On Mon, Jul 10, 2017 at 9:37 AM, Markos Gogoulos <mgogou...@mist.io> wrote:
> Hi all, > > I'm trying to disable SSL verification via an optional switch, for > OpenStack connections. I cannot use the 'global' VERIFY_SSL_CERT in my > case, because multiple OpenStack connections take place at the same time, > some of them should perform SSL verification while others shouldn't. > > That is, by instantiating a libcloud connection driver, I'd like to specify > a verify False/True switch, and this should affect the resulting requests > call. > > As far as I know there's not a directional relationship between a > connection and driver, so this makes things harder and although I can > 'store' the switch on the driver object, connection cannot read it. > > Do you have any ideas or suggestions what would be a simple way of > achieving the above? > > Regards, > Markos > It's not quite as simple as you'd hope due to the connection vs. driver split, but here are diffs for how we did it. This should be relative to apache-libcloud-1.0.0-pre1. Jay diff -r 17df54435983 -r 28d56440b52b libcloud/common/aws.py --- a/libcloud/common/aws.py Tue Mar 22 22:56:44 2016 +0000 +++ b/libcloud/common/aws.py Wed Mar 23 22:46:52 2016 +0000 @@ -134,15 +134,19 @@ class AWSTokenConnection(ConnectionUserAndKey): def __init__(self, user_id, key, secure=True, - host=None, port=None, url=None, timeout=None, proxy_url=None, - token=None, retry_delay=None, backoff=None): - self.token = token + host=None, port=None, url=None, timeout=None, **kwargs): + # -redacted- + # add kwargs to the various Libcloud Connection classes + # so we can extend parameters + # + # proxy_url=None, token=None, retry_delay=None, backoff=None): + self.token = kwargs.get('token', None) super(AWSTokenConnection, self).__init__(user_id, key, secure=secure, host=host, port=port, url=url, - timeout=timeout, - retry_delay=retry_delay, - backoff=backoff, - proxy_url=proxy_url) + timeout=timeout, **kwargs) + # retry_delay=retry_delay, + # backoff=backoff, + # proxy_url=proxy_url) def add_default_params(self, params): # Even though we are adding it to the headers, we need it here too diff -r 17df54435983 -r 28d56440b52b libcloud/common/base.py --- a/libcloud/common/base.py Tue Mar 22 22:56:44 2016 +0000 +++ b/libcloud/common/base.py Wed Mar 23 22:46:52 2016 +0000 @@ -528,7 +528,12 @@ allow_insecure = True def __init__(self, secure=True, host=None, port=None, url=None, - timeout=None, proxy_url=None, retry_delay=None, backoff=None): + timeout=None, **kwargs): + # -redacted- + # add kwargs to the various Libcloud Connection classes + # so we can extend parameters + # + # timeout=None, proxy_url=None, retry_delay=None, backoff=None): self.secure = secure and 1 or 0 self.ua = [] self.context = {} @@ -557,9 +562,12 @@ self.request_path) = self._tuple_from_url(url) self.timeout = timeout or self.timeout - self.retry_delay = retry_delay - self.backoff = backoff - self.proxy_url = proxy_url + self.retry_delay = kwargs.get('retry_delay', None) + self.backoff = kwargs.get('backoff', None) + self.proxy_url = kwargs.get('proxy_url', None) + + # -redacted- + self.verify_ssl_cert = kwargs.get('verify_ssl_cert', None) def set_http_proxy(self, proxy_url): """ @@ -660,6 +668,10 @@ if self.proxy_url: kwargs.update({'proxy_url': self.proxy_url}) + # -redacted- + if self.verify_ssl_cert is not None: + kwargs['verify_ssl_cert'] = self.verify_ssl_cert + connection = self.conn_classes[secure](**kwargs) # You can uncoment this line, if you setup a reverse proxy server # which proxies to your endpoint, and lets you easily capture @@ -1023,7 +1035,9 @@ Base connection class which accepts a single ``key`` argument. """ def __init__(self, key, secure=True, host=None, port=None, url=None, - timeout=None, proxy_url=None, backoff=None, retry_delay=None): + timeout=None, **kwargs): + # -redacted- + # timeout=None, proxy_url=None, backoff=None, retry_delay=None): """ Initialize `user_id` and `key`; set `secure` to an ``int`` based on passed value. @@ -1031,9 +1045,10 @@ super(ConnectionKey, self).__init__(secure=secure, host=host, port=port, url=url, timeout=timeout, - proxy_url=proxy_url, - backoff=backoff, - retry_delay=retry_delay) + **kwargs) + # proxy_url=proxy_url, + # backoff=backoff, + # retry_delay=retry_delay) self.key = key @@ -1042,17 +1057,19 @@ Base connection class which accepts a single ``cert_file`` argument. """ def __init__(self, cert_file, secure=True, host=None, port=None, url=None, - proxy_url=None, timeout=None, backoff=None, retry_delay=None): + proxy_url=None, timeout=None, **kwargs): + # -redacted- + # backoff=None, retry_delay=None): """ Initialize `cert_file`; set `secure` to an ``int`` based on passed value. """ super(CertificateConnection, self).__init__(secure=secure, host=host, port=port, url=url, - timeout=timeout, - backoff=backoff, - retry_delay=retry_delay, - proxy_url=proxy_url) + timeout=timeout, **kwargs) + # backoff=backoff, + # retry_delay=retry_delay, + # proxy_url=proxy_url) self.cert_file = cert_file @@ -1065,14 +1082,16 @@ user_id = None def __init__(self, user_id, key, secure=True, host=None, port=None, - url=None, timeout=None, proxy_url=None, - backoff=None, retry_delay=None): + url=None, timeout=None, **kwargs): + # -redacted- + # proxy_url=None, backoff=None, retry_delay=None): super(ConnectionUserAndKey, self).__init__(key, secure=secure, host=host, port=port, url=url, timeout=timeout, - backoff=backoff, - retry_delay=retry_delay, - proxy_url=proxy_url) + **kwargs) + # backoff=backoff, + # retry_delay=retry_delay, + # proxy_url=proxy_url) self.user_id = user_id @@ -1132,6 +1151,9 @@ self.api_version = api_version self.region = region + # -redacted- + self.verify_ssl_cert = kwargs.get('verify_ssl_cert', None) + conn_kwargs = self._ex_connection_class_kwargs() conn_kwargs.update({'timeout': kwargs.pop('timeout', None), 'retry_delay': kwargs.pop('retry_delay', None), diff -r 17df54435983 -r 28d56440b52b libcloud/common/openstack.py --- a/libcloud/common/openstack.py Tue Mar 22 22:56:44 2016 +0000 +++ b/libcloud/common/openstack.py Wed Mar 23 22:46:52 2016 +0000 @@ -137,10 +137,15 @@ ex_force_service_type=None, ex_force_service_name=None, ex_force_service_region=None, - retry_delay=None, backoff=None): + retry_delay=None, backoff=None, **kwargs): + # -redacted- + # add kwargs to the various Libcloud Connection classes + # so we can extend parameters + super(OpenStackBaseConnection, self).__init__( user_id, key, secure=secure, timeout=timeout, - retry_delay=retry_delay, backoff=backoff, proxy_url=proxy_url) + retry_delay=retry_delay, backoff=backoff, proxy_url=proxy_url, + **kwargs) if ex_force_auth_version: self._auth_version = ex_force_auth_version diff -r 17df54435983 -r 28d56440b52b libcloud/httplib_ssl.py --- a/libcloud/httplib_ssl.py Tue Mar 22 22:56:44 2016 +0000 +++ b/libcloud/httplib_ssl.py Wed Mar 23 22:46:52 2016 +0000 @@ -201,6 +201,11 @@ proxy_url_env = os.environ.get(HTTP_PROXY_ENV_VARIABLE_NAME, None) proxy_url = kwargs.pop('proxy_url', proxy_url_env) + # httplib.HTTPConnection doesn't support general **kwargs, so + # strip off verify_ssl_cert (if present). It's only needed for + # HTTPS connections anyway. + kwargs.pop('verify_ssl_cert', None) + super(LibcloudHTTPConnection, self).__init__(*args, **kwargs) if proxy_url: @@ -221,7 +226,10 @@ """ Constructor """ - self._setup_verify() + # -redacted- + verify_ssl_cert = kwargs.pop('verify_ssl_cert', None) + self._setup_verify(verify_ssl_cert) + # Support for HTTP proxy proxy_url_env = os.environ.get(HTTP_PROXY_ENV_VARIABLE_NAME, None) proxy_url = kwargs.pop('proxy_url', proxy_url_env) @@ -231,7 +239,7 @@ if proxy_url: self.set_http_proxy(proxy_url=proxy_url) - def _setup_verify(self): + def _setup_verify(self, verify_ssl_cert=None): """ Setup Verify SSL or not @@ -239,6 +247,11 @@ the class overrides the connect() class method or runs the inherited httplib.HTTPSConnection connect() """ + # Added per connection control over whether we should + # verify the certificate or not. If not specified, use + # original global default. + self.verify = verify_ssl_cert + if self.verify is None: self.verify = libcloud.security.VERIFY_SSL_CERT if self.verify: