From d4f1fa457a0fcbd1ac84c816157175c090958d6f Mon Sep 17 00:00:00 2001 From: Lucian Petrut Date: Wed, 1 Aug 2018 14:05:17 +0300 Subject: [PATCH] Enable trusted certificates support A recent feature has been added, allowing users to specify trusted certificates (e.g. as barbican secret ids). The idea is to ensure that the certificates used to sign and validate the glance image are actually trusted by the user. In order to enable this feature within our driver, all we have to do is pass the trusted certificate ids (stored as an instance object attribute) to the method that fetches glance images. Blueprint: nova-validate-certificates Change-Id: Ic28f2b3ecf4ca92dcb7e9643c6e0d207d40b5287 --- compute_hyperv/nova/driver.py | 1 + compute_hyperv/nova/imagecache.py | 3 ++- compute_hyperv/tests/fake_instance.py | 1 + compute_hyperv/tests/unit/test_imagecache.py | 10 +++++++--- 4 files changed, 11 insertions(+), 4 deletions(-) diff --git a/compute_hyperv/nova/driver.py b/compute_hyperv/nova/driver.py index c97cc5ed..5525fc8e 100644 --- a/compute_hyperv/nova/driver.py +++ b/compute_hyperv/nova/driver.py @@ -105,6 +105,7 @@ class HyperVDriver(driver.ComputeDriver): "supports_tagged_attach_volume": True, "supports_extend_volume": True, "supports_multiattach": False, + "supports_trusted_certs": True, } def __init__(self, virtapi): diff --git a/compute_hyperv/nova/imagecache.py b/compute_hyperv/nova/imagecache.py index d8c47bed..9d47a6ab 100644 --- a/compute_hyperv/nova/imagecache.py +++ b/compute_hyperv/nova/imagecache.py @@ -121,7 +121,8 @@ class ImageCache(imagecache.ImageCacheManager): if not image_path: try: - images.fetch(context, image_id, base_image_path) + images.fetch(context, image_id, base_image_path, + instance.trusted_certs) if image_type == 'iso': format_ext = 'iso' else: diff --git a/compute_hyperv/tests/fake_instance.py b/compute_hyperv/tests/fake_instance.py index 8bec07e1..42914cff 100644 --- a/compute_hyperv/tests/fake_instance.py 
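Review bot: The `"supports_trusted_certs": True` entry in the capabilities dict is unconditional, while the only enforcement visible in this patch is the single `images.fetch` call changed in imagecache.py. If the driver has any other code path that downloads a Glance image, that path would presumably skip certificate validation while the driver still advertises support. I would add a comment above the flag, `# Enforced in ImageCache: every images.fetch() call must pass instance.trusted_certs.`, so that later download paths are not added without it. The capabilities dict and the class continue outside the hunk.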
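Review bot: Certificate validation is tied to the download here, because the changed `images.fetch(...)` call sits under `if not image_path:` and so runs only when no cached copy was found. An image already in the cache, possibly fetched earlier for an instance with no trusted certs or with a different set, appears to be reused without being checked against this instance's `trusted_certs`. Whether that is acceptable depends on how the cache is keyed and shared, which is outside the hunk. At minimum I would document the limitation at the call site, `# NOTE: trusted_certs are validated only on download; a cached base image is reused as-is.`. The enclosing method starts and ends outside the hunk.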
+++ b/compute_hyperv/tests/fake_instance.py @@ -40,6 +40,7 @@ def fake_db_instance(**updates): 'flavor': flavorinfo, 'numa_topology': None, 'vcpu_model': None, + 'trusted_certs': None, }, 'tags': [], 'services': [] diff --git a/compute_hyperv/tests/unit/test_imagecache.py b/compute_hyperv/tests/unit/test_imagecache.py index b0666668..1df8ee2a 100644 --- a/compute_hyperv/tests/unit/test_imagecache.py +++ b/compute_hyperv/tests/unit/test_imagecache.py @@ -49,7 +49,9 @@ class ImageCacheTestCase(test_base.HyperVBaseTestCase): super(ImageCacheTestCase, self).setUp() self.context = 'fake-context' - self.instance = fake_instance.fake_instance_obj(self.context) + self.instance = fake_instance.fake_instance_obj( + self.context, + expected_attrs=['trusted_certs']) self.imagecache = imagecache.ImageCache() self.tmpdir = self.useFixture(fixtures.TempDir()).path @@ -120,7 +122,8 @@ class ImageCacheTestCase(test_base.HyperVBaseTestCase): self.assertEqual(expected_image_path, result) mock_fetch.assert_called_once_with(self.context, self.FAKE_IMAGE_REF, - expected_path) + expected_path, + self.instance.trusted_certs) self.imagecache._vhdutils.get_vhd_format.assert_called_once_with( expected_path) self.imagecache._pathutils.rename.assert_called_once_with( @@ -178,7 +181,8 @@ class ImageCacheTestCase(test_base.HyperVBaseTestCase): mock_fetch.assert_called_once_with(self.context, fake_rescue_image_id, - expected_path) + expected_path, + self.instance.trusted_certs) self.imagecache._vhdutils.get_vhd_info.assert_called_once_with( expected_vhd_path)
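Review bot: The updated assertions in the hunks at `@@ -120,7 +122,8 @@` and `@@ -178,7 +181,8 @@` compare against `self.instance.trusted_certs`, which is `None` here because fake_instance.py sets `'trusted_certs': None`. They would therefore still pass if the code forwarded a literal `None` instead of the instance's certificates. Giving the fixture a non-empty value in `setUp` would pin that the real ids reach `images.fetch`, for example `self.instance.trusted_certs = objects.TrustedCerts(ids=['constructed-cert-id'])` (a constructed id; this assumes `nova.objects` can be imported in this test module). The test methods holding both assertions start outside their hunks.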