openstack
/
cinder
Code Issues Proposed changes

Merge "Enable certificate verification during image copy"

This commit is contained in:
Jenkins 2015-09-19 19:50:18 +00:00 committed by Gerrit Code Review
parent 722b601df9 6592d8cff5
commit 4401b32f26
2 changed files with 56 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
cinder/tests/unit/test_vmware_vmdk.py
View File

@ -2389,6 +2389,51 @@ class VMwareVcVmdkDriverTestCase(VMwareEsxVmdkDriverTestCase):
generate_uuid,
extend_disk)
def _test_copy_image(self, download_flat_image, session, vops,
expected_cacerts=False):
dc_name = mock.sentinel.dc_name
vops.get_entity_name.return_value = dc_name
context = mock.sentinel.context
dc_ref = mock.sentinel.dc_ref
image_service = mock.sentinel.image_service
image_id = mock.sentinel.image_id
image_size_in_bytes = 102400
ds_name = mock.sentinel.ds_name
upload_file_path = mock.sentinel.upload_file_path
self._driver._copy_image(
context, dc_ref, image_service, image_id, image_size_in_bytes,
ds_name, upload_file_path)
vops.get_entity_name.assert_called_once_with(dc_ref)
cookies = session.vim.client.options.transport.cookiejar
download_flat_image.assert_called_once_with(
context, self.IMG_TX_TIMEOUT, image_service, image_id,
image_size=image_size_in_bytes, host=self.IP, port=self.PORT,
data_center_name=dc_name, datastore_name=ds_name, cookies=cookies,
file_path=upload_file_path, cacerts=expected_cacerts)
@mock.patch.object(VMDK_DRIVER, 'volumeops')
@mock.patch.object(VMDK_DRIVER, 'session')
@mock.patch('oslo_vmware.image_transfer.download_flat_image')
def test_copy_image(self, download_flat_image, session, vops):
# Default value of vmware_ca_file is not None; it should be passed
# to download_flat_image as cacerts.
self._test_copy_image(download_flat_image, session, vops,
expected_cacerts=self._config.vmware_ca_file)
@mock.patch.object(VMDK_DRIVER, 'volumeops')
@mock.patch.object(VMDK_DRIVER, 'session')
@mock.patch('oslo_vmware.image_transfer.download_flat_image')
def test_copy_image_insecure(self, download_flat_image, session, vops):
# Set config options to allow insecure connections.
self._config.vmware_ca_file = None
self._config.vmware_insecure = True
# Since vmware_ca_file is unset and vmware_insecure is True,
# dowload_flat_image should be called with cacerts=False.
self._test_copy_image(download_flat_image, session, vops)
@mock.patch.object(VMDK_DRIVER, '_copy_temp_virtual_disk')
@mock.patch.object(VMDK_DRIVER, '_get_temp_image_folder')
@mock.patch(

12
cinder/volume/drivers/vmware/vmdk.py
View File

@ -816,6 +816,8 @@ class VMwareEsxVmdkDriver(driver.VolumeDriver):
timeout = self.configuration.vmware_image_transfer_timeout_secs
host_ip = self.configuration.vmware_host_ip
ca_file = self.configuration.vmware_ca_file
insecure = self.configuration.vmware_insecure
cookies = self.session.vim.client.options.transport.cookiejar
dc_name = self.volumeops.get_entity_name(dc_ref)
@ -823,6 +825,13 @@ class VMwareEsxVmdkDriver(driver.VolumeDriver):
{'image_id': image_id,
'path': upload_file_path})
# TODO(vbala): add config option to override non-default port
# ca_file is used for verifying vCenter certificate if it is set.
# If ca_file is unset and insecure is False, the default CA truststore
# is used for verification. We should pass cacerts=True in this
# case. If ca_file is unset and insecure is True, there is no
# certificate verification, and we should pass cacerts=False.
cacerts = ca_file if ca_file else not insecure
image_transfer.download_flat_image(context,
timeout,
image_service,
@ -833,7 +842,8 @@ class VMwareEsxVmdkDriver(driver.VolumeDriver):
data_center_name=dc_name,
datastore_name=ds_name,
cookies=cookies,
file_path=upload_file_path)
file_path=upload_file_path,
cacerts=cacerts)
LOG.debug("Image: %(image_id)s copied to %(path)s.",
{'image_id': image_id,
'path': upload_file_path})