Check certificates for vim

This patch tries to fix the bug: https://bugs.launchpad.net/tacker/+bug/1719841 This is already fixed in master: https://review.openstack.org/#/c/529374/15 Change-Id: I0401e8e385a690695061e558c15856c8a2fe0db9 Signed-off-by: Manuel Buil <mbuil@suse.com>
2018-01-15 15:24:47 +01:00 · 2018-01-15 15:24:47 +01:00 · 90f5374f73
parent af41adc48c
commit 90f5374f73
5 changed files with 30 additions and 19 deletions
--- a/samples/vim/vim_config.yaml
+++ b/samples/vim/vim_config.yaml
@ -4,3 +4,4 @@ password: 'mySecretPW'
 project_name: 'nfv'
 project_domain_name: 'Default'
 user_domain_name: 'Default'
+cert_verify: 'False'
--- a/tacker/nfvo/drivers/vim/openstack_driver.py
+++ b/tacker/nfvo/drivers/vim/openstack_driver.py
@ -116,8 +116,10 @@ class OpenStack_Driver(abstract_vim_driver.VimAbstractDriver,

        Initialize keystoneclient with provided authentication attributes.
        """
+        verify = ('True' == vim_obj['auth_cred'].get('cert_verify', 'True')
+                 or False)
        auth_url = vim_obj['auth_url']
-        keystone_version = self._validate_auth_url(auth_url)
+        keystone_version = self._validate_auth_url(auth_url, verify=verify)
        auth_cred = self._get_auth_creds(keystone_version, vim_obj)
        return self._initialize_keystone(keystone_version, auth_cred)

@ -150,9 +152,9 @@ class OpenStack_Driver(abstract_vim_driver.VimAbstractDriver,

        return auth_plugin

-    def _validate_auth_url(self, auth_url):
+    def _validate_auth_url(self, auth_url, verify):
        try:
-            keystone_version = self.keystone.get_version(auth_url)
+            keystone_version = self.keystone.get_version(auth_url, verify)
        except Exception as e:
            LOG.error('VIM Auth URL invalid')
            raise nfvo.VimConnectionException(message=str(e))
@ -331,8 +333,9 @@ class OpenStack_Driver(abstract_vim_driver.VimAbstractDriver,
        :param client_type: openstack client to initialize
        :return: initialized client
        """
+        verify = 'True' == vim_obj.get('cert_verify', 'True') or False
        auth_url = vim_obj['auth_url']
-        keystone_version = self._validate_auth_url(auth_url)
+        keystone_version = self._validate_auth_url(auth_url, verify=verify)
        auth_cred = self._get_auth_creds(keystone_version, vim_obj)
        auth_plugin = self._get_auth_plugin(keystone_version, **auth_cred)
        sess = session.Session(auth=auth_plugin)
@ -542,8 +545,10 @@ class NeutronClient(object):
    """Neutron Client class for networking-sfc driver"""

    def __init__(self, auth_attr):
-        auth = identity.Password(**auth_attr)
-        sess = session.Session(auth=auth)
+        auth_cred = auth_attr.copy()
+        verify = 'True' == auth_cred.pop('cert_verify', 'True') or False
+        auth = identity.Password(**auth_cred)
+        sess = session.Session(auth=auth, verify=verify)
        self.client = neutron_client.Client(session=sess)

    def flow_classifier_create(self, fc_dict):
--- a/tacker/tests/unit/db/utils.py
+++ b/tacker/tests/unit/db/utils.py
@ -147,12 +147,12 @@ def get_dummy_vnf_update_config():


 def get_vim_obj():
-    return {'vim': {'type': 'openstack', 'auth_url':
-                    'http://localhost:5000', 'vim_project': {'name':
-                    'test_project'}, 'auth_cred': {'username': 'test_user',
-                                                   'password':
-                                                       'test_password'},
-                            'name': 'VIM0',
+    return {'vim': {'type': 'openstack', 'auth_url': 'http://localhost:5000',
+                    'vim_project': {'name': 'test_project'},
+                    'auth_cred': {'username': 'test_user',
+                                  'password': 'test_password',
+                                  'cert_verify': 'True'},
+                    'name': 'VIM0',
                    'tenant_id': 'test-project'}}


@ -161,6 +161,7 @@ def get_vim_auth_obj():
            'password': 'test_password',
            'project_id': None,
            'project_name': 'test_project',
+            'cert_verify': 'True',
            'auth_url': 'http://localhost:5000/v3',
            'user_domain_name': 'default',
            'project_domain_name': 'default'}
--- a/tacker/tests/unit/nfvo/drivers/vim/test_openstack_driver.py
+++ b/tacker/tests/unit/nfvo/drivers/vim/test_openstack_driver.py
@ -90,6 +90,7 @@ class TestOpenstack_Driver(base.TestCase):
                'auth_cred': {'username': 'test_user',
                              'password': 'test_password',
                              'user_domain_name': 'default',
+                              'cert_verify': 'True',
                              'auth_url': 'http://localhost:5000'},
                'name': 'VIM0',
                'vim_project': {'name': 'test_project',
@ -103,6 +104,7 @@ class TestOpenstack_Driver(base.TestCase):
                              'user_domain_name': 'default',
                              'key_type': 'barbican_key',
                              'secret_uuid': 'fake-secret-uuid',
+                              'cert_verify': 'True',
                              'auth_url': 'http://localhost:5000'},
                'name': 'VIM0',
                'vim_project': {'name': 'test_project',
@ -131,8 +133,9 @@ class TestOpenstack_Driver(base.TestCase):
        mock_ks_client = mock.Mock(version='v2.0', **attrs)
        self.keystone.get_version.return_value = keystone_version
        auth_obj = {'tenant_name': 'test_project', 'username': 'test_user',
-                    'password': 'test_password', 'auth_url':
-                    'http://localhost:5000/v2.0', 'tenant_id': None}
+                    'password': 'test_password', 'cert_verify': 'True',
+                    'auth_url': 'http://localhost:5000/v2.0',
+                    'tenant_id': None}
        self._test_register_vim(self.vim_obj, mock_ks_client)
        self.keystone.initialize_client.assert_called_once_with(
            version=keystone_version, **auth_obj)
--- a/tacker/vnfm/keystone.py
+++ b/tacker/vnfm/keystone.py
@ -36,21 +36,22 @@ class Keystone(object):
    instance such as version, session and client
    """

-    def get_version(self, base_url=None):
+    def get_version(self, base_url=None, verify=True):
        try:
-            keystone_client = client.Client(auth_url=base_url)
+            keystone_client = client.Client(auth_url=base_url, verify=verify)
        except exceptions.ConnectionError:
            raise
        return keystone_client.version

-    def get_session(self, auth_plugin):
-        ses = session.Session(auth=auth_plugin)
+    def get_session(self, auth_plugin, verify):
+        ses = session.Session(auth=auth_plugin, verify=verify)
        return ses

    def get_endpoint(self, ses, service_type, region_name=None):
        return ses.get_endpoint(service_type, region_name)

    def initialize_client(self, version, **kwargs):
+        verify = 'True' == kwargs.pop('cert_verify', 'True') or False
        if version == 'v2.0':
            from keystoneclient.v2_0 import client
            if 'token' in kwargs:
@ -63,7 +64,7 @@ class Keystone(object):
                auth_plugin = identity.v3.Token(**kwargs)
            else:
                auth_plugin = identity.v3.Password(**kwargs)
-        ses = self.get_session(auth_plugin=auth_plugin)
+        ses = self.get_session(auth_plugin=auth_plugin, verify=verify)
        cli = client.Client(session=ses)
        return cli