Add options to support TLS certificate verification

Add --os-cacert and --verify|--insecure options using the same sematics as the other project CLIs. --verify is included for completeness. Bug: 1236608 Change-Id: I8a116d790db5aa4cb17a2207efedce7cb229eba3
2013-10-07 12:23:00 -05:00
parent bca4cf9578
commit 3f9c68f1c6
7 changed files with 53 additions and 7 deletions
--- a/openstackclient/shell.py
+++ b/openstackclient/shell.py
@ -79,6 +79,9 @@ class OpenStackShell(app.App):
        # password flow auth
        self.auth_client = None

+        # Assume TLS host certificate verification is enabled
+        self.verify = True
+
        # NOTE(dtroyer): This hack changes the help action that Cliff
        #                automatically adds to the parser so we can defer
        #                its execution until after the api-versioned commands
@ -158,6 +161,22 @@ class OpenStackShell(app.App):
            metavar='<auth-region-name>',
            default=env('OS_REGION_NAME'),
            help='Authentication region name (Env: OS_REGION_NAME)')
+        parser.add_argument(
+            '--os-cacert',
+            metavar='<ca-bundle-file>',
+            default=env('OS_CACERT'),
+            help='CA certificate bundle file (Env: OS_CACERT)')
+        verify_group = parser.add_mutually_exclusive_group()
+        verify_group.add_argument(
+            '--verify',
+            action='store_true',
+            help='Verify server certificate (default)',
+        )
+        verify_group.add_argument(
+            '--insecure',
+            action='store_true',
+            help='Disable server certificate verification',
+        )
        parser.add_argument(
            '--os-default-domain',
            metavar='<auth-domain>',
@ -299,7 +318,9 @@ class OpenStackShell(app.App):
            username=self.options.os_username,
            password=self.options.os_password,
            region_name=self.options.os_region_name,
-            api_version=self.api_version)
+            verify=self.verify,
+            api_version=self.api_version,
+        )
        return

    def init_keyring_backend(self):
@ -387,7 +408,11 @@ class OpenStackShell(app.App):
            self.DeferredHelpAction(self.parser, self.parser, None, None)

        # Set up common client session
-        self.restapi = restapi.RESTApi()
+        if self.options.os_cacert:
+            self.verify = self.options.os_cacert
+        else:
+            self.verify = not self.options.insecure
+        self.restapi = restapi.RESTApi(verify=self.verify)

    def prepare_to_run_command(self, cmd):
        """Set up auth and API versions"""