Add insecure option for swift backup

When running backups with the swift backup driver and an
https url for the swift endpoint, the config option
backup_swift_ca_cert_file must point to a valid server side
cert.

For test purposes, it is useful to be able to ignore
cert errors while still making a SSL/TLS connection, the way
one can with https:// urls and the curl command and the
swift client itself.

This commit adds a boolean CONFIG option, 'backup_swift_auth_insecure',
whose default value is False, in which case there is no change from
current behavior.  If this option is set to True, however, cert validation
is skipped for SSL/TLS.

DocImpact

Change-Id: I1ca88d8e083d95c2bdb86ae79a4d66e04f521ddb

diff --git a/cinder/backup/drivers/swift.py b/cinder/backup/drivers/swift.py
index 8570ad2c5297c6170f547ac90c0c9be963cab41b..68a9f3e51d31f7694ab0cefaa297c85b1d21d358 100644 (file)
--- a/cinder/backup/drivers/swift.py
+++ b/cinder/backup/drivers/swift.py
@@ -35,6 +35,8 @@
                                None (to disable), zlib and bz2 (default: zlib)
 :backup_swift_ca_cert_file: The location of the CA certificate file to use
                             for swift client requests (default: None)
+:backup_swift_auth_insecure: If true, bypass verification of server's
+                             certificate for SSL connections (default: False)
 """
 
 import hashlib
@@ -107,6 +109,10 @@ swiftbackup_service_opts = [
                default=None,
                help='Location of the CA certificate file to use for swift '
                     'client requests.'),
+    cfg.BoolOpt('backup_swift_auth_insecure',
+                default=False,
+                help='Bypass verification of server certificate when '
+                     'making SSL connection to Swift.'),
 ]
 
 CONF = cfg.CONF
@@ -153,6 +159,7 @@ class SwiftBackupDriver(chunkeddriver.ChunkedBackupDriver):
         self.swift_backoff = CONF.backup_swift_retry_backoff
         LOG.debug('Connect to %s in "%s" mode', CONF.backup_swift_url,
                   CONF.backup_swift_auth)
+        self.backup_swift_auth_insecure = CONF.backup_swift_auth_insecure
         if CONF.backup_swift_auth == 'single_user':
             if CONF.backup_swift_user is None:
                 LOG.error(_LE("single_user auth mode enabled, "
@@ -167,12 +174,15 @@ class SwiftBackupDriver(chunkeddriver.ChunkedBackupDriver):
                 key=CONF.backup_swift_key,
                 retries=self.swift_attempts,
                 starting_backoff=self.swift_backoff,
+                insecure=self.backup_swift_auth_insecure,
                 cacert=CONF.backup_swift_ca_cert_file)
         else:
             self.conn = swift.Connection(retries=self.swift_attempts,
                                          preauthurl=self.swift_url,
                                          preauthtoken=self.context.auth_token,
                                          starting_backoff=self.swift_backoff,
+                                         insecure= (
+                                             self.backup_swift_auth_insecure),
                                          cacert=CONF.backup_swift_ca_cert_file)
 
     class SwiftObjectWriter(object):

diff --git a/cinder/tests/unit/test_backup_swift.py b/cinder/tests/unit/test_backup_swift.py
index c5d639923a8305d35c468c6420bf457413529221..5c57b2b2864ad072538a816abac0e7c6cb042bfc 100644 (file)
--- a/cinder/tests/unit/test_backup_swift.py
+++ b/cinder/tests/unit/test_backup_swift.py
@@ -18,6 +18,7 @@ Tests for Backup swift code.
 """
 
 import bz2
+import ddt
 import filecmp
 import hashlib
 import os
@@ -42,6 +43,8 @@ from cinder.tests.unit.backup import fake_swift_client2
 
 CONF = cfg.CONF
 
+ANY = mock.ANY
+
 
 def fake_md5(arg):
     class result(object):
@@ -52,6 +55,7 @@ def fake_md5(arg):
     return ret
 
 
+@ddt.ddt
 class BackupSwiftTestCase(test.TestCase):
     """Test Case for swift."""
 
@@ -125,6 +129,41 @@ class BackupSwiftTestCase(test.TestCase):
                           swift_dr.SwiftBackupDriver,
                           self.ctxt)
 
+    @ddt.data(
+        {'auth': 'single_user', 'insecure': True},
+        {'auth': 'single_user', 'insecure': False},
+        {'auth': 'per_user', 'insecure': True},
+        {'auth': 'per_user', 'insecure': False},
+    )
+    @ddt.unpack
+    def test_backup_swift_auth_insecure(self, auth, insecure):
+        self.override_config("backup_swift_auth_insecure", insecure)
+        self.override_config('backup_swift_auth', auth)
+        if auth == 'single_user':
+            self.override_config('backup_swift_user', 'swift-user')
+
+        mock_connection = self.mock_object(swift, 'Connection')
+
+        swift_dr.SwiftBackupDriver(self.ctxt)
+
+        if auth == 'single_user':
+            mock_connection.assert_called_once_with(insecure=insecure,
+                                                    authurl=ANY,
+                                                    auth_version=ANY,
+                                                    tenant_name=ANY,
+                                                    user=ANY,
+                                                    key=ANY,
+                                                    retries=ANY,
+                                                    starting_backoff=ANY,
+                                                    cacert=ANY)
+        else:
+            mock_connection.assert_called_once_with(insecure=insecure,
+                                                    retries=ANY,
+                                                    preauthurl=ANY,
+                                                    preauthtoken=ANY,
+                                                    starting_backoff=ANY,
+                                                    cacert=ANY)
+
     def test_backup_uncompressed(self):
         self._create_backup_db_entry()
         self.flags(backup_compression_algorithm='none')