Document "insecure" flag

I received a clouds.yaml with "insecure: True" which I had not seen before. There's no explicit mention of this in the documentation, but due to a name clash in the example in the reference it initially led me to believe it was a section of the config file. So firstly make the cloud names more verbose to illustrate what's going on, and add a mention of the "insecure" flag, but suggest using "verify". Similarly in the unit tests use more explicit cloud names to make it obvious what's going on. Add a test that ensures "insecure=True" implies "verify=False". Change-Id: I56fe7460431442ad4ca264e32d2494068cf7f05e
2018-11-05 19:59:17 +11:00 · 2018-11-05 19:59:17 +11:00 · 46ca87b8e8
commit 46ca87b8e8
parent 9070649469
2 changed files with 48 additions and 21 deletions
--- a/doc/source/user/config/configuration.rst
+++ b/doc/source/user/config/configuration.rst
@ -184,15 +184,28 @@ its file location needs to be set via `key`.

  # clouds.yaml
  clouds:
-    secure:
-      auth: ...
+    regular-secure-cloud:
+      auth:
+        auth_url: https://signed.cert.domain:5000
+        ...
+    unknown-ca-with-client-cert-secure-cloud:
+      auth:
+        auth_url: https://unknown.ca.but.secure.domain:5000
+        ...
      key: /home/myhome/client-cert.key
      cert: /home/myhome/client-cert.crt
      cacert: /home/myhome/ca.crt
-    insecure:
-      auth: ...
+    self-signed-insecure-cloud:
+      auth:
+        auth_url: https://self.signed.cert.domain:5000
+        ...
      verify: False

+Note for parity with ``openstack`` command-line options the `insecure`
+boolean is also recognised (with the opposite semantics to `verify`;
+i.e. `True` ignores certificate failures).  This should be considered
+deprecated for `verify`.
+
 Cache Settings
 --------------

--- a/openstack/tests/unit/test_connection.py
+++ b/openstack/tests/unit/test_connection.py
@ -29,14 +29,14 @@ CONFIG_CACERT = "TrustMe"

 CLOUD_CONFIG = """
 clouds:
-  sample:
+  sample-cloud:
    region_name: RegionOne
    auth:
      auth_url: {auth_url}
      username: {username}
      password: {password}
      project_name: {project}
-  insecure:
+  insecure-cloud:
    auth:
      auth_url: {auth_url}
      username: {username}
@ -44,7 +44,14 @@ clouds:
      project_name: {project}
    cacert: {cacert}
    verify: False
-  cacert:
+  insecure-cloud-alternative-format:
+    auth:
+      auth_url: {auth_url}
+      username: {username}
+      password: {password}
+      project_name: {project}
+    insecure: True
+  cacert-cloud:
    auth:
      auth_url: {auth_url}
      username: {username}
@ -73,7 +80,7 @@ class TestConnection(base.TestCase):
        self.use_keystone_v2()

    def test_other_parameters(self):
-        conn = connection.Connection(cloud='sample', cert='cert')
+        conn = connection.Connection(cloud='sample-cloud', cert='cert')
        self.assertEqual(conn.session.cert, 'cert')

    def test_session_provided(self):
@ -85,13 +92,13 @@ class TestConnection(base.TestCase):
        self.assertEqual('auth.example.com', conn.config.name)

    def test_task_manager_rate_scalar(self):
-        conn = connection.Connection(cloud='sample', rate_limit=20)
+        conn = connection.Connection(cloud='sample-cloud', rate_limit=20)
        self.assertEqual(1 / 20, conn.task_manager._get_wait('object-store'))
        self.assertEqual(1 / 20, conn.task_manager._get_wait(None))

    def test_task_manager_rate_dict(self):
        conn = connection.Connection(
-            cloud='sample',
+            cloud='sample-cloud',
            rate_limit={
                'compute': 20,
                'network': 10,
@ -101,7 +108,7 @@ class TestConnection(base.TestCase):
        self.assertIsNone(conn.task_manager._get_wait('object-store'))

    def test_create_session(self):
-        conn = connection.Connection(cloud='sample')
+        conn = connection.Connection(cloud='sample-cloud')
        self.assertIsNotNone(conn)
        # TODO(mordred) Rework this - we need to provide requests-mock
        # entries for each of the proxies below
@ -127,27 +134,27 @@ class TestConnection(base.TestCase):
        #                  conn.workflow.__class__.__module__)

    def test_create_connection_version_param_default(self):
-        c1 = connection.Connection(cloud='sample')
+        c1 = connection.Connection(cloud='sample-cloud')
        conn = connection.Connection(session=c1.session)
        self.assertEqual('openstack.identity.v3._proxy',
                         conn.identity.__class__.__module__)

    def test_create_connection_version_param_string(self):
-        c1 = connection.Connection(cloud='sample')
+        c1 = connection.Connection(cloud='sample-cloud')
        conn = connection.Connection(
            session=c1.session, identity_api_version='2')
        self.assertEqual('openstack.identity.v2._proxy',
                         conn.identity.__class__.__module__)

    def test_create_connection_version_param_int(self):
-        c1 = connection.Connection(cloud='sample')
+        c1 = connection.Connection(cloud='sample-cloud')
        conn = connection.Connection(
            session=c1.session, identity_api_version=3)
        self.assertEqual('openstack.identity.v3._proxy',
                         conn.identity.__class__.__module__)

    def test_create_connection_version_param_bogus(self):
-        c1 = connection.Connection(cloud='sample')
+        c1 = connection.Connection(cloud='sample-cloud')
        conn = connection.Connection(
            session=c1.session, identity_api_version='red')
        # TODO(mordred) This is obviously silly behavior
@ -155,7 +162,8 @@ class TestConnection(base.TestCase):
                         conn.identity.__class__.__module__)

    def test_from_config_given_config(self):
-        cloud_region = openstack.config.OpenStackConfig().get_one("sample")
+        cloud_region = (openstack.config.OpenStackConfig().
+                        get_one("sample-cloud"))

        sot = connection.from_config(config=cloud_region)

@ -169,7 +177,7 @@ class TestConnection(base.TestCase):
                         sot.config.config['auth']['project_name'])

    def test_from_config_given_cloud(self):
-        sot = connection.from_config(cloud="sample")
+        sot = connection.from_config(cloud="sample-cloud")

        self.assertEqual(CONFIG_USERNAME,
                         sot.config.config['auth']['username'])
@ -181,7 +189,8 @@ class TestConnection(base.TestCase):
                         sot.config.config['auth']['project_name'])

    def test_from_config_given_cloud_config(self):
-        cloud_region = openstack.config.OpenStackConfig().get_one("sample")
+        cloud_region = (openstack.config.OpenStackConfig().
+                        get_one("sample-cloud"))

        sot = connection.from_config(cloud_config=cloud_region)

@ -195,7 +204,7 @@ class TestConnection(base.TestCase):
                         sot.config.config['auth']['project_name'])

    def test_from_config_given_cloud_name(self):
-        sot = connection.from_config(cloud_name="sample")
+        sot = connection.from_config(cloud_name="sample-cloud")

        self.assertEqual(CONFIG_USERNAME,
                         sot.config.config['auth']['username'])
@ -207,12 +216,17 @@ class TestConnection(base.TestCase):
                         sot.config.config['auth']['project_name'])

    def test_from_config_verify(self):
-        sot = connection.from_config(cloud="insecure")
+        sot = connection.from_config(cloud="insecure-cloud")
        self.assertFalse(sot.session.verify)

-        sot = connection.from_config(cloud="cacert")
+        sot = connection.from_config(cloud="cacert-cloud")
        self.assertEqual(CONFIG_CACERT, sot.session.verify)

+    def test_from_config_insecure(self):
+        # Ensure that the "insecure=True" flag implies "verify=False"
+        sot = connection.from_config("insecure-cloud-alternative-format")
+        self.assertFalse(sot.session.verify)
+

 class TestNetworkConnection(base.TestCase):
    # We need to do the neutron adapter test differently because it needs