XtremIO: Set the location of a CA certificate

* The current CA verification will only work for known CAs which
  are bundled with requests.
  The extra parameter allows to configure a custom location for
  the CA bundle, which can be relavnt to all drivers.

Closes-Bug: #1528855
Change-Id: I335ba99a9bc1546b6e70ac9879449a4e0f03c16e

diff --git a/cinder/tests/unit/test_emc_xtremio.py b/cinder/tests/unit/test_emc_xtremio.py
index fb2a032c4bc4ed144e76d24723b7d79f0f105d9f..32b3d26909f9e85833104c38aa334dc50caee02b 100644 (file)
--- a/cinder/tests/unit/test_emc_xtremio.py
+++ b/cinder/tests/unit/test_emc_xtremio.py
@@ -571,9 +571,11 @@ class EMCXIODriverTestCase(test.TestCase):
         configuration.san_password = ''
         configuration.san_ip = ''
         configuration.xtremio_cluster_name = ''
+        configuration.driver_ssl_cert_verify = True
+        configuration.driver_ssl_cert_path = '/test/path/root_ca.crt'
 
         def safe_get(key):
-            getattr(configuration, key)
+            return getattr(configuration, key)
 
         configuration.safe_get = safe_get
         self.driver = xtremio.XtremIOISCSIDriver(configuration=configuration)
@@ -601,6 +603,17 @@ class EMCXIODriverTestCase(test.TestCase):
         req.side_effect = busy_request
         self.driver.create_volume(self.data.test_volume)
 
+    def test_verify_cert(self, req):
+        good_response = mock.MagicMock()
+        good_response.status_code = 200
+
+        def request_verify_cert(*args, **kwargs):
+            self.assertEqual(kwargs['verify'], '/test/path/root_ca.crt')
+            return good_response
+
+        req.side_effect = request_verify_cert
+        self.driver.client.req('volumes')
+
 
 @mock.patch('cinder.volume.drivers.emc.xtremio.XtremIOClient.req')
 class EMCXIODriverFibreChannelTestCase(test.TestCase):

diff --git a/cinder/volume/driver.py b/cinder/volume/driver.py
index dc579eed10f5697a6e31d34e288cf75c1760933c..378b2a5e40a5ae74ab8340e9ec42639530c5b107 100644 (file)
--- a/cinder/volume/driver.py
+++ b/cinder/volume/driver.py
@@ -204,6 +204,10 @@ volume_opts = [
                 default=False,
                 help='If set to True the http client will validate the SSL '
                      'certificate of the backend endpoint.'),
+    cfg.StrOpt('driver_ssl_cert_path',
+               help='Can be used to specify a non default path to a '
+               'CA_BUNDLE file or directory with certificates of '
+               'trusted CAs, which will be used to validate the backend'),
     cfg.ListOpt('trace_flags',
                 help='List of options that control which trace info '
                      'is written to the DEBUG log level to assist '

diff --git a/cinder/volume/drivers/emc/xtremio.py b/cinder/volume/drivers/emc/xtremio.py
index 55e7a1125e209940faa9ca33aa75b7621302c656..d46473315776d948b5220c4cb0ae9dd8694bcfa3 100644 (file)
--- a/cinder/volume/drivers/emc/xtremio.py
+++ b/cinder/volume/drivers/emc/xtremio.py
@@ -88,8 +88,12 @@ class XtremIOClient(object):
         self.configuration = configuration
         self.cluster_id = cluster_id
         self.verify = (self.configuration.
-                       safe_get('driver_ssl_cert_verify')
-                       or False)
+                       safe_get('driver_ssl_cert_verify') or False)
+        if self.verify:
+            verify_path = (self.configuration.
+                           safe_get('driver_ssl_cert_path') or None)
+            if verify_path:
+                self.verify = verify_path
 
     def get_base_url(self, ver):
         if ver == 'v1':