4 files changed, 62 insertions, 0 deletions

diff --git a/openstackclient/common/clientmanager.py b/openstackclient/common/clientmanager.py
index 56ddcbad..6d23b55e 100644
--- a/openstackclient/common/clientmanager.py
+++ b/openstackclient/common/clientmanager.py
@@ -110,6 +110,15 @@ class ClientManager(object):
             self._cacert = verify
             self._insecure = False
 
+        # Set up client certificate and key
+        # NOTE(cbrandily): This converts client certificate/key to requests
+        #                  cert argument: None (no client certificate), a path
+        #                  to client certificate or a tuple with client
+        #                  certificate/key paths.
+        self._cert = self._cli_options.cert
+        if self._cert and self._cli_options.key:
+            self._cert = self._cert, self._cli_options.key
+
         # Get logging from root logger
         root_logger = logging.getLogger('')
         LOG.setLevel(root_logger.getEffectiveLevel())
@@ -194,6 +203,7 @@ class ClientManager(object):
             auth=self.auth,
             session=request_session,
             verify=self._verify,
+            cert=self._cert,
             user_agent=USER_AGENT,
         )
 
diff --git a/openstackclient/shell.py b/openstackclient/shell.py
index 7750f2a3..b7bc7b1a 100644
--- a/openstackclient/shell.py
+++ b/openstackclient/shell.py
@@ -189,6 +189,18 @@ class OpenStackShell(app.App):
             dest='cacert',
             default=utils.env('OS_CACERT'),
             help='CA certificate bundle file (Env: OS_CACERT)')
+        parser.add_argument(
+            '--os-cert',
+            metavar='<certificate-file>',
+            dest='cert',
+            default=utils.env('OS_CERT'),
+            help='Client certificate bundle file (Env: OS_CERT)')
+        parser.add_argument(
+            '--os-key',
+            metavar='<key-file>',
+            dest='key',
+            default=utils.env('OS_KEY'),
+            help='Client certificate key file (Env: OS_KEY)')
         verify_group = parser.add_mutually_exclusive_group()
         verify_group.add_argument(
             '--verify',
diff --git a/openstackclient/tests/common/test_clientmanager.py b/openstackclient/tests/common/test_clientmanager.py
index 2bd9e783..6fc5b41e 100644
--- a/openstackclient/tests/common/test_clientmanager.py
+++ b/openstackclient/tests/common/test_clientmanager.py
@@ -58,6 +58,8 @@ class FakeOptions(object):
         self.interface = None
         self.url = None
         self.auth = {}
+        self.cert = None
+        self.key = None
         self.default_domain = 'default'
         self.__dict__.update(kwargs)
 
@@ -268,6 +270,21 @@ class TestClientManager(utils.TestCase):
         self.assertEqual('cafile', client_manager._cacert)
         self.assertTrue(client_manager.is_network_endpoint_enabled())
 
+    def test_client_manager_password_no_cert(self):
+        client_manager = clientmanager.ClientManager(
+            cli_options=FakeOptions())
+        self.assertIsNone(client_manager._cert)
+
+    def test_client_manager_password_client_cert(self):
+        client_manager = clientmanager.ClientManager(
+            cli_options=FakeOptions(cert='cert'))
+        self.assertEqual('cert', client_manager._cert)
+
+    def test_client_manager_password_client_cert_and_key(self):
+        client_manager = clientmanager.ClientManager(
+            cli_options=FakeOptions(cert='cert', key='key'))
+        self.assertEqual(('cert', 'key'), client_manager._cert)
+
     def _select_auth_plugin(self, auth_params, api_version, auth_plugin_name):
         auth_params['auth_type'] = auth_plugin_name
         auth_params['identity_api_version'] = api_version
diff --git a/openstackclient/tests/test_shell.py b/openstackclient/tests/test_shell.py
index 4058f1f8..ab97dd91 100644
--- a/openstackclient/tests/test_shell.py
+++ b/openstackclient/tests/test_shell.py
@@ -80,6 +80,8 @@ CLOUD_2 = {
             'region_name': 'occ-cloud,krikkit,occ-env',
             'log_file': '/tmp/test_log_file',
             'log_level': 'debug',
+            'cert': 'mycert',
+            'key': 'mickey',
         }
     }
 }
@@ -562,6 +564,24 @@ class TestShellCli(TestShell):
         self.assertEqual('foo', _shell.options.cacert)
         self.assertFalse(_shell.verify)
 
+    def test_shell_args_cert_options(self):
+        _shell = make_shell()
+
+        # Default
+        fake_execute(_shell, "list user")
+        self.assertEqual('', _shell.options.cert)
+        self.assertEqual('', _shell.options.key)
+
+        # --os-cert
+        fake_execute(_shell, "--os-cert mycert list user")
+        self.assertEqual('mycert', _shell.options.cert)
+        self.assertEqual('', _shell.options.key)
+
+        # --os-key
+        fake_execute(_shell, "--os-key mickey list user")
+        self.assertEqual('', _shell.options.cert)
+        self.assertEqual('mickey', _shell.options.key)
+
     def test_default_env(self):
         flag = ""
         kwargs = {
@@ -665,6 +685,9 @@ class TestShellCli(TestShell):
             _shell.cloud.config['region_name'],
         )
 
+        self.assertEqual('mycert', _shell.cloud.config['cert'])
+        self.assertEqual('mickey', _shell.cloud.config['key'])
+
     @mock.patch("os_client_config.config.OpenStackConfig._load_vendor_file")
     @mock.patch("os_client_config.config.OpenStackConfig._load_config_file")
     def test_shell_args_precedence(self, config_mock, vendor_mock):