From ef50234d7fd272928e3a42c07b8d6770aaee239b Mon Sep 17 00:00:00 2001
From: Justin A Wilson <justin.wilson@intel.com>
Date: Tue, 9 Aug 2016 17:59:59 +0300
Subject: [PATCH] Added config option to enable SSL

Added option, osapi_volume_use_ssl, to the Cinder configuration that restores its capability of utilizing SSL to encrypt the traffic to and from the endpoint.

Change-Id: I6ecd6eda1eb0300e53b3088cd36c7e22dc79240d
Closes-Bug: 1590901
---
 cinder/service.py                     |  10 +-
 cinder/tests/unit/test_service_ssl.py | 217 ++++++++++++++++++++++++++++++++++
 2 files changed, 225 insertions(+), 2 deletions(-)
 create mode 100644 cinder/tests/unit/test_service_ssl.py

diff --git a/cinder/service.py b/cinder/service.py
index b57db2e..b3872c1 100644
--- a/cinder/service.py
+++ b/cinder/service.py
@@ -68,7 +68,11 @@ service_opts = [
                help='Port on which OpenStack Volume API listens'),
     cfg.IntOpt('osapi_volume_workers',
                help='Number of workers for OpenStack Volume API service. '
-                    'The default is equal to the number of CPUs available.'), ]
+                    'The default is equal to the number of CPUs available.'),
+    cfg.BoolOpt('osapi_volume_use_ssl',
+               default=False,
+               help='Wraps the socket in a SSL context if True is set.'
+                    'A certificate file and key file must be specified.'), ]
 
 CONF = cfg.CONF
 
@@ -375,6 +379,7 @@ class WSGIService(service.ServiceBase):
         self.app = self.loader.load_app(name)
         self.host = getattr(CONF, '%s_listen' % name, "0.0.0.0")
         self.port = getattr(CONF, '%s_listen_port' % name, 0)
+        self.use_ssl = getattr(CONF, '%s_use_ssl' % name, False)
         self.workers = (getattr(CONF, '%s_workers' % name, None) or
                         processutils.get_worker_count())
         if self.workers and self.workers < 1:
@@ -390,7 +395,8 @@ class WSGIService(service.ServiceBase):
             name,
             self.app,
             host=self.host,
-            port=self.port)
+            port=self.port,
+            use_ssl=self.use_ssl)
 
     def _get_manager(self):
         """Initialize a Manager object appropriate for this service.
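Review bot: The two help-string fragments of the new `osapi_volume_use_ssl` option are implicitly concatenated with no separating space, so the rendered help reads "...if True is set.A certificate file...". Add the space on the first fragment: `help='Wraps the socket in a SSL context if True is set. '`. It would also help operators to name where the certificate and key are read from; the accompanying test overrides `cert_file`/`key_file` in the `[ssl]` group, which suggests the wording `'The [ssl] cert_file and key_file options must be set.'`, though confirm that is the group the server actually consumes.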
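Review bot: `self.use_ssl` is read from config and handed to the server, but nothing in this hunk checks that a certificate and key are actually configured, and the new `test_ssl_enabled_no_cert_no_key` test documents the consequence as expected behaviour: with `osapi_volume_use_ssl=True` and no cert/key the service comes up serving plaintext. For an option whose only purpose is to encrypt API traffic, silently failing open is the wrong outcome; an operator who set the flag has no signal that it was ignored. I would fail fast at init, e.g. `if self.use_ssl and not (CONF.ssl.cert_file and CONF.ssl.key_file):` followed by `raise RuntimeError("%s_use_ssl is set but [ssl] cert_file/key_file are not" % name)`, assuming the `[ssl]` options are registered in cinder (the test registers them itself, which hints they may not be). Whether the wrapped `wsgi.Server` raises or merely logs in the no-cert case is not visible here; the test's own expectation suggests it does not raise. `WSGIService.__init__` starts before and continues past this hunk.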
diff --git a/cinder/tests/unit/test_service_ssl.py b/cinder/tests/unit/test_service_ssl.py
new file mode 100644
index 0000000..6968775
--- /dev/null
+++ b/cinder/tests/unit/test_service_ssl.py
@@ -0,0 +1,217 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from cinder import service
+from cinder import test
+import mock
+import os
+from oslo_config import cfg
+from oslo_service import sslutils
+
+test_service_opts = [
+    cfg.BoolOpt('test_osapi_volume_use_ssl',
+                default=False,
+                help='Wraps the socket in a SSL context if True is set.'
+                     'A certificate file and key file must be specified.'),
+    cfg.StrOpt('test_cert_file',
+               help="Certificate file to use when starting "
+                    "the server securely.",
+               deprecated_group='DEFAULT',
+               deprecated_name='ssl_cert_file'),
+    cfg.StrOpt('test_key_file',
+               help="Private key file to use when starting "
+                    "the server securely.",
+               deprecated_group='DEFAULT',
+               deprecated_name='ssl_key_file'), ]
+
+ssl_opts = [
+    cfg.StrOpt('ca_file',
+               help="CA certificate file to use to verify "
+                    "connecting clients.",
+               deprecated_group='DEFAULT',
+               deprecated_name='ssl_ca_file'),
+    cfg.StrOpt('cert_file',
+               help="Certificate file to use when starting "
+                    "the server securely.",
+               deprecated_group='DEFAULT',
+               deprecated_name='ssl_cert_file'),
+    cfg.StrOpt('key_file',
+               help="Private key file to use when starting "
+                    "the server securely.",
+               deprecated_group='DEFAULT',
+               deprecated_name='ssl_key_file'),
+    cfg.StrOpt('version',
+               help='SSL version to use (valid only if SSL enabled). '
+                    'Valid values are TLSv1 and SSLv23. SSLv2, SSLv3, '
+                    'TLSv1_1, and TLSv1_2 may be available on some '
+                    'distributions.'
+               ),
+    cfg.StrOpt('ciphers',
+               help='Sets the list of available ciphers. value should be a '
+                    'string in the OpenSSL cipher list format.'
+               ),
+]
+
+CONF = cfg.CONF
+CONF.register_opts(test_service_opts)
+CONF.register_opts(ssl_opts, 'ssl')
+
+SSL_CERT_DIR = os.path.normpath(os.path.join(
+    os.path.dirname(os.path.abspath(__file__)),
+    'ssl_cert'))
+
+CERT_FILE = os.path.join(SSL_CERT_DIR, 'certificate.crt')
+KEY_FILE = os.path.join(SSL_CERT_DIR, 'privatekey.key')
+
+
+class TestWSGIService(test.TestCase):
+
+    def setUp(self):
+        super(TestWSGIService, self).setUp()
+
+    @mock.patch('oslo_service.wsgi.Loader')
+    def test_ssl_default(self, mock_loader):
+        self.override_config('osapi_volume_listen_port', 0)  # random port
+        self.override_config('osapi_volume_use_ssl',
+                             CONF.test_osapi_volume_use_ssl)
+        self.override_config("cert_file", CONF.test_cert_file, 'ssl')
+        self.override_config('key_file', CONF.test_key_file, 'ssl')
+
+        # Test WSGI service
+        test_service = service.WSGIService("osapi_volume")
+
+        # use_ssl should be false when using default settings
+        self.assertEqual(test_service.use_ssl,
+                         CONF.test_osapi_volume_use_ssl)  # false by default
+
+        test_service.stop()
+        test_service.wait()  # wait for service to stop
+
+        self.assertTrue(mock_loader.called)
+
+    @mock.patch('os.path.exists')
+    @mock.patch('oslo_service.wsgi.Loader')
+    def test_ssl_enabled_no_cert_no_key(self, mock_loader, mock_path_check):
+        mock_path_check.side_effect = [False, False, False]
+        # Override ssl enabler without certificate and private key
+        self.override_config('osapi_volume_listen_port', 0)  # random port
+        self.override_config('osapi_volume_use_ssl', True)
+
+        """ sslutils.is_enabled will determine whether or not to wrap the
+        socket in ssl
+        sslutils.is_enabled should raise an exception when either no cert
+        file or no key file, but not when both (runs without ssl)
+        """
+
+        # self.assertRaises(RuntimeError, sslutils.is_enabled, CONF)
+
+        # Now test WSGI service
+        try:
+            test_service = service.WSGIService("osapi_volume")
+        except RuntimeError:
+            print('!!!!!!!! Should not have failed !!!!!!!!')  # noqa
+            pass
+        else:
+            test_service.stop()
+            test_service.wait()  # wait for service to stop
+            print('Runs without SSL. No key, no cert')  # noqa
+
+        self.assertTrue(mock_loader.called)
+
+    @mock.patch('os.path.exists')
+    @mock.patch('oslo_service.wsgi.Loader')
+    def test_ssl_enabled_has_cert_no_key(self, mock_loader, mock_path_check):
+        mock_path_check.side_effect = [True, False, False]
+        # Override ssl enabler without private key
+        self.override_config('osapi_volume_listen_port', 0)  # random port
+        self.override_config('osapi_volume_use_ssl', True)
+        self.override_config("cert_file", CERT_FILE, 'ssl')
+        self.override_config('key_file', '', 'ssl')
+
+        """ sslutils.is_enabled will determine whether or not to wrap the
+        socket in ssl
+        sslutils.is_enabled should raise an exception when either no cert
+        file or no key file
+        """
+
+        self.assertRaises(RuntimeError, sslutils.is_enabled, CONF)
+
+        # Now test WSGI service
+        try:
+            test_service = service.WSGIService("osapi_volume")
+        except RuntimeError:
+            print('!!!!!!!! Failed as it should have !!!!!!!!')  # noqa
+            pass
+        else:
+            test_service.stop()
+            test_service.wait()  # wait for service to stop
+
+        self.assertTrue(mock_loader.called)
+
+    @mock.patch('os.path.exists')
+    @mock.patch('oslo_service.wsgi.Loader')
+    def test_ssl_enabled_no_cert_has_key(self, mock_loader, mock_path_check):
+        mock_path_check.side_effect = [True, False, False]
+        # Override ssl enabler without certificate
+        self.override_config('osapi_volume_listen_port', 0)  # random port
+        self.override_config('osapi_volume_use_ssl', True)
+        self.override_config("cert_file", '', 'ssl')
+        self.override_config('key_file', KEY_FILE, 'ssl')
+
+        """ sslutils.is_enabled will determine whether or not to wrap the
+        socket in ssl
+        sslutils.is_enabled should raise an exception when either no cert
+        file or no key file
+        """
+
+        self.assertRaises(RuntimeError, sslutils.is_enabled, CONF)
+
+        # Now test WSGI service
+        try:
+            test_service = service.WSGIService("osapi_volume")
+        except RuntimeError:
+            print('!!!!!!!! Failed as it should have !!!!!!!!')  # noqa
+            pass
+        else:
+            test_service.stop()
+            test_service.wait()  # wait for service to stop
+
+        self.assertTrue(mock_loader.called)
+
+    @mock.patch('os.path.exists')
+    @mock.patch('oslo_service.wsgi.Loader')
+    def test_ssl_enabled_has_cert_and_key(self, mock_loader, mock_path_check):
+        # Override ssl enabler with cert and key
+        self.override_config('osapi_volume_listen_port', 0)  # random port
+        self.override_config('osapi_volume_use_ssl', True)
+        self.override_config("cert_file", CERT_FILE, 'ssl')
+        self.override_config('key_file', KEY_FILE, 'ssl')
+
+        """ sslutils.is_enabled will determine whether or not to wrap the
+        socket in ssl
+        sslutils.is_enabled should raise an exception when either no cert
+        file or no key file
+        """
+
+        # self.assert(RuntimeError, sslutils.is_enabled, CONF)
+
+        # Now test WSGI service
+        try:
+            test_service = service.WSGIService("osapi_volume")
+        except RuntimeError:
+            print('!!!!!!!! Should have not failed !!!!!!!!')  # noqa
+            raise
+
+        test_service.stop()
+        test_service.wait()  # wait for service to stop
+
+        self.assertTrue(mock_loader.called)
-- 
2.7.3
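Review bot: `test_ssl_enabled_has_cert_no_key` and `test_ssl_enabled_no_cert_has_key` never assert on the behaviour they are named for: the `except RuntimeError: print(...); pass` / `else:` shape passes whether `WSGIService` raises or starts, so a regression that lets the API come up with half a credential set would go unnoticed; replace the whole try block with `self.assertRaises(RuntimeError, service.WSGIService, "osapi_volume")`, and likewise turn the prints in the other two tests into assertions (or drop them). In `test_ssl_enabled_no_cert_has_key` the `mock_path_check.side_effect = [True, False, False]` is identical to the has-cert case although here it is the certificate that is meant to be absent, which looks copy-pasted and makes the two tests indistinguishable on the `os.path.exists` side. `CERT_FILE`/`KEY_FILE` point at `cinder/tests/unit/ssl_cert/`, but the diffstat lists only two files, so unless those fixtures already exist in the tree `test_ssl_enabled_has_cert_and_key` cannot pass; if they are still to be added, prefer generating a throwaway self-signed pair under `tempfile` in `setUp` over checking a private key into the repository. Finally, `test_ssl_enabled_no_cert_no_key` enshrines "use_ssl=True with no cert/key runs without SSL" as expected behaviour; that is a fail-open default for a security option and deserves a deliberate decision rather than a test that locks it in.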