
Commit 439629d

authored
Merge pull request #600 from rbradford/tls-pool-change
Merge supplied command line CA file with system pool
2 parents db03203 + 53cf7ad commit 439629d


3 files changed

+55
-9
lines changed


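--- a/ciao-cli/README.md
+++ b/ciao-cli/README.md
@@ -19,6 +19,8 @@ The options are:
 
 -alsologtostderr
 log to standard error as well as files
+-ca-file string
+CA Certificate
 -computeport int
 Openstack Compute API port (default 8774)
 -controller string
@@ -61,7 +63,7 @@ Use "ciao-cli command -help" for more information about that command.
 
 ## Ciao environment variables
 
-ciao-cli first look for Ciao specific environment variables to retrieve
+ciao-cli first looks for Ciao specific environment variables to retrieve
 credentials and networking information:
 
 * `CIAO_CONTROLLER` exports the Ciao controller URL
@@ -70,6 +72,7 @@ credentials and networking information:
 * `CIAO_USERNAME` exports the Ciao username
 * `CIAO_PASSWORD` export the Ciao password for `CIAO_USERNAME`
 * `CIAO_TENANT_NAME` export the Ciao tenant name for `CIAO_USERNAME`
+* `CIAO_CA_CERT_FILE` (optional) use the supplied certificate as the CA
 
 All those environment variables can be set through an rc file.
 For example:
@@ -89,11 +92,9 @@ or overridden from the `ciao-cli` command line.
 
 ## Keystone certificates
 
-ciao-cli interact with the CIAO keystone instance over HTTPS.
-As such you will have to install the keystone CA certificate locally
-in order for ciao-cli to verify the keystone identity.
-
-CA certificate installation is a distribution specific process. For example:
+ciao-cli interacts with the CIAO keystone instance over HTTPS. As such you
+will need to have the keystone CA certificate available in order to make
+requests. You can either install the CA certificate system-wide:
 
 * On Fedora:
 ```shell
@@ -107,6 +108,9 @@ sudo cp keystone_ca_cert.pem /usr/local/share/ca-certificates/keystone.crt
 sudo update-ca-certificates
 ```
 
+Or, alternatively the CA certificate may be specified with the `-ca-file`
+command line or with the `CIAO_CA_CERT_FILE` environment variable.
+
 ## Priviledged versus non priviledged CIAO users
 
 Administrators of a CIAO cluster are privileged users that are part of the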

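--- a/ciao-cli/identity.go
+++ b/ciao-cli/identity.go
@@ -17,7 +17,9 @@
 package main
 
 import (
+"crypto/tls"
 "fmt"
+"net/http"
 
 "github.com/mitchellh/mapstructure"
 "github.com/rackspace/gophercloud"
@@ -121,7 +123,20 @@ func getScopedToken(username string, password string, projectScope string) (stri
 AllowReauth: true,
 }
 
-provider, err := openstack.AuthenticatedClient(opt)
+provider, err := openstack.NewClient(opt.IdentityEndpoint)
+if err != nil {
+errorf("Could not get ProviderClient %s\n", err)
+return "", "", "", nil
+}
+
+if caCertPool != nil {
+transport := &http.Transport{
+TLSClientConfig: &tls.Config{RootCAs: caCertPool},
+}
+provider.HTTPClient.Transport = transport
+}
+
+err = openstack.Authenticate(provider, opt)
 if err != nil {
 errorf("Could not get AuthenticatedClient %s\n", err)
 return "", "", "", nil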
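Review bot: When caCertPool is set, the replacement `http.Transport` carries only TLSClientConfig, so the provider's HTTP client loses whatever its default transport supplied — presumably `http.DefaultTransport`'s `Proxy: http.ProxyFromEnvironment` and its dial and TLS-handshake timeouts — which means supplying a custom CA silently changes proxy and timeout behaviour; consider setting at least `Proxy: http.ProxyFromEnvironment` and `TLSHandshakeTimeout` on the new transport. The same bare-transport construction already exists in sendHTTPRequestToken in main.go, so one shared helper that builds the transport from caCertPool would keep the two paths in step. The new ProviderClient failure path logs and then returns a nil error, so callers cannot distinguish the empty token from success; this mirrors the pre-existing AuthenticatedClient path rather than being new, but it is worth a `// note: errors are logged, not returned` comment at the top of the function. getScopedToken begins before this hunk and continues after it.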

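--- a/ciao-cli/main.go
+++ b/ciao-cli/main.go
@@ -19,6 +19,7 @@ package main
 import (
 "bytes"
 "crypto/tls"
+"crypto/x509"
 "encoding/json"
 "flag"
 "fmt"
@@ -130,6 +131,7 @@ var (
 tenantID = flag.String("tenant-id", "", "Tenant UUID")
 tenantName = flag.String("tenant-name", "", "Tenant name")
 computePort = flag.Int("computeport", openstackComputePort, "Openstack Compute API port")
+caCertFile = flag.String("ca-file", "", "CA Certificate")
 )
 
 const (
@@ -139,8 +141,11 @@ const (
 ciaoPasswordEnv = "CIAO_PASSWORD"
 ciaoComputePortEnv = "CIAO_COMPUTEPORT"
 ciaoTenantNameEnv = "CIAO_TENANT_NAME"
+ciaoCACertFileEnv = "CIAO_CA_CERT_FILE"
 )
 
+var caCertPool *x509.CertPool
+
 type queryValue struct {
 name, value string
 }
@@ -195,8 +200,11 @@ func sendHTTPRequestToken(method string, url string, values []queryValue, token
 req.Header.Set("Accept", "application/json")
 }
 
-warningf("Skipping TLS verification\n")
-tlsConfig := &tls.Config{InsecureSkipVerify: true}
+tlsConfig := &tls.Config{}
+
+if caCertPool != nil {
+tlsConfig.RootCAs = caCertPool
+}
 
 transport := &http.Transport{
 TLSClientConfig: tlsConfig,
@@ -266,6 +274,7 @@ func getCiaoEnvVariables() {
 password := os.Getenv(ciaoPasswordEnv)
 port := os.Getenv(ciaoComputePortEnv)
 tenant := os.Getenv(ciaoTenantNameEnv)
+ca := os.Getenv(ciaoCACertFileEnv)
 
 infof("Ciao environment variables:\n")
 infof("\t%s:%s\n", ciaoIdentityEnv, identity)
@@ -274,6 +283,7 @@ func getCiaoEnvVariables() {
 infof("\t%s:%s\n", ciaoPasswordEnv, password)
 infof("\t%s:%s\n", ciaoComputePortEnv, port)
 infof("\t%s:%s\n", ciaoTenantNameEnv, tenantName)
+infof("\t%s:%s\n", ciaoCACertFileEnv, ca)
 
 if identity != "" && *identityURL == "" {
 *identityURL = identity
@@ -298,6 +308,10 @@ func getCiaoEnvVariables() {
 if tenant != "" && *tenantName == "" {
 *tenantName = tenant
 }
+
+if ca != "" && *caCertFile == "" {
+*caCertFile = ca
+}
 }
 
 func checkCompulsoryOptions() {
@@ -339,6 +353,19 @@ func main() {
 usage()
 }
 
+/* Load CA file if necessary */
+if *caCertFile != "" {
+caCert, err := ioutil.ReadFile(*caCertFile)
+if err != nil {
+fatalf("Unable to load requested CA certificate: %s\n", err)
+}
+caCertPool, err = x509.SystemCertPool()
+if err != nil {
+fatalf("Unable to create system certificate pool: %s\n", err)
+}
+caCertPool.AppendCertsFromPEM(caCert)
+}
+
 /* If we're missing the tenant name let's try to fetch one */
 if *tenantName == "" {
 *tenantName, *tenantID, err = getTenant(*identityUser, *identityPassword, *tenantID)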
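Review bot: In the CA-loading block of main(), the boolean returned by `caCertPool.AppendCertsFromPEM(caCert)` is discarded, so a file that holds no parsable PEM certificate (wrong path, DER encoding, a key instead of a certificate) leaves caCertPool equal to the plain system pool and the eventual TLS verification failure will not point at the CA file; change the call to `if !caCertPool.AppendCertsFromPEM(caCert) { fatalf("No certificates found in CA file %s\n", *caCertFile) }`. The block also relies on `ioutil.ReadFile`, whose import is not visible in the first hunk of this file; confirm `io/ioutil` is already imported, since the hunk only adds `crypto/x509`. A short comment above the block such as `// The supplied CA is added to a copy of the system pool rather than replacing it` would make the merge semantics (and the PR title) explicit to readers of main(). main() begins before this hunk and continues after it.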
