Add restriction for using CA certificate verification

CA certificate verification should be available only if
Bypass verification is disabled.

Partial-Bug: 1616438
Change-Id: Ib83210f52c7874398fcb1791e51091e05151273f
Depends-On: Id38bf7c74869fa60852ca1cb2ccaa9c63412cf64
Elena Kosareva 2016-08-26 18:34:09 +03:00
parent 330c26c1e6
commit 7f02c12ed9
5 changed files with 57 additions and 50 deletions


@ -1658,7 +1658,7 @@
source: *non_empty_string
error: "Empty vCenter password"
-
name: "vcenter_insecure"
name: "vcenter_unsecure"
type: "checkbox"
label: "Bypass vCenter certificate verification"
-
@ -1666,6 +1666,9 @@
type: "file"
label: "CA file"
description: "File containing the trusted CA bundle that emitted vCenter server certificate. Even if CA bundle is not uploaded, certificate verification is turned on."
restrictions:
- condition: "current_vcenter:vcenter_unsecure == true"
message: "Bypass vCenter certificate verification should be disabled."
-
name: "nova_computes"
type: "array"
@ -1748,7 +1751,7 @@
source: *non_empty_string
error: "Invalid datastore"
-
name: "vcenter_insecure"
name: "vcenter_unsecure"
type: "checkbox"
label: "Bypass vCenter certificate verification"
-
@ -1756,6 +1759,9 @@
type: "file"
label: "CA file"
description: "File containing the trusted CA bundle that emitted vCenter server certificate. Even if CA bundle is not uploaded, certificate verification is turned on."
restrictions:
- condition: "glance:vcenter_unsecure == true"
message: "Bypass vCenter certificate verification should be disabled."
value:
availability_zones:
-
@ -1763,7 +1769,7 @@
vcenter_host: ""
vcenter_username: ""
vcenter_password: ""
vcenter_insecure: true
vcenter_unsecure: true
vc_ca_file: {}
nova_computes:
-
@ -1783,7 +1789,7 @@
vcenter_password: ""
datacenter: ""
datastore: ""
vcenter_insecure: true
vcenter_unsecure: true
ca_file: {}
components_metadata:
- name: hypervisor:qemu
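Review bot: The restriction `current_vcenter:vcenter_unsecure == true` added to the availability-zone CA-file field is evaluated against a single `current_vcenter` model, which the task code in this commit builds from `availability_zones[0]`, so in a cluster with more than one availability zone the CA-file field of every later zone is gated by the first zone's bypass flag rather than its own. Unless the restriction engine rebinds `current_vcenter` per zone (not visible here), the model should be built per zone being validated or the condition should reference that zone; the same condition appears in the JSON fixture section below. Separately, the renamed default `vcenter_unsecure: true` keeps certificate bypass as the out-of-the-box setting, which the new restriction now turns into a hidden CA-file field until an operator clears the checkbox; that coupling deserves a sentence in the field description, e.g. `description: "File containing the trusted CA bundle that emitted vCenter server certificate. Clear 'Bypass vCenter certificate verification' to enable this field; even if CA bundle is not uploaded, certificate verification is turned on."`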


@ -30,14 +30,20 @@
},
{
"type": "checkbox",
"name": "vcenter_insecure",
"name": "vcenter_unsecure",
"label": "Bypass vCenter certificate verification"
},
{
"type": "file",
"description": "File containing the trusted CA bundle that emitted vCenter server certificate. Even if CA bundle is not uploaded, certificate verification is turned on.",
"name": "vc_ca_file",
"label": "CA file"
"label": "CA file",
"restrictions": [
{
"condition": "current_vcenter:vcenter_unsecure == true",
"message": "Bypass vCenter certificate verification should be disabled."
}
]
},
{
"fields": [
@ -143,14 +149,20 @@
},
{
"type": "checkbox",
"name": "vcenter_insecure",
"name": "vcenter_unsecure",
"label": "Bypass vCenter certificate verification"
},
{
"type": "file",
"description": "File containing the trusted CA bundle that emitted vCenter server certificate. Even if CA bundle is not uploaded, certificate verification is turned on.",
"name": "ca_file",
"label": "CA file"
"label": "CA file",
"restrictions": [
{
"condition": "glance:vcenter_unsecure == true",
"message": "Bypass vCenter certificate verification should be disabled."
}
]
}
],
"type": "object",
@ -170,7 +182,7 @@
"vcenter_host": "1.2.3.4",
"vcenter_username": "admin",
"vcenter_password": "secret",
"vcenter_insecure": "true",
"vcenter_unsecure": "true",
"vcenter_ca_file": "file_blob",
"nova_computes": [
{
@ -200,7 +212,7 @@
"vcenter_host": "1.2.3.6",
"vcenter_username": "user$",
"vcenter_password": "pass$word",
"vcenter_insecure": "true",
"vcenter_unsecure": "true",
"vcenter_ca_file": "file_blob",
"nova_computes": [
{
@ -222,7 +234,7 @@
"vcenter_password": "secret",
"datacenter": "test_datacenter",
"datastore": "test_datastore",
"vcenter_insecure": "true",
"vcenter_unsecure": "true",
"ca_file": "file_blob"
},
"network": {
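Review bot: The fixture values `"vcenter_unsecure": "true"` in the three value hunks are JSON strings, while the new restriction compares against the boolean literal `true` and the YAML defaults use a boolean; if the expression evaluator compares strictly, the fixture — which also carries `"ca_file": "file_blob"`, exactly the bypass-plus-CA-bundle combination the restriction is meant to catch — would never trigger it. Either make the fixture boolean, `"vcenter_unsecure": true,`, or add a test that asserts the restriction message is produced for this fixture, since no test in this commit exercises the `== true` path for either `current_vcenter` or `glance`. Whether the evaluator coerces strings is not visible here, so confirm before changing the fixture.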


@ -182,7 +182,7 @@ class VmwareDeploymentSerializerMixin(object):
'vc_host': zone.get('vcenter_host', ''),
'vc_user': vc_user,
'vc_password': vc_password,
'vc_insecure': zone.get('vcenter_insecure', ''),
'vc_insecure': zone.get('vcenter_unsecure', ''),
'vc_ca_file': zone.get('vcenter_ca_file', ''),
'service_name': compute.get('service_name', ''),
'vc_cluster': compute.get('vsphere_cluster', ''),
@ -198,7 +198,7 @@ class VmwareDeploymentSerializerMixin(object):
'vc_host': zone.get('vcenter_host', ''),
'vc_user': vc_user,
'vc_password': vc_password,
'vc_insecure': zone.get('vcenter_insecure', ''),
'vc_insecure': zone.get('vcenter_unsecure', ''),
'vc_ca_file': zone.get('vcenter_ca_file', '')
}
cinder_instances.append(cinder_item)
@ -231,7 +231,7 @@ class VmwareDeploymentSerializerMixin(object):
'vc_password': glance_password,
'vc_datacenter': glance_instance.get('datacenter', ''),
'vc_datastore': glance_instance.get('datastore', ''),
'vc_insecure': glance_instance.get('vcenter_insecure', ''),
'vc_insecure': glance_instance.get('vcenter_unsecure', ''),
'vc_ca_file': glance_instance.get('ca_file', '')
}
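Review bot: `zone.get('vcenter_unsecure', '')` silently changes the effective setting for clusters whose stored attributes still carry the old `vcenter_insecure` key: no migration of persisted attribute data is visible in this change, so such a zone now serializes `vc_insecure` as `''` regardless of what the operator chose (the same applies to the cinder hunk and the glance hunk below). If the Depends-On change migrates stored values this is fine and a comment saying so would help; otherwise decide explicitly whether upgraded clusters should fall back to the previous key, `'vc_insecure': zone.get('vcenter_unsecure', zone.get('vcenter_insecure', '')),`, or fail closed with verification enabled, and state that in a comment at the lookup. The enclosing method continues outside the hunk in all three places.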


@ -1691,6 +1691,9 @@ class CheckBeforeDeploymentTask(object):
'settings': attributes,
'default': vmware_attributes.editable,
'cluster': task.cluster,
'current_vcenter': vmware_attributes.editable['value'].get(
'availability_zones')[0],
'glance': vmware_attributes.editable['value'].get('glance'),
'version': settings.VERSION,
'networking_parameters': task.cluster.network_config
}
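Review bot: `vmware_attributes.editable['value'].get('availability_zones')[0]` raises `TypeError` when the key is absent (`None[0]`) and `IndexError` when the list is empty, so a malformed attribute set now surfaces as an unhandled exception in the pre-deployment check instead of a validation error; a guard such as `(vmware_attributes.editable['value'].get('availability_zones') or [{}])[0]` keeps the check running, assuming the restriction engine treats a missing key as not-equal-to-true (confirm). Exposing only the first zone as `current_vcenter` also means restrictions on fields of any other availability zone are evaluated against the first zone's `vcenter_unsecure`, which is likely not the intent for multi-zone clusters. The same lookup is duplicated by hand in the test helper `_get_models`, so the two will drift unless the tests call this code. The enclosing method continues outside the hunk.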


@ -322,6 +322,18 @@ class TestVmwareAttributesRestriction(base.BaseTestCase):
)
self.vm_data = self.env.read_fixtures(['vmware_attributes'])[0]
def _get_models(self, attributes, vmware_attributes):
return {
'settings': attributes,
'default': vmware_attributes['editable'],
'current_vcenter': vmware_attributes['editable']['value'].get(
'availability_zones')[0],
'glance': vmware_attributes['editable']['value'].get('glance'),
'cluster': self.cluster,
'version': settings.VERSION,
'networking_parameters': self.cluster.network_config
}
def test_check_data_with_empty_values_without_restrictions(self):
attributes = objects.Cluster.get_editable_attributes(self.cluster)
attributes['common']['use_vcenter']['value'] = True
@ -334,6 +346,8 @@ class TestVmwareAttributesRestriction(base.BaseTestCase):
"vcenter_host": "",
"vcenter_username": "",
"vcenter_password": "",
"vcenter_unsecure": "",
"vc_ca_file": {},
"nova_computes": [
{
"vsphere_cluster": "",
@ -351,18 +365,14 @@ class TestVmwareAttributesRestriction(base.BaseTestCase):
"vcenter_username": "",
"vcenter_password": "",
"datacenter": "",
"datastore": ""
"datastore": "",
"vcenter_unsecure": "",
"ca_file": {}
}
}
# Update value with empty value
vmware_attributes['editable']['value'] = empty_values
models = {
'settings': attributes,
'default': vmware_attributes['editable'],
'cluster': self.cluster,
'version': settings.VERSION,
'networking_parameters': self.cluster.network_config
}
models = self._get_models(attributes, vmware_attributes)
errs = VmwareAttributesRestriction.check_data(
models=models,
@ -381,13 +391,7 @@ class TestVmwareAttributesRestriction(base.BaseTestCase):
# value data taken from fixture one cluster of
# nova computes left empty
vmware_attributes = self.vm_data.copy()
models = {
'settings': attributes,
'default': vmware_attributes['editable'],
'cluster': self.cluster,
'version': settings.VERSION,
'networking_parameters': self.cluster.network_config
}
models = self._get_models(attributes, vmware_attributes)
errs = VmwareAttributesRestriction.check_data(
models=models,
@ -400,13 +404,7 @@ class TestVmwareAttributesRestriction(base.BaseTestCase):
# fixture have restrictions enabled for glance that's why
# only 'Empty cluster' should returned
vmware_attributes = self.vm_data.copy()
models = {
'settings': attributes,
'default': vmware_attributes['editable'],
'cluster': self.cluster,
'version': settings.VERSION,
'networking_parameters': self.cluster.network_config
}
models = self._get_models(attributes, vmware_attributes)
errs = VmwareAttributesRestriction.check_data(
models=models,
@ -423,13 +421,7 @@ class TestVmwareAttributesRestriction(base.BaseTestCase):
for j, ncompute in enumerate(azone['nova_computes']):
ncompute['vsphere_cluster'] = 'cluster-{0}-{1}'.format(i, j)
models = {
'settings': attributes,
'default': vmware_attributes['editable'],
'cluster': self.cluster,
'version': settings.VERSION,
'networking_parameters': self.cluster.network_config
}
models = self._get_models(attributes, vmware_attributes)
errs = VmwareAttributesRestriction.check_data(
models=models,
@ -452,13 +444,7 @@ class TestVmwareAttributesRestriction(base.BaseTestCase):
glance = vmware_attributes['editable']['value']['glance']
glance['datacenter'] = 'test_datacenter'
glance['datastore'] = 'test_datastore'
models = {
'settings': attributes,
'default': vmware_attributes['editable'],
'cluster': self.cluster,
'version': settings.VERSION,
'networking_parameters': self.cluster.network_config
}
models = self._get_models(attributes, vmware_attributes)
errs = VmwareAttributesRestriction.check_data(
models=models,