add "verify_ssl_path" config for barbican key manager
Currently we can't use verify_ssl when it is set to True, so we
add the "verify_ssl_path" config to solve it.
Closes-Bug: #1876102
(cherry picked from commit 89f311dfbd264a5d4309ea1ca4283f2746d6fa24)
Change-Id: I83bafe5b7e0c4cca67f773858007fb59d98a93a5
ramboman authored 3 years ago
Luigi Toscano committed 3 years ago
68 | 68 | cfg.BoolOpt('verify_ssl', |
69 | 69 | default=True, |
70 | 70 | help='Specifies if insecure TLS (https) requests. If False, ' |
71 | 'the server\'s certificate will not be validated'), | |
71 | 'the server\'s certificate will not be validated, if ' | |
72 | 'True, we can set the verify_ssl_path config meanwhile.'), | |
73 | cfg.StrOpt('verify_ssl_path', | |
74 | default=None, | |
75 | help='A path to a bundle or CA certs to check against, or ' | |
76 | 'None for requests to attempt to locate and use ' | |
77 | 'certificates which verify_ssh is True. If verify_ssl ' | |
78 | 'is False, this is ignored.'), | |
72 | 79 | cfg.StrOpt('barbican_endpoint_type', |
73 | 80 | default='public', |
74 | 81 | choices=['public', 'internal', 'admin'], |
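Review bot: The help text of the new `verify_ssl_path` option misnames its companion option: `'certificates which verify_ssh is True. If verify_ssl '` should say `verify_ssl`, and "certificates which ... is True" does not parse. Suggested wording for that line: `'certificates when verify_ssl is True. If verify_ssl '`. The tail added to the `verify_ssl` help, "if True, we can set the verify_ssl_path config meanwhile", is also unclear; `'True, verify_ssl_path may be set to use a custom CA bundle.'` says the same thing directly. On this rendered page the single-numbered lines 71 carry no old/new marker, so which one is the removed line is inferred from the context line numbers.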
121 | 128 | |
122 | 129 | try: |
123 | 130 | auth = self._get_keystone_auth(context) |
124 | sess = session.Session(auth=auth, | |
125 | verify=self.conf.barbican.verify_ssl) | |
131 | verify_ssl = self.conf.barbican.verify_ssl | |
132 | verify_ssl_path = self.conf.barbican.verify_ssl_path | |
133 | verify = verify_ssl and verify_ssl_path or verify_ssl | |
134 | sess = session.Session(auth=auth, verify=verify) | |
126 | 135 | |
127 | 136 | self._barbican_endpoint = self._get_barbican_endpoint(auth, sess) |
128 | 137 | self._barbican_client = barbican_client_import.Client( |
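Review bot: `verify = verify_ssl and verify_ssl_path or verify_ssl` uses the `cond and a or b` idiom, which only works here because the fallback happens to be `verify_ssl` itself; a conditional expression states the intent: `verify = verify_ssl_path if (verify_ssl and verify_ssl_path) else verify_ssl`. A one-line comment would help the next reader, since the value is polymorphic: `# verify: CA bundle path when verification is on and a path is set; True (default trust store) or False otherwise`. Note that an empty-string path silently falls back to the default trust store rather than being rejected, and nothing here checks that a configured path exists, so a misconfigured bundle presumably surfaces only when the session library fails to load it. The enclosing method starts and ends outside the hunk.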
38 | 38 | def set_defaults(conf, backend=None, barbican_endpoint=None, |
39 | 39 | barbican_api_version=None, auth_endpoint=None, |
40 | 40 | retry_delay=None, number_of_retries=None, verify_ssl=None, |
41 | verify_ssl_path=None, | |
41 | 42 | api_class=None, vault_root_token_id=None, |
42 | 43 | vault_approle_role_id=None, vault_approle_secret_id=None, |
43 | 44 | vault_kv_mountpoint=None, vault_url=None, |
54 | 55 | :param retry_delay: Use this attribute to set retry delay. |
55 | 56 | :param number_of_retries: Use this attribute to set number of retries. |
56 | 57 | :param verify_ssl: Use this to specify if ssl should be verified. |
58 | :param verify_ssl_path: Use this to specify the CA path. | |
57 | 59 | :param vault_root_token_id: Use this for the root token id for vault. |
58 | 60 | :param vault_approle_role_id: Use this for the approle role_id for vault. |
59 | 61 | :param vault_approle_secret_id: Use this for the approle secret_id |
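Review bot: The new `:param verify_ssl_path:` line says less than the option help in barbican_key_manager does; it should name what the path points to and that it is only consulted when verification is enabled: `:param verify_ssl_path: Use this to specify the CA bundle path to verify against; ignored unless verify_ssl is True.` set_defaults starts before this hunk and its body continues after it.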
94 | 96 | group=bkm.BARBICAN_OPT_GROUP) |
95 | 97 | if verify_ssl is not None: |
96 | 98 | conf.set_default('verify_ssl', verify_ssl, |
99 | group=bkm.BARBICAN_OPT_GROUP) | |
100 | if verify_ssl_path is not None: | |
101 | conf.set_default('verify_ssl_path', verify_ssl_path, | |
97 | 102 | group=bkm.BARBICAN_OPT_GROUP) |
98 | 103 | if barbican_endpoint_type is not None: |
99 | 104 | conf.set_default('barbican_endpoint_type', barbican_endpoint_type, |
61 | 61 | self.assertEqual(number_of_retries, |
62 | 62 | conf.get(bkm.BARBICAN_OPT_GROUP).number_of_retries) |
63 | 63 | |
64 | verify_ssl = True | |
65 | options.set_defaults(conf, verify_ssl=True) | |
64 | verify_ssl = False | |
65 | options.set_defaults(conf, verify_ssl=False) | |
66 | 66 | self.assertEqual(verify_ssl, |
67 | 67 | conf.get(bkm.BARBICAN_OPT_GROUP).verify_ssl) |
68 | ||
69 | verify_ssl_path = '/mnt' | |
70 | options.set_defaults(conf, verify_ssl_path='/mnt') | |
71 | self.assertEqual(verify_ssl_path, | |
72 | conf.barbican.verify_ssl_path) | |
68 | 73 | |
69 | 74 | barbican_endpoint_type = 'internal' |
70 | 75 | options.set_defaults(conf, barbican_endpoint_type='internal') |
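Review bot: The new assertion reads the option via `conf.barbican.verify_ssl_path` while every surrounding assertion goes through the group constant; for consistency use `self.assertEqual(verify_ssl_path, conf.get(bkm.BARBICAN_OPT_GROUP).verify_ssl_path)`. Changing the `verify_ssl` case from True to False does make that assertion meaningful, since True is the option default and would have passed even if set_defaults had no effect. What this test does not cover is the selection of the `verify` value handed to the session in barbican_key_manager (path, True, or False); a key-manager unit test with verify_ssl True plus a path, True without a path, and False would pin those three outcomes. The enclosing test method starts outside the hunk.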