Enable AAF RootCA in rest call to MUSIC

Add AAF RootCA cert in the rest call Switch to Https interface Issue-ID: OPTFRA-562 Signed-off-by: Ruoyu Ying <ruoyu.ying@intel.com> Change-Id: Ie1860fe8f8ceb11d911d3f1fd83c1b6feea9b8f5 Signed-off-by: Ruoyu Ying <ruoyu.ying@intel.com>
author: Ruoyu Ying <ruoyu.ying@intel.com> 2019-08-15 19:34:32 +0800
committer: Ruoyu Ying <ruoyu.ying@intel.com> 2019-08-31 08:59:16 +0800
commit: 4337dfb81c893522af34e9869f65f5a73b72d7b5 (patch)
tree: 62031eee4ced02d7fd570bc9897c55b2d6aef3b7
parent: 6b09bcaf2cea9abd3151dcf5dcd159ce684fc479 (diff)
7 files changed, 26 insertions, 0 deletions
diff --git a/conductor.conf b/conductor.conf
index 0c0ae2b..75e4e70 100755
--- a/conductor.conf
+++ b/conductor.conf
@@ -470,6 +470,10 @@ replication_factor = 3
 #music_new_version = <None>
 music_new_version = True
 
+# Enabling HTTPs mode (boolean value)
+#enable_https_mode = <None>
+enable_https_mode = False
+
 # for version (string value)
 #music_version = <None>
 music_version = "3.0.23"
@@ -485,6 +489,10 @@ music_version = "3.0.23"
 # AAF namespace field used in MUSIC request header (string value)
 #aafns = <None>
 
+# Certificate Authority Bundle file in pem format. Must contain the appropriate
+# trust chain for the Certificate file. (string value)
+#certificate_authority_bundle_file = certificate_authority_bundle.pem
+certificate_authority_bundle_file = /usr/local/bin/AAF_RootCA.cer
 
 [prometheus]
 
diff --git a/conductor/conductor/common/music/api.py b/conductor/conductor/common/music/api.py
index dc351c6..0ca4301 100644
--- a/conductor/conductor/common/music/api.py
+++ b/conductor/conductor/common/music/api.py
@@ -84,10 +84,16 @@ MUSIC_API_OPTS = [
     cfg.IntOpt('third_datacenter_replicas',
                help='Number of replicas in third data center'),
     cfg.BoolOpt('music_new_version', help='new or old version'),
+    cfg.BoolOpt('enable_https_mode', help='enable HTTPs mode for music connection'),
     cfg.StrOpt('music_version', help='for version'),
     cfg.StrOpt('aafuser', help='username value that used for creating basic authorization header'),
     cfg.StrOpt('aafpass', help='password value that used for creating basic authorization header'),
     cfg.StrOpt('aafns', help='AAF namespace field used in MUSIC request header'),
+    cfg.StrOpt('certificate_authority_bundle_file',
+               default='certificate_authority_bundle.pem',
+               help='Certificate Authority Bundle file in pem format. '
+                    'Must contain the appropriate trust chain for the '
+                    'Certificate file.'),
 ]
 
 CONF.register_opts(MUSIC_API_OPTS, group='music_api')
@@ -131,6 +137,13 @@ class MusicAPI(object):
         }
         self.rest = rest.REST(**kwargs)
 
+        # Set one parameter for connection mode
+        # Currently depend on music version
+        if (CONF.music_api.enable_https_mode):
+            self.rest.server_url = 'https://{}:{}/{}'.format(
+                host, port, version, path.rstrip('/').lstrip('/'))
+            self.rest.session.verify = CONF.music_api.certificate_authority_bundle_file
+
         if(CONF.music_api.music_new_version):
             MUSIC_version = CONF.music_api.music_version.split(".")
 
diff --git a/conductor/conductor/tests/unit/controller/test_translator.py b/conductor/conductor/tests/unit/controller/test_translator.py
index 2eea9b5..0d4048a 100644
--- a/conductor/conductor/tests/unit/controller/test_translator.py
+++ b/conductor/conductor/tests/unit/controller/test_translator.py
@@ -48,6 +48,7 @@ class TestNoExceptionTranslator(unittest.TestCase):
         cfg.CONF.set_override('keyspace', 'conductor')
         cfg.CONF.set_override('keyspace', 'conductor_rpc', 'messaging_server')
         cfg.CONF.set_override('concurrent', True, 'controller')
+        cfg.CONF.set_override('certificate_authority_bundle_file', '../AAF_RootCA.cer', 'music_api')
         conf = cfg.CONF
         self.Translator = Translator(
             conf, 'some_template', str(uuid.uuid4()), get_template())
diff --git a/conductor/conductor/tests/unit/controller/test_translator_svc.py b/conductor/conductor/tests/unit/controller/test_translator_svc.py
index c94ad15..a99aa5b 100644
--- a/conductor/conductor/tests/unit/controller/test_translator_svc.py
+++ b/conductor/conductor/tests/unit/controller/test_translator_svc.py
@@ -52,6 +52,7 @@ class TestTranslatorServiceNoException(unittest.TestCase):
         cfg.CONF.set_override('concurrent', True, 'controller')
         cfg.CONF.set_override('keyspace',
                               'conductor_rpc', 'messaging_server')
+        cfg.CONF.set_override('certificate_authority_bundle_file', '../AAF_RootCA.cer', 'music_api')
         self.conf = cfg.CONF
         self.Plan = plan_prepare(self.conf)
         kwargs = self.Plan
diff --git a/conductor/conductor/tests/unit/music/test_api.py b/conductor/conductor/tests/unit/music/test_api.py
index 6908ee2..90bd57d 100644
--- a/conductor/conductor/tests/unit/music/test_api.py
+++ b/conductor/conductor/tests/unit/music/test_api.py
@@ -28,6 +28,7 @@ class TestMusicApi(unittest.TestCase):
 
     def setUp(self):
         cfg.CONF.set_override('debug', True, 'music_api')
+        cfg.CONF.set_override('certificate_authority_bundle_file', '../AAF_RootCA.cer', 'music_api')
         self.mock_lock_id = mock.patch.object(MusicAPI, '_lock_id_create',
                                               return_value='12345678')
         self.mock_lock_acquire = mock.patch.object(MusicAPI,
diff --git a/conductor/conductor/tests/unit/reservation/test_service.py b/conductor/conductor/tests/unit/reservation/test_service.py
index 210d85a..a8e7687 100644
--- a/conductor/conductor/tests/unit/reservation/test_service.py
+++ b/conductor/conductor/tests/unit/reservation/test_service.py
@@ -31,6 +31,7 @@ from mock import patch
 import json
 
 def plan_prepare(conf):
+    cfg.CONF.set_override('certificate_authority_bundle_file', '../AAF_RootCA.cer', 'music_api')
     music = api.API()
     music.keyspace_create(keyspace=conf.keyspace)
     plan_tmp = base.create_dynamic_model(
diff --git a/conductor/conductor/tests/unit/solver/test_order_lock_service.py b/conductor/conductor/tests/unit/solver/test_order_lock_service.py
index 141aa6e..cb56466 100644
--- a/conductor/conductor/tests/unit/solver/test_order_lock_service.py
+++ b/conductor/conductor/tests/unit/solver/test_order_lock_service.py
@@ -31,6 +31,7 @@ from oslo_config import cfg
 class TestOrdersLockingService(unittest.TestCase):
     def setUp(self):
         # Initialize music API
+        cfg.CONF.set_override('certificate_authority_bundle_file', '../AAF_RootCA.cer', 'music_api')
         music = api.API()
         cfg.CONF.set_override('keyspace', 'conductor')
         music.keyspace_create(keyspace=cfg.CONF.keyspace)
author	Ruoyu Ying <ruoyu.ying@intel.com>	2019-08-15 19:34:32 +0800
committer	Ruoyu Ying <ruoyu.ying@intel.com>	2019-08-31 08:59:16 +0800
commit	4337dfb81c893522af34e9869f65f5a73b72d7b5 (patch)
tree	62031eee4ced02d7fd570bc9897c55b2d6aef3b7
parent	6b09bcaf2cea9abd3151dcf5dcd159ce684fc479 (diff)