add-certificate-data-support (#261)

CHANGELOG.txt

@@ -1,3 +1,5 @@
+2.20.9:
+  - add certificate_data to connection config.
 2.20.8:
   - add plugin_1_5.yaml and handle ctx.plugin properties.
 2.20.7:

cloudify_vsphere/__version__.py

@@ -1 +1 @@
-version = '2.20.8'
+version = '2.20.9'

plugin.yaml

@@ -6,7 +6,7 @@ plugins:
   vsphere:
     executor: central_deployment_agent
     package_name: cloudify-vsphere-plugin
-    package_version: '2.20.8'
+    package_version: '2.20.9'
 
 data_types:
 
@@ -39,6 +39,9 @@ data_types:
       certificate_path:
         type: string
         required: false
+      certificate_data:
+        type: string
+        required: false
 
   cloudify.datatypes.vsphere.ServerProperties:
     properties:

plugin_1_4.yaml

@@ -6,7 +6,7 @@ plugins:
   vsphere:
     executor: central_deployment_agent
     package_name: cloudify-vsphere-plugin
-    package_version: '2.20.8'
+    package_version: '2.20.9'
 
 data_types:
 
@@ -68,6 +68,10 @@ data_types:
           It is not supported to set this while allow_insecure is set to 'true'.
         type: string
         required: false
+      certificate_data:
+        type: string
+        description: The PEM encoded certificate for the vCenter.
+        required: false
 
   cloudify.datatypes.vsphere.ServerProperties:
     properties:

plugin_1_5.yaml

@@ -6,7 +6,7 @@ plugins:
   vsphere:
     executor: central_deployment_agent
     package_name: cloudify-vsphere-plugin
-    package_version: '2.20.8'
+    package_version: '2.20.9'
     properties_description: |
       Manage vSphere resources.
     properties:
@@ -46,6 +46,10 @@ plugins:
         type: string
         display_label: Certificate path for the vCenter.
         description: The path to the PEM encoded certificate for the vCenter.
+      certificate_data:
+        type: string
+        display_label: Certificate PEM content for the vCenter.
+        description: The PEM encoded certificate for the vCenter.
 
 data_types:
 
@@ -107,6 +111,10 @@ data_types:
           It is not supported to set this while allow_insecure is set to 'true'.
         type: string
         required: false
+      certificate_data:
+        type: string
+        description: The PEM encoded certificate for the vCenter.
+        required: false
 
   cloudify.datatypes.vsphere.ServerProperties:
     properties:

v2_plugin.yaml

@@ -10,7 +10,7 @@ plugins:
   vsphere:
     executor: central_deployment_agent
     package_name: cloudify-vsphere-plugin
-    package_version: '2.20.8'
+    package_version: '2.20.9'
 
 data_types:
 
@@ -43,6 +43,9 @@ data_types:
       certificate_path:
         type: string
         required: false
+      certificate_data:
+        type: string
+        required: false
 
   cloudify.datatypes.vsphere.ServerProperties:
     properties:

vsphere_plugin_common/clients/__init__.py

@@ -216,38 +216,42 @@ def connect(self, cfg):
         port = cfg['port']
 
         certificate_path = cfg.get('certificate_path')
+        certificate_data = cfg.get('certificate_data')
         # Until the next major release this will have limited effect, but is
         # in place to allow a clear path to the next release for users
         allow_insecure = cfg.get('allow_insecure', False)
         ssl_context = None
 
-        if certificate_path and allow_insecure:
+        if (certificate_path or certificate_data) and allow_insecure:
             raise NonRecoverableError(
                 'Cannot connect when certificate_path and allow_insecure '
                 'are both set. Unable to determine whether connection should '
                 'be secure or insecure.'
             )
-        elif certificate_path:
+        elif certificate_path or certificate_data:
             if not hasattr(ssl, '_create_default_https_context'):
                 raise NonRecoverableError(
                     'Cannot create secure connection with this version of '
                     'python. This functionality requires at least python '
                     '2.7.9 and has been confirmed to work on at least 2.7.12.'
                 )
 
-            if not os.path.exists(certificate_path):
+            if certificate_path and not os.path.exists(certificate_path):
                 raise NonRecoverableError(
                     'Certificate was not found in {path}.'.format(
                         path=certificate_path,
                     )
                 )
-            elif not os.path.isfile(certificate_path):
+            elif certificate_path and not os.path.isfile(certificate_path):
                 raise NonRecoverableError(
                     'Found directory at {path}, but the certificate_path '
                     'must be a file.'.format(
                         path=certificate_path,
                     )
                 )
+            if certificate_data and not certificate_data.startswith(
+                    '-----BEGIN CERTIFICATE-----'):
+                raise NonRecoverableError('certificate_data is not valid')
             try:
                 # We want to load the cert into the existing default context
                 # in case any other python modules have already defined their
@@ -260,7 +264,12 @@ def connect(self, cfg):
                         'modules are disabling verification on the default '
                         'SSL context.'
                     )
-                ssl_context.load_verify_locations(certificate_path)
+                # we will give priority to certificate_data if passed
+                if certificate_data:
+                    ssl_context.load_verify_locations(
+                        ca_data=certificate_data)
+                else:
+                    ssl_context.load_verify_locations(certificate_path)
             except ssl.SSLError as err:
                 if 'unknown error' in text_type(err).lower() or \
                         'no certificate or crl found' in \