From 8481315c4e758cf04520d03f6eeafb963a5bf0f8 Mon Sep 17 00:00:00 2001
From: Dave McCowan
Date: Tue, 9 Feb 2016 23:50:06 -0500
Subject: [PATCH] Add support for TLS enabled endpoints
OpenStack supports endpoints that are protected by TLS. URLs with the https:// prefix can be found in the openrc file and also returned from the keystone endpoint list. VMTP, as a client, should be ready to send TLS enabled requests to OpenStack and also verify the server side certificate that is sent by the endpoint. To validate a server side certificate, a client needs a copy of the CA certificate representings the signing authority of the server certificate. For OpenStack, this CA certificat is pointed to by the environment variable OS_CACERT. The OpenStack client implementations accept the value in kwargs, as either 'cacert' or 'ca_cert'.
Change-Id: I5b093d38ed51430d7c1ad09c65ec4961db818825
---
 vmtp/credentials.py | 8 ++++++++
 vmtp/vmtp.py | 3 ++-
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/vmtp/credentials.py b/vmtp/credentials.py
index ddb62b2..2249856 100644
--- a/vmtp/credentials.py
+++ b/vmtp/credentials.py
@@ -27,6 +27,8 @@ class Credentials(object):
 dct['password'] = self.rc_password
 dct['auth_url'] = self.rc_auth_url
 dct['tenant_name'] = self.rc_tenant_name
+ dct['cacert'] = self.rc_cacert
+ dct['ca_cert'] = self.rc_cacert
 return dct
 def get_nova_credentials(self):
@@ -35,6 +37,7 @@ class Credentials(object):
 dct['api_key'] = self.rc_password
 dct['auth_url'] = self.rc_auth_url
 dct['project_id'] = self.rc_tenant_name
+ dct['cacert'] = self.rc_cacert
 return dct
 def get_nova_credentials_v2(self):
@@ -51,6 +54,7 @@ class Credentials(object):
 self.rc_username = None
 self.rc_tenant_name = None
 self.rc_auth_url = None
+ self.rc_cacert = None
 success = True
 if openrc_file: 
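Review bot: The two added keys in get_credentials carry the same value under both 'cacert' and 'ca_cert', so any consumer that unpacks this dict as `**kwargs` into a client constructor accepting only one spelling will fail on the other as an unexpected keyword; the commit message itself says each client takes one or the other, which suggests each consumer wants exactly one. When OS_CACERT is unset the dict also carries an explicit `None`, and not every client treats an explicit `cacert=None` the same as an omitted argument (some may pass it straight through as their verify setting), so that path is worth confirming against each client that receives the dict rather than assuming default verification kicks in. A comment above the pair would record the intent either way: `# CA bundle for verifying TLS endpoints (OS_CACERT); None is expected to mean "client default verification" — confirm per client`. The method's signature is outside the hunk.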
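Review bot: get_nova_credentials adds only 'cacert', while get_credentials just above adds both 'cacert' and 'ca_cert' for the same value; if the asymmetry is deliberate it should say so, otherwise the two dicts should agree. A one-line hedged comment prevents a later "fix" in either direction: `# NOTE(review): only 'cacert' here, unlike get_credentials — confirm the nova client needs no 'ca_cert' alias`. The method's signature is outside the hunk.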
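Review bot: The new `self.rc_cacert = None` default is undocumented, and since it is the value that decides whether TLS verification uses a custom bundle, its meaning should be stated where it is declared. A short comment is enough: `# Path to the CA bundle used to verify TLS endpoints (from OS_CACERT); None means no custom bundle was configured`. The enclosing constructor starts and ends outside the hunk.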
@@ -79,6 +83,8 @@ class Credentials(object):
 self.rc_auth_url = value
 elif name == 'TENANT_NAME':
 self.rc_tenant_name = value
+ elif name == "CACERT": self.rc_cacert = value
 else:
 print 'Error: rc file does not exist %s' % (openrc_file)
 success = False
@@ -94,6 +100,8 @@ class Credentials(object):
 self.rc_username = os.environ['OS_USERNAME']
 self.rc_auth_url = os.environ['OS_AUTH_URL']
 self.rc_tenant_name = os.environ['OS_TENANT_NAME']
+ if 'OS_CACERT' in os.environ:
+ self.rc_cacert = os.environ['OS_CACERT']
 # always override with CLI argument if provided
 if pwd:
diff --git a/vmtp/vmtp.py b/vmtp/vmtp.py
index 4091123..d3b1d60 100755
--- a/vmtp/vmtp.py
+++ b/vmtp/vmtp.py
@@ -215,7 +215,8 @@ class VmtpTest(object):
 glance_endpoint = keystone.service_catalog.url_for(
 service_type='image', endpoint_type='publicURL')
 self.glance_client = glanceclient.Client(
- glance_endpoint, token=keystone.auth_token)
+ glance_endpoint, token=keystone.auth_token,
+ cacert=creds['cacert'])
 self.comp.upload_image_via_url(
 self.glance_client, self.config.image_name,
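Review bot: The new CACERT branch stores the rc-file value without checking that it names a readable file, so a typo in the openrc path only surfaces later as an opaque TLS handshake failure far from the parsing code. The surrounding code already reports bad input with `print 'Error: ...'` and `success = False`, so the same pattern fits here, placed before the assignment: `if not os.path.isfile(value):` / `print 'Error: CA certificate file does not exist %s' % (value)` / `success = False` (`os` is already used in this file for `os.environ`). In this rendering `self.rc_cacert = value` shows no `+` marker, but the hunk counts (6 old lines, 8 new) indicate it is part of the addition. The enclosing parsing loop starts and ends outside the hunk.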
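Review bot: The added environment branch only tests for presence, so an `OS_CACERT=` left empty, as some openrc templates do, sets `rc_cacert` to the empty string instead of leaving it `None`, and that empty string then reaches every client as `cacert=''`; how the clients treat '' versus None is not visible here, so the two cases should not be allowed to diverge. Treating empty as unset keeps "no custom bundle" unambiguous and also drops the separate membership test: `self.rc_cacert = os.environ.get('OS_CACERT') or None`. The enclosing method begins before the hunk.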