Enable certificate verification during image copy

The VMDK driver config options 'vmware_ca_file' and 'vmware_insecure'
are ignored while copying sparse or preallocated vmdk images to vCenter
datastores for volume creation. Therefore, the vCenter certificate is
not verified during image copy.

This patch sets appropriate parameters in the oslo.vmware API (for
copying images) call to enable vCenter certificate verification.

Closes-bug: #1493331
Change-Id: I04f6a6def9867a573258b0d37693b1824e415838

diff --git a/cinder/tests/unit/test_vmware_vmdk.py b/cinder/tests/unit/test_vmware_vmdk.py
index 14a770a5f94bd043a3d4bc72a2fce2fe307f7efd..b59d824b2aca66277dc452f34653cb5152e87fdb 100644 (file)
--- a/cinder/tests/unit/test_vmware_vmdk.py
+++ b/cinder/tests/unit/test_vmware_vmdk.py
@@ -2389,6 +2389,51 @@ class VMwareVcVmdkDriverTestCase(VMwareEsxVmdkDriverTestCase):
             generate_uuid,
             extend_disk)
 
+    def _test_copy_image(self, download_flat_image, session, vops,
+                         expected_cacerts=False):
+
+        dc_name = mock.sentinel.dc_name
+        vops.get_entity_name.return_value = dc_name
+
+        context = mock.sentinel.context
+        dc_ref = mock.sentinel.dc_ref
+        image_service = mock.sentinel.image_service
+        image_id = mock.sentinel.image_id
+        image_size_in_bytes = 102400
+        ds_name = mock.sentinel.ds_name
+        upload_file_path = mock.sentinel.upload_file_path
+        self._driver._copy_image(
+            context, dc_ref, image_service, image_id, image_size_in_bytes,
+            ds_name, upload_file_path)
+
+        vops.get_entity_name.assert_called_once_with(dc_ref)
+        cookies = session.vim.client.options.transport.cookiejar
+        download_flat_image.assert_called_once_with(
+            context, self.IMG_TX_TIMEOUT, image_service, image_id,
+            image_size=image_size_in_bytes, host=self.IP, port=self.PORT,
+            data_center_name=dc_name, datastore_name=ds_name, cookies=cookies,
+            file_path=upload_file_path, cacerts=expected_cacerts)
+
+    @mock.patch.object(VMDK_DRIVER, 'volumeops')
+    @mock.patch.object(VMDK_DRIVER, 'session')
+    @mock.patch('oslo_vmware.image_transfer.download_flat_image')
+    def test_copy_image(self, download_flat_image, session, vops):
+        # Default value of vmware_ca_file is not None; it should be passed
+        # to download_flat_image as cacerts.
+        self._test_copy_image(download_flat_image, session, vops,
+                              expected_cacerts=self._config.vmware_ca_file)
+
+    @mock.patch.object(VMDK_DRIVER, 'volumeops')
+    @mock.patch.object(VMDK_DRIVER, 'session')
+    @mock.patch('oslo_vmware.image_transfer.download_flat_image')
+    def test_copy_image_insecure(self, download_flat_image, session, vops):
+        # Set config options to allow insecure connections.
+        self._config.vmware_ca_file = None
+        self._config.vmware_insecure = True
+        # Since vmware_ca_file is unset and vmware_insecure is True,
+        # dowload_flat_image should be called with cacerts=False.
+        self._test_copy_image(download_flat_image, session, vops)
+
     @mock.patch.object(VMDK_DRIVER, '_copy_temp_virtual_disk')
     @mock.patch.object(VMDK_DRIVER, '_get_temp_image_folder')
     @mock.patch(

diff --git a/cinder/volume/drivers/vmware/vmdk.py b/cinder/volume/drivers/vmware/vmdk.py
index 72de97cbad2d062a8ce648ad6b2d14a35f2d3163..5f365786fb347993193bb7a343c1aed327c66ee4 100644 (file)
--- a/cinder/volume/drivers/vmware/vmdk.py
+++ b/cinder/volume/drivers/vmware/vmdk.py
@@ -813,6 +813,8 @@ class VMwareEsxVmdkDriver(driver.VolumeDriver):
 
         timeout = self.configuration.vmware_image_transfer_timeout_secs
         host_ip = self.configuration.vmware_host_ip
+        ca_file = self.configuration.vmware_ca_file
+        insecure = self.configuration.vmware_insecure
         cookies = self.session.vim.client.options.transport.cookiejar
         dc_name = self.volumeops.get_entity_name(dc_ref)
 
@@ -820,6 +822,13 @@ class VMwareEsxVmdkDriver(driver.VolumeDriver):
                   {'image_id': image_id,
                    'path': upload_file_path})
         # TODO(vbala): add config option to override non-default port
+
+        # ca_file is used for verifying vCenter certificate if it is set.
+        # If ca_file is unset and insecure is False, the default CA truststore
+        # is used for verification. We should pass cacerts=True in this
+        # case. If ca_file is unset and insecure is True, there is no
+        # certificate verification, and we should pass cacerts=False.
+        cacerts = ca_file if ca_file else not insecure
         image_transfer.download_flat_image(context,
                                            timeout,
                                            image_service,
@@ -830,7 +839,8 @@ class VMwareEsxVmdkDriver(driver.VolumeDriver):
                                            data_center_name=dc_name,
                                            datastore_name=ds_name,
                                            cookies=cookies,
-                                           file_path=upload_file_path)
+                                           file_path=upload_file_path,
+                                           cacerts=cacerts)
         LOG.debug("Image: %(image_id)s copied to %(path)s.",
                   {'image_id': image_id,
                    'path': upload_file_path})