Specify CA store when making secure connections with urllib3

We have been using FileHandle classes mostly in cases when we have to
establish a secure connection and we have an SSL thumbprint of the host
we connect to. However, there are also cases when we don't have a
thumbprint and we need a CA store. This patch uses the requests library
to provide such a CA store.

Change-Id: I8567c8c273a3bff41c4b80a77e1fa8af743bf98c
Radoslav Gerganov 2018-05-18 13:18:58 +03:00
parent d9b09a58d5
commit 984efbdfd2
2 changed files with 7 additions and 3 deletions


@ -78,7 +78,7 @@ class FileHandle(object):
cert_reqs = ssl.CERT_REQUIRED cert_reqs = ssl.CERT_REQUIRED
else: else:
cert_reqs = ssl.CERT_NONE cert_reqs = ssl.CERT_NONE
cacerts = None cacerts = requests.certs.where()
conn.set_cert(ca_certs=cacerts, cert_reqs=cert_reqs, conn.set_cert(ca_certs=cacerts, cert_reqs=cert_reqs,
assert_fingerprint=ssl_thumbprint) assert_fingerprint=ssl_thumbprint)
else: else:
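Review bot: The bundle assigned by `cacerts = requests.certs.where()` only affects verification on the `cacerts=True` path; with `cacerts=False` the call still passes `cert_reqs=ssl.CERT_NONE`, so a connection without a thumbprint is not authenticated at all, and the updated test pins exactly that combination (`cert_reqs=ssl.CERT_NONE, assert_fingerprint=None`). I would say so next to the assignment, for example `# ca_certs is only consulted when cert_reqs is CERT_REQUIRED; with CERT_NONE the peer is checked solely via ssl_thumbprint`, or assign the bundle only inside the `if cacerts:` branch so the arguments do not suggest a check that never runs. It is also worth documenting that `requests.certs.where()` returns the bundle shipped with requests (certifi), which may differ from the host trust store, so endpoints signed by a private CA presumably need the caller to pass a CA file path instead of `True`. The enclosing method starts and ends outside this hunk, and the `import requests` this line relies on is not visible here.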


@ -20,6 +20,7 @@ Unit tests for read and write handles for image transfer.
import ssl import ssl
import mock import mock
import requests
import six import six
from oslo_vmware import exceptions from oslo_vmware import exceptions
@ -57,8 +58,10 @@ class FileHandleTest(base.TestCase):
ret = handle._create_connection('https://localhost/foo?q=bar', 'GET') ret = handle._create_connection('https://localhost/foo?q=bar', 'GET')
self.assertEqual(conn, ret) self.assertEqual(conn, ret)
ca_store = requests.certs.where()
conn.set_cert.assert_called_once_with( conn.set_cert.assert_called_once_with(
ca_certs=None, cert_reqs=ssl.CERT_NONE, assert_fingerprint=None) ca_certs=ca_store, cert_reqs=ssl.CERT_NONE,
assert_fingerprint=None)
conn.putrequest.assert_called_once_with('GET', '/foo?q=bar') conn.putrequest.assert_called_once_with('GET', '/foo?q=bar')
@mock.patch('urllib3.connection.HTTPSConnection') @mock.patch('urllib3.connection.HTTPSConnection')
@ -71,8 +74,9 @@ class FileHandleTest(base.TestCase):
cacerts=True) cacerts=True)
self.assertEqual(conn, ret) self.assertEqual(conn, ret)
ca_store = requests.certs.where()
conn.set_cert.assert_called_once_with( conn.set_cert.assert_called_once_with(
ca_certs=None, cert_reqs=ssl.CERT_REQUIRED, ca_certs=ca_store, cert_reqs=ssl.CERT_REQUIRED,
assert_fingerprint=None) assert_fingerprint=None)
@mock.patch('urllib3.connection.HTTPSConnection') @mock.patch('urllib3.connection.HTTPSConnection')