From c347cd2bf4f3b3f02e41f07edbf7960ff59110cd Mon Sep 17 00:00:00 2001 From: gugl Date: Mon, 26 Feb 2018 15:45:14 -0800 Subject: [PATCH] Fixed the problem for SSL certificate access failure When specify OPENSTACK_SSL_NO_VERIFY = False, monascaclient throws an exception when access alarms, alarm definitions and notifictions. Changed parameter cert to verify so it takes boolean or passes the certificate file. Also added unit tests for api.client Story: 2001601 Task: 6555 Change-Id: Ib068bdc3fae1ebdb2bda8d7b6c24a725cef5b24b Depends-On: https://review.openstack.org/550130 --- monitoring/api/client.py | 14 ++- monitoring/test/client_tests.py | 161 ++++++++++++++++++++++++++++++++ monitoring/test/settings.py | 5 + 3 files changed, 178 insertions(+), 2 deletions(-) create mode 100644 monitoring/test/client_tests.py diff --git a/monitoring/api/client.py b/monitoring/api/client.py index b9aef1ad..d8c4d20e 100644 --- a/monitoring/api/client.py +++ b/monitoring/api/client.py @@ -67,6 +67,15 @@ def _get_auth_params_from_request(request): ) +def _get_to_verify(insecure, cacert): + to_verify = cacert + + if insecure: + to_verify = False + + return to_verify + + @memoized.memoized_with_request(_get_auth_params_from_request) def monascaclient(request_auth_params, version=None): @@ -87,13 +96,14 @@ def monascaclient(request_auth_params, version=None): LOG.debug('Monasca::Client ' % (monasca_url, version)) + to_verify = _get_to_verify(INSECURE, CACERT) + c = mon_client.Client(api_version=version, token=token_id, project_id=project_id, user_domain_id=user_domain_id, project_domain_id=project_domain_id, - insecure=INSECURE, - cert=CACERT, + verify=to_verify, auth_url=auth_url, endpoint=monasca_url) return c diff --git a/monitoring/test/client_tests.py b/monitoring/test/client_tests.py new file mode 100644 index 00000000..e46ba880 --- /dev/null +++ b/monitoring/test/client_tests.py 
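Review bot: `_get_to_verify` hands `cacert` back unchanged whenever `insecure` is false, so a deployment with no CA bundle configured forwards an empty value as `verify` (presumably `None`; the definition of `CACERT` is outside the hunk). Whether TLS verification then takes place is left to how the client library treats that value. Making the secure default explicit removes the ambiguity: `return False if insecure else (cacert or True)`. The helper also has no docstring; a one-line docstring stating that it returns `False`, `True` or a CA bundle path for the client's `verify` argument would record the contract.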
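Review bot: Nothing in `monascaclient` records that certificate verification has been switched off. When `INSECURE` is set, `to_verify` is `False` and the client is built exactly as in the verified case, with only the existing `LOG.debug` line emitted. A warning right after the `_get_to_verify` call would give operators something to alert on, e.g. `if to_verify is False: LOG.warning('TLS certificate verification is disabled for the Monasca client')`. The function is wrapped in `memoized_with_request`, so the message would presumably appear on cache misses only. The function's signature and the start of its body lie outside this hunk.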
@@ -0,0 +1,161 @@
+# Copyright 2018 OP5 AB
+# (c) Copyright 2018 SUSE LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+from django.conf import settings as d_settings
+from django.test.utils import override_settings
+from mock import Mock
+from mock import patch
+
+from monascaclient import client as mon_client
+
+from monitoring.test import helpers
+from monitoring.api.client import _get_auth_params_from_request
+from monitoring.api.client import _get_to_verify
+from monitoring.api.client import monascaclient as api_mon_client
+
+
+def _mock_url_for(request, service_name):
+ return getattr(request, service_name)
+
+
+def _mock_get_auth_params(request=None):
+ return (923, '22', 789, 55, 'monitoring_url', 'identity_url')
+
+
+def _mock_request():
+ request = Mock()
+ request.user.user_domain_id = 923
+ request.user.token.id = '22'
+ request.user.tenant_id = 789
+ request.user.token.project = {'domain_id': 55}
+ request.monitoring = 'monitoring_url'
+ request.identity = 'identity_url'
+ return request
+
+
+def _mock_client_args(verify):
+ return ('2_0', '22', 789, 55, 923, verify, 'identity_url', 'monitoring_url')
+
+
+def _expected_session_args(verify):
+ return {
+ 'auth_url': 'identity_url', 'user_domain_id': 55, 'project_id': 789,
+ 'token': '22', 'endpoint': 'monitoring_url', 'verify': verify,
+ 'project_domain_id': 923
+ }
+
+
+class ClientTests(helpers.TestCase):
+
+ @override_settings(OPENSTACK_SSL_NO_VERIFY=False)
+ @override_settings(OPENSTACK_SSL_CACERT='/etc/ssl/certs/some.crt')
+ def test_ssl_verify_with_cert(self):
+ insecure = getattr(d_settings, 'OPENSTACK_SSL_NO_VERIFY', False)
+ cert = getattr(d_settings, 'OPENSTACK_SSL_CACERT', None)
+ to_verify = _get_to_verify(insecure, cert)
+
+ self.assertEqual(to_verify, '/etc/ssl/certs/some.crt')
+
+ @override_settings(OPENSTACK_SSL_NO_VERIFY=True)
+ def test_no_ssl_verify(self):
+ insecure = getattr(d_settings, 'OPENSTACK_SSL_NO_VERIFY', False)
+ cert = getattr(d_settings, 'OPENSTACK_SSL_CACERT', None)
+ to_verify = _get_to_verify(insecure, cert)
+
+ self.assertFalse(to_verify)
+
+ def test_get_auth_params_from_request(self):
+ mock_request = _mock_request()
+ with patch('openstack_dashboard.api.base.url_for',
+ side_effect=_mock_url_for):
+ auth_params = _get_auth_params_from_request(mock_request)
+
+ self.assertEqual(
+ auth_params,
+ (923, '22', 789, 55, 'monitoring_url', 'identity_url'))
+
+ @patch('monascaclient.client._session')
+ def test_client_no_verify_params_for_session(self, mock_session):
+ (
+ version,
+ token,
+ project_id,
+ user_domain_id,
+ project_domain_id,
+ verify,
+ auth_url,
+ endpoint
+ ) = _mock_client_args(False)
+
+ the_client = mon_client.Client(
+ api_version=version,
+ token=token,
+ project_id=project_id,
+ user_domain_id=user_domain_id,
+ project_domain_id=project_domain_id,
+ verify=verify,
+ auth_url=auth_url,
+ endpoint=endpoint
+ )
+
+ self.assertIsNotNone(the_client)
+ mock_session.assert_called_with(_expected_session_args(False))
+
+ @patch('monascaclient.client._session')
+ def test_client_verify_params_for_session(self, mock_session):
+ cert = '/etc/ssl/certs/some.crt'
+ (
+ version,
+ token,
+ project_id,
+ user_domain_id,
+ project_domain_id,
+ verify,
+ auth_url,
+ endpoint
+ ) = _mock_client_args(cert)
+
+ the_client = mon_client.Client(
+ api_version=version,
+ token=token,
+ project_id=project_id,
+ user_domain_id=user_domain_id,
+ project_domain_id=project_domain_id,
+ verify=verify,
+ auth_url=auth_url,
+ endpoint=endpoint
+ )
+
+ self.assertIsNotNone(the_client)
+ mock_session.assert_called_with(_expected_session_args(cert))
+
+ @patch('monascaclient.client.Client')
+ def test_client(self, mock_Client):
+ with patch('openstack_dashboard.api.base.url_for',
+ side_effect=_mock_url_for):
+ with patch('monitoring.api.client._get_auth_params_from_request',
+ side_effect=_get_auth_params_from_request):
+ api_client = api_mon_client(_mock_request(), '2_0')
+ self.assertIsNotNone(api_client)
+ mock_Client.assert_called_with(
+ api_version='2_0',
+ auth_url='identity_url',
+ endpoint='monitoring_url',
+ project_domain_id=55,
+ project_id=789,
+ token='22',
+ user_domain_id=923,
+ verify='/etc/ssl/certs/some2.crt')
diff --git a/monitoring/test/settings.py b/monitoring/test/settings.py
index 78dc942c..85e195db 100644
--- a/monitoring/test/settings.py
+++ b/monitoring/test/settings.py
@@ -125,3 +125,8 @@ NOSE_ARGS = ['--nocapture', '--cover-inclusive', '--with-xunit', '--all-modules'] + + +OPENSTACK_SSL_NO_VERIFY = False + +OPENSTACK_SSL_CACERT = '/etc/ssl/certs/some2.crt'
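Review bot: `ClientTests` never exercises the configuration with verification enabled and no CA bundle, i.e. `_get_to_verify(False, None)`, which is the one input where the helper returns neither `False` nor a path. A case such as `self.assertEqual(_get_to_verify(False, None), <expected value>)` would pin what the client is meant to receive there. `test_ssl_verify_with_cert` and `test_no_ssl_verify` read the overridden settings themselves and pass them to the helper, so they do not show that `monascaclient` picks the overrides up. Only `test_client` goes through the module-level values, and it depends on the `some2.crt` path added to `monitoring/test/settings.py`. `_mock_get_auth_params` is defined but not used in this file.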