| author | Pavlo Shchelokovskyy <shchelokovskyy@gmail.com> | 2016-11-17 13:26:28 +0200 |
|---|---|---|
| committer | Pavlo Shchelokovskyy <shchelokovskyy@gmail.com> | 2017-01-13 11:33:44 +0200 |
| commit | fdd11b54a5e3d7a9ee89628baba2990e4e00abdd (patch) | |
| tree | 5a2fe131c6cc2c75cd03738ee6218bc54e0a2f07 /ironic_python_agent/tests/unit | |
| parent | 51ab461af85ab15fe321f84303a1151697b1e6eb (diff) | |
Configure and use SSL-related requests options
This patch adds standard SSL options to IPA config and makes use of them
when making HTTP requests.
For now, a single set of certificates is used when needed.
In the future configuration can be expanded to allow per-service
certificates.
Besides, the 'insecure' option (defaults to False) can be overridden
through kernel command line parameter 'ipa-insecure'.
This will allow running IPA in CI-like environments with self-signed SSL
certificates.
Change-Id: I259d9b3caa9ba1dc3d7382f375b8e086a5348d80
Closes-Bug: #1642515
Diffstat (limited to 'ironic_python_agent/tests/unit')
| -rw-r--r-- | ironic_python_agent/tests/unit/extensions/test_standby.py | 5 | ||||
| -rw-r--r-- | ironic_python_agent/tests/unit/test_inspector.py | 3 | ||||
| -rw-r--r-- | ironic_python_agent/tests/unit/test_utils.py | 30 |
3 files changed, 38 insertions, 0 deletions
diff --git a/ironic_python_agent/tests/unit/extensions/test_standby.py b/ironic_python_agent/tests/unit/extensions/test_standby.py
index b76dd596..a57a5532 100644
--- a/ironic_python_agent/tests/unit/extensions/test_standby.py
+++ b/ironic_python_agent/tests/unit/extensions/test_standby.py
@@ -299,6 +299,7 @@ class TestStandbyExtension(test_base.BaseTestCase):
 standby._download_image(image_info)
 requests_mock.assert_called_once_with(image_info['urls'][0],
+ cert=None, verify=True,
 stream=True, proxies={})
 write = file_mock.write
 write.assert_any_call('some')
@@ -329,6 +330,7 @@ class TestStandbyExtension(test_base.BaseTestCase):
 standby._download_image(image_info)
 self.assertEqual(no_proxy, os.environ['no_proxy'])
 requests_mock.assert_called_once_with(image_info['urls'][0],
+ cert=None, verify=True,
 stream=True, proxies=proxies)
 write = file_mock.write
 write.assert_any_call('some')
@@ -767,6 +769,7 @@ class TestStandbyExtension(test_base.BaseTestCase):
 self.agent_extension._stream_raw_image_onto_device(image_info, '/dev/foo')
 requests_mock.assert_called_once_with(image_info['urls'][0],
+ cert=None, verify=True,
 stream=True, proxies={})
 expected_calls = [mock.call('some'), mock.call('content')]
 file_mock.write.assert_has_calls(expected_calls)
@@ -790,6 +793,7 @@ class TestStandbyExtension(test_base.BaseTestCase):
 self.agent_extension._stream_raw_image_onto_device, image_info, '/dev/foo')
 requests_mock.assert_called_once_with(image_info['urls'][0],
+ cert=None, verify=True,
 stream=True, proxies={})
 # Assert write was only called once and failed!
 file_mock.write.assert_called_once_with('some')
@@ -863,5 +867,6 @@ class TestImageDownload(test_base.BaseTestCase):
 self.assertEqual(content, list(image_download))
 requests_mock.assert_called_once_with(image_info['urls'][0],
+ cert=None, verify=True,
 stream=True, proxies={})
 self.assertEqual(image_info['checksum'], image_download.md5sum())
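Review bot: All five updated assertions in this file, and the three `mock_post` assertions in test_inspector.py, pin only the default `cert=None, verify=True`, so nothing visible here checks that a non-default setting actually reaches the `requests` call. A regression that dropped a configured CA file or client certificate on the image-download or inspector path, or that ignored the `insecure` override, would leave every one of these tests green. I would add one case per call site that overrides the options and asserts the resulting keywords, for example `verify=False` with `insecure` set and `cert=(certfile, keyfile)` when both files are configured. The test methods begin and end outside these hunks, and such coverage may exist elsewhere in the tree.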
diff --git a/ironic_python_agent/tests/unit/test_inspector.py b/ironic_python_agent/tests/unit/test_inspector.py
index 95b5b059..2e47e871 100644
--- a/ironic_python_agent/tests/unit/test_inspector.py
+++ b/ironic_python_agent/tests/unit/test_inspector.py
@@ -145,6 +145,7 @@ class TestCallInspector(test_base.BaseTestCase):
 res = inspector.call_inspector(data, failures)
 mock_post.assert_called_once_with('url',
+ cert=None, verify=True,
 data='{"data": 42, "error": null}')
 self.assertEqual(mock_post.return_value.json.return_value, res)
@@ -157,6 +158,7 @@ class TestCallInspector(test_base.BaseTestCase):
 res = inspector.call_inspector(data, failures)
 mock_post.assert_called_once_with('url',
+ cert=None, verify=True,
 data='{"data": 42, "error": "boom"}')
 self.assertEqual(mock_post.return_value.json.return_value, res)
@@ -168,6 +170,7 @@ class TestCallInspector(test_base.BaseTestCase):
 res = inspector.call_inspector(data, failures)
 mock_post.assert_called_once_with('url',
+ cert=None, verify=True,
 data='{"data": 42, "error": null}')
 self.assertIsNone(res)
diff --git a/ironic_python_agent/tests/unit/test_utils.py b/ironic_python_agent/tests/unit/test_utils.py
index 487e6aee..0f8e3b85 100644
--- a/ironic_python_agent/tests/unit/test_utils.py
+++ b/ironic_python_agent/tests/unit/test_utils.py
@@ -455,3 +455,33 @@ class TestUtils(testtools.TestCase):
 file_list=['/var/log'], io_dict={'iptables': mock.ANY, 'ip_addr': mock.ANY, 'ps': mock.ANY, 'dmesg': mock.ANY, 'df': mock.ANY})
+
+ def test_get_ssl_client_options(self):
+ # defaults
+ conf = mock.Mock(insecure=False, cafile=None,
+ keyfile=None, certfile=None)
+ self.assertEqual((True, None), utils.get_ssl_client_options(conf))
+
+ # insecure=True overrides cafile
+ conf = mock.Mock(insecure=True, cafile='spam',
+ keyfile=None, certfile=None)
+ self.assertEqual((False, None), utils.get_ssl_client_options(conf))
+
+ # cafile returned as verify when not insecure
+ conf = mock.Mock(insecure=False, cafile='spam',
+ keyfile=None, certfile=None)
+ self.assertEqual(('spam', None), utils.get_ssl_client_options(conf))
+
+ # only both certfile and keyfile produce non-None result
+ conf = mock.Mock(insecure=False, cafile=None,
+ keyfile=None, certfile='ham')
+ self.assertEqual((True, None), utils.get_ssl_client_options(conf))
+
+ conf = mock.Mock(insecure=False, cafile=None,
+ keyfile='ham', certfile=None)
+ self.assertEqual((True, None), utils.get_ssl_client_options(conf))
+
+ conf = mock.Mock(insecure=False, cafile=None,
+ keyfile='spam', certfile='ham')
+ self.assertEqual((True, ('ham', 'spam')),
+ utils.get_ssl_client_options(conf)) |
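Review bot: The assertions under "only both certfile and keyfile produce non-None result" pin that a `certfile` without a `keyfile`, or the reverse, is silently reduced to `cert=None`, so an operator who set only one of the two would get no client certificate and no signal. `requests` also accepts a single path for `cert` when the key is in the same PEM file, so it is worth deciding whether a lone `certfile` should be passed through or rejected with a warning, and testing that choice explicitly. Separately, `mock.Mock(...)` without a spec returns a truthy Mock for any attribute the helper reads beyond these four; `conf = mock.Mock(spec=['insecure', 'cafile', 'keyfile', 'certfile'], insecure=False, ...)` would make a misspelled or newly added option fail loudly. There is also no case combining `insecure=True` with a cert/key pair, which would document whether the client certificate is still sent when verification is off.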
