From 44f02e7848ce0ffb4dd27bfc9b17a3d6ca7ccc88 Mon Sep 17 00:00:00 2001
From: Huang Rui
Date: Tue, 15 Nov 2016 09:46:17 +0800
Subject: [PATCH] Use https with CA conf
CA file is a new added config introduced to be used by Ceilometer-zvm. When zvm inspector needs to communicate with xcat, it will add the CA file into https communication so it can verify the xcat is the one that zvm inspector wants to communicate with. See following link for more info: https://bugs.launchpad.net/ossn/+bug/1188189
Change-Id: Ib7f1ce2d621f6dd2b5d3b9a63a004abffbc3f223
---
 ceilometer_zvm/compute/virt/zvm/inspector.py | 3 ++
 ceilometer_zvm/compute/virt/zvm/utils.py | 51 ++++++++++++++++++--
 setup.cfg | 1 -
 3 files changed, 51 insertions(+), 4 deletions(-)
diff --git a/ceilometer_zvm/compute/virt/zvm/inspector.py b/ceilometer_zvm/compute/virt/zvm/inspector.py
index d01c0f2..e4eaf72 100644
--- a/ceilometer_zvm/compute/virt/zvm/inspector.py
+++ b/ceilometer_zvm/compute/virt/zvm/inspector.py
@@ -49,6 +49,9 @@ zvm_ops = [
 cfg.IntOpt('cache_update_interval',
 default=600,
 help="Cached data update interval"),
+ cfg.StrOpt('zvm_xcat_ca_file',
+ default=None,
+ help="CA file for https connection to xcat"),
 ]
diff --git a/ceilometer_zvm/compute/virt/zvm/utils.py b/ceilometer_zvm/compute/virt/zvm/utils.py
index 1445b93..040bcce 100644
--- a/ceilometer_zvm/compute/virt/zvm/utils.py
+++ b/ceilometer_zvm/compute/virt/zvm/utils.py
@@ -15,11 +15,14 @@
 import contextlib
 import functools
-import httplib
+import os
+from six.moves import http_client as httplib
 import socket
+import ssl
 from ceilometer.compute.virt import inspector
 from ceilometer.i18n import _
+from ceilometer.i18n import _LW
 from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_serialization import jsonutils
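Review bot: The help text for the new `zvm_xcat_ca_file` option does not say what happens when it is left at its default of None. From the utils.py changes in this same commit, an unset CA file means the xCAT server certificate is not verified at all, and an operator reading the generated sample config should see that consequence on the option itself rather than in the code. Suggest `help="Path to the CA bundle used to verify the xCAT server certificate; if unset, the https connection to xCAT is not verified"`.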
@@ -102,14 +105,56 @@ class XCATUrl(object):
 return self._append_addp(rurl, addp)
+class HTTPSClientAuthConnection(httplib.HTTPSConnection):
+ """For https://wiki.openstack.org/wiki/OSSN/OSSN-0033."""
+
+ def __init__(self, host, port, ca_file, timeout=None, key_file=None,
+ cert_file=None):
+ httplib.HTTPSConnection.__init__(self, host, port,
+ key_file=key_file,
+ cert_file=cert_file)
+ self.key_file = key_file
+ self.cert_file = cert_file
+ self.ca_file = ca_file
+ self.timeout = timeout
+ self.use_ca = True
+
+ if self.ca_file is None:
+ LOG.debug("no xCAT CA file specified, this is considered "
+ "not secure")
+ self.use_ca = False
+
+ def connect(self):
+ sock = socket.create_connection((self.host, self.port), self.timeout)
+ if self._tunnel_host:
+ self.sock = sock
+ self._tunnel()
+
+ if (self.ca_file is not None and
+ not os.path.exists(self.ca_file)):
+ LOG.warning(_LW("the CA file %(ca_file) does not exist!"),
+ {'ca_file': self.ca_file})
+ self.use_ca = False
+
+ if not self.use_ca:
+ self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file,
+ cert_reqs=ssl.CERT_NONE)
+ else:
+ self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file,
+ ca_certs=self.ca_file,
+ cert_reqs=ssl.CERT_REQUIRED)
+
+
 class XCATConnection(object):
 """Https requests to xCAT web service."""
 def __init__(self):
 """Initialize https connection to xCAT service."""
 self.host = CONF.zvm.zvm_xcat_server
- self.conn = httplib.HTTPSConnection(self.host,
- timeout=CONF.zvm.zvm_xcat_connection_timeout)
+ self.port = 443
+ self.conn = HTTPSClientAuthConnection(self.host, self.port,
+ CONF.zvm.zvm_xcat_ca_file,
+ timeout=CONF.zvm.zvm_xcat_connection_timeout)
 def request(self, method, url, body=None, headers={}):
 """Send https request to xCAT server.
diff --git a/setup.cfg b/setup.cfg
index 8ecde89..ae4fd75 100644
--- a/setup.cfg
+++ b/setup.cfg
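Review bot: `connect()` fails open: when `ca_file` is configured but not present on disk it only logs a warning, sets `use_ca = False` and wraps the socket with `cert_reqs=ssl.CERT_NONE`, so a typo in the configured path silently turns off the verification this patch introduces; a configured-but-absent CA file should raise instead of downgrading, and the unset-CA case in `__init__` is reported only at debug level, which hides the same downgrade in production logs. The warning's format string is also defective: `%(ca_file)` has no `s` conversion, so the following space and `d` are parsed as a flag and a `%d` conversion and the message cannot be rendered with a path string — it should read `_LW("the CA file %(ca_file)s does not exist!")`. Separately, `ssl.wrap_socket(..., ca_certs=self.ca_file, cert_reqs=ssl.CERT_REQUIRED)` validates the chain against the CA but does not check that the presented certificate matches `self.host`, so any certificate issued by that CA is accepted as xCAT; where the supported interpreters have `ssl.SSLContext` (2.7.9+ / 3.4+), `ssl.create_default_context(cafile=...)` with `server_hostname=self.host` adds the hostname check. The rewritten verified branch below uses `ValueError` only as a placeholder for whatever configuration-error type the project prefers.
```python
    def connect(self):
        # … unchanged: create_connection and the _tunnel_host handling …

        if self.ca_file is not None and not os.path.exists(self.ca_file):
            # Fail closed: a configured-but-missing CA file is a deployment
            # error, not a reason to silently skip verification.
            raise ValueError(_("xCAT CA file %s does not exist") % self.ca_file)

        if not self.use_ca:
            self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file,
                                        cert_reqs=ssl.CERT_NONE)
        else:
            context = ssl.create_default_context(cafile=self.ca_file)
            if self.cert_file:
                context.load_cert_chain(self.cert_file, self.key_file)
            # check_hostname is on by default for create_default_context:
            # the chain must validate AND the certificate must match self.host
            self.sock = context.wrap_socket(sock, server_hostname=self.host)
```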
@@ -1,6 +1,5 @@
 [metadata]
 name = ceilometer-zvm
-version = 2015.2
 summary = Ceilometer zvm specific implementation of virt inspector
 description-file = README.rst
 author = IBM