From 89f311dfbd264a5d4309ea1ca4283f2746d6fa24 Mon Sep 17 00:00:00 2001
From: ramboman <lijie@unitedstack.com>
Date: Thu, 30 Apr 2020 21:30:47 +0800
Subject: [PATCH] add "verify_ssl_path" config for barbican key manager

Now we cann't use the verify_ssl if we set True, so we
add the "verify_ssl_path" config to solve it.

Closes-Bug: #1876102
Change-Id: I83bafe5b7e0c4cca67f773858007fb59d98a93a5
---
 castellan/key_manager/barbican_key_manager.py     | 15 ++++++++++++---
 castellan/options.py                              |  5 +++++
 castellan/tests/unit/test_options.py              |  9 +++++++--
 .../notes/bug-1876102-7c7288fb6e90b11d.yaml       |  6 ++++++
 4 files changed, 30 insertions(+), 5 deletions(-)
 create mode 100644 releasenotes/notes/bug-1876102-7c7288fb6e90b11d.yaml

diff --git a/castellan/key_manager/barbican_key_manager.py b/castellan/key_manager/barbican_key_manager.py
index 892da26a..0fe63b88 100644
--- a/castellan/key_manager/barbican_key_manager.py
+++ b/castellan/key_manager/barbican_key_manager.py
@@ -64,7 +64,14 @@ _barbican_opts = [
     cfg.BoolOpt('verify_ssl',
                 default=True,
                 help='Specifies if insecure TLS (https) requests. If False, '
-                     'the server\'s certificate will not be validated'),
+                     'the server\'s certificate will not be validated, if '
+                     'True, we can set the verify_ssl_path config meanwhile.'),
+    cfg.StrOpt('verify_ssl_path',
+               default=None,
+               help='A path to a bundle or CA certs to check against, or '
+                    'None for requests to attempt to locate and use '
+                    'certificates which verify_ssh is True. If verify_ssl '
+                    'is False, this is ignored.'),
     cfg.StrOpt('barbican_endpoint_type',
                default='public',
                choices=['public', 'internal', 'admin'],
@@ -109,8 +116,10 @@ class BarbicanKeyManager(key_manager.KeyManager):
 
         try:
             auth = self._get_keystone_auth(context)
-            sess = session.Session(auth=auth,
-                                   verify=self.conf.barbican.verify_ssl)
+            verify_ssl = self.conf.barbican.verify_ssl
+            verify_ssl_path = self.conf.barbican.verify_ssl_path
+            verify = verify_ssl and verify_ssl_path or verify_ssl
+            sess = session.Session(auth=auth, verify=verify)
 
             self._barbican_endpoint = self._get_barbican_endpoint(auth, sess)
             self._barbican_client = barbican_client_import.Client(
diff --git a/castellan/options.py b/castellan/options.py
index 6c1991d6..213afc15 100644
--- a/castellan/options.py
+++ b/castellan/options.py
@@ -41,6 +41,7 @@ _DEFAULT_LOGGING_CONTEXT_FORMAT = ('%(asctime)s.%(msecs)03d %(process)d '
 def set_defaults(conf, backend=None, barbican_endpoint=None,
                  barbican_api_version=None, auth_endpoint=None,
                  retry_delay=None, number_of_retries=None, verify_ssl=None,
+                 verify_ssl_path=None,
                  api_class=None, vault_root_token_id=None,
                  vault_approle_role_id=None, vault_approle_secret_id=None,
                  vault_kv_mountpoint=None, vault_url=None,
@@ -57,6 +58,7 @@ def set_defaults(conf, backend=None, barbican_endpoint=None,
     :param retry_delay: Use this attribute to set retry delay.
     :param number_of_retries: Use this attribute to set number of retries.
     :param verify_ssl: Use this to specify if ssl should be verified.
+    :param verify_ssl_path: Use this to specify the CA path.
     :param vault_root_token_id: Use this for the root token id for vault.
     :param vault_approle_role_id: Use this for the approle role_id for vault.
     :param vault_approle_secret_id: Use this for the approle secret_id
@@ -103,6 +105,9 @@ def set_defaults(conf, backend=None, barbican_endpoint=None,
         if verify_ssl is not None:
             conf.set_default('verify_ssl', verify_ssl,
                              group=bkm._BARBICAN_OPT_GROUP)
+        if verify_ssl_path is not None:
+            conf.set_default('verify_ssl_path', verify_ssl_path,
+                             group=bkm._BARBICAN_OPT_GROUP)
         if barbican_endpoint_type is not None:
             conf.set_default('barbican_endpoint_type', barbican_endpoint_type,
                              group=bkm._BARBICAN_OPT_GROUP)
diff --git a/castellan/tests/unit/test_options.py b/castellan/tests/unit/test_options.py
index 3b82c49f..aceddd57 100644
--- a/castellan/tests/unit/test_options.py
+++ b/castellan/tests/unit/test_options.py
@@ -62,11 +62,16 @@ class TestOptions(base.TestCase):
         self.assertEqual(number_of_retries,
                          conf.barbican.number_of_retries)
 
-        verify_ssl = True
-        options.set_defaults(conf, verify_ssl=True)
+        verify_ssl = False
+        options.set_defaults(conf, verify_ssl=False)
         self.assertEqual(verify_ssl,
                          conf.barbican.verify_ssl)
 
+        verify_ssl_path = '/mnt'
+        options.set_defaults(conf, verify_ssl_path='/mnt')
+        self.assertEqual(verify_ssl_path,
+                         conf.barbican.verify_ssl_path)
+
         barbican_endpoint_type = 'internal'
         options.set_defaults(conf, barbican_endpoint_type='internal')
         result_type = conf.barbican.barbican_endpoint_type
diff --git a/releasenotes/notes/bug-1876102-7c7288fb6e90b11d.yaml b/releasenotes/notes/bug-1876102-7c7288fb6e90b11d.yaml
new file mode 100644
index 00000000..2b5eddb0
--- /dev/null
+++ b/releasenotes/notes/bug-1876102-7c7288fb6e90b11d.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Add a new parameter, ``verify_ssl_path``, that can be used to
+    configure the path to CA certs when verifying requests to
+    Barbican.