diff --git a/openstack/config/cloud_region.py b/openstack/config/cloud_region.py index 0bc7f68f7..d32cac4f5 100644 --- a/openstack/config/cloud_region.py +++ b/openstack/config/cloud_region.py @@ -174,11 +174,16 @@ class CloudRegion(object): def get_requests_verify_args(self): """Return the verify and cert values for the requests library.""" - if self.config.get('verify') and self.config.get('cacert'): - verify = self.config.get('cacert') + insecure = self.config.get('insecure', False) + verify = self.config.get('verify', True) + cacert = self.config.get('cacert') + # Insecure is the most aggressive setting, so it wins + if insecure: + verify = False + if verify and cacert: + verify = cacert else: - verify = self.config.get('verify') - if self.config.get('cacert'): + if cacert: warnings.warn( "You are specifying a cacert for the cloud {full_name}" " but also to ignore the host verification. The host SSL" diff --git a/openstack/tests/unit/config/test_cloud_config.py b/openstack/tests/unit/config/test_cloud_config.py index dc0fc080a..fb2f54eb1 100644 --- a/openstack/tests/unit/config/test_cloud_config.py +++ b/openstack/tests/unit/config/test_cloud_config.py @@ -99,6 +99,11 @@ class TestCloudRegion(base.TestCase): (verify, cert) = cc.get_requests_verify_args() self.assertTrue(verify) + config_dict['insecure'] = True + cc = cloud_region.CloudRegion("test1", "region-xx", config_dict) + (verify, cert) = cc.get_requests_verify_args() + self.assertFalse(verify) + def test_verify_cacert(self): config_dict = copy.deepcopy(fake_config_dict) config_dict['cacert'] = "certfile" @@ -113,6 +118,11 @@ class TestCloudRegion(base.TestCase): (verify, cert) = cc.get_requests_verify_args() self.assertEqual("certfile", verify) + config_dict['insecure'] = True + cc = cloud_region.CloudRegion("test1", "region-xx", config_dict) + (verify, cert) = cc.get_requests_verify_args() + self.assertEqual(False, verify) + def test_cert_with_key(self): config_dict = copy.deepcopy(fake_config_dict) config_dict['cacert'] = None