From 79f189a59352ee5b11a584924f5066b511b482b0 Mon Sep 17 00:00:00 2001
From: John Dickinson
Date: Thu, 13 Feb 2014 23:33:01 -0800
Subject: [PATCH] Fix --insecure option on auth
Change-Id: Ibe76d98d6075b84cbdb370b48f3498ab848142ad
---
 swiftclient/client.py | 16 +++++++++-------
 tests/test_swiftclient.py | 23 ++++++++++++++++++++---
 tests/utils.py | 4 ++++
 3 files changed, 33 insertions(+), 10 deletions(-)
diff --git a/swiftclient/client.py b/swiftclient/client.py
index ee807696..73baa3bf 100644
--- a/swiftclient/client.py
+++ b/swiftclient/client.py
@@ -156,7 +156,7 @@ def __init__(self, url, proxy=None, cacert=None, insecure=False,
 if self.parsed_url.scheme not in ('http', 'https'):
 raise ClientException("Unsupported scheme")
 self.requests_args['verify'] = not insecure
- if cacert:
+ if cacert and not insecure:
 # verify requests parameter is used to pass the CA_BUNDLE file
 # see: http://docs.python-requests.org/en/latest/user/advanced/
 self.requests_args['verify'] = cacert
@@ -219,8 +219,9 @@ def http_connection(*arg, **kwarg):
 return conn.parsed_url, conn
-def get_auth_1_0(url, user, key, snet):
- parsed, conn = http_connection(url)
+def get_auth_1_0(url, user, key, snet, **kwargs):
+ insecure = kwargs.get('insecure', False)
+ parsed, conn = http_connection(url, insecure=insecure)
 method = 'GET'
 conn.request(method, parsed.path, '', {'X-Auth-User': user, 'X-Auth-Key': key})
@@ -307,11 +308,13 @@ def get_auth(auth_url, user, key, **kwargs):
 os_options = kwargs.get('os_options', {})
 storage_url, token = None, None
+ insecure = kwargs.get('insecure', False)
 if auth_version in ['1.0', '1', 1]:
 storage_url, token = get_auth_1_0(auth_url, user, key,
- kwargs.get('snet'))
+ kwargs.get('snet'),
+ insecure=insecure)
 elif auth_version in ['2.0', '2', 2]:
 # We are allowing to specify a token/storage-url to re-use
 # without having to re-authenticate.
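Review bot: In the `__init__` hunk at line 156 of swiftclient/client.py, `if cacert and not insecure:` makes `insecure` win silently when a caller supplies both options, so a configured CA bundle is dropped and `verify` stays `False` with nothing telling the user. Before this change the bundle won and verification stayed on, so a conflicting configuration now resolves to the unverified side. I would state the precedence in a comment above the branch, `# insecure overrides cacert: the bundle is ignored and the peer certificate is not checked`, and consider emitting a warning when both are set so the downgrade shows up in logs. The body of `__init__` continues outside the hunk.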
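Review bot: `get_auth_1_0` now forwards `insecure` to `http_connection` but still not `cacert`, so a v1 auth endpoint signed by a private CA can only be reached by turning verification off, and the `X-Auth-User`/`X-Auth-Key` headers then go to an unverified peer. The 2.0 branch of `get_auth` already reads `kwargs.get('cacert', None)`; the v1 path should do the same, e.g. `parsed, conn = http_connection(url, cacert=kwargs.get('cacert'), insecure=insecure)` here and `cacert=kwargs.get('cacert')` added to the `get_auth_1_0(...)` call in the `get_auth` hunk at line 307. This assumes `http_connection` passes its keyword arguments through to the connection constructor, whose body is outside the hunk. Naming the options explicitly (`insecure=False, cacert=None`) instead of `**kwargs` would also stop a misspelled keyword from being swallowed silently.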
@@ -335,7 +338,6 @@ def get_auth(auth_url, user, key, **kwargs):
 if (not 'tenant_name' in os_options):
 raise ClientException('No tenant specified')
- insecure = kwargs.get('insecure', False)
 cacert = kwargs.get('cacert', None)
 storage_url, token = get_keystoneclient_2_0(auth_url, user, key, os_options,
@@ -1101,8 +1103,8 @@ def __init__(self, authurl=None, user=None, key=None, retries=5,
 :param os_options: The OpenStack options which can have tenant_id, auth_token, service_type, endpoint_type, tenant_name, object_storage_url, region_name
- :param insecure: Allow to access insecure keystone server.
- The keystone's certificate will not be verified.
+ :param insecure: Allow to access servers without checking SSL certs.
+ The server's certificate will not be verified.
 :param ssl_compression: Whether to enable compression at the SSL layer. If set to 'False' and the pyOpenSSL library is present an attempt to disable SSL compression
diff --git a/tests/test_swiftclient.py b/tests/test_swiftclient.py
index 7a9f1f00..cb7a0c05 100644
--- a/tests/test_swiftclient.py
+++ b/tests/test_swiftclient.py
@@ -117,6 +117,9 @@ def wrapper(url, proxy=None, cacert=None, insecure=False,
 def request(method, url, *args, **kwargs):
 if query_string:
 self.assertTrue(url.endswith('?' + query_string))
+ if url.endswith('invalid_cert') and not insecure:
+ from swiftclient import client as c
+ raise c.ClientException("invalid_certificate")
 return
 conn.request = request
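Review bot: The reworded `:param insecure:` entry in the docstring hunk at line 1101 does not say that a `cacert` passed alongside it is ignored, which is the behaviour the `__init__` hunk at line 156 of this commit introduces. I would add a line such as `Overrides cacert when both are given.` so callers do not assume the bundle still applies. Since the flag now also covers the auth request, it would help to say that credentials and tokens are sent without the peer being authenticated. The docstring starts and ends outside the hunk.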
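Review bot: The function-scope `from swiftclient import client as c` added inside the fake `request` looks redundant, since the tests in this file already call `c.get_auth` and `c.http_connection` through what appears to be the same module-level alias; `raise c.ClientException("invalid_certificate")` alone should do. The fake also keys the simulated certificate failure on the URL suffix, which deserves a one-line comment such as `# simulate a TLS verification failure for URLs ending in invalid_cert`. `wrapper` and `request` both continue outside the hunk.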
@@ -223,11 +226,25 @@ def test_invalid_auth(self):
 auth_version="foo")
 def test_auth_v1(self):
- c.http_connection = self.fake_http_connection(200)
+ c.http_connection = self.fake_http_connection(200, auth_v1=True)
 url, token = c.get_auth('http://www.test.com', 'asdf', 'asdf', auth_version="1.0")
- self.assertEqual(url, None)
- self.assertEqual(token, None)
+ self.assertEqual(url, 'storageURL')
+ self.assertEqual(token, 'someauthtoken')
+
+ def test_auth_v1_insecure(self):
+ c.http_connection = self.fake_http_connection(200, auth_v1=True)
+ url, token = c.get_auth('http://www.test.com/invalid_cert',
+ 'asdf', 'asdf',
+ auth_version='1.0',
+ insecure=True)
+ self.assertEqual(url, 'storageURL')
+ self.assertEqual(token, 'someauthtoken')
+
+ self.assertRaises(c.ClientException, c.get_auth,
+ 'http://www.test.com/invalid_cert',
+ 'asdf', 'asdf',
+ auth_version='1.0')
 def test_auth_v2(self):
 os_options = {'tenant_name': 'asdf'}
diff --git a/tests/utils.py b/tests/utils.py
index ff2834a2..dcaca9e3 100644
--- a/tests/utils.py
+++ b/tests/utils.py
@@ -100,6 +100,10 @@ def getheaders(self):
 headers['content-length'] = '4'
 if 'headers' in kwargs:
 headers.update(kwargs['headers'])
+ if 'auth_v1' in kwargs:
+ headers.update(
+ {'x-storage-url': 'storageURL',
+ 'x-auth-token': 'someauthtoken'})
 return headers.items()
 def read(self, amt=None):
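Review bot: `test_auth_v1_insecure` replaces `c.http_connection` with the fake, so it only proves that `get_auth` forwards `insecure`; the changed branch `if cacert and not insecure:` in swiftclient/client.py is never executed by these tests. A test that builds the real connection object and asserts on `requests_args['verify']` for `cacert` alone and for `cacert` together with `insecure` would pin the precedence this commit introduces. The sketch below assumes the patched `__init__` belongs to `c.HTTPConnection` and that constructing it does no network I/O; the bundle path is a constructed sample value.

```python
def test_insecure_overrides_cacert(self):
    # constructed sample path, used only as the expected 'verify' value
    bundle = '/path/to/ca-bundle.pem'
    conn = c.HTTPConnection('https://www.test.com', cacert=bundle)
    self.assertEqual(conn.requests_args['verify'], bundle)
    conn = c.HTTPConnection('https://www.test.com', cacert=bundle,
                            insecure=True)
    self.assertFalse(conn.requests_args['verify'])
```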