From 984efbdfd2e765ba5a82c7a8c496c0e202b2e96f Mon Sep 17 00:00:00 2001 From: Radoslav Gerganov Date: Fri, 18 May 2018 13:18:58 +0300 Subject: [PATCH] Specify CA store when making secure connections with urllib3 We have been using FileHandle classes mostly in cases when we have to establish secure connection and we have an SSL thumbprint of the host we connect to. However, there are also cases when we don't have a thumbprint and we need CA store. This patch uses the requests library to provide such CA store. Change-Id: I8567c8c273a3bff41c4b80a77e1fa8af743bf98c --- oslo_vmware/rw_handles.py | 2 +- oslo_vmware/tests/test_rw_handles.py | 8 ++++++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/oslo_vmware/rw_handles.py b/oslo_vmware/rw_handles.py index e2f1bed0..3a01ed9d 100644 --- a/oslo_vmware/rw_handles.py +++ b/oslo_vmware/rw_handles.py @@ -78,7 +78,7 @@ class FileHandle(object): cert_reqs = ssl.CERT_REQUIRED else: cert_reqs = ssl.CERT_NONE - cacerts = None + cacerts = requests.certs.where() conn.set_cert(ca_certs=cacerts, cert_reqs=cert_reqs, assert_fingerprint=ssl_thumbprint) else: diff --git a/oslo_vmware/tests/test_rw_handles.py b/oslo_vmware/tests/test_rw_handles.py index ba33ce54..064ad8ec 100644 --- a/oslo_vmware/tests/test_rw_handles.py +++ b/oslo_vmware/tests/test_rw_handles.py @@ -20,6 +20,7 @@ Unit tests for read and write handles for image transfer. import ssl import mock +import requests import six from oslo_vmware import exceptions @@ -57,8 +58,10 @@ class FileHandleTest(base.TestCase): ret = handle._create_connection('https://localhost/foo?q=bar', 'GET') self.assertEqual(conn, ret) + ca_store = requests.certs.where() conn.set_cert.assert_called_once_with( - ca_certs=None, cert_reqs=ssl.CERT_NONE, assert_fingerprint=None) + ca_certs=ca_store, cert_reqs=ssl.CERT_NONE, + assert_fingerprint=None) conn.putrequest.assert_called_once_with('GET', '/foo?q=bar') @mock.patch('urllib3.connection.HTTPSConnection') 
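Review bot: In the rw_handles.py hunk, `cacerts = requests.certs.where()` replaces the old `cacerts = None` for both boolean values, so the bundle is also handed to `set_cert` when `cert_reqs` is `ssl.CERT_NONE` and nothing is verified (the updated test at -57,8 confirms this combination). Assigning it only on the verifying path, i.e. `cacerts = requests.certs.where()` next to `cert_reqs = ssl.CERT_REQUIRED` and `cacerts = None` next to `cert_reqs = ssl.CERT_NONE`, keeps the unverified path visibly unverified. The line also deserves a comment such as `# True selects the CA bundle shipped with requests, not an operator-configured store`, since a host whose certificate chains to a private CA would be expected to fail verification against that bundle. No `import requests` is added to rw_handles.py in this hunk, so confirm the module already imports it. The enclosing function starts and ends outside the hunk.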
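Review bot: The updated assertion in the test_rw_handles.py hunk at -57,8 (and the one at -71,8) derives its expected value from the same `requests.certs.where()` call that the code under test makes, so it proves the argument is forwarded but says nothing about which trust store is in use. This hunk also pins a non-None `ca_certs` together with `ssl.CERT_NONE` and `assert_fingerprint=None`, which is a connection with no certificate verification at all; a comment like `# cacerts not passed: no verification, the bundle is unused` above the assertion would keep readers from taking the CA path as evidence of validation. A case that passes `cacerts=True` together with a thumbprint is not visible in these hunks and may be worth adding if the rest of the file does not already cover it.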
@@ -71,8 +74,9 @@ class FileHandleTest(base.TestCase): cacerts=True) self.assertEqual(conn, ret) + ca_store = requests.certs.where() conn.set_cert.assert_called_once_with( - ca_certs=None, cert_reqs=ssl.CERT_REQUIRED, + ca_certs=ca_store, cert_reqs=ssl.CERT_REQUIRED, assert_fingerprint=None) @mock.patch('urllib3.connection.HTTPSConnection')