From fa5b81f903b3ac0028f7e935aea728a443689bfe Mon Sep 17 00:00:00 2001
From: junboli
Date: Fri, 17 Nov 2017 13:22:01 +0800
Subject: [PATCH] Add ssl support for manila API access
Currently, Manila does not support secure access the manila APIs, obviously, this is a defect for manila service. This change is to add ssl support for manila project.
Closes-bug: #1732844
Closes-bug: #1730529
Change-Id: I2dbc52ce95933e648cc065b2b2112788bf4484d0
---
 doc/source/configuration/tables/manila-ca.inc | 8 ++------
 manila/service.py | 6 ++++++
 manila/tests/test_service.py | 12 ++++++++++++
 3 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/doc/source/configuration/tables/manila-ca.inc b/doc/source/configuration/tables/manila-ca.inc
index 0d034ab2a7..2f7468de7a 100644
--- a/doc/source/configuration/tables/manila-ca.inc
+++ b/doc/source/configuration/tables/manila-ca.inc
@@ -18,9 +18,5 @@
 - Description * - **[DEFAULT]** - - * - ``ssl_ca_file`` = ``None`` - (String) CA certificate file to use to verify connecting clients. * - ``ssl_cert_file`` = ``None`` - (String) Certificate file to use when starting the server securely. * - ``ssl_key_file`` = ``None`` - (String) Private key file to use when starting the server securely.
+ * - ``osapi_share_use_ssl`` = ``False``
+ - (Boolean) Wraps the socket in a SSL context if True is set.
diff --git a/manila/service.py b/manila/service.py
index a6d52703dd..d5c815971a 100644
--- a/manila/service.py
+++ b/manila/service.py
@@ -60,6 +60,10 @@ service_opts = [
 cfg.IntOpt('osapi_share_workers',
 default=1,
 help='Number of workers for OpenStack Share API service.'),
+ cfg.BoolOpt('osapi_share_use_ssl',
+ default=False,
+ help='Wraps the socket in a SSL context if True is set. '
+ 'A certificate file and key file must be specified.'),
 ]
 CONF = cfg.CONF
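Review bot: The help string added for `osapi_share_use_ssl` in `service_opts` (manila/service.py) says a certificate file and key file must be specified but not which options carry them, and this same commit removes `ssl_ca_file`, `ssl_cert_file` and `ssl_key_file` from the documented [DEFAULT] table. An operator who enables TLS from this text alone has no pointer to the settings that make it work. In oslo.service these are normally `cert_file` and `key_file` (with `ca_file` for client verification) in the `[ssl]` group; confirm against the oslo.service release in use, then name them, e.g. `'A certificate file and key file must be specified via cert_file and key_file in the [ssl] group.'`. The `service_opts` list starts outside the hunk.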
@@ -290,6 +294,7 @@ class WSGIService(service.ServiceBase):
 self.host = getattr(CONF, '%s_listen' % name, "0.0.0.0")
 self.port = getattr(CONF, '%s_listen_port' % name, 0)
 self.workers = getattr(CONF, '%s_workers' % name, None)
+ self.use_ssl = getattr(CONF, '%s_use_ssl' % name, False)
 if self.workers is not None and self.workers < 1:
 LOG.warning(
 "Value of config option %(name)s_workers must be integer "
@@ -302,6 +307,7 @@ class WSGIService(service.ServiceBase):
 self.app,
 host=self.host,
 port=self.port,
+ use_ssl=self.use_ssl
 )
 def _get_manager(self):
diff --git a/manila/tests/test_service.py b/manila/tests/test_service.py
index c0d78d5ae2..4e67ed547d 100644
--- a/manila/tests/test_service.py
+++ b/manila/tests/test_service.py
@@ -226,3 +226,15 @@ class TestWSGIService(test.TestCase):
 self.test_service.start()
 self.assertGreater(self.test_service.server._pool.size, 0)
 wsgi.Loader.load_app.assert_called_once_with("test_service")
+
+ @mock.patch('oslo_service.wsgi.Server')
+ @mock.patch('oslo_service.wsgi.Loader')
+ def test_ssl_enabled(self, mock_loader, mock_server):
+ self.override_config('osapi_share_use_ssl', True)
+
+ service.WSGIService("osapi_share")
+ mock_server.assert_called_once_with(mock.ANY, mock.ANY, mock.ANY,
+ port=mock.ANY, host=mock.ANY,
+ use_ssl=True)
+
+ self.assertTrue(mock_loader.called)
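Review bot: In the `@@ -290,6 +294,7 @@` hunk of manila/service.py, `getattr(CONF, '%s_use_ssl' % name, False)` falls back to a plaintext listener without any trace when no `<name>_use_ssl` option is registered for the service name, and the context line above it shows the listener defaulting to `0.0.0.0`. Because the silent default is the unencrypted state, record the effective mode once at construction, e.g. `LOG.info("%(name)s listening with use_ssl=%(ssl)s", {'name': name, 'ssl': self.use_ssl})`, so a mistyped or missing option shows up in the startup log. The constructor body starts and ends outside the hunk. In the next hunk (`@@ -302,6 +307,7 @@`), `use_ssl=self.use_ssl` is the only keyword argument in the call without a trailing comma.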
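Review bot: `test_ssl_enabled` in manila/tests/test_service.py pins only the enabled path; nothing asserts that an unmodified configuration hands `use_ssl=False` to the server, so a later change that flips the default in either direction would pass this suite. A sibling test that builds the same service without the override and checks the keyword would close that gap. The final `self.assertTrue(mock_loader.called)` only shows the loader class was instantiated; an assertion on the arguments it was called with would be tighter.

```python
    @mock.patch('oslo_service.wsgi.Server')
    @mock.patch('oslo_service.wsgi.Loader')
    def test_ssl_disabled_by_default(self, mock_loader, mock_server):
        # No override_config: the option's registered default applies.
        service.WSGIService("osapi_share")
        mock_server.assert_called_once_with(mock.ANY, mock.ANY, mock.ANY,
                                            port=mock.ANY, host=mock.ANY,
                                            use_ssl=False)
```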