Fix urgent amphora two-way auth security bug

The value of gunicorn's option 'cert_reqs` for client-cert requirement
does not take a boolean, but rather `ssl.CERT_REQUIRED` which is `2`.

Story: 2006660
Task: 36916

SecurityImpact: CVE-2019-17134

Change-Id: I5619f5e40d7c9a2ee7741bf4664c0d2d08963992
(cherry picked from commit 2c9af84bdf)

octavia/cmd/agent.py

@@ -74,7 +74,7 @@ def main():
         'timeout': CONF.amphora_agent.agent_request_read_timeout,
         'certfile': CONF.amphora_agent.agent_server_cert,
         'ca_certs': CONF.amphora_agent.agent_server_ca,
-        'cert_reqs': True,
+        'cert_reqs': ssl.CERT_REQUIRED,
         'ssl_version': getattr(ssl, "PROTOCOL_%s" % proto),
         'preload_app': True,
         'accesslog': '/var/log/amphora-agent.log',

octavia/tests/unit/cmd/test_agent.py

@@ -9,6 +9,7 @@
 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 #    License for the specific language governing permissions and limitations
 #    under the License.
+import ssl
 
 import mock
 
@@ -36,5 +37,11 @@ class TestAmphoraAgentCMD(base.TestCase):
 
         agent.main()
 
+        # Ensure gunicorn is initialized with the correct cert_reqs option.
+        # This option is what enforces use of a valid client certificate.
+        self.assertEqual(
+            ssl.CERT_REQUIRED,
+            mock_amp.call_args[0][1]['cert_reqs'])
+
         mock_health_proc.start.assert_called_once_with()
         mock_amp_instance.run.assert_called_once()

releasenotes/notes/correct-amp-client-auth-vulnerability-6803f4bac2508e4c.yaml

@@ -0,0 +1,5 @@
+---
+security:
+  - |
+    Correctly require two-way certificate authentication to connect to the
+    amphora agent API (CVE-2019-17134).