Use https with CA conf

CA file is a new added config introduced to be used by Ceilometer-zvm. When zvm inspector needs to communicate with xcat, it will add the CA file into https communication so it can verify the xcat is the one that zvm inspector wants to communicate with. See following link for more info: https://bugs.launchpad.net/ossn/+bug/1188189 Change-Id: Ib7f1ce2d621f6dd2b5d3b9a63a004abffbc3f223
2016-11-15 09:46:17 +08:00 · 2016-11-15 09:46:17 +08:00 · 44f02e7848
commit 44f02e7848
parent ea63de838f
3 changed files with 51 additions and 4 deletions
--- a/ceilometer_zvm/compute/virt/zvm/inspector.py
+++ b/ceilometer_zvm/compute/virt/zvm/inspector.py
@ -49,6 +49,9 @@ zvm_ops = [
    cfg.IntOpt('cache_update_interval',
               default=600,
               help="Cached data update interval"),
+    cfg.StrOpt('zvm_xcat_ca_file',
+               default=None,
+               help="CA file for https connection to xcat"),
 ]


--- a/ceilometer_zvm/compute/virt/zvm/utils.py
+++ b/ceilometer_zvm/compute/virt/zvm/utils.py
@ -15,11 +15,14 @@

 import contextlib
 import functools
-import httplib
+import os
+from six.moves import http_client as httplib
 import socket
+import ssl

 from ceilometer.compute.virt import inspector
 from ceilometer.i18n import _
+from ceilometer.i18n import _LW
 from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_serialization import jsonutils
@ -102,14 +105,56 @@ class XCATUrl(object):
        return self._append_addp(rurl, addp)


+class HTTPSClientAuthConnection(httplib.HTTPSConnection):
+    """For https://wiki.openstack.org/wiki/OSSN/OSSN-0033."""
+
+    def __init__(self, host, port, ca_file, timeout=None, key_file=None,
+                 cert_file=None):
+        httplib.HTTPSConnection.__init__(self, host, port,
+                                         key_file=key_file,
+                                         cert_file=cert_file)
+        self.key_file = key_file
+        self.cert_file = cert_file
+        self.ca_file = ca_file
+        self.timeout = timeout
+        self.use_ca = True
+
+        if self.ca_file is None:
+            LOG.debug("no xCAT CA file specified, this is considered "
+                      "not secure")
+            self.use_ca = False
+
+    def connect(self):
+        sock = socket.create_connection((self.host, self.port), self.timeout)
+        if self._tunnel_host:
+            self.sock = sock
+            self._tunnel()
+
+        if (self.ca_file is not None and
+                not os.path.exists(self.ca_file)):
+            LOG.warning(_LW("the CA file %(ca_file) does not exist!"),
+                        {'ca_file': self.ca_file})
+            self.use_ca = False
+
+        if not self.use_ca:
+            self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file,
+                                        cert_reqs=ssl.CERT_NONE)
+        else:
+            self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file,
+                                        ca_certs=self.ca_file,
+                                        cert_reqs=ssl.CERT_REQUIRED)
+
+
 class XCATConnection(object):
    """Https requests to xCAT web service."""

    def __init__(self):
        """Initialize https connection to xCAT service."""
        self.host = CONF.zvm.zvm_xcat_server
-        self.conn = httplib.HTTPSConnection(self.host,
-                                timeout=CONF.zvm.zvm_xcat_connection_timeout)
+        self.port = 443
+        self.conn = HTTPSClientAuthConnection(self.host, self.port,
+                        CONF.zvm.zvm_xcat_ca_file,
+                        timeout=CONF.zvm.zvm_xcat_connection_timeout)

    def request(self, method, url, body=None, headers={}):
        """Send https request to xCAT server.
--- a/setup.cfg
+++ b/setup.cfg
@ -1,6 +1,5 @@
 [metadata]
 name = ceilometer-zvm
-version = 2015.2
 summary = Ceilometer zvm specific implementation of virt inspector
 description-file = README.rst
 author = IBM