x/cloudbase-init
Code Issues Proposed changes

Get credentials from metadata for WinRM auth plugin

Browse Source 
ConfigWinRMCertificateAuthPlugin plugin depends on SetUserPasswordPlugin
and CreateUserPlugin in order to retrieve the credentials which will
be used for setting up the WinRM authentication. This is not desirable,
since ConfigWinRMCertificateAuthPlugin can't run independently
of the other two. This patch obtains the username from the config file,
if it is not found in the shared data dictionary and it retrieves
the password using get_admin_password from the metadata service, if it
is not found in the shared data dictionary.

Change-Id: I587782ff9cb8989bf01f6d86dbdbd1fa6ec53d1b
Closes-Bug: #1433174
This commit is contained in:
Claudiu Popa 2015-04-03 18:09:04 +03:00
parent b56f0d2aa7
commit affb4fec98
2 changed files with 49 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
cloudbaseinit/plugins/windows/winrmcertificateauth.py
View File

@ -12,6 +12,8 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
from oslo.config import cfg
from cloudbaseinit import exception from cloudbaseinit import exception
from cloudbaseinit.openstack.common import log as logging from cloudbaseinit.openstack.common import log as logging
from cloudbaseinit.osutils import factory as osutils_factory from cloudbaseinit.osutils import factory as osutils_factory
@ -22,23 +24,30 @@ from cloudbaseinit.utils.windows import winrmconfig
from cloudbaseinit.utils.windows import x509 from cloudbaseinit.utils.windows import x509
CONF = cfg.CONF
CONF.import_opt('username', 'cloudbaseinit.plugins.common.createuser')
LOG = logging.getLogger(__name__) LOG = logging.getLogger(__name__)
class ConfigWinRMCertificateAuthPlugin(base.BasePlugin): class ConfigWinRMCertificateAuthPlugin(base.BasePlugin):
def _get_credentials(self, shared_data): @staticmethod
user_name = shared_data.get(constants.SHARED_DATA_USERNAME) def _get_credentials(service, shared_data):
user_name = shared_data.get(constants.SHARED_DATA_USERNAME,
CONF.username)
if not user_name: if not user_name:
raise exception.CloudbaseInitException( raise exception.CloudbaseInitException(
"Cannot execute plugin as the username has not been set in " "Cannot execute plugin as the username has not been set in "
"the plugins shared data") "the plugins shared data, nor it was found in config file.")
password = shared_data.get(constants.SHARED_DATA_PASSWORD) password = shared_data.get(constants.SHARED_DATA_PASSWORD)
if not password: if not password:
raise exception.CloudbaseInitException( password = service.get_admin_password()
"Cannot execute plugin as the password has not been set in the" if not password:
" plugins shared data") raise exception.CloudbaseInitException(
"Cannot execute plugin as the password has not been set "
"in the plugins shared data, nor it was retrieved "
"from the metadata service.")
# For security reasons unset the password in the shared_data # For security reasons unset the password in the shared_data
# as it is currently not needed by other plugins # as it is currently not needed by other plugins
@ -47,7 +56,7 @@ class ConfigWinRMCertificateAuthPlugin(base.BasePlugin):
return (user_name, password) return (user_name, password)
def execute(self, service, shared_data): def execute(self, service, shared_data):
user_name, password = self._get_credentials(shared_data) user_name, password = self._get_credentials(service, shared_data)
certs_data = service.get_client_auth_certs() certs_data = service.get_client_auth_certs()
if not certs_data: if not certs_data:

58
cloudbaseinit/tests/plugins/windows/test_winrmcertificateauth.py
View File

@ -23,6 +23,7 @@ except ImportError:
from cloudbaseinit import exception from cloudbaseinit import exception
from cloudbaseinit.plugins.common import base from cloudbaseinit.plugins.common import base
from cloudbaseinit.plugins.common import constants from cloudbaseinit.plugins.common import constants
from cloudbaseinit.tests import testutils
class ConfigWinRMCertificateAuthPluginTests(unittest.TestCase): class ConfigWinRMCertificateAuthPluginTests(unittest.TestCase):
@ -51,35 +52,41 @@ class ConfigWinRMCertificateAuthPluginTests(unittest.TestCase):
def tearDown(self): def tearDown(self):
self._module_patcher.stop() self._module_patcher.stop()
def _test_get_credentials(self, fake_user, fake_password): @testutils.ConfPatcher('username', '')
mock_shared_data = mock.MagicMock() def test_get_credentials_no_username(self):
mock_shared_data.get.side_effect = [fake_user, fake_password] with self.assertRaises(exception.CloudbaseInitException) as cm:
if fake_user is None or fake_password is None: self._certif_auth._get_credentials(mock.sentinel.service, {})
self.assertRaises(exception.CloudbaseInitException,
self._certif_auth._get_credentials,
mock_shared_data)
else:
response = self._certif_auth._get_credentials(mock_shared_data)
expected = [mock.call(constants.SHARED_DATA_USERNAME),
mock.call(constants.SHARED_DATA_PASSWORD)]
self.assertEqual(expected, mock_shared_data.get.call_args_list)
mock_shared_data.__setitem__.assert_called_once_with( expected_message = (
'admin_password', None) "Cannot execute plugin as the username has not been set in "
"the plugins shared data, nor it was found in config file.")
self.assertEqual(expected_message, str(cm.exception))
self.assertEqual((fake_user, fake_password), response) def test_get_credentials_no_password(self):
mock_service = mock.Mock()
mock_service.get_admin_password.return_value = None
def test_test_get_credentials(self): with self.assertRaises(exception.CloudbaseInitException) as cm:
self._test_get_credentials(fake_user='fake user', self._certif_auth._get_credentials(mock_service, {})
fake_password='fake password')
def test_test_get_credentials_no_user(self): expected_message = (
self._test_get_credentials(fake_user=None, "Cannot execute plugin as the password has not been set "
fake_password='fake password') "in the plugins shared data, nor it was retrieved "
"from the metadata service.")
self.assertEqual(expected_message, str(cm.exception))
mock_service.get_admin_password.assert_called_once_with()
def test_test_get_credentials_no_password(self): def test_get_credentials_get_admin_password(self):
self._test_get_credentials(fake_user='fake user', mock_service = mock.Mock()
fake_password=None) mock_service.get_admin_password.return_value = mock.sentinel.password
shared_data = {constants.SHARED_DATA_USERNAME: mock.sentinel.username}
result = self._certif_auth._get_credentials(mock_service, shared_data)
self.assertIsNone(shared_data[constants.SHARED_DATA_PASSWORD])
self.assertEqual((mock.sentinel.username, mock.sentinel.password),
result)
mock_service.get_admin_password.assert_called_once_with()
@mock.patch('cloudbaseinit.plugins.windows.winrmcertificateauth' @mock.patch('cloudbaseinit.plugins.windows.winrmcertificateauth'
'.ConfigWinRMCertificateAuthPlugin._get_credentials') '.ConfigWinRMCertificateAuthPlugin._get_credentials')
@ -127,7 +134,8 @@ class ConfigWinRMCertificateAuthPluginTests(unittest.TestCase):
self.assertEqual(expected_set_token_calls, self.assertEqual(expected_set_token_calls,
set_uac_rs.call_args_list) set_uac_rs.call_args_list)
mock_get_credentials.assert_called_once_with('fake data') mock_get_credentials.assert_called_once_with(
mock_service, 'fake data')
mock_import_cert.assert_called_once_with( mock_import_cert.assert_called_once_with(
cert_data, store_name=self.winrmcert.x509.STORE_NAME_ROOT) cert_data, store_name=self.winrmcert.x509.STORE_NAME_ROOT)