def _get_cert_provider(self, nsx_cert, key):
cert_file = self.certpath
data_cert_file = nsx_cert
data_key_file = key
if (not os.path.isfile(data_key_file)
and not os.path.isfile(data_cert_file)):
print("Filepaths %s and %s do not exist for PEM encoded NSX "
"certificate and key pair." %
(data_cert_file, data_key_file))
return
# Cert file was not created or is no longer found in filesystem
filenames = [data_key_file, data_cert_file]
# Create a single file from the cert and key data since NSX expects
# one single file for certificate.
with open(cert_file, 'w') as c_file:
for filename in filenames:
try:
with open(filename) as fname:
for line in fname:
c_file.write(line)
except Exception as e:
print("Unable to write file %s to create client cert: "
"%s" % (filename, str(e)))
return
print("Successfully created certificate file %s for NSX client "
"connection." % cert_file)
return client_cert.ClientCertProvider(cert_file)
def get_client_cert_provider(conf_path=cfg.CONF.nsx_v3):
if not conf_path.nsx_use_client_auth:
return None
if conf_path.nsx_client_cert_storage.lower() == 'none':
# Admin is responsible for providing cert file, the plugin
# should not touch it
return client_cert.ClientCertProvider(conf_path.nsx_client_cert_file)
if conf_path.nsx_client_cert_storage.lower() == 'nsx-db':
# Cert data is stored in DB, and written to file system only
# when new connection is opened, and deleted immediately after.
return DbCertProvider
def get_client_cert_provider():
if not cfg.CONF.nsx_v3.nsx_use_client_auth:
return None
if cfg.CONF.nsx_v3.nsx_client_cert_storage.lower() == 'none':
# Admin is responsible for providing cert file, the plugin
# should not touch it
return client_cert.ClientCertProvider(
cfg.CONF.nsx_v3.nsx_client_cert_file)
if cfg.CONF.nsx_v3.nsx_client_cert_storage.lower() == 'nsx-db':
# Cert data is stored in DB, and written to file system only
# when new connection is opened, and deleted immediately after.
# Pid is appended to avoid file collisions between neutron servers
return DbCertProvider()
def get_nsxlib_config_with_client_cert():
return config.NsxLibConfig(
client_cert_provider=client_cert.ClientCertProvider(CLIENT_CERT),
retries=NSX_HTTP_RETRIES,
insecure=NSX_INSECURE,
ca_file=NSX_CERT,
concurrent_connections=NSX_CONCURENT_CONN,
http_timeout=NSX_HTTP_TIMEOUT,
http_read_timeout=NSX_HTTP_READ_TIMEOUT,
conn_idle_timeout=NSX_CONN_IDLE_TIME,
http_provider=None,
nsx_api_managers=[],
plugin_scope=PLUGIN_SCOPE,
plugin_tag=PLUGIN_TAG,
plugin_ver=PLUGIN_VER)
def test_new_connection_with_client_auth(self):
mock_api = mock.Mock()
mock_api.nsxlib_config = mock.Mock()
mock_api.nsxlib_config.retries = 100
mock_api.nsxlib_config.insecure = True
mock_api.nsxlib_config.ca_file = None
mock_api.nsxlib_config.http_timeout = 99
mock_api.nsxlib_config.conn_idle_timeout = 39
cert_provider_inst = client_cert.ClientCertProvider('/etc/cert.pem')
mock_api.nsxlib_config.client_cert_provider = cert_provider_inst
provider = cluster.NSXRequestsHTTPProvider()
with mock.patch.object(cluster.TimeoutSession,
'request',
return_value=get_sess_create_resp()):
session = provider.new_connection(
mock_api,
cluster.Provider('9.8.7.6', 'https://9.8.7.6', None, None,
None))
self.assertIsNone(session.auth)
self.assertFalse(session.verify)
self.assertEqual(cert_provider_inst, session.cert_provider)
self.assertEqual(99, session.timeout)
