From 90f5374f73ea8dd5f41c9ca8f2ed447d5a37285a Mon Sep 17 00:00:00 2001
From: Manuel Buil
Date: Mon, 15 Jan 2018 15:24:47 +0100
Subject: [PATCH] Check certificates for vim
This patch tries to fix the bug: https://bugs.launchpad.net/tacker/+bug/1719841 This is already fixed in master: https://review.openstack.org/#/c/529374/15
Change-Id: I0401e8e385a690695061e558c15856c8a2fe0db9
Signed-off-by: Manuel Buil
---
 samples/vim/vim_config.yaml | 1 +
 tacker/nfvo/drivers/vim/openstack_driver.py | 17 +++++++++++------
 tacker/tests/unit/db/utils.py | 13 +++++++------
 .../nfvo/drivers/vim/test_openstack_driver.py | 7 +++++--
 tacker/vnfm/keystone.py | 11 ++++++-----
 5 files changed, 30 insertions(+), 19 deletions(-)
diff --git a/samples/vim/vim_config.yaml b/samples/vim/vim_config.yaml
index fe2bd65a7..1903d1aeb 100644
--- a/samples/vim/vim_config.yaml
+++ b/samples/vim/vim_config.yaml
@@ -4,3 +4,4 @@ password: 'mySecretPW'
 project_name: 'nfv'
 project_domain_name: 'Default'
 user_domain_name: 'Default'
+cert_verify: 'False'
diff --git a/tacker/nfvo/drivers/vim/openstack_driver.py b/tacker/nfvo/drivers/vim/openstack_driver.py
index 699c297fb..153870dc8 100644
--- a/tacker/nfvo/drivers/vim/openstack_driver.py
+++ b/tacker/nfvo/drivers/vim/openstack_driver.py
@@ -116,8 +116,10 @@ class OpenStack_Driver(abstract_vim_driver.VimAbstractDriver,
 Initialize keystoneclient with provided authentication attributes.
 """
+ verify = ('True' == vim_obj['auth_cred'].get('cert_verify', 'True')
+ or False)
 auth_url = vim_obj['auth_url']
- keystone_version = self._validate_auth_url(auth_url)
+ keystone_version = self._validate_auth_url(auth_url, verify=verify)
 auth_cred = self._get_auth_creds(keystone_version, vim_obj)
 return self._initialize_keystone(keystone_version, auth_cred)
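Review bot: The sample VIM config now ships with `cert_verify: 'False'`, so anyone who registers a VIM from a copy of this file turns TLS certificate verification off without having chosen to. The sample should show the safe value, `cert_verify: 'True'`, with a comment above it such as `# set to 'False' only for lab endpoints with self-signed certificates`. The value is a quoted string and the driver code in this patch compares it against the exact string 'True', which that comment could also state.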
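Review bot: The new `verify = ('True' == vim_obj['auth_cred'].get('cert_verify', 'True') or False)` turns certificate verification off for every value other than the exact string 'True': 'true', '1', or a boolean `True` from an unquoted YAML value all evaluate to False. A TLS setting should not fail open on a parse mismatch; only an explicit false should disable it, e.g. `verify = str(vim_obj['auth_cred'].get('cert_verify', 'True')).lower() != 'false'`, and the trailing `or False` has no effect and can be dropped. The same expression is repeated in the -331,8 hunk, in `NeutronClient.__init__`, and in `Keystone.initialize_client` in tacker/vnfm/keystone.py, so one shared helper would keep the four sites consistent. The enclosing method starts outside this hunk.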
@@ -150,9 +152,9 @@ class OpenStack_Driver(abstract_vim_driver.VimAbstractDriver,
 return auth_plugin
- def _validate_auth_url(self, auth_url):
+ def _validate_auth_url(self, auth_url, verify):
 try:
- keystone_version = self.keystone.get_version(auth_url)
+ keystone_version = self.keystone.get_version(auth_url, verify)
 except Exception as e:
 LOG.error('VIM Auth URL invalid')
 raise nfvo.VimConnectionException(message=str(e))
@@ -331,8 +333,9 @@ class OpenStack_Driver(abstract_vim_driver.VimAbstractDriver,
 :param client_type: openstack client to initialize
 :return: initialized client
 """
+ verify = 'True' == vim_obj.get('cert_verify', 'True') or False
 auth_url = vim_obj['auth_url']
- keystone_version = self._validate_auth_url(auth_url)
+ keystone_version = self._validate_auth_url(auth_url, verify=verify)
 auth_cred = self._get_auth_creds(keystone_version, vim_obj)
 auth_plugin = self._get_auth_plugin(keystone_version, **auth_cred)
 sess = session.Session(auth=auth_plugin)
@@ -542,8 +545,10 @@ class NeutronClient(object):
 """Neutron Client class for networking-sfc driver"""
 def __init__(self, auth_attr):
- auth = identity.Password(**auth_attr)
- sess = session.Session(auth=auth)
+ auth_cred = auth_attr.copy()
+ verify = 'True' == auth_cred.pop('cert_verify', 'True') or False
+ auth = identity.Password(**auth_cred)
+ sess = session.Session(auth=auth, verify=verify)
 self.client = neutron_client.Client(session=sess)
 def flow_classifier_create(self, fc_dict):
diff --git a/tacker/tests/unit/db/utils.py b/tacker/tests/unit/db/utils.py
index 1769e9720..3a678b8d4 100644
--- a/tacker/tests/unit/db/utils.py
+++ b/tacker/tests/unit/db/utils.py
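Review bot: A certificate validation failure from `get_version` now lands in the existing `except Exception` branch and is logged only as 'VIM Auth URL invalid', which points the operator at the URL rather than at the certificate. Logging the cause, `LOG.error('VIM auth URL validation failed: %s', e)`, keeps a TLS failure distinguishable from a wrong endpoint. `verify` is also added as a required positional parameter; `def _validate_auth_url(self, auth_url, verify=True):` would keep any caller outside this patch working and verifying by default.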
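Review bot: `verify` is read here from the top level of `vim_obj`, while the registration path in the -116,8 hunk reads `vim_obj['auth_cred']`; if `cert_verify` is stored only under `auth_cred`, as in the test fixtures of this patch, this lookup always falls back to 'True'. The flag is also applied only to the version probe: the last context line still builds `session.Session(auth=auth_plugin)` without it, so the client session presumably keeps the library default whatever the setting says. Reading the flag from the same place in both methods and using `sess = session.Session(auth=auth_plugin, verify=verify)` would make the behaviour consistent. The method's signature and the rest of its body are outside the hunk, so the shape of `vim_obj` at this point should be confirmed.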
@@ -147,12 +147,12 @@ def get_dummy_vnf_update_config():
 def get_vim_obj():
- return {'vim': {'type': 'openstack', 'auth_url':
- 'http://localhost:5000', 'vim_project': {'name':
- 'test_project'}, 'auth_cred': {'username': 'test_user',
- 'password':
- 'test_password'},
- 'name': 'VIM0',
+ return {'vim': {'type': 'openstack', 'auth_url': 'http://localhost:5000',
+ 'vim_project': {'name': 'test_project'},
+ 'auth_cred': {'username': 'test_user',
+ 'password': 'test_password',
+ 'cert_verify': 'True'},
+ 'name': 'VIM0',
 'tenant_id': 'test-project'}}
@@ -161,6 +161,7 @@ def get_vim_auth_obj():
 'password': 'test_password',
 'project_id': None,
 'project_name': 'test_project',
+ 'cert_verify': 'True',
 'auth_url': 'http://localhost:5000/v3',
 'user_domain_name': 'default',
 'project_domain_name': 'default'}
diff --git a/tacker/tests/unit/nfvo/drivers/vim/test_openstack_driver.py b/tacker/tests/unit/nfvo/drivers/vim/test_openstack_driver.py
index 5a4f412ed..a2f65a11d 100644
--- a/tacker/tests/unit/nfvo/drivers/vim/test_openstack_driver.py
+++ b/tacker/tests/unit/nfvo/drivers/vim/test_openstack_driver.py
@@ -90,6 +90,7 @@ class TestOpenstack_Driver(base.TestCase):
 'auth_cred': {'username': 'test_user',
 'password': 'test_password',
 'user_domain_name': 'default',
+ 'cert_verify': 'True',
 'auth_url': 'http://localhost:5000'},
 'name': 'VIM0',
 'vim_project': {'name': 'test_project',
@@ -103,6 +104,7 @@ class TestOpenstack_Driver(base.TestCase):
 'user_domain_name': 'default',
 'key_type': 'barbican_key',
 'secret_uuid': 'fake-secret-uuid',
+ 'cert_verify': 'True',
 'auth_url': 'http://localhost:5000'},
 'name': 'VIM0',
 'vim_project': {'name': 'test_project',
@@ -131,8 +133,9 @@ class TestOpenstack_Driver(base.TestCase):
 mock_ks_client = mock.Mock(version='v2.0', **attrs)
 self.keystone.get_version.return_value = keystone_version
 auth_obj = {'tenant_name': 'test_project', 'username': 'test_user',
- 'password': 'test_password', 'auth_url':
- 'http://localhost:5000/v2.0', 'tenant_id': None}
+ 'password': 'test_password', 'cert_verify': 'True',
+ 'auth_url': 'http://localhost:5000/v2.0',
+ 'tenant_id': None}
 self._test_register_vim(self.vim_obj, mock_ks_client)
 self.keystone.initialize_client.assert_called_once_with(
 version=keystone_version, **auth_obj)
diff --git a/tacker/vnfm/keystone.py b/tacker/vnfm/keystone.py
index 5c3ae1888..04d8a5a1f 100644
--- a/tacker/vnfm/keystone.py
+++ b/tacker/vnfm/keystone.py
@@ -36,21 +36,22 @@ class Keystone(object):
 instance such as version, session and client
 """
- def get_version(self, base_url=None):
+ def get_version(self, base_url=None, verify=True):
 try:
- keystone_client = client.Client(auth_url=base_url)
+ keystone_client = client.Client(auth_url=base_url, verify=verify)
 except exceptions.ConnectionError:
 raise
 return keystone_client.version
- def get_session(self, auth_plugin):
- ses = session.Session(auth=auth_plugin)
+ def get_session(self, auth_plugin, verify):
+ ses = session.Session(auth=auth_plugin, verify=verify)
 return ses
 def get_endpoint(self, ses, service_type, region_name=None):
 return ses.get_endpoint(service_type, region_name)
 def initialize_client(self, version, **kwargs):
+ verify = 'True' == kwargs.pop('cert_verify', 'True') or False
 if version == 'v2.0':
 from keystoneclient.v2_0 import client
 if 'token' in kwargs:
@@ -63,7 +64,7 @@ class Keystone(object):
 auth_plugin = identity.v3.Token(**kwargs)
 else:
 auth_plugin = identity.v3.Password(**kwargs)
- ses = self.get_session(auth_plugin=auth_plugin)
+ ses = self.get_session(auth_plugin=auth_plugin, verify=verify)
 cli = client.Client(session=ses)
 return cli
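Review bot: Every fixture touched by this patch sets `'cert_verify': 'True'`, so the only path exercised is the one that leaves verification on; nothing pins what happens for 'False', a missing key, or a non-string value. A case that registers a VIM with `'cert_verify': 'False'` and asserts that `self.keystone.get_version` received `False` as its verify argument, plus one with the key absent asserting it received `True`, would cover the new branch. The test method begins outside this hunk.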
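Review bot: `get_session` gains `verify` as a required parameter while `get_version` in the same hunk defaults it to `True`, so any caller of `get_session` that this patch does not update would raise TypeError. `def get_session(self, auth_plugin, verify=True):` matches `get_version` and keeps verification on when the argument is omitted. Both methods would also benefit from a one-line docstring stating that `verify` is passed through to the keystone client or session as the TLS certificate verification flag, since the new parameter is undocumented.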