From fdd11b54a5e3d7a9ee89628baba2990e4e00abdd Mon Sep 17 00:00:00 2001
From: Pavlo Shchelokovskyy <shchelokovskyy@gmail.com>
Date: Thu, 17 Nov 2016 13:26:28 +0200
Subject: Configure and use SSL-related requests options

This patch adds standard SSL options to IPA config and makes use of them
when making HTTP requests.

For now, a single set of certificates is used when needed.
In the future configuration can be expanded to allow per-service
certificates.

Besides, the 'insecure' option (defaults to False) can be overridden
through kernel command line parameter 'ipa-insecure'.
This will allow running IPA in CI-like environments with self-signed SSL
certificates.

Change-Id: I259d9b3caa9ba1dc3d7382f375b8e086a5348d80
Closes-Bug: #1642515
---
 ironic_python_agent/tests/unit/test_utils.py | 30 ++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

(limited to 'ironic_python_agent/tests/unit/test_utils.py')

diff --git a/ironic_python_agent/tests/unit/test_utils.py b/ironic_python_agent/tests/unit/test_utils.py
index 487e6aee..0f8e3b85 100644
--- a/ironic_python_agent/tests/unit/test_utils.py
+++ b/ironic_python_agent/tests/unit/test_utils.py
@@ -455,3 +455,33 @@ class TestUtils(testtools.TestCase):
             file_list=['/var/log'],
             io_dict={'iptables': mock.ANY, 'ip_addr': mock.ANY, 'ps': mock.ANY,
                      'dmesg': mock.ANY, 'df': mock.ANY})
+
+    def test_get_ssl_client_options(self):
+        # defaults
+        conf = mock.Mock(insecure=False, cafile=None,
+                         keyfile=None, certfile=None)
+        self.assertEqual((True, None), utils.get_ssl_client_options(conf))
+
+        # insecure=True overrides cafile
+        conf = mock.Mock(insecure=True, cafile='spam',
+                         keyfile=None, certfile=None)
+        self.assertEqual((False, None), utils.get_ssl_client_options(conf))
+
+        # cafile returned as verify when not insecure
+        conf = mock.Mock(insecure=False, cafile='spam',
+                         keyfile=None, certfile=None)
+        self.assertEqual(('spam', None), utils.get_ssl_client_options(conf))
+
+        # only both certfile and keyfile produce non-None result
+        conf = mock.Mock(insecure=False, cafile=None,
+                         keyfile=None, certfile='ham')
+        self.assertEqual((True, None), utils.get_ssl_client_options(conf))
+
+        conf = mock.Mock(insecure=False, cafile=None,
+                         keyfile='ham', certfile=None)
+        self.assertEqual((True, None), utils.get_ssl_client_options(conf))
+
+        conf = mock.Mock(insecure=False, cafile=None,
+                         keyfile='spam', certfile='ham')
+        self.assertEqual((True, ('ham', 'spam')),
+                         utils.get_ssl_client_options(conf))
-- 
cgit v1.2.1