Deal with PEP-0476 certificate chaining checking

PEP-0476 introduced more thorough certificate chain verification for HTTPS connectivity; this was introduced in Python 2.7.9, and breaks a number of unit tests in the keystone codebase. Disable certificate chain verification for keystone SSL tests using the backwards compatible SSLContext provided for this purpose. Change-Id: I6b5e975ed4c9abf3571212ba0e172eb653bb9281 Closes-Bug: #1403068
2015-01-05 14:14:40 +00:00 · 2015-01-05 14:14:40 +00:00 · 89aec92962
parent 203228f899
commit 89aec92962
1 changed files with 27 additions and 10 deletions
--- a/keystone/tests/unit/test_ssl.py
+++ b/keystone/tests/unit/test_ssl.py
@ -36,8 +36,25 @@ CLIENT = os.path.join(CERTDIR, 'middleware.pem')
 class SSLTestCase(tests.TestCase):
    def setUp(self):
        super(SSLTestCase, self).setUp()
+        # NOTE(jamespage):
+        # Deal with more secure certificate chain verification
+        # introduced in python 2.7.9 under PEP-0476
+        # https://github.com/python/peps/blob/master/pep-0476.txt
+        self.context = None
+        if hasattr(ssl, '_create_unverified_context'):
+            self.context = ssl._create_unverified_context()
        self.load_backends()

+    def get_HTTPSConnection(self, *args):
+        """Simple helper to configure HTTPSConnection objects."""
+        if self.context:
+            return environment.httplib.HTTPSConnection(
+                *args,
+                context=self.context
+            )
+        else:
+            return environment.httplib.HTTPSConnection(*args)
+
    def test_1way_ssl_ok(self):
        """Make sure both public and admin API work with 1-way SSL."""
        paste_conf = self._paste_config('keystone')
@ -45,7 +62,7 @@ class SSLTestCase(tests.TestCase):

        # Verify Admin
        with appserver.AppServer(paste_conf, appserver.ADMIN, **ssl_kwargs):
-            conn = environment.httplib.HTTPSConnection(
+            conn = self.get_HTTPSConnection(
                '127.0.0.1', CONF.eventlet_server.admin_port)
            conn.request('GET', '/')
            resp = conn.getresponse()
@ -53,7 +70,7 @@ class SSLTestCase(tests.TestCase):

        # Verify Public
        with appserver.AppServer(paste_conf, appserver.MAIN, **ssl_kwargs):
-            conn = environment.httplib.HTTPSConnection(
+            conn = self.get_HTTPSConnection(
                '127.0.0.1', CONF.eventlet_server.public_port)
            conn.request('GET', '/')
            resp = conn.getresponse()
@ -69,7 +86,7 @@ class SSLTestCase(tests.TestCase):

        # Verify Admin
        with appserver.AppServer(paste_conf, appserver.ADMIN, **ssl_kwargs):
-            conn = environment.httplib.HTTPSConnection(
+            conn = self.get_HTTPSConnection(
                '127.0.0.1', CONF.eventlet_server.admin_port, CLIENT, CLIENT)
            conn.request('GET', '/')
            resp = conn.getresponse()
@ -77,7 +94,7 @@ class SSLTestCase(tests.TestCase):

        # Verify Public
        with appserver.AppServer(paste_conf, appserver.MAIN, **ssl_kwargs):
-            conn = environment.httplib.HTTPSConnection(
+            conn = self.get_HTTPSConnection(
                '127.0.0.1', CONF.eventlet_server.public_port, CLIENT, CLIENT)
            conn.request('GET', '/')
            resp = conn.getresponse()
@ -92,7 +109,7 @@ class SSLTestCase(tests.TestCase):

        # Verify Admin
        with appserver.AppServer(paste_conf, appserver.ADMIN, **ssl_kwargs):
-            conn = environment.httplib.HTTPSConnection(
+            conn = self.get_HTTPSConnection(
                '::1', CONF.eventlet_server.admin_port)
            conn.request('GET', '/')
            resp = conn.getresponse()
@ -100,7 +117,7 @@ class SSLTestCase(tests.TestCase):

        # Verify Public
        with appserver.AppServer(paste_conf, appserver.MAIN, **ssl_kwargs):
-            conn = environment.httplib.HTTPSConnection(
+            conn = self.get_HTTPSConnection(
                '::1', CONF.eventlet_server.public_port)
            conn.request('GET', '/')
            resp = conn.getresponse()
@ -119,7 +136,7 @@ class SSLTestCase(tests.TestCase):

        # Verify Admin
        with appserver.AppServer(paste_conf, appserver.ADMIN, **ssl_kwargs):
-            conn = environment.httplib.HTTPSConnection(
+            conn = self.get_HTTPSConnection(
                '::1', CONF.eventlet_server.admin_port, CLIENT, CLIENT)
            conn.request('GET', '/')
            resp = conn.getresponse()
@ -127,7 +144,7 @@ class SSLTestCase(tests.TestCase):

        # Verify Public
        with appserver.AppServer(paste_conf, appserver.MAIN, **ssl_kwargs):
-            conn = environment.httplib.HTTPSConnection(
+            conn = self.get_HTTPSConnection(
                '::1', CONF.eventlet_server.public_port, CLIENT, CLIENT)
            conn.request('GET', '/')
            resp = conn.getresponse()
@ -140,7 +157,7 @@ class SSLTestCase(tests.TestCase):

        # Verify Admin
        with appserver.AppServer(paste_conf, appserver.ADMIN, **ssl_kwargs):
-            conn = environment.httplib.HTTPSConnection(
+            conn = self.get_HTTPSConnection(
                '127.0.0.1', CONF.eventlet_server.admin_port)
            try:
                conn.request('GET', '/')
@ -150,7 +167,7 @@ class SSLTestCase(tests.TestCase):

        # Verify Public
        with appserver.AppServer(paste_conf, appserver.MAIN, **ssl_kwargs):
-            conn = environment.httplib.HTTPSConnection(
+            conn = self.get_HTTPSConnection(
                '127.0.0.1', CONF.eventlet_server.public_port)
            try:
                conn.request('GET', '/')