Thanks for the replies!

Anthony, this method works well for other providers (we use it for OnApp
and vCloud) but unfortunately not for OpenStack. The code is more complex
regarding the connection, and somehow/somewhere whatever I set as the
verification gets lost/reset.

Jay, I was hoping to avoid this, but it turns out it's the only way to get
around it! Thanks for the snippet, I'll perform a similar patch, since the code is
different for the new libcloud version.

Regards,
Markos



On Mon, Jul 10, 2017 at 10:38 PM, Jay Rolette <role...@infinite.io> wrote:

> On Mon, Jul 10, 2017 at 2:34 PM, Jay Rolette <role...@infinite.io> wrote:
>
> >
> > On Mon, Jul 10, 2017 at 9:37 AM, Markos Gogoulos <mgogou...@mist.io>
> > wrote:
> >
> >> Hi all,
> >>
> >> I'm trying to disable SSL verification via an optional switch, for
> >> OpenStack connections. I cannot use the 'global' VERIFY_SSL_CERT in my
> >> case, because multiple OpenStack connections take place at the same
> time,
> >> some of them should perform SSL verification while others shouldn't.
> >>
> >> That is, by instantiating a libcloud connection driver, I'd like to
> >> specify
> >> a verify False/True switch, and this should affect the resulting requests
> >> call.
> >>
> >> As far as I know there's not a directional relationship between a
> >> connection and driver, so this makes things harder and although I can
> >> 'store' the switch on the driver object, connection cannot read it.
> >>
> >> Do you have any ideas or suggestions what would be a simple way of
> >> achieving the above?
> >>
> >> Regards,
> >> Markos
> >>
> >
> > It's not quite as simple as you'd hope due to the connection vs. driver
> > split, but here are diffs for how we did it. This should be relative
> > to apache-libcloud-1.0.0-pre1.
> >
> > Jay
> >
> > diff -r 17df54435983 -r 28d56440b52b libcloud/common/aws.py
> > --- a/libcloud/common/aws.py    Tue Mar 22 22:56:44 2016 +0000
> > +++ b/libcloud/common/aws.py    Wed Mar 23 22:46:52 2016 +0000
> > @@ -134,15 +134,19 @@
> >
> >  class AWSTokenConnection(ConnectionUserAndKey):
> >      def __init__(self, user_id, key, secure=True,
> > -                 host=None, port=None, url=None, timeout=None,
> > proxy_url=None,
> > -                 token=None, retry_delay=None, backoff=None):
> > -        self.token = token
> > +                 host=None, port=None, url=None, timeout=None,
> **kwargs):
> > +                 # -redacted-
> > +                 # add kwargs to the various Libcloud Connection classes
> > +                 # so we can extend parameters
> > +                 #
> > +                 # proxy_url=None, token=None, retry_delay=None,
> > backoff=None):
> > +        self.token = kwargs.get('token', None)
> >          super(AWSTokenConnection, self).__init__(user_id, key,
> > secure=secure,
> >                                                   host=host, port=port,
> > url=url,
> > -                                                 timeout=timeout,
> > -
>  retry_delay=retry_delay,
> > -                                                 backoff=backoff,
> > -                                                 proxy_url=proxy_url)
> > +                                                 timeout=timeout,
> > **kwargs)
> > +                                                 #
> > retry_delay=retry_delay,
> > +                                                 # backoff=backoff,
> > +                                                 # proxy_url=proxy_url)
> >
> >      def add_default_params(self, params):
> >          # Even though we are adding it to the headers, we need it here
> too
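Review bot: the `# -redacted-` markers and the commented-out old parameter lists (`# proxy_url=None, token=None, retry_delay=None,` ... `# proxy_url=proxy_url)`) in this hunk are scaffolding that should be removed before the change is applied; without them the actual change (`token` now arrives through `**kwargs`) is much easier to read. Moving `token` into `**kwargs` also means a caller who misspells the keyword gets a silent `None` token instead of a `TypeError`; keeping `token=None` explicit and adding `**kwargs` only for the new pass-through would preserve that check.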
> > diff -r 17df54435983 -r 28d56440b52b libcloud/common/base.py
> > --- a/libcloud/common/base.py   Tue Mar 22 22:56:44 2016 +0000
> > +++ b/libcloud/common/base.py   Wed Mar 23 22:46:52 2016 +0000
> > @@ -528,7 +528,12 @@
> >      allow_insecure = True
> >
> >      def __init__(self, secure=True, host=None, port=None, url=None,
> > -                 timeout=None, proxy_url=None, retry_delay=None,
> > backoff=None):
> > +                 timeout=None, **kwargs):
> > +                 # -redacted-
> > +                 # add kwargs to the various Libcloud Connection classes
> > +                 # so we can extend parameters
> > +                 #
> > +                 # timeout=None, proxy_url=None, retry_delay=None,
> > backoff=None):
> >          self.secure = secure and 1 or 0
> >          self.ua = []
> >          self.context = {}
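Review bot: replacing the explicit `proxy_url`, `retry_delay` and `backoff` parameters with a bare `**kwargs` removes the signature check for every subclass that calls `Connection.__init__`, so unknown or misspelled keywords are now accepted silently. A narrower change that keeps the existing parameters and adds `verify_ssl_cert=None` beside them would reach the same goal, and the `# -redacted-` / commented-out signature block should not be committed.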
> > @@ -557,9 +562,12 @@
> >               self.request_path) = self._tuple_from_url(url)
> >
> >          self.timeout = timeout or self.timeout
> > -        self.retry_delay = retry_delay
> > -        self.backoff = backoff
> > -        self.proxy_url = proxy_url
> > +        self.retry_delay = kwargs.get('retry_delay', None)
> > +        self.backoff = kwargs.get('backoff', None)
> > +        self.proxy_url = kwargs.get('proxy_url', None)
> > +
> > +        # -redacted-
> > +        self.verify_ssl_cert = kwargs.get('verify_ssl_cert', None)
> >
> >      def set_http_proxy(self, proxy_url):
> >          """
> > @@ -660,6 +668,10 @@
> >          if self.proxy_url:
> >              kwargs.update({'proxy_url': self.proxy_url})
> >
> > +        # -redacted-
> > +        if self.verify_ssl_cert is not None:
> > +            kwargs['verify_ssl_cert'] = self.verify_ssl_cert
> > +
> >          connection = self.conn_classes[secure](**kwargs)
> >          # You can uncoment this line, if you setup a reverse proxy
> server
> >          # which proxies to your endpoint, and lets you easily capture
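Review bot: `kwargs['verify_ssl_cert'] = self.verify_ssl_cert` is forwarded regardless of `secure`, so for plain-HTTP connections the keyword reaches a class that has to discard it again (which is what the later `httplib_ssl.py` hunk does). Forwarding it only when `secure` is true would keep the HTTP constructor untouched and remove the need for that workaround.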
> > @@ -1023,7 +1035,9 @@
> >      Base connection class which accepts a single ``key`` argument.
> >      """
> >      def __init__(self, key, secure=True, host=None, port=None, url=None,
> > -                 timeout=None, proxy_url=None, backoff=None,
> > retry_delay=None):
> > +                 timeout=None, **kwargs):
> > +                 # -redacted-
> > +                 # timeout=None, proxy_url=None, backoff=None,
> > retry_delay=None):
> >          """
> >          Initialize `user_id` and `key`; set `secure` to an ``int`` based
> > on
> >          passed value.
> > @@ -1031,9 +1045,10 @@
> >          super(ConnectionKey, self).__init__(secure=secure, host=host,
> >                                              port=port, url=url,
> >                                              timeout=timeout,
> > -                                            proxy_url=proxy_url,
> > -                                            backoff=backoff,
> > -                                            retry_delay=retry_delay)
> > +                                            **kwargs)
> > +                                            # proxy_url=proxy_url,
> > +                                            # backoff=backoff,
> > +                                            # retry_delay=retry_delay)
> >          self.key = key
> >
> >
> > @@ -1042,17 +1057,19 @@
> >      Base connection class which accepts a single ``cert_file`` argument.
> >      """
> >      def __init__(self, cert_file, secure=True, host=None, port=None,
> > url=None,
> > -                 proxy_url=None, timeout=None, backoff=None,
> > retry_delay=None):
> > +                 proxy_url=None, timeout=None, **kwargs):
> > +                 # -redacted-
> > +                 # backoff=None, retry_delay=None):
> >          """
> >          Initialize `cert_file`; set `secure` to an ``int`` based on
> >          passed value.
> >          """
> >          super(CertificateConnection, self).__init__(secure=secure,
> > host=host,
> >                                                      port=port, url=url,
> > -                                                    timeout=timeout,
> > -                                                    backoff=backoff,
> > -
> >  retry_delay=retry_delay,
> > -                                                    proxy_url=proxy_url)
> > +                                                    timeout=timeout,
> > **kwargs)
> > +                                                    # backoff=backoff,
> > +                                                    #
> > retry_delay=retry_delay,
> > +                                                    #
> proxy_url=proxy_url)
> >
> >          self.cert_file = cert_file
> >
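Review bot: `proxy_url` is lost in this hunk. The signature keeps `proxy_url=None` as an explicit parameter, but the `super(CertificateConnection, self).__init__(...)` call now passes only `timeout=timeout, **kwargs` with `# proxy_url=proxy_url)` commented out, so the value is captured by the named parameter, never enters `kwargs`, and `Connection.__init__`'s `kwargs.get('proxy_url', None)` always sees `None`. Either drop `proxy_url` from the signature so it travels in `**kwargs` like the other classes, or pass `proxy_url=proxy_url` explicitly.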
> > @@ -1065,14 +1082,16 @@
> >      user_id = None
> >
> >      def __init__(self, user_id, key, secure=True, host=None, port=None,
> > -                 url=None, timeout=None, proxy_url=None,
> > -                 backoff=None, retry_delay=None):
> > +                 url=None, timeout=None, **kwargs):
> > +                 # -redacted-
> > +                 # proxy_url=None, backoff=None, retry_delay=None):
> >          super(ConnectionUserAndKey, self).__init__(key, secure=secure,
> >                                                     host=host, port=port,
> >                                                     url=url,
> > timeout=timeout,
> > -                                                   backoff=backoff,
> > -
> > retry_delay=retry_delay,
> > -                                                   proxy_url=proxy_url)
> > +                                                   **kwargs)
> > +                                                   # backoff=backoff,
> > +                                                   #
> > retry_delay=retry_delay,
> > +                                                   #
> proxy_url=proxy_url)
> >          self.user_id = user_id
> >
> >
> > @@ -1132,6 +1151,9 @@
> >          self.api_version = api_version
> >          self.region = region
> >
> > +        # -redacted-
> > +        self.verify_ssl_cert = kwargs.get('verify_ssl_cert', None)
> > +
> >          conn_kwargs = self._ex_connection_class_kwargs()
> >          conn_kwargs.update({'timeout': kwargs.pop('timeout', None),
> >                              'retry_delay': kwargs.pop('retry_delay',
> > None),
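Review bot: the flag is read with `kwargs.get('verify_ssl_cert', None)` while the neighbouring `timeout` and `retry_delay` are `pop`ped into `conn_kwargs`, so `verify_ssl_cert` remains in `kwargs` and, as far as this hunk shows, is never added to `conn_kwargs`; unless lines outside the hunk do that, the driver stores the flag but the `Connection` it builds never receives it. Handling it exactly like `timeout` (`'verify_ssl_cert': kwargs.pop('verify_ssl_cert', None)`) inside the `conn_kwargs.update(...)` call would make the hand-off explicit.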
> > diff -r 17df54435983 -r 28d56440b52b libcloud/common/openstack.py
> > --- a/libcloud/common/openstack.py      Tue Mar 22 22:56:44 2016 +0000
> > +++ b/libcloud/common/openstack.py      Wed Mar 23 22:46:52 2016 +0000
> > @@ -137,10 +137,15 @@
> >                   ex_force_service_type=None,
> >                   ex_force_service_name=None,
> >                   ex_force_service_region=None,
> > -                 retry_delay=None, backoff=None):
> > +                 retry_delay=None, backoff=None, **kwargs):
> > +                 # -redacted-
> > +                 # add kwargs to the various Libcloud Connection classes
> > +                 # so we can extend parameters
> > +
> >          super(OpenStackBaseConnection, self).__init__(
> >              user_id, key, secure=secure, timeout=timeout,
> > -            retry_delay=retry_delay, backoff=backoff,
> proxy_url=proxy_url)
> > +            retry_delay=retry_delay, backoff=backoff,
> proxy_url=proxy_url,
> > +            **kwargs)
> >
> >          if ex_force_auth_version:
> >              self._auth_version = ex_force_auth_version
> > diff -r 17df54435983 -r 28d56440b52b libcloud/httplib_ssl.py
> > --- a/libcloud/httplib_ssl.py   Tue Mar 22 22:56:44 2016 +0000
> > +++ b/libcloud/httplib_ssl.py   Wed Mar 23 22:46:52 2016 +0000
> > @@ -201,6 +201,11 @@
> >          proxy_url_env = os.environ.get(HTTP_PROXY_ENV_VARIABLE_NAME,
> > None)
> >          proxy_url = kwargs.pop('proxy_url', proxy_url_env)
> >
> > +        # httplib.HTTPConnection doesn't support general **kwargs, so
> > +        # strip off verify_ssl_cert (if present). It's only needed for
> > +        # HTTPS connections anyway.
> > +        kwargs.pop('verify_ssl_cert', None)
> > +
> >          super(LibcloudHTTPConnection, self).__init__(*args, **kwargs)
> >
> >          if proxy_url:
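Review bot: `kwargs.pop('verify_ssl_cert', None)` silently discards the flag for plain-HTTP connections. That is correct for the constructor, but a caller who set `verify_ssl_cert=True` on a `secure=False` connection gets no indication that nothing is being verified; a debug log line here, or rejecting that combination where the connection class is chosen, would make it explicit.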
> > @@ -221,7 +226,10 @@
> >          """
> >          Constructor
> >          """
> > -        self._setup_verify()
> > +        # -redacted-
> > +        verify_ssl_cert = kwargs.pop('verify_ssl_cert', None)
> > +        self._setup_verify(verify_ssl_cert)
> > +
> >          # Support for HTTP proxy
> >          proxy_url_env = os.environ.get(HTTP_PROXY_ENV_VARIABLE_NAME,
> > None)
> >          proxy_url = kwargs.pop('proxy_url', proxy_url_env)
> > @@ -231,7 +239,7 @@
> >          if proxy_url:
> >              self.set_http_proxy(proxy_url=proxy_url)
> >
> > -    def _setup_verify(self):
> > +    def _setup_verify(self, verify_ssl_cert=None):
> >          """
> >          Setup Verify SSL or not
> >
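Review bot: the `_setup_verify` docstring ("Setup Verify SSL or not") should now document the `verify_ssl_cert` parameter and its tri-state semantics: `True`/`False` force the behaviour for this connection, `None` keeps the global `libcloud.security.VERIFY_SSL_CERT`. This method is the only place where the two sources are reconciled, so that is where the rule belongs.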
> > @@ -239,6 +247,11 @@
> >          the class overrides the connect() class method or runs the
> >          inherited httplib.HTTPSConnection connect()
> >          """
> > +        # Added per connection control over whether we should
> > +        # verify the certificate or not. If not specified, use
> > +        # original global default.
> > +        self.verify = verify_ssl_cert
> > +        if self.verify is None:
> >          self.verify = libcloud.security.VERIFY_SSL_CERT
> >
> >          if self.verify:
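Review bot: as quoted, the unchanged line `self.verify = libcloud.security.VERIFY_SSL_CERT` sits at the same indentation as the new `if self.verify is None:`, so the `if` has no body (an IndentationError); the existing line needs to be re-indented under the `if` as a `-`/`+` pair so the global default is applied only when no per-connection value was given. While here, the `False` path should log a warning so a connection that skips certificate checks is visible in the logs rather than indistinguishable from a verified one.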
> >
> >
> Additional fix required for Python 3.5+:
>
> diff -r f8c37677f484 -r 7087a8f4114e libcloud/httplib_ssl.py
> --- a/libcloud/httplib_ssl.py   Wed Jul 13 14:23:41 2016 +0000
> +++ b/libcloud/httplib_ssl.py   Thu Jul 14 13:00:47 2016 -0500
> @@ -231,6 +231,10 @@
>          # -redacted-
>          verify_ssl_cert = kwargs.pop('verify_ssl_cert', None)
>          self._setup_verify(verify_ssl_cert)
> +        if not self.verify:
> +            context = ssl.SSLContext (ssl.PROTOCOL_SSLv23)
> +            context.check_hostname = False
> +            kwargs['context'] = context
>
>          # Support for HTTP proxy
>          proxy_url_env = os.environ.get(HTTP_PROXY_ENV_VARIABLE_NAME,
> None)
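Review bot: the fresh `ssl.SSLContext(ssl.PROTOCOL_SSLv23)` only skips certificate checks because the constructor's default `verify_mode` is `CERT_NONE`; set `context.verify_mode = ssl.CERT_NONE` explicitly (after `check_hostname = False`, which must come first) so the intent is visible and does not depend on interpreter defaults. Starting from `ssl.create_default_context()` and then clearing those two attributes would also keep the library's protocol and cipher defaults instead of a bare `PROTOCOL_SSLv23` context. Two smaller points: `kwargs['context'] = context` overwrites any `context` the caller passed, and `ssl.SSLContext (` has a stray space before the parenthesis.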
>
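The resolution rule the thread settles on (per-connection `verify_ssl_cert`, falling back to a global flag when unset) together with the Python 3.5+ context fix, as an added stand-alone example that is not libcloud code or anything from the patches above. The global `VERIFY_SSL_CERT` here stands in for `libcloud.security.VERIFY_SSL_CERT`; `resolve_verify`, `build_ssl_context`, `verification_enabled` and `SimpleConnection` are hypothetical names.

```python
"""Per-connection TLS verification override on top of a global default.

Added example (not libcloud code). VERIFY_SSL_CERT plays the role of the
library-wide flag; verify_ssl_cert is the per-connection keyword.
"""
import ssl
import warnings

# Library-wide default: verification stays on unless a connection opts out.
VERIFY_SSL_CERT = True


def resolve_verify(verify_ssl_cert=None, global_default=None):
    """None means 'no per-connection opinion': defer to the global flag."""
    if verify_ssl_cert is None:
        return bool(VERIFY_SSL_CERT if global_default is None else global_default)
    return bool(verify_ssl_cert)


def build_ssl_context(verify):
    """Build the SSLContext to hand to HTTPSConnection(context=...).

    Both paths start from the interpreter's hardened defaults (protocol floor,
    cipher list, system CA store); only the two verification knobs differ.
    """
    context = ssl.create_default_context()
    if not verify:
        # check_hostname must be cleared before verify_mode may be CERT_NONE.
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
        # Make the opt-out visible instead of indistinguishable from a verified connection.
        warnings.warn("TLS certificate verification disabled for this connection",
                      RuntimeWarning, stacklevel=2)
    return context


def verification_enabled(context):
    """True only if the context both checks the chain and matches the hostname."""
    return context.verify_mode == ssl.CERT_REQUIRED and bool(context.check_hostname)


class SimpleConnection(object):
    """Takes the override as an explicit keyword so a misspelling raises TypeError."""

    def __init__(self, host, verify_ssl_cert=None):
        self.host = host
        self.verify = resolve_verify(verify_ssl_cert)
        self.context = build_ssl_context(self.verify)
```

Two connections built side by side (`SimpleConnection("a.example", verify_ssl_cert=False)` and `SimpleConnection("b.example")`) end up with independent contexts, which is the behaviour the single global flag could not provide.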
