python-castellan / 46575f0
add "verify_ssl_path" config for barbican key manager Now we can't use the verify_ssl if we set True, so we add the "verify_ssl_path" config to solve it. Closes-Bug: #1876102 (cherry picked from commit 89f311dfbd264a5d4309ea1ca4283f2746d6fa24) Change-Id: I83bafe5b7e0c4cca67f773858007fb59d98a93a5 ramboman authored 3 years ago Luigi Toscano committed 3 years ago
4 changed file(s) with 30 addition(s) and 5 deletion(s).
6868 cfg.BoolOpt('verify_ssl',
6969 default=True,
7070 help='Specifies if insecure TLS (https) requests. If False, '
71 'the server\'s certificate will not be validated'),
71 'the server\'s certificate will not be validated, if '
72 'True, we can set the verify_ssl_path config meanwhile.'),
73 cfg.StrOpt('verify_ssl_path',
74 default=None,
75 help='A path to a bundle or CA certs to check against, or '
76 'None for requests to attempt to locate and use '
77 'certificates which verify_ssh is True. If verify_ssl '
78 'is False, this is ignored.'),
7279 cfg.StrOpt('barbican_endpoint_type',
7380 default='public',
7481 choices=['public', 'internal', 'admin'],
121128
122129 try:
123130 auth = self._get_keystone_auth(context)
124 sess = session.Session(auth=auth,
125 verify=self.conf.barbican.verify_ssl)
131 verify_ssl = self.conf.barbican.verify_ssl
132 verify_ssl_path = self.conf.barbican.verify_ssl_path
133 verify = verify_ssl and verify_ssl_path or verify_ssl
134 sess = session.Session(auth=auth, verify=verify)
126135
127136 self._barbican_endpoint = self._get_barbican_endpoint(auth, sess)
128137 self._barbican_client = barbican_client_import.Client(
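Review bot: The `verify` expression on new line 133 uses the `a and b or c` idiom, which gives the right result here but is hard to audit for a setting that decides whether the Barbican server certificate is checked. An unset or empty `verify_ssl_path` must fall back to `verify_ssl` (True) and never reach `session.Session` as a falsy value, since requests, as far as I know, treats a falsy `verify` as verification disabled. I would spell that out as `verify = verify_ssl_path if (verify_ssl and verify_ssl_path) else verify_ssl` with the comment `# empty path falls back to the default CA bundle; False still disables verification`. In the new option's help text (new line 77), `verify_ssh` should read `verify_ssl`. The enclosing `try` block and its method start and end outside the visible lines.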
3838 def set_defaults(conf, backend=None, barbican_endpoint=None,
3939 barbican_api_version=None, auth_endpoint=None,
4040 retry_delay=None, number_of_retries=None, verify_ssl=None,
41 verify_ssl_path=None,
4142 api_class=None, vault_root_token_id=None,
4243 vault_approle_role_id=None, vault_approle_secret_id=None,
4344 vault_kv_mountpoint=None, vault_url=None,
5455 :param retry_delay: Use this attribute to set retry delay.
5556 :param number_of_retries: Use this attribute to set number of retries.
5657 :param verify_ssl: Use this to specify if ssl should be verified.
58 :param verify_ssl_path: Use this to specify the CA path.
5759 :param vault_root_token_id: Use this for the root token id for vault.
5860 :param vault_approle_role_id: Use this for the approle role_id for vault.
5961 :param vault_approle_secret_id: Use this for the approle secret_id
9496 group=bkm.BARBICAN_OPT_GROUP)
9597 if verify_ssl is not None:
9698 conf.set_default('verify_ssl', verify_ssl,
99 group=bkm.BARBICAN_OPT_GROUP)
100 if verify_ssl_path is not None:
101 conf.set_default('verify_ssl_path', verify_ssl_path,
97102 group=bkm.BARBICAN_OPT_GROUP)
98103 if barbican_endpoint_type is not None:
99104 conf.set_default('barbican_endpoint_type', barbican_endpoint_type,
6161 self.assertEqual(number_of_retries,
6262 conf.get(bkm.BARBICAN_OPT_GROUP).number_of_retries)
6363
64 verify_ssl = True
65 options.set_defaults(conf, verify_ssl=True)
64 verify_ssl = False
65 options.set_defaults(conf, verify_ssl=False)
6666 self.assertEqual(verify_ssl,
6767 conf.get(bkm.BARBICAN_OPT_GROUP).verify_ssl)
68
69 verify_ssl_path = '/mnt'
70 options.set_defaults(conf, verify_ssl_path='/mnt')
71 self.assertEqual(verify_ssl_path,
72 conf.barbican.verify_ssl_path)
6873
6974 barbican_endpoint_type = 'internal'
7075 options.set_defaults(conf, barbican_endpoint_type='internal')
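Review bot: The added assertions (new lines 69-72) only check that `set_defaults` stores `verify_ssl_path`; nothing visible here exercises the value the key manager actually passes to `session.Session(verify=...)`. That computation decides whether the server certificate is validated, so it deserves a test pinning three cases: `verify_ssl=True` with a path yields the path, `verify_ssl=True` with no path yields `True`, and `verify_ssl=False` with a path yields `False`. The second case matters most, because a regression that lets an empty path through would quietly turn verification off. The test method starts and ends outside the visible lines.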
0 ---
1 fixes:
2 - |
3 Add a new parameter, ``verify_ssl_path``, that can be used to
4 configure the path to CA certs when verifying requests to
5 Barbican.