On Mon, Jul 10, 2017 at 2:34 PM, Jay Rolette <role...@infinite.io> wrote:
> > On Mon, Jul 10, 2017 at 9:37 AM, Markos Gogoulos <mgogou...@mist.io> > wrote: > >> Hi all, >> >> I'm trying to disable SSL verification via an optional switch, for >> OpenStack connections. I cannot use the 'global' VERIFY_SSL_CERT in my >> case, because multiple OpenStack connections take place at the same time, >> some of them should perform SSL verification while others shouldn't. >> >> That is, by instantiating a libcloud connection driver, I'd like to >> specify >> a verify False/True switch, and this should affect the resulting requests >> call. >> >> As far as I know there's not a directional relationship between a >> connection and driver, so this makes things harder and although I can >> 'store' the switch on the driver object, connection cannot read it. >> >> Do you have any ideas or suggestions what would be a simple way of >> achieving the above? >> >> Regards, >> Markos >> > > It's not quite as simple as you'd hope due to the connection vs. driver > split, but here are diffs for how we did it. This should be relative > to apache-libcloud-1.0.0-pre1. > > Jay > > diff -r 17df54435983 -r 28d56440b52b libcloud/common/aws.py > --- a/libcloud/common/aws.py Tue Mar 22 22:56:44 2016 +0000 > +++ b/libcloud/common/aws.py Wed Mar 23 22:46:52 2016 +0000 > @@ -134,15 +134,19 @@ > > class AWSTokenConnection(ConnectionUserAndKey): > def __init__(self, user_id, key, secure=True, > - host=None, port=None, url=None, timeout=None, > proxy_url=None, > - token=None, retry_delay=None, backoff=None): > - self.token = token > + host=None, port=None, url=None, timeout=None, **kwargs): > + # -redacted- > + # add kwargs to the various Libcloud Connection classes > + # so we can extend parameters > + # > + # proxy_url=None, token=None, retry_delay=None, > backoff=None): > + self.token = kwargs.get('token', None) > super(AWSTokenConnection, self).__init__(user_id, key, > secure=secure, > host=host, port=port, > url=url, > - timeout=timeout, > - retry_delay=retry_delay, > - backoff=backoff, > - proxy_url=proxy_url) > + timeout=timeout, > **kwargs) > + # > retry_delay=retry_delay, > + # backoff=backoff, > + # proxy_url=proxy_url) > > def add_default_params(self, params): > # Even though we are adding it to the headers, we need it here too > diff -r 17df54435983 -r 28d56440b52b libcloud/common/base.py > --- a/libcloud/common/base.py Tue Mar 22 22:56:44 2016 +0000 > +++ b/libcloud/common/base.py Wed Mar 23 22:46:52 2016 +0000 > @@ -528,7 +528,12 @@ > allow_insecure = True > > def __init__(self, secure=True, host=None, port=None, url=None, > - timeout=None, proxy_url=None, retry_delay=None, > backoff=None): > + timeout=None, **kwargs): > + # -redacted- > + # add kwargs to the various Libcloud Connection classes > + # so we can extend parameters > + # > + # timeout=None, proxy_url=None, retry_delay=None, > backoff=None): > self.secure = secure and 1 or 0 > self.ua = [] > self.context = {} > @@ -557,9 +562,12 @@ > self.request_path) = self._tuple_from_url(url) > > self.timeout = timeout or self.timeout > - self.retry_delay = retry_delay > - self.backoff = backoff > - self.proxy_url = proxy_url > + self.retry_delay = kwargs.get('retry_delay', None) > + self.backoff = kwargs.get('backoff', None) > + self.proxy_url = kwargs.get('proxy_url', None) > + > + # -redacted- > + self.verify_ssl_cert = kwargs.get('verify_ssl_cert', None) > > def set_http_proxy(self, proxy_url): > """ > @@ -660,6 +668,10 @@ > if self.proxy_url: > kwargs.update({'proxy_url': self.proxy_url}) > > + # -redacted- > + if self.verify_ssl_cert is not None: > + kwargs['verify_ssl_cert'] = self.verify_ssl_cert > + > connection = self.conn_classes[secure](**kwargs) > # You can uncoment this line, if you setup a reverse proxy server > # which proxies to your endpoint, and lets you easily capture > @@ -1023,7 +1035,9 @@ > Base connection class which accepts a single ``key`` argument. > """ > def __init__(self, key, secure=True, host=None, port=None, url=None, > - timeout=None, proxy_url=None, backoff=None, > retry_delay=None): > + timeout=None, **kwargs): > + # -redacted- > + # timeout=None, proxy_url=None, backoff=None, > retry_delay=None): > """ > Initialize `user_id` and `key`; set `secure` to an ``int`` based > on > passed value. > @@ -1031,9 +1045,10 @@ > super(ConnectionKey, self).__init__(secure=secure, host=host, > port=port, url=url, > timeout=timeout, > - proxy_url=proxy_url, > - backoff=backoff, > - retry_delay=retry_delay) > + **kwargs) > + # proxy_url=proxy_url, > + # backoff=backoff, > + # retry_delay=retry_delay) > self.key = key > > > @@ -1042,17 +1057,19 @@ > Base connection class which accepts a single ``cert_file`` argument. > """ > def __init__(self, cert_file, secure=True, host=None, port=None, > url=None, > - proxy_url=None, timeout=None, backoff=None, > retry_delay=None): > + proxy_url=None, timeout=None, **kwargs): > + # -redacted- > + # backoff=None, retry_delay=None): > """ > Initialize `cert_file`; set `secure` to an ``int`` based on > passed value. > """ > super(CertificateConnection, self).__init__(secure=secure, > host=host, > port=port, url=url, > - timeout=timeout, > - backoff=backoff, > - > retry_delay=retry_delay, > - proxy_url=proxy_url) > + timeout=timeout, > **kwargs) > + # backoff=backoff, > + # > retry_delay=retry_delay, > + # proxy_url=proxy_url) > > self.cert_file = cert_file > > @@ -1065,14 +1082,16 @@ > user_id = None > > def __init__(self, user_id, key, secure=True, host=None, port=None, > - url=None, timeout=None, proxy_url=None, > - backoff=None, retry_delay=None): > + url=None, timeout=None, **kwargs): > + # -redacted- > + # proxy_url=None, backoff=None, retry_delay=None): > super(ConnectionUserAndKey, self).__init__(key, secure=secure, > host=host, port=port, > url=url, > timeout=timeout, > - backoff=backoff, > - > retry_delay=retry_delay, > - proxy_url=proxy_url) > + **kwargs) > + # backoff=backoff, > + # > retry_delay=retry_delay, > + # proxy_url=proxy_url) > self.user_id = user_id > > > @@ -1132,6 +1151,9 @@ > self.api_version = api_version > self.region = region > > + # -redacted- > + self.verify_ssl_cert = kwargs.get('verify_ssl_cert', None) > + > conn_kwargs = self._ex_connection_class_kwargs() > conn_kwargs.update({'timeout': kwargs.pop('timeout', None), > 'retry_delay': kwargs.pop('retry_delay', > None), > diff -r 17df54435983 -r 28d56440b52b libcloud/common/openstack.py > --- a/libcloud/common/openstack.py Tue Mar 22 22:56:44 2016 +0000 > +++ b/libcloud/common/openstack.py Wed Mar 23 22:46:52 2016 +0000 > @@ -137,10 +137,15 @@ > ex_force_service_type=None, > ex_force_service_name=None, > ex_force_service_region=None, > - retry_delay=None, backoff=None): > + retry_delay=None, backoff=None, **kwargs): > + # -redacted- > + # add kwargs to the various Libcloud Connection classes > + # so we can extend parameters > + > super(OpenStackBaseConnection, self).__init__( > user_id, key, secure=secure, timeout=timeout, > - retry_delay=retry_delay, backoff=backoff, proxy_url=proxy_url) > + retry_delay=retry_delay, backoff=backoff, proxy_url=proxy_url, > + **kwargs) > > if ex_force_auth_version: > self._auth_version = ex_force_auth_version > diff -r 17df54435983 -r 28d56440b52b libcloud/httplib_ssl.py > --- a/libcloud/httplib_ssl.py Tue Mar 22 22:56:44 2016 +0000 > +++ b/libcloud/httplib_ssl.py Wed Mar 23 22:46:52 2016 +0000 > @@ -201,6 +201,11 @@ > proxy_url_env = os.environ.get(HTTP_PROXY_ENV_VARIABLE_NAME, > None) > proxy_url = kwargs.pop('proxy_url', proxy_url_env) > > + # httplib.HTTPConnection doesn't support general **kwargs, so > + # strip off verify_ssl_cert (if present). It's only needed for > + # HTTPS connections anyway. > + kwargs.pop('verify_ssl_cert', None) > + > super(LibcloudHTTPConnection, self).__init__(*args, **kwargs) > > if proxy_url: > @@ -221,7 +226,10 @@ > """ > Constructor > """ > - self._setup_verify() > + # -redacted- > + verify_ssl_cert = kwargs.pop('verify_ssl_cert', None) > + self._setup_verify(verify_ssl_cert) > + > # Support for HTTP proxy > proxy_url_env = os.environ.get(HTTP_PROXY_ENV_VARIABLE_NAME, > None) > proxy_url = kwargs.pop('proxy_url', proxy_url_env) > @@ -231,7 +239,7 @@ > if proxy_url: > self.set_http_proxy(proxy_url=proxy_url) > > - def _setup_verify(self): > + def _setup_verify(self, verify_ssl_cert=None): > """ > Setup Verify SSL or not > > @@ -239,6 +247,11 @@ > the class overrides the connect() class method or runs the > inherited httplib.HTTPSConnection connect() > """ > + # Added per connection control over whether we should > + # verify the certificate or not. If not specified, use > + # original global default. > + self.verify = verify_ssl_cert > + if self.verify is None: > self.verify = libcloud.security.VERIFY_SSL_CERT > > if self.verify: > > Additional fix required for Python 3.5+: diff -r f8c37677f484 -r 7087a8f4114e libcloud/httplib_ssl.py --- a/libcloud/httplib_ssl.py Wed Jul 13 14:23:41 2016 +0000 +++ b/libcloud/httplib_ssl.py Thu Jul 14 13:00:47 2016 -0500 @@ -231,6 +231,10 @@ # -redacted- verify_ssl_cert = kwargs.pop('verify_ssl_cert', None) self._setup_verify(verify_ssl_cert) + if not self.verify: + context = ssl.SSLContext (ssl.PROTOCOL_SSLv23) + context.check_hostname = False + kwargs['context'] = context # Support for HTTP proxy proxy_url_env = os.environ.get(HTTP_PROXY_ENV_VARIABLE_NAME, None)