#185: can now specify ca_cert

cloudify-cosmo · Jan 9, 2018 · a052b9e · a052b9e
1 parent 6e922be
commit a052b9e
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 9 deletions.
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
@@ -1,15 +1,15 @@
-2.4.1.1
+2.4.1.1:
     - Fix router overwrite bug introduced in 2.4.1.
-2.4.1
+2.4.1:
     - Improve router update (configure step).
-2.4.0
+2.4.0:
     - Add Router Update (configure step).
 2.3.0:
     - Remove requirement on management_network_name property.
-2.2.0 :
+2.2.0:
     - Fix duplicated mapping key in plugin.yaml.
     - Create Server with security groups from instance relationships. This prevents a window of time when a server can
-    be unsecured. (OPENSTACK-38)
+      be unsecured. (OPENSTACK-38)
     - Fix floating IP detach issue. (OPENSTACK-12)
     - Allow openstack_config as runtime property. (OPENSTACK-112)
     - Fix key creation when folders don't exist.  (OPENSTACK-7)

diff --git a/openstack_plugin_common/__init__.py b/openstack_plugin_common/__init__.py
@@ -63,6 +63,9 @@
 MISSING_RESOURCE_MESSAGE = "Couldn't find a resource of " \
                            "type {0} with the name or id {1}"
 
+AUTH_PARAM_INSECURE = 'insecure'
+AUTH_PARM_CA_CERT = 'ca_cert'
+
 
 class ProviderContext(object):
 
@@ -498,7 +501,7 @@ class OpenStackClient(object):
         COMMON | {'project_id', 'project_name', 'user_domain_name'},
         COMMON | {'project_name', 'user_domain_name', 'project_domain_name'},
     ]
-    OPTIONAL_AUTH_PARAMS = {'insecure'}
+    OPTIONAL_AUTH_PARAMS = {AUTH_PARAM_INSECURE, AUTH_PARM_CA_CERT}
 
     def __init__(self, client_name, client_class, config=None, *args, **kw):
         cfg = Config.get()
@@ -586,15 +589,39 @@ def _split_config(cls, cfg):
 
     @staticmethod
     def _authenticate(cfg):
+        # 'verify' will contain one of the following:
+        #
+        # True: perform certificate validation against the underlying
+        #       CA certs bundle (note: this is the certs bundle used
+        #       by the 'requests' library, which is different from the
+        #       OS-provided one).
+        #
+        #       To get that, specify 'insecure: True'.
+        #
+        # False: disable certificate validation altogether.
+        #
+        #       To get that, specify 'insecure: False' (or any value
+        #       other than True).
+        #
+        # Any other string: path to the CA cert (or bundle) to verify
+        #                   against.
+        #
+        #                   To get that, specify 'ca_cert: path_to_file'
+        #                   and ensure 'insecure' is NOT specified.
         verify = True
-        if 'insecure' in cfg:
+        if AUTH_PARAM_INSECURE in cfg:
             cfg = cfg.copy()
             # NOTE: Next line will evaluate to False only when insecure is set
             # to True. Any other value (string etc.) will force verify to True.
             # This is done on purpose, since we do not wish to use insecure
             # connection by mistake.
-            verify = not (cfg['insecure'] is True)
-            del cfg['insecure']
+            verify = not (cfg[AUTH_PARAM_INSECURE] is True)
+            del cfg[AUTH_PARAM_INSECURE]
+        elif AUTH_PARM_CA_CERT in cfg:
+            cfg = cfg.copy()
+            verify = cfg[AUTH_PARM_CA_CERT]
+            del cfg[AUTH_PARM_CA_CERT]
+
         loader = loading.get_plugin_loader("password")
         auth = loader.load_from_options(**cfg)
         sess = session.Session(auth=auth, verify=verify)