[lxc-devel] [pylxd/master] Authenticate fixes

rockstar on Github lxc-bot at linuxcontainers.org
Thu Nov 17 23:02:13 UTC 2016


From 7cc9c3692304aedf3748d191eab9904ac7e196f6 Mon Sep 17 00:00:00 2001
From: Paul Hummer <paul.hummer at canonical.com>
Date: Thu, 17 Nov 2016 15:48:42 -0700
Subject: [PATCH 1/5] Default cert parameter to the certs that were generated
 by `lxc $command`

---
 pylxd/client.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/pylxd/client.py b/pylxd/client.py
index 768a9d8..b6408e4 100644
--- a/pylxd/client.py
+++ b/pylxd/client.py
@@ -181,6 +181,10 @@ class Client(object):
 
     """
 
+    DEFAULT_CERTS = (
+        os.path.expanduser('~/.config/lxc/client.crt'),
+        os.path.expanduser('~/.config/lxc/client.key'))
+
     def __init__(self, endpoint=None, version='1.0', cert=None, verify=True):
         self.cert = cert
         if endpoint is not None:
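Review bot: `DEFAULT_CERTS` is undocumented, and `os.path.expanduser` runs when the class body executes, so both paths are fixed to whatever `HOME` was at import time. With this default, a caller who omits `cert` presents the user's LXD client key pair to whatever HTTPS endpoint is passed in, which deserves a line in the class docstring (it ends just above this hunk, outside the visible lines). I would also add a comment above the tuple such as `# Key pair written by the lxc CLI; used only when cert is None and both files exist.`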
@@ -188,6 +192,11 @@ def __init__(self, endpoint=None, version='1.0', cert=None, verify=True):
                 self.api = _APINode('http+unix://{}'.format(
                     parse.quote(endpoint, safe='')))
             else:
+                # Extra trailing slashes cause LXD to 301
+                if cert is None and (
+                        os.path.exists(self.DEFAULT_CERTS[0]) and
+                        os.path.exists(self.DEFAULT_CERTS[1])):
+                    cert = self.DEFAULT_CERTS
                 self.api = _APINode(endpoint, cert=cert, verify=verify)
         else:
             if 'LXD_DIR' in os.environ:
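Review bot: `self.cert` stays `None` when the default pair is picked up, because `self.cert = cert` runs at the top of `__init__` (in the previous hunk) and the fallback rebinds only the local `cert`. The attribute then disagrees with what the session actually uses. Assigning both keeps them in step: `cert = self.cert = self.DEFAULT_CERTS`. `os.path.exists` also says nothing about readability, so an unreadable key file would presumably surface later as a TLS or I/O error rather than here. The rest of `__init__` continues outside the hunk.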
@@ -224,7 +233,7 @@ def trusted(self):
     def authenticate(self, password):
         if self.trusted:
             return
-        cert = open(self.cert[0]).read().encode('utf-8')
+        cert = open(self.api.session.cert[0]).read().encode('utf-8')
         self.certificates.create(password, cert)
 
         # Refresh the host info
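Review bot: `self.api.session.cert[0]` raises a bare `TypeError` when the session has no certificate. That is the case when `cert` was omitted and the default files are absent, and presumably also for the unix-socket branch, which builds `_APINode` without `cert`. The `open(...)` call also never closes its file handle. I would check for a missing certificate explicitly and read the file in a `with` block; the exception type below is a suggestion, so use whatever the project raises for client misconfiguration. The method body continues past the end of this hunk.

```python
    def authenticate(self, password):
        if self.trusted:
            return
        session_cert = self.api.session.cert
        if session_cert is None:
            raise ValueError('authenticate() requires a client certificate')
        with open(session_cert[0]) as cert_file:
            cert = cert_file.read().encode('utf-8')
        # … unchanged: self.certificates.create(password, cert) and host info refresh …
```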

From 00a6cf6a621f98aa8674eb1af6c3606cbc6c61e9 Mon Sep 17 00:00:00 2001
From: Paul Hummer <paul.hummer at canonical.com>
Date: Thu, 17 Nov 2016 15:49:29 -0700
Subject: [PATCH 2/5] Strip trailing slashes

This was a hell of a bug. LXD returns 301 redirects to the actual
URL. The `requests` library then switches from a POST to GET, and
this caused the `Client.authenticate` method to fail.
---
 pylxd/client.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pylxd/client.py b/pylxd/client.py
index b6408e4..606f11f 100644
--- a/pylxd/client.py
+++ b/pylxd/client.py
@@ -193,6 +193,7 @@ def __init__(self, endpoint=None, version='1.0', cert=None, verify=True):
                     parse.quote(endpoint, safe='')))
             else:
                 # Extra trailing slashes cause LXD to 301
+                endpoint = endpoint.rstrip('/')
                 if cert is None and (
                         os.path.exists(self.DEFAULT_CERTS[0]) and
                         os.path.exists(self.DEFAULT_CERTS[1])):
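Review bot: `endpoint.rstrip('/')` removes one trigger for the 301, but any other redirect from the server would still have `requests` replay the POST as a GET, and `authenticate` would fail in the same opaque way. Since that POST carries the trust password and the client certificate, I would prefer the request layer not to follow redirects on writes at all. Passing `allow_redirects=False` and raising on a 3xx would do it, if that fits how `_APINode` issues requests, which is not visible here. The existing comment would also read better as `# A trailing slash makes LXD answer 301, and requests then retries the POST as a GET`.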

From a41c503d9c59b5332e99f127dabcb5fc5e2a7b28 Mon Sep 17 00:00:00 2001
From: Paul Hummer <paul.hummer at canonical.com>
Date: Thu, 17 Nov 2016 15:50:48 -0700
Subject: [PATCH 3/5] Add integration test for Client.authenticate

---
 integration/test_client.py | 35 +++++++++++++++++++++++++++++++++++
 run_integration_tests      |  5 ++++-
 2 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 integration/test_client.py

diff --git a/integration/test_client.py b/integration/test_client.py
new file mode 100644
index 0000000..949c32e
--- /dev/null
+++ b/integration/test_client.py
@@ -0,0 +1,35 @@
+# Copyright (c) 2016 Canonical Ltd
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+import pylxd
+import requests
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+
+from integration.testing import IntegrationTestCase
+
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+
+class TestClient(IntegrationTestCase):
+    """Tests for `Client`."""
+
+    def test_authenticate(self):
+        # This is another test with multiple assertions, as it is a test of
+        # flow, rather than a single source of functionality.
+        client = pylxd.Client('https://127.0.0.1:8443/', verify=False)
+
+        self.assertFalse(client.trusted)
+
+        client.authenticate('password')
+
+        self.assertTrue(client.trusted)
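Review bot: The module-level `disable_warnings(InsecureRequestWarning)` call silences the warning for every test that runs in the same process, not just this one. Nothing here says why `verify=False` is acceptable, so a comment at the `Client(...)` call would help, e.g. `# verify=False: the test LXD uses a self-signed certificate on loopback`. The warning filter could be scoped to the test with `warnings.catch_warnings()`. The test also depends silently on the `~/.config/lxc` key pair existing in the container, so a short assertion or comment would make the resulting `authenticate` failure easier to read.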
diff --git a/run_integration_tests b/run_integration_tests
index cdba3ee..625d402 100755
--- a/run_integration_tests
+++ b/run_integration_tests
@@ -11,9 +11,12 @@ sleep 5  # Wait for the network to come up
 lxc exec $CONTAINER_NAME -- apt-get update
 lxc exec $CONTAINER_NAME -- apt-get install -y tox python3-dev libssl-dev libffi-dev build-essential
 
+lxc exec $CONTAINER_NAME -- lxc config set core.trust_password password
+lxc exec $CONTAINER_NAME -- lxc config set core.https_address [::]
+
 lxc exec $CONTAINER_NAME -- mkdir -p /opt/pylxd
 # NOTE: rockstar (13 Sep 2016) - --recursive is not supported in lxd <2.1, so
 # until we have pervasive support for that, we'll do this tar hack.
 tar cf - * .git | lxc exec $CONTAINER_NAME -- tar xf - -C /opt/pylxd
 lxc exec $CONTAINER_NAME -- /bin/sh -c "cd /opt/pylxd && tox -eintegration"
-lxc delete --force $CONTAINER_NAME
+#lxc delete --force $CONTAINER_NAME
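Review bot: `core.https_address [::]` makes the container's LXD listen on every interface while the trust password is the literal `password`, yet the integration test only connects to `127.0.0.1:8443`. As far as the visible lines show, tox runs inside the same container, so binding to loopback would be enough: `lxc exec $CONTAINER_NAME -- lxc config set core.https_address '127.0.0.1:8443'`. The unquoted `[::]` is also a shell bracket pattern on the host, and it would expand if a file named `:` existed in the working directory, so quote it whichever address is kept.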

From 94f5a2c8d9be5144758b4b2071f84858e4e5cd6f Mon Sep 17 00:00:00 2001
From: Paul Hummer <paul.hummer at canonical.com>
Date: Thu, 17 Nov 2016 15:55:50 -0700
Subject: [PATCH 4/5] Fix unit test

---
 pylxd/tests/test_client.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pylxd/tests/test_client.py b/pylxd/tests/test_client.py
index 6eda6da..2fe573d 100644
--- a/pylxd/tests/test_client.py
+++ b/pylxd/tests/test_client.py
@@ -131,7 +131,7 @@ def test_authenticate(self):
         certs = (
             os.path.join(os.path.dirname(__file__), 'lxd.crt'),
             os.path.join(os.path.dirname(__file__), 'lxd.key'))
-        an_client = client.Client(cert=certs)
+        an_client = client.Client('https://lxd', cert=certs)
 
         get_count = []
 

From ba6b8882901c2759b226ea929a00addfdcf7539e Mon Sep 17 00:00:00 2001
From: Paul Hummer <paul.hummer at canonical.com>
Date: Thu, 17 Nov 2016 15:58:25 -0700
Subject: [PATCH 5/5] Delete the integration test container on completion

---
 run_integration_tests | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/run_integration_tests b/run_integration_tests
index 625d402..c1467db 100755
--- a/run_integration_tests
+++ b/run_integration_tests
@@ -19,4 +19,4 @@ lxc exec $CONTAINER_NAME -- mkdir -p /opt/pylxd
 # until we have pervasive support for that, we'll do this tar hack.
 tar cf - * .git | lxc exec $CONTAINER_NAME -- tar xf - -C /opt/pylxd
 lxc exec $CONTAINER_NAME -- /bin/sh -c "cd /opt/pylxd && tox -eintegration"
-#lxc delete --force $CONTAINER_NAME
+lxc delete --force $CONTAINER_NAME

