and number_of_retries is not None:
-        conf.set_default('number_of_retries', number_of_retries,
-                         group=bkm.BARBICAN_OPT_GROUP)
+    if bkm is not None:
+        if barbican_endpoint is not None:
+            conf.set_default('barbican_endpoint', barbican_endpoint,
+                             group=bkm.BARBICAN_OPT_GROUP)
+        if barbican_api_version is not None:
+            conf.set_default('barbican_api_version', barbican_api_version,
+                             group=bkm.BARBICAN_OPT_GROUP)
+        if auth_endpoint is not None:
+            conf.set_default('auth_endpoint', auth_endpoint,
+                             group=bkm.BARBICAN_OPT_GROUP)
+        if retry_delay is not None:
+            conf.set_default('retry_delay', retry_delay,
+                             group=bkm.BARBICAN_OPT_GROUP)
+        if number_of_retries is not None:
+            conf.set_default('number_of_retries', number_of_retries,
+                             group=bkm.BARBICAN_OPT_GROUP)
+        if verify_ssl is not None:
+            conf.set_default('verify_ssl', verify_ssl,
+                             group=bkm.BARBICAN_OPT_GROUP)


 def enable_logging(conf=None, app_name='castellan'):
--- a/castellan/tests/unit/test_options.py
+++ b/castellan/tests/unit/test_options.py
@ -53,3 +53,8 @@ class TestOptions(base.TestCase):
        options.set_defaults(conf, number_of_retries=number_of_retries)
        self.assertEqual(number_of_retries,
                         conf.get(bkm.BARBICAN_OPT_GROUP).number_of_retries)
+
+        verify_ssl = True
+        options.set_defaults(conf, verify_ssl=True)
+        self.assertEqual(verify_ssl,
+                         conf.get(bkm.BARBICAN_OPT_GROUP).verify_ssl)