Add restriction for using CA certificate verification
CA certificate verification should be available only if Bypass verification is disabled. Partial-Bug: 1616438 Change-Id: Ib83210f52c7874398fcb1791e51091e05151273f Depends-On: Id38bf7c74869fa60852ca1cb2ccaa9c63412cf64
parent
330c26c1e6
commit
7f02c12ed9
|
@ -1658,7 +1658,7 @@
|
|||
source: *non_empty_string
|
||||
error: "Empty vCenter password"
|
||||
-
|
||||
name: "vcenter_insecure"
|
||||
name: "vcenter_unsecure"
|
||||
type: "checkbox"
|
||||
label: "Bypass vCenter certificate verification"
|
||||
-
|
||||
|
@ -1666,6 +1666,9 @@
|
|||
type: "file"
|
||||
label: "CA file"
|
||||
description: "File containing the trusted CA bundle that emitted vCenter server certificate. Even if CA bundle is not uploaded, certificate verification is turned on."
|
||||
restrictions:
|
||||
- condition: "current_vcenter:vcenter_unsecure == true"
|
||||
message: "Bypass vCenter certificate verification should be disabled."
|
||||
-
|
||||
name: "nova_computes"
|
||||
type: "array"
|
||||
|
@ -1748,7 +1751,7 @@
|
|||
source: *non_empty_string
|
||||
error: "Invalid datastore"
|
||||
-
|
||||
name: "vcenter_insecure"
|
||||
name: "vcenter_unsecure"
|
||||
type: "checkbox"
|
||||
label: "Bypass vCenter certificate verification"
|
||||
-
|
||||
|
@ -1756,6 +1759,9 @@
|
|||
type: "file"
|
||||
label: "CA file"
|
||||
description: "File containing the trusted CA bundle that emitted vCenter server certificate. Even if CA bundle is not uploaded, certificate verification is turned on."
|
||||
restrictions:
|
||||
- condition: "glance:vcenter_unsecure == true"
|
||||
message: "Bypass vCenter certificate verification should be disabled."
|
||||
value:
|
||||
availability_zones:
|
||||
-
|
||||
|
@ -1763,7 +1769,7 @@
|
|||
vcenter_host: ""
|
||||
vcenter_username: ""
|
||||
vcenter_password: ""
|
||||
vcenter_insecure: true
|
||||
vcenter_unsecure: true
|
||||
vc_ca_file: {}
|
||||
nova_computes:
|
||||
-
|
||||
|
@ -1783,7 +1789,7 @@
|
|||
vcenter_password: ""
|
||||
datacenter: ""
|
||||
datastore: ""
|
||||
vcenter_insecure: true
|
||||
vcenter_unsecure: true
|
||||
ca_file: {}
|
||||
components_metadata:
|
||||
- name: hypervisor:qemu
|
||||
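Review bot: The defaults in the last two hunks of this section keep `vcenter_unsecure: true` for both the availability zone and glance, so a fresh environment starts with vCenter certificate verification bypassed and, with the new `restrictions` entries, with the CA file field restricted until the operator unticks the box. Since the field description already says verification works without an uploaded bundle, `vcenter_unsecure: false` in both value blocks would be the safer default. The restriction message would also be clearer if it explained the state, e.g. `message: "CA file is used only when certificate verification is not bypassed."`. Separately, the key is renamed to `vcenter_unsecure` while the serialized key elsewhere in this commit stays `vc_insecure`; one spelling would make the setting easier to grep and audit.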
|
|
|
@ -30,14 +30,20 @@
|
|||
},
|
||||
{
|
||||
"type": "checkbox",
|
||||
"name": "vcenter_insecure",
|
||||
"name": "vcenter_unsecure",
|
||||
"label": "Bypass vCenter certificate verification"
|
||||
},
|
||||
{
|
||||
"type": "file",
|
||||
"description": "File containing the trusted CA bundle that emitted vCenter server certificate. Even if CA bundle is not uploaded, certificate verification is turned on.",
|
||||
"name": "vc_ca_file",
|
||||
"label": "CA file"
|
||||
"label": "CA file",
|
||||
"restrictions": [
|
||||
{
|
||||
"condition": "current_vcenter:vcenter_unsecure == true",
|
||||
"message": "Bypass vCenter certificate verification should be disabled."
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"fields": [
|
||||
|
@ -143,14 +149,20 @@
|
|||
},
|
||||
{
|
||||
"type": "checkbox",
|
||||
"name": "vcenter_insecure",
|
||||
"name": "vcenter_unsecure",
|
||||
"label": "Bypass vCenter certificate verification"
|
||||
},
|
||||
{
|
||||
"type": "file",
|
||||
"description": "File containing the trusted CA bundle that emitted vCenter server certificate. Even if CA bundle is not uploaded, certificate verification is turned on.",
|
||||
"name": "ca_file",
|
||||
"label": "CA file"
|
||||
"label": "CA file",
|
||||
"restrictions": [
|
||||
{
|
||||
"condition": "glance:vcenter_unsecure == true",
|
||||
"message": "Bypass vCenter certificate verification should be disabled."
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"type": "object",
|
||||
|
@ -170,7 +182,7 @@
|
|||
"vcenter_host": "1.2.3.4",
|
||||
"vcenter_username": "admin",
|
||||
"vcenter_password": "secret",
|
||||
"vcenter_insecure": "true",
|
||||
"vcenter_unsecure": "true",
|
||||
"vcenter_ca_file": "file_blob",
|
||||
"nova_computes": [
|
||||
{
|
||||
|
@ -200,7 +212,7 @@
|
|||
"vcenter_host": "1.2.3.6",
|
||||
"vcenter_username": "user$",
|
||||
"vcenter_password": "pass$word",
|
||||
"vcenter_insecure": "true",
|
||||
"vcenter_unsecure": "true",
|
||||
"vcenter_ca_file": "file_blob",
|
||||
"nova_computes": [
|
||||
{
|
||||
|
@ -222,7 +234,7 @@
|
|||
"vcenter_password": "secret",
|
||||
"datacenter": "test_datacenter",
|
||||
"datastore": "test_datastore",
|
||||
"vcenter_insecure": "true",
|
||||
"vcenter_unsecure": "true",
|
||||
"ca_file": "file_blob"
|
||||
},
|
||||
"network": {
|
||||
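Review bot: The fixture values in the later hunks of this section store `"vcenter_unsecure": "true"` as a string, while the restriction conditions in the same file compare against a boolean literal (`current_vcenter:vcenter_unsecure == true`) and the YAML defaults use a real boolean. If the expression evaluator compares strictly, the new restrictions would never fire against this fixture, so tests built on it would not exercise them; `"vcenter_unsecure": true` would match the shipped defaults. The availability-zone entries also carry `vcenter_ca_file` while the field declared in this file is named `vc_ca_file`, which looks like a mismatch worth confirming against the serializer.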
|
|
|
@ -182,7 +182,7 @@ class VmwareDeploymentSerializerMixin(object):
|
|||
'vc_host': zone.get('vcenter_host', ''),
|
||||
'vc_user': vc_user,
|
||||
'vc_password': vc_password,
|
||||
'vc_insecure': zone.get('vcenter_insecure', ''),
|
||||
'vc_insecure': zone.get('vcenter_unsecure', ''),
|
||||
'vc_ca_file': zone.get('vcenter_ca_file', ''),
|
||||
'service_name': compute.get('service_name', ''),
|
||||
'vc_cluster': compute.get('vsphere_cluster', ''),
|
||||
|
@ -198,7 +198,7 @@ class VmwareDeploymentSerializerMixin(object):
|
|||
'vc_host': zone.get('vcenter_host', ''),
|
||||
'vc_user': vc_user,
|
||||
'vc_password': vc_password,
|
||||
'vc_insecure': zone.get('vcenter_insecure', ''),
|
||||
'vc_insecure': zone.get('vcenter_unsecure', ''),
|
||||
'vc_ca_file': zone.get('vcenter_ca_file', '')
|
||||
}
|
||||
cinder_instances.append(cinder_item)
|
||||
|
@ -231,7 +231,7 @@ class VmwareDeploymentSerializerMixin(object):
|
|||
'vc_password': glance_password,
|
||||
'vc_datacenter': glance_instance.get('datacenter', ''),
|
||||
'vc_datastore': glance_instance.get('datastore', ''),
|
||||
'vc_insecure': glance_instance.get('vcenter_insecure', ''),
|
||||
'vc_insecure': glance_instance.get('vcenter_unsecure', ''),
|
||||
'vc_ca_file': glance_instance.get('ca_file', '')
|
||||
}
|
||||
|
||||
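Review bot: All three lookups changed here (`zone.get('vcenter_unsecure', '')` in the two availability-zone dicts and `glance_instance.get('vcenter_unsecure', '')`) stop reading the old `vcenter_insecure` key, so attributes saved before the rename would serialize `vc_insecure` as `''` and silently drop the operator's choice. Unless the dependent change migrates stored data, a fallback such as `zone.get('vcenter_unsecure', zone.get('vcenter_insecure', ''))` keeps existing environments consistent. A comment stating what the empty-string default means to the consumer of `vc_insecure` would also help, since that default decides whether TLS verification is on when the key is absent. The enclosing dict literals and methods begin outside these hunks.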
|
|
|
@ -1691,6 +1691,9 @@ class CheckBeforeDeploymentTask(object):
|
|||
'settings': attributes,
|
||||
'default': vmware_attributes.editable,
|
||||
'cluster': task.cluster,
|
||||
'current_vcenter': vmware_attributes.editable['value'].get(
|
||||
'availability_zones')[0],
|
||||
'glance': vmware_attributes.editable['value'].get('glance'),
|
||||
'version': settings.VERSION,
|
||||
'networking_parameters': task.cluster.network_config
|
||||
}
|
||||
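Review bot: The new `current_vcenter` model takes `.get('availability_zones')[0]`, which raises TypeError when the key is absent and IndexError when the list is empty, and it always resolves to the first availability zone. As far as this hunk shows, a restriction such as `current_vcenter:vcenter_unsecure == true` is therefore evaluated against zone 0 even when the CA file being checked belongs to another zone, so a later zone's bypass setting is never consulted. At minimum guard the lookup, e.g. `(vmware_attributes.editable['value'].get('availability_zones') or [{}])[0]`, and consider building the models per zone where the restrictions are checked. The dict literal and its function start outside the hunk.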
|
|
|
@ -322,6 +322,18 @@ class TestVmwareAttributesRestriction(base.BaseTestCase):
|
|||
)
|
||||
self.vm_data = self.env.read_fixtures(['vmware_attributes'])[0]
|
||||
|
||||
def _get_models(self, attributes, vmware_attributes):
|
||||
return {
|
||||
'settings': attributes,
|
||||
'default': vmware_attributes['editable'],
|
||||
'current_vcenter': vmware_attributes['editable']['value'].get(
|
||||
'availability_zones')[0],
|
||||
'glance': vmware_attributes['editable']['value'].get('glance'),
|
||||
'cluster': self.cluster,
|
||||
'version': settings.VERSION,
|
||||
'networking_parameters': self.cluster.network_config
|
||||
}
|
||||
|
||||
def test_check_data_with_empty_values_without_restrictions(self):
|
||||
attributes = objects.Cluster.get_editable_attributes(self.cluster)
|
||||
attributes['common']['use_vcenter']['value'] = True
|
||||
|
@ -334,6 +346,8 @@ class TestVmwareAttributesRestriction(base.BaseTestCase):
|
|||
"vcenter_host": "",
|
||||
"vcenter_username": "",
|
||||
"vcenter_password": "",
|
||||
"vcenter_unsecure": "",
|
||||
"vc_ca_file": {},
|
||||
"nova_computes": [
|
||||
{
|
||||
"vsphere_cluster": "",
|
||||
|
@ -351,18 +365,14 @@ class TestVmwareAttributesRestriction(base.BaseTestCase):
|
|||
"vcenter_username": "",
|
||||
"vcenter_password": "",
|
||||
"datacenter": "",
|
||||
"datastore": ""
|
||||
"datastore": "",
|
||||
"vcenter_unsecure": "",
|
||||
"ca_file": {}
|
||||
}
|
||||
}
|
||||
# Update value with empty value
|
||||
vmware_attributes['editable']['value'] = empty_values
|
||||
models = {
|
||||
'settings': attributes,
|
||||
'default': vmware_attributes['editable'],
|
||||
'cluster': self.cluster,
|
||||
'version': settings.VERSION,
|
||||
'networking_parameters': self.cluster.network_config
|
||||
}
|
||||
models = self._get_models(attributes, vmware_attributes)
|
||||
|
||||
errs = VmwareAttributesRestriction.check_data(
|
||||
models=models,
|
||||
|
@ -381,13 +391,7 @@ class TestVmwareAttributesRestriction(base.BaseTestCase):
|
|||
# value data taken from fixture one cluster of
|
||||
# nova computes left empty
|
||||
vmware_attributes = self.vm_data.copy()
|
||||
models = {
|
||||
'settings': attributes,
|
||||
'default': vmware_attributes['editable'],
|
||||
'cluster': self.cluster,
|
||||
'version': settings.VERSION,
|
||||
'networking_parameters': self.cluster.network_config
|
||||
}
|
||||
models = self._get_models(attributes, vmware_attributes)
|
||||
|
||||
errs = VmwareAttributesRestriction.check_data(
|
||||
models=models,
|
||||
|
@ -400,13 +404,7 @@ class TestVmwareAttributesRestriction(base.BaseTestCase):
|
|||
# fixture have restrictions enabled for glance that's why
|
||||
# only 'Empty cluster' should returned
|
||||
vmware_attributes = self.vm_data.copy()
|
||||
models = {
|
||||
'settings': attributes,
|
||||
'default': vmware_attributes['editable'],
|
||||
'cluster': self.cluster,
|
||||
'version': settings.VERSION,
|
||||
'networking_parameters': self.cluster.network_config
|
||||
}
|
||||
models = self._get_models(attributes, vmware_attributes)
|
||||
|
||||
errs = VmwareAttributesRestriction.check_data(
|
||||
models=models,
|
||||
|
@ -423,13 +421,7 @@ class TestVmwareAttributesRestriction(base.BaseTestCase):
|
|||
for j, ncompute in enumerate(azone['nova_computes']):
|
||||
ncompute['vsphere_cluster'] = 'cluster-{0}-{1}'.format(i, j)
|
||||
|
||||
models = {
|
||||
'settings': attributes,
|
||||
'default': vmware_attributes['editable'],
|
||||
'cluster': self.cluster,
|
||||
'version': settings.VERSION,
|
||||
'networking_parameters': self.cluster.network_config
|
||||
}
|
||||
models = self._get_models(attributes, vmware_attributes)
|
||||
|
||||
errs = VmwareAttributesRestriction.check_data(
|
||||
models=models,
|
||||
|
@ -452,13 +444,7 @@ class TestVmwareAttributesRestriction(base.BaseTestCase):
|
|||
glance = vmware_attributes['editable']['value']['glance']
|
||||
glance['datacenter'] = 'test_datacenter'
|
||||
glance['datastore'] = 'test_datastore'
|
||||
models = {
|
||||
'settings': attributes,
|
||||
'default': vmware_attributes['editable'],
|
||||
'cluster': self.cluster,
|
||||
'version': settings.VERSION,
|
||||
'networking_parameters': self.cluster.network_config
|
||||
}
|
||||
models = self._get_models(attributes, vmware_attributes)
|
||||
|
||||
errs = VmwareAttributesRestriction.check_data(
|
||||
models=models,
|
||||
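Review bot: None of the hunks shown in this section exercises the restriction the commit introduces; they only add `vcenter_unsecure`/`ca_file` keys with empty values and fold the repeated dict into `_get_models`. Two cases, bypass enabled with a CA file supplied and bypass disabled with a CA file supplied, each asserting on the returned `errs`, would pin the behaviour of `current_vcenter:vcenter_unsecure == true` and `glance:vcenter_unsecure == true`. `_get_models` also indexes `.get('availability_zones')[0]` without a guard, so a fixture with no zones fails with an IndexError or TypeError rather than a validation message. A short docstring stating that only the first zone is exposed as `current_vcenter` would make that limit visible.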
|
|