add "verify_ssl_path" config for barbican key manager
Now we cann't use the verify_ssl if we set True, so we
add the "verify_ssl_path" config to solve it.
Closes-Bug: #1876102
(cherry picked from commit 89f311dfbd264a5d4309ea1ca4283f2746d6fa24)
Change-Id: I83bafe5b7e0c4cca67f773858007fb59d98a93a5
ramboman
3 years ago
| 63 | 63 | cfg.BoolOpt('verify_ssl', |
| 64 | 64 | default=True, |
| 65 | 65 | help='Specifies if insecure TLS (https) requests. If False, ' |
| 66 | 'the server\'s certificate will not be validated'), | |
| 66 | 'the server\'s certificate will not be validated, if ' | |
| 67 | 'True, we can set the verify_ssl_path config meanwhile.'), | |
| 68 | cfg.StrOpt('verify_ssl_path', | |
| 69 | default=None, | |
| 70 | help='A path to a bundle or CA certs to check against, or ' | |
| 71 | 'None for requests to attempt to locate and use ' | |
| 72 | 'certificates which verify_ssh is True. If verify_ssl ' | |
| 73 | 'is False, this is ignored.'), | |
| 67 | 74 | cfg.StrOpt('barbican_endpoint_type', |
| 68 | 75 | default='public', |
| 69 | 76 | choices=['public', 'internal', 'admin'], |
| 108 | 115 | |
| 109 | 116 | try: |
| 110 | 117 | auth = self._get_keystone_auth(context) |
| 111 | sess = session.Session(auth=auth, | |
| 112 | verify=self.conf.barbican.verify_ssl) | |
| 118 | verify_ssl = self.conf.barbican.verify_ssl | |
| 119 | verify_ssl_path = self.conf.barbican.verify_ssl_path | |
| 120 | verify = verify_ssl and verify_ssl_path or verify_ssl | |
| 121 | sess = session.Session(auth=auth, verify=verify) | |
| 113 | 122 | |
| 114 | 123 | self._barbican_endpoint = self._get_barbican_endpoint(auth, sess) |
| 115 | 124 | self._barbican_client = barbican_client_import.Client( |
| 40 | 40 | def set_defaults(conf, backend=None, barbican_endpoint=None, |
| 41 | 41 | barbican_api_version=None, auth_endpoint=None, |
| 42 | 42 | retry_delay=None, number_of_retries=None, verify_ssl=None, |
| 43 | verify_ssl_path=None, | |
| 43 | 44 | api_class=None, vault_root_token_id=None, |
| 44 | 45 | vault_approle_role_id=None, vault_approle_secret_id=None, |
| 45 | 46 | vault_kv_mountpoint=None, vault_url=None, |
| 56 | 57 | :param retry_delay: Use this attribute to set retry delay. |
| 57 | 58 | :param number_of_retries: Use this attribute to set number of retries. |
| 58 | 59 | :param verify_ssl: Use this to specify if ssl should be verified. |
| 60 | :param verify_ssl_path: Use this to specify the CA path. | |
| 59 | 61 | :param vault_root_token_id: Use this for the root token id for vault. |
| 60 | 62 | :param vault_approle_role_id: Use this for the approle role_id for vault. |
| 61 | 63 | :param vault_approle_secret_id: Use this for the approle secret_id |
| 101 | 103 | group=bkm._BARBICAN_OPT_GROUP) |
| 102 | 104 | if verify_ssl is not None: |
| 103 | 105 | conf.set_default('verify_ssl', verify_ssl, |
| 106 | group=bkm._BARBICAN_OPT_GROUP) | |
| 107 | if verify_ssl_path is not None: | |
| 108 | conf.set_default('verify_ssl_path', verify_ssl_path, | |
| 104 | 109 | group=bkm._BARBICAN_OPT_GROUP) |
| 105 | 110 | if barbican_endpoint_type is not None: |
| 106 | 111 | conf.set_default('barbican_endpoint_type', barbican_endpoint_type, |
| 61 | 61 | self.assertEqual(number_of_retries, |
| 62 | 62 | conf.barbican.number_of_retries) |
| 63 | 63 | |
| 64 | verify_ssl = True | |
| 65 | options.set_defaults(conf, verify_ssl=True) | |
| 64 | verify_ssl = False | |
| 65 | options.set_defaults(conf, verify_ssl=False) | |
| 66 | 66 | self.assertEqual(verify_ssl, |
| 67 | 67 | conf.barbican.verify_ssl) |
| 68 | ||
| 69 | verify_ssl_path = '/mnt' | |
| 70 | options.set_defaults(conf, verify_ssl_path='/mnt') | |
| 71 | self.assertEqual(verify_ssl_path, | |
| 72 | conf.barbican.verify_ssl_path) | |
| 68 | 73 | |
| 69 | 74 | barbican_endpoint_type = 'internal' |
| 70 | 75 | options.set_defaults(conf, barbican_endpoint_type='internal') |