From 091b4d1d186565e5e9b70ddd72b95487a3e753e8 Mon Sep 17 00:00:00 2001
From: Stan Lagun
Date: Fri, 6 May 2016 07:51:24 -0700
Subject: [PATCH] Allow insecure SSL communications with RabbitMQ
Add insecure option to [rabbitmq] section of murano.conf This is a partial fix because it improves Engine <-> RMQ communications but the same problem exist on Agent <-> RMQ side
Partial-Bug: #1578421
Change-Id: I55207c3016da12be45918a7dc33795abf69627b4
---
 doc/source/install/ssl.rst | 1 +
 meta/io.murano/Classes/Environment.yaml | 1 +
 .../Classes/resources/LinuxMuranoInstance.yaml | 1 +
 meta/io.murano/Resources/Agent-v2.template | 3 +++
 murano/cmd/manage.py | 1 -
 murano/common/config.py | 4 ++++
 murano/common/messaging/mqclient.py | 12 +++++++++---
 murano/engine/system/common.py | 3 ++-
 8 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/doc/source/install/ssl.rst b/doc/source/install/ssl.rst
index 6578e58b7..c94ddffba 100644
--- a/doc/source/install/ssl.rst
+++ b/doc/source/install/ssl.rst
@@ -96,6 +96,7 @@ Just set *ssl* parameter to True to enable ssl.
 password = guest
 virtual_host = /
 ssl = True
+ insecure = False
 If you want to configure Murano Agent in a different way change the default template. It can be found in Murano Core Library, located at *http://git.openstack.org/cgit/openstack/murano/tree/meta/io.murano/Resources/Agent-v1.template*. Take
diff --git a/meta/io.murano/Classes/Environment.yaml b/meta/io.murano/Classes/Environment.yaml
index db0bcccd5..3685377f8 100644
--- a/meta/io.murano/Classes/Environment.yaml
+++ b/meta/io.murano/Classes/Environment.yaml
@@ -61,6 +61,7 @@ Properties:
 virtual_host: $.string() or '/'
 ssl: $.bool() or false
 ca_certs: $.string() or ''
+ insecure: $.bool() or false
 Usage: Config
 region:
diff --git a/meta/io.murano/Classes/resources/LinuxMuranoInstance.yaml b/meta/io.murano/Classes/resources/LinuxMuranoInstance.yaml
index 7a644ba09..a5ebfeb35 100644
--- a/meta/io.murano/Classes/resources/LinuxMuranoInstance.yaml
+++ b/meta/io.murano/Classes/resources/LinuxMuranoInstance.yaml
@@ -74,6 +74,7 @@ Methods:
 "%RABBITMQ_PASSWORD%": $rabbitMqParams.password
 "%RABBITMQ_VHOST%": $rabbitMqParams.virtual_host
 "%RABBITMQ_SSL%": str($rabbitMqParams.ssl).toLower()
+ "%RABBITMQ_INSECURE%": str($rabbitMqParams.insecure).toLower()
 "%RABBITMQ_INPUT_QUEUE%": $.agent.queueName()
 "%RESULT_QUEUE%": $environment.agentListener.queueName()
 - $scriptReplacements:
diff --git a/meta/io.murano/Resources/Agent-v2.template b/meta/io.murano/Resources/Agent-v2.template
index 5fe1be8eb..a06a4f578 100644
--- a/meta/io.murano/Resources/Agent-v2.template
+++ b/meta/io.murano/Resources/Agent-v2.template
@@ -24,6 +24,9 @@ port = %RABBITMQ_PORT%
 # Use SSL for RabbitMQ connections (True or False)
 ssl = %RABBITMQ_SSL%
+# Do not verify SSL certificates
+insecure = %RABBITMQ_INSECURE%
+
 # Path to SSL CA certificate or empty to allow self signed server certificate
 ca_certs = '/etc/murano/certs/ca_certs'
diff --git a/murano/cmd/manage.py b/murano/cmd/manage.py
index 9fedeb771..a8ca9eb70 100644
--- a/murano/cmd/manage.py
+++ b/murano/cmd/manage.py
@@ -17,7 +17,6 @@ This file is about to be deprecated, please use python-muranoclient.
 *** Deprecation warning ***
 """
-
 import sys
 import traceback
diff --git a/murano/common/config.py b/murano/common/config.py
index 9f62b8ce9..8054bf52c 100644
--- a/murano/common/config.py
+++ b/murano/common/config.py
@@ -57,6 +57,10 @@ rabbit_opts = [
 cfg.StrOpt('ca_certs', default='',
 help='SSL cert file (valid only if SSL enabled).'),
+
+ cfg.BoolOpt('insecure', default=False,
+ help='This option explicitly allows Murano to perform '
+ '"insecure" SSL connections to RabbitMQ'),
 ]
 heat_opts = [
diff --git a/murano/common/messaging/mqclient.py b/murano/common/messaging/mqclient.py
index d5f22ed3f..d2057ee1d 100644
--- a/murano/common/messaging/mqclient.py
+++ b/murano/common/messaging/mqclient.py
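Review bot: In meta/io.murano/Resources/Agent-v2.template the new `insecure` key sits directly above a `ca_certs` comment that already describes its own way of relaxing verification ("empty to allow self signed server certificate"), and nothing says which setting wins when both are present. The commit message also states that the agent side is not fixed by this change, so whether the agent reads this key at all is not visible here; if it does not, the line is misleading until the agent change lands. A comment such as `# Do not verify the RabbitMQ server certificate (applies only when ssl = True)`, plus one sentence on how it interacts with `ca_certs`, would cover it.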
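Review bot: In murano/common/config.py the help text for the new `insecure` option does not say what is being relaxed or when it applies. Wording such as `help='Disable verification of the RabbitMQ server certificate. Only used when ssl is enabled; leaves the connection open to man-in-the-middle interception.'` tells operators what they are switching off. Because the MqClient change in this same commit treats the option differently when `ca_certs` is set, the help should also describe that interaction once it is settled. `rabbit_opts` begins before the hunk.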
@@ -25,13 +25,19 @@ kombu = patcher.import_patched('kombu')
 class MqClient(object):
 def __init__(self, login, password, host, port, virtual_host,
- ssl=False, ca_certs=None):
+ ssl=False, ca_certs=None, insecure=False):
 ssl_params = None
- if ssl is True:
+ if ssl:
+ cert_reqs = ssl_module.CERT_REQUIRED
+ if insecure:
+ if ca_certs:
+ cert_reqs = ssl_module.CERT_OPTIONAL
+ else:
+ cert_reqs = ssl_module.CERT_NONE
 ssl_params = {
 'ca_certs': ca_certs,
- 'cert_reqs': ssl_module.CERT_REQUIRED
+ 'cert_reqs': cert_reqs
 }
 self._connection = kombu.Connection(
diff --git a/murano/engine/system/common.py b/murano/engine/system/common.py
index ab7770467..116524265 100644
--- a/murano/engine/system/common.py
+++ b/murano/engine/system/common.py
@@ -29,6 +29,7 @@ def create_rmq_client():
 'port': rabbitmq.port,
 'virtual_host': rabbitmq.virtual_host,
 'ssl': rabbitmq.ssl,
- 'ca_certs': rabbitmq.ca_certs.strip() or None
+ 'ca_certs': rabbitmq.ca_certs.strip() or None,
+ 'insecure': rabbitmq.insecure
 }
 return mqclient.MqClient(**connection_params)
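Review bot: In murano/common/messaging/mqclient.py the `insecure` path picks `ssl_module.CERT_OPTIONAL` when `ca_certs` is set (reading the `else` as paired with `if ca_certs:`, since indentation is lost on this page), and Python's ssl documentation says that for a client socket `CERT_OPTIONAL` means the same as `CERT_REQUIRED`. So with a CA file configured, `insecure = True` most likely changes nothing and an untrusted broker certificate is still rejected, while without a CA file verification is switched off entirely. If the flag is meant to disable verification, `cert_reqs = ssl_module.CERT_NONE if insecure else ssl_module.CERT_REQUIRED` states that in one line; if the CA-file case is meant to keep verifying, a comment should say so. A warning logged when `CERT_NONE` is selected would also let operators spot deployments running without broker authentication. `__init__` continues past the end of the hunk.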