On Mon, Jul 10, 2017 at 9:37 AM, Markos Gogoulos <mgogou...@mist.io> wrote:

> Hi all,
>
> I'm trying to disable SSL verification via an optional switch, for
> OpenStack connections. I cannot use the 'global' VERIFY_SSL_CERT in my
> case, because multiple OpenStack connections take place at the same time,
> some of them should perform SSL verification while others shouldn't.
>
> That is, by instantiating a libcloud connection driver, I'd like to specify
> a verify False/True switch, and this should affect  the resulting requests
> call.
>
> As far as I know there is no directional relationship between a
> connection and its driver, which makes things harder: although I can
> 'store' the switch on the driver object, the connection cannot read it.
>
> Do you have any ideas or suggestions what would be a simple way of
> achieving the above?
>
> Regards,
> Markos
>

It's not quite as simple as you'd hope due to the connection vs. driver
split, but here are diffs for how we did it. This should be relative
to apache-libcloud-1.0.0-pre1.

Jay

diff -r 17df54435983 -r 28d56440b52b libcloud/common/aws.py
--- a/libcloud/common/aws.py    Tue Mar 22 22:56:44 2016 +0000
+++ b/libcloud/common/aws.py    Wed Mar 23 22:46:52 2016 +0000
@@ -134,15 +134,19 @@

 class AWSTokenConnection(ConnectionUserAndKey):
     def __init__(self, user_id, key, secure=True,
-                 host=None, port=None, url=None, timeout=None,
proxy_url=None,
-                 token=None, retry_delay=None, backoff=None):
-        self.token = token
+                 host=None, port=None, url=None, timeout=None, **kwargs):
+                 # -redacted-
+                 # add kwargs to the various Libcloud Connection classes
+                 # so we can extend parameters
+                 #
+                 # proxy_url=None, token=None, retry_delay=None,
backoff=None):
+        self.token = kwargs.get('token', None)
         super(AWSTokenConnection, self).__init__(user_id, key,
secure=secure,
                                                  host=host, port=port,
url=url,
-                                                 timeout=timeout,
-                                                 retry_delay=retry_delay,
-                                                 backoff=backoff,
-                                                 proxy_url=proxy_url)
+                                                 timeout=timeout, **kwargs)
+                                                 # retry_delay=retry_delay,
+                                                 # backoff=backoff,
+                                                 # proxy_url=proxy_url)

     def add_default_params(self, params):
         # Even though we are adding it to the headers, we need it here too
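Review bot: `self.token = kwargs.get('token', None)` reads the token but leaves it in `kwargs`, so it is also forwarded through `super().__init__(..., **kwargs)` to every parent constructor; `self.token = kwargs.pop('token', None)` keeps the session token out of the generic pass-through. Replacing the named `proxy_url`, `token`, `retry_delay` and `backoff` parameters with `**kwargs` also breaks any caller that passed them positionally. The commented-out old parameters left after the closing `):` and after the `super()` call would be better deleted than kept as comments; the same leftovers appear in the base.py hunks.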
diff -r 17df54435983 -r 28d56440b52b libcloud/common/base.py
--- a/libcloud/common/base.py   Tue Mar 22 22:56:44 2016 +0000
+++ b/libcloud/common/base.py   Wed Mar 23 22:46:52 2016 +0000
@@ -528,7 +528,12 @@
     allow_insecure = True

     def __init__(self, secure=True, host=None, port=None, url=None,
-                 timeout=None, proxy_url=None, retry_delay=None,
backoff=None):
+                 timeout=None, **kwargs):
+                 # -redacted-
+                 # add kwargs to the various Libcloud Connection classes
+                 # so we can extend parameters
+                 #
+                 # timeout=None, proxy_url=None, retry_delay=None,
backoff=None):
         self.secure = secure and 1 or 0
         self.ua = []
         self.context = {}
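Review bot: With the signature now ending in `**kwargs`, this `__init__` accepts any keyword and, going by the `kwargs.get(...)` calls in the next hunk, silently ignores the ones it does not know. For a security switch that is risky: a misspelled `verify_ssl_cert` is dropped without error and the connection falls back to the global default. I would keep `proxy_url`, `retry_delay` and `backoff` as named parameters and add `verify_ssl_cert=None` beside them, or pop the known keys and `raise TypeError` if anything is left over. The body of `__init__` continues outside this hunk, and the same applies to the later constructor hunks in this file that forward `**kwargs` unchanged.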
@@ -557,9 +562,12 @@
              self.request_path) = self._tuple_from_url(url)

         self.timeout = timeout or self.timeout
-        self.retry_delay = retry_delay
-        self.backoff = backoff
-        self.proxy_url = proxy_url
+        self.retry_delay = kwargs.get('retry_delay', None)
+        self.backoff = kwargs.get('backoff', None)
+        self.proxy_url = kwargs.get('proxy_url', None)
+
+        # -redacted-
+        self.verify_ssl_cert = kwargs.get('verify_ssl_cert', None)

     def set_http_proxy(self, proxy_url):
         """
@@ -660,6 +668,10 @@
         if self.proxy_url:
             kwargs.update({'proxy_url': self.proxy_url})

+        # -redacted-
+        if self.verify_ssl_cert is not None:
+            kwargs['verify_ssl_cert'] = self.verify_ssl_cert
+
         connection = self.conn_classes[secure](**kwargs)
         # You can uncoment this line, if you setup a reverse proxy server
         # which proxies to your endpoint, and lets you easily capture
@@ -1023,7 +1035,9 @@
     Base connection class which accepts a single ``key`` argument.
     """
     def __init__(self, key, secure=True, host=None, port=None, url=None,
-                 timeout=None, proxy_url=None, backoff=None,
retry_delay=None):
+                 timeout=None, **kwargs):
+                 # -redacted-
+                 # timeout=None, proxy_url=None, backoff=None,
retry_delay=None):
         """
         Initialize `user_id` and `key`; set `secure` to an ``int`` based on
         passed value.
@@ -1031,9 +1045,10 @@
         super(ConnectionKey, self).__init__(secure=secure, host=host,
                                             port=port, url=url,
                                             timeout=timeout,
-                                            proxy_url=proxy_url,
-                                            backoff=backoff,
-                                            retry_delay=retry_delay)
+                                            **kwargs)
+                                            # proxy_url=proxy_url,
+                                            # backoff=backoff,
+                                            # retry_delay=retry_delay)
         self.key = key


@@ -1042,17 +1057,19 @@
     Base connection class which accepts a single ``cert_file`` argument.
     """
     def __init__(self, cert_file, secure=True, host=None, port=None,
url=None,
-                 proxy_url=None, timeout=None, backoff=None,
retry_delay=None):
+                 proxy_url=None, timeout=None, **kwargs):
+                 # -redacted-
+                 # backoff=None, retry_delay=None):
         """
         Initialize `cert_file`; set `secure` to an ``int`` based on
         passed value.
         """
         super(CertificateConnection, self).__init__(secure=secure,
host=host,
                                                     port=port, url=url,
-                                                    timeout=timeout,
-                                                    backoff=backoff,
-
 retry_delay=retry_delay,
-                                                    proxy_url=proxy_url)
+                                                    timeout=timeout,
**kwargs)
+                                                    # backoff=backoff,
+                                                    #
retry_delay=retry_delay,
+                                                    # proxy_url=proxy_url)

         self.cert_file = cert_file

@@ -1065,14 +1082,16 @@
     user_id = None

     def __init__(self, user_id, key, secure=True, host=None, port=None,
-                 url=None, timeout=None, proxy_url=None,
-                 backoff=None, retry_delay=None):
+                 url=None, timeout=None, **kwargs):
+                 # -redacted-
+                 # proxy_url=None, backoff=None, retry_delay=None):
         super(ConnectionUserAndKey, self).__init__(key, secure=secure,
                                                    host=host, port=port,
                                                    url=url,
timeout=timeout,
-                                                   backoff=backoff,
-                                                   retry_delay=retry_delay,
-                                                   proxy_url=proxy_url)
+                                                   **kwargs)
+                                                   # backoff=backoff,
+                                                   #
retry_delay=retry_delay,
+                                                   # proxy_url=proxy_url)
         self.user_id = user_id


@@ -1132,6 +1151,9 @@
         self.api_version = api_version
         self.region = region

+        # -redacted-
+        self.verify_ssl_cert = kwargs.get('verify_ssl_cert', None)
+
         conn_kwargs = self._ex_connection_class_kwargs()
         conn_kwargs.update({'timeout': kwargs.pop('timeout', None),
                             'retry_delay': kwargs.pop('retry_delay', None),
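Review bot: The flag is stored on the driver with `kwargs.get('verify_ssl_cert', None)`, but none of the visible lines add it to `conn_kwargs`, so unless `_ex_connection_class_kwargs()` is overridden elsewhere the connection never receives it and the global `VERIFY_SSL_CERT` still decides. Setting `conn_kwargs['verify_ssl_cert'] = self.verify_ssl_cert` when the value is not `None` would make the hand-off explicit, and would leave connection classes that do not accept the keyword untouched. Note also that `get` leaves the key in `kwargs` while the neighbouring options are taken with `pop`. The `conn_kwargs.update({...})` call continues past the end of this hunk.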
diff -r 17df54435983 -r 28d56440b52b libcloud/common/openstack.py
--- a/libcloud/common/openstack.py      Tue Mar 22 22:56:44 2016 +0000
+++ b/libcloud/common/openstack.py      Wed Mar 23 22:46:52 2016 +0000
@@ -137,10 +137,15 @@
                  ex_force_service_type=None,
                  ex_force_service_name=None,
                  ex_force_service_region=None,
-                 retry_delay=None, backoff=None):
+                 retry_delay=None, backoff=None, **kwargs):
+                 # -redacted-
+                 # add kwargs to the various Libcloud Connection classes
+                 # so we can extend parameters
+
         super(OpenStackBaseConnection, self).__init__(
             user_id, key, secure=secure, timeout=timeout,
-            retry_delay=retry_delay, backoff=backoff, proxy_url=proxy_url)
+            retry_delay=retry_delay, backoff=backoff, proxy_url=proxy_url,
+            **kwargs)

         if ex_force_auth_version:
             self._auth_version = ex_force_auth_version
diff -r 17df54435983 -r 28d56440b52b libcloud/httplib_ssl.py
--- a/libcloud/httplib_ssl.py   Tue Mar 22 22:56:44 2016 +0000
+++ b/libcloud/httplib_ssl.py   Wed Mar 23 22:46:52 2016 +0000
@@ -201,6 +201,11 @@
         proxy_url_env = os.environ.get(HTTP_PROXY_ENV_VARIABLE_NAME, None)
         proxy_url = kwargs.pop('proxy_url', proxy_url_env)

+        # httplib.HTTPConnection doesn't support general **kwargs, so
+        # strip off verify_ssl_cert (if present). It's only needed for
+        # HTTPS connections anyway.
+        kwargs.pop('verify_ssl_cert', None)
+
         super(LibcloudHTTPConnection, self).__init__(*args, **kwargs)

         if proxy_url:
@@ -221,7 +226,10 @@
         """
         Constructor
         """
-        self._setup_verify()
+        # -redacted-
+        verify_ssl_cert = kwargs.pop('verify_ssl_cert', None)
+        self._setup_verify(verify_ssl_cert)
+
         # Support for HTTP proxy
         proxy_url_env = os.environ.get(HTTP_PROXY_ENV_VARIABLE_NAME, None)
         proxy_url = kwargs.pop('proxy_url', proxy_url_env)
@@ -231,7 +239,7 @@
         if proxy_url:
             self.set_http_proxy(proxy_url=proxy_url)

-    def _setup_verify(self):
+    def _setup_verify(self, verify_ssl_cert=None):
         """
         Setup Verify SSL or not

@@ -239,6 +247,11 @@
         the class overrides the connect() class method or runs the
         inherited httplib.HTTPSConnection connect()
         """
+        # Added per connection control over whether we should
+        # verify the certificate or not. If not specified, use
+        # original global default.
+        self.verify = verify_ssl_cert
+        if self.verify is None:
         self.verify = libcloud.security.VERIFY_SSL_CERT

         if self.verify:
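Review bot: As posted, the added `if self.verify is None:` is followed by the unchanged `self.verify = libcloud.security.VERIFY_SSL_CERT` at the same indentation, so the result is not valid Python unless that line is re-indented under the `if` (this may be a mail-formatting artifact). The later `if self.verify:` is a truthiness test, so a falsy non-`None` value such as `0` or `''` read from a config file turns certificate verification off for that connection; rejecting non-booleans after the `None` check, e.g. `if not isinstance(verify_ssl_cert, bool): raise TypeError('verify_ssl_cert must be a bool or None')`, avoids that. Because a per-connection `False` removes server authentication for the credentials sent over that connection, the docstring should state this and the disabled case should be logged together with the target host. The rest of `_setup_verify` lies outside the hunk.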
