From 10d3b27283697f2c5be971daf7ef0ea7373fe4c8 Mon Sep 17 00:00:00 2001
From: James Page <james.page@ubuntu.com>
Date: Mon, 5 Jan 2015 14:14:40 +0000
Subject: [PATCH] Deal with PEP-0476 certificate chaining checking

PEP-0476 introduced more thorough certificate chain verification
for HTTPS connectivity; this was introduced in Python 2.7.9, and
breaks a number of unit tests in the keystone codebase.

Disable certificate chain verification for keystone SSL tests
using the backwards compatible SSLContext provided for this
purpose.

Conflicts:
	keystone/tests/test_ssl.py

Change-Id: I6b5e975ed4c9abf3571212ba0e172eb653bb9281
Closes-Bug: #1403068
(cherry picked from commit 89aec92962a551dc06520e284dadc63a0a58ad2c)
---
 keystone/tests/test_ssl.py | 37 +++++++++++++++++++++++++++----------
 1 file changed, 27 insertions(+), 10 deletions(-)

diff --git a/keystone/tests/test_ssl.py b/keystone/tests/test_ssl.py
index ecfdf3b8f0..8c142ac34e 100644
--- a/keystone/tests/test_ssl.py
+++ b/keystone/tests/test_ssl.py
@@ -35,8 +35,25 @@ CLIENT = os.path.join(CERTDIR, 'middleware.pem')
 class SSLTestCase(tests.TestCase):
     def setUp(self):
         super(SSLTestCase, self).setUp()
+        # NOTE(jamespage):
+        # Deal with more secure certificate chain verification
+        # introduced in python 2.7.9 under PEP-0476
+        # https://github.com/python/peps/blob/master/pep-0476.txt
+        self.context = None
+        if hasattr(ssl, '_create_unverified_context'):
+            self.context = ssl._create_unverified_context()
         self.load_backends()
 
+    def get_HTTPSConnection(self, *args):
+        """Simple helper to configure HTTPSConnection objects."""
+        if self.context:
+            return environment.httplib.HTTPSConnection(
+                *args,
+                context=self.context
+            )
+        else:
+            return environment.httplib.HTTPSConnection(*args)
+
     def test_1way_ssl_ok(self):
         """Make sure both public and admin API work with 1-way SSL."""
         paste_conf = self._paste_config('keystone')
@@ -44,7 +61,7 @@ class SSLTestCase(tests.TestCase):
 
         # Verify Admin
         with appserver.AppServer(paste_conf, appserver.ADMIN, **ssl_kwargs):
-            conn = environment.httplib.HTTPSConnection(
+            conn = self.get_HTTPSConnection(
                 '127.0.0.1', CONF.admin_port)
             conn.request('GET', '/')
             resp = conn.getresponse()
@@ -52,7 +69,7 @@ class SSLTestCase(tests.TestCase):
 
         # Verify Public
         with appserver.AppServer(paste_conf, appserver.MAIN, **ssl_kwargs):
-            conn = environment.httplib.HTTPSConnection(
+            conn = self.get_HTTPSConnection(
                 '127.0.0.1', CONF.public_port)
             conn.request('GET', '/')
             resp = conn.getresponse()
@@ -68,7 +85,7 @@ class SSLTestCase(tests.TestCase):
 
         # Verify Admin
         with appserver.AppServer(paste_conf, appserver.ADMIN, **ssl_kwargs):
-            conn = environment.httplib.HTTPSConnection(
+            conn = self.get_HTTPSConnection(
                 '127.0.0.1', CONF.admin_port, CLIENT, CLIENT)
             conn.request('GET', '/')
             resp = conn.getresponse()
@@ -76,7 +93,7 @@ class SSLTestCase(tests.TestCase):
 
         # Verify Public
         with appserver.AppServer(paste_conf, appserver.MAIN, **ssl_kwargs):
-            conn = environment.httplib.HTTPSConnection(
+            conn = self.get_HTTPSConnection(
                 '127.0.0.1', CONF.public_port, CLIENT, CLIENT)
             conn.request('GET', '/')
             resp = conn.getresponse()
@@ -91,14 +108,14 @@ class SSLTestCase(tests.TestCase):
 
         # Verify Admin
         with appserver.AppServer(paste_conf, appserver.ADMIN, **ssl_kwargs):
-            conn = environment.httplib.HTTPSConnection('::1', CONF.admin_port)
+            conn = self.get_HTTPSConnection('::1', CONF.admin_port)
             conn.request('GET', '/')
             resp = conn.getresponse()
             self.assertEqual(300, resp.status)
 
         # Verify Public
         with appserver.AppServer(paste_conf, appserver.MAIN, **ssl_kwargs):
-            conn = environment.httplib.HTTPSConnection('::1', CONF.public_port)
+            conn = self.get_HTTPSConnection('::1', CONF.public_port)
             conn.request('GET', '/')
             resp = conn.getresponse()
             self.assertEqual(300, resp.status)
@@ -116,7 +133,7 @@ class SSLTestCase(tests.TestCase):
 
         # Verify Admin
         with appserver.AppServer(paste_conf, appserver.ADMIN, **ssl_kwargs):
-            conn = environment.httplib.HTTPSConnection(
+            conn = self.get_HTTPSConnection(
                 '::1', CONF.admin_port, CLIENT, CLIENT)
             conn.request('GET', '/')
             resp = conn.getresponse()
@@ -124,7 +141,7 @@ class SSLTestCase(tests.TestCase):
 
         # Verify Public
         with appserver.AppServer(paste_conf, appserver.MAIN, **ssl_kwargs):
-            conn = environment.httplib.HTTPSConnection(
+            conn = self.get_HTTPSConnection(
                 '::1', CONF.public_port, CLIENT, CLIENT)
             conn.request('GET', '/')
             resp = conn.getresponse()
@@ -137,7 +154,7 @@ class SSLTestCase(tests.TestCase):
 
         # Verify Admin
         with appserver.AppServer(paste_conf, appserver.ADMIN, **ssl_kwargs):
-            conn = environment.httplib.HTTPSConnection(
+            conn = self.get_HTTPSConnection(
                 '127.0.0.1', CONF.admin_port)
             try:
                 conn.request('GET', '/')
@@ -147,7 +164,7 @@ class SSLTestCase(tests.TestCase):
 
         # Verify Public
         with appserver.AppServer(paste_conf, appserver.MAIN, **ssl_kwargs):
-            conn = environment.httplib.HTTPSConnection(
+            conn = self.get_HTTPSConnection(
                 '127.0.0.1', CONF.public_port)
             try:
                 conn.request('GET', '/')