Add ssl support for manila API access

Currently, Manila does not support secure access the manila APIs, obviously, this is a defect for manila service. This change is to add ssl support for manila project. Closes-bug: #1732844 Closes-bug: #1730529 Change-Id: I2dbc52ce95933e648cc065b2b2112788bf4484d0
2017-11-17 13:22:01 +08:00 · 2017-11-17 13:22:01 +08:00 · fa5b81f903
commit fa5b81f903
parent 6985c77ee5
3 changed files with 20 additions and 6 deletions
--- a/doc/source/configuration/tables/manila-ca.inc
+++ b/doc/source/configuration/tables/manila-ca.inc
@ -18,9 +18,5 @@
     - Description
   * - **[DEFAULT]**
     -
-   * - ``ssl_ca_file`` = ``None``
-     - (String) CA certificate file to use to verify connecting clients.
-   * - ``ssl_cert_file`` = ``None``
-     - (String) Certificate file to use when starting the server securely.
-   * - ``ssl_key_file`` = ``None``
-     - (String) Private key file to use when starting the server securely.
+   * - ``osapi_share_use_ssl`` = ``False``
+     - (Boolean) Wraps the socket in a SSL context if True is set.
--- a/manila/service.py
+++ b/manila/service.py
@ -60,6 +60,10 @@ service_opts = [
    cfg.IntOpt('osapi_share_workers',
               default=1,
               help='Number of workers for OpenStack Share API service.'),
+    cfg.BoolOpt('osapi_share_use_ssl',
+                default=False,
+                help='Wraps the socket in a SSL context if True is set. '
+                     'A certificate file and key file must be specified.'),
 ]

 CONF = cfg.CONF
@ -290,6 +294,7 @@ class WSGIService(service.ServiceBase):
        self.host = getattr(CONF, '%s_listen' % name, "0.0.0.0")
        self.port = getattr(CONF, '%s_listen_port' % name, 0)
        self.workers = getattr(CONF, '%s_workers' % name, None)
+        self.use_ssl = getattr(CONF, '%s_use_ssl' % name, False)
        if self.workers is not None and self.workers < 1:
            LOG.warning(
                "Value of config option %(name)s_workers must be integer "
@ -302,6 +307,7 @@ class WSGIService(service.ServiceBase):
            self.app,
            host=self.host,
            port=self.port,
+            use_ssl=self.use_ssl
        )

    def _get_manager(self):
--- a/manila/tests/test_service.py
+++ b/manila/tests/test_service.py
@ -226,3 +226,15 @@ class TestWSGIService(test.TestCase):
        self.test_service.start()
        self.assertGreater(self.test_service.server._pool.size, 0)
        wsgi.Loader.load_app.assert_called_once_with("test_service")
+
+    @mock.patch('oslo_service.wsgi.Server')
+    @mock.patch('oslo_service.wsgi.Loader')
+    def test_ssl_enabled(self, mock_loader, mock_server):
+        self.override_config('osapi_share_use_ssl', True)
+
+        service.WSGIService("osapi_share")
+        mock_server.assert_called_once_with(mock.ANY, mock.ANY, mock.ANY,
+                                            port=mock.ANY, host=mock.ANY,
+                                            use_ssl=True)
+
+        self.assertTrue(mock_loader.called)