authorNathan Kinder <nkinder@redhat.com>2014-09-11 17:41:09 -0700
committerNathan Kinder <nkinder@redhat.com>2014-09-23 08:35:44 -0700
commit1c8f9f98fe901a0aaee5a223ce55a8431989c4ac (patch)
treedb0c7d0f3931a6246178ec4526859c97d93cec4a
parent878f12e16017cf328bc91fe75b5db680e37df583 (diff)
downloadkeystone-1c8f9f98fe901a0aaee5a223ce55a8431989c4ac.tar.gz
Set LDAP certificate trust options for LDAPS and TLS
We currently only set the LDAP library certificate trust options when TLS is being used (via startTLS). If regular LDAPS is being used, the certificate trust options that are defined in Keystone's configuration file are never actually set. This patch sets the certificate trust options for both LDAPS and TLS cases. Conflicts: keystone/common/ldap/core.py keystone/tests/unit/common/test_ldap.py Closes-bug: #1209343 Change-Id: Ieb94b732f623695920feb34995bb863175ddf27a (cherry picked from commit ca50b6315909faf92db9eaf2981782bcd80cfab8)
-rw-r--r--keystone/common/ldap/core.py3
-rw-r--r--keystone/tests/unit/common/test_ldap.py79
2 files changed, 80 insertions, 2 deletions
diff --git a/keystone/common/ldap/core.py b/keystone/common/ldap/core.py
index 9cf9e893c..3ad1e3a5a 100644
--- a/keystone/common/ldap/core.py
+++ b/keystone/common/ldap/core.py
@@ -731,7 +731,8 @@ class LdapWrapper(object):
if use_tls and using_ldaps:
raise AssertionError(_('Invalid TLS / LDAPS combination'))
- if use_tls:
+ # The certificate trust options apply for both LDAPS and TLS.
+ if use_tls or using_ldaps:
if not ldap.TLS_AVAIL:
raise ValueError(_('Invalid LDAP TLS_AVAIL option: %s. TLS '
'not available') % ldap.TLS_AVAIL)
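Review bot: The comment added above the new `if use_tls or using_ldaps:` line says what the condition covers but not why it matters, which is the whole point of this fix; I would extend it so the consequence is explicit: `# The certificate trust options apply to both LDAPS and startTLS. If they are skipped for ldaps:// URLs the library's default trust settings are used and the configured CA is silently ignored.` The guarded block and the rest of LdapWrapper continue outside the hunk, so I cannot confirm from here which options are applied inside it; it is worth checking that every option set there (not only the CA file/dir that the new tests assert, but the setting that enforces certificate verification, if it lives in the same block) is now reached on the LDAPS path as well.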
diff --git a/keystone/tests/unit/common/test_ldap.py b/keystone/tests/unit/common/test_ldap.py
index 220bf1a5e..cf1a82e42 100644
--- a/keystone/tests/unit/common/test_ldap.py
+++ b/keystone/tests/unit/common/test_ldap.py
@@ -10,11 +10,19 @@
# License for the specific language governing permissions and limitations
# under the License.
-import ldap.dn
+import ldap
+import mock
+
+import os
+import shutil
+import tempfile
from keystone.common import ldap as ks_ldap
+from keystone import config
from keystone import tests
+CONF = config.CONF
+
class DnCompareTest(tests.BaseTestCase):
"""Tests for the DN comparison functions in keystone.common.ldap.core."""
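Review bot: `import ldap.dn` is replaced by `import ldap`, yet `DnCompareTest` still calls `ldap.dn.str2dn` (visible in the next hunk) and the new class references `ldap.ldapobject.LDAPObject`; unless the `ldap` package imports those submodules itself, the attribute lookups fail at runtime, so I would keep `import ldap.dn` next to `import ldap` or confirm the package pulls them in. Separately, `ldap` and `mock` are third-party modules placed ahead of the stdlib group (`os`, `shutil`, `tempfile`); with the stdlib / third-party / project grouping the rest of this import block follows, they belong after that group.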
@@ -167,3 +175,72 @@ class DnCompareTest(tests.BaseTestCase):
descendant = ldap.dn.str2dn('cn=Babs Jansen,ou=OpenStack')
dn = ldap.dn.str2dn('ou=OpenStack')
self.assertTrue(ks_ldap.dn_startswith(descendant, dn))
+
+
+class SslTlsTest(tests.TestCase):
+ """Tests for the SSL/TLS functionality in keystone.common.ldap.core."""
+
+ @mock.patch.object(ks_ldap.core.LdapWrapper, 'simple_bind_s')
+ @mock.patch.object(ldap.ldapobject.LDAPObject, 'start_tls_s')
+ def _init_ldap_connection(self, config, mock_ldap_one, mock_ldap_two):
+ # Attempt to connect to initialize python-ldap.
+ base_ldap = ks_ldap.BaseLdap(config)
+ base_ldap.get_connection()
+
+ def test_certfile_trust_tls(self):
+ # We need this to actually exist, so we create a tempfile.
+ (handle, certfile) = tempfile.mkstemp()
+ self.addCleanup(os.unlink, certfile)
+ self.addCleanup(os.close, handle)
+ self.config_fixture.config(group='ldap',
+ url='ldap://localhost',
+ use_tls=True,
+ tls_cacertfile=certfile)
+
+ self._init_ldap_connection(CONF)
+
+ # Ensure the cert trust option is set.
+ self.assertEqual(certfile, ldap.get_option(ldap.OPT_X_TLS_CACERTFILE))
+
+ def test_certdir_trust_tls(self):
+ # We need this to actually exist, so we create a tempdir.
+ certdir = tempfile.mkdtemp()
+ self.addCleanup(shutil.rmtree, certdir)
+ self.config_fixture.config(group='ldap',
+ url='ldap://localhost',
+ use_tls=True,
+ tls_cacertdir=certdir)
+
+ self._init_ldap_connection(CONF)
+
+ # Ensure the cert trust option is set.
+ self.assertEqual(certdir, ldap.get_option(ldap.OPT_X_TLS_CACERTDIR))
+
+ def test_certfile_trust_ldaps(self):
+ # We need this to actually exist, so we create a tempfile.
+ (handle, certfile) = tempfile.mkstemp()
+ self.addCleanup(os.unlink, certfile)
+ self.addCleanup(os.close, handle)
+ self.config_fixture.config(group='ldap',
+ url='ldaps://localhost',
+ use_tls=False,
+ tls_cacertfile=certfile)
+
+ self._init_ldap_connection(CONF)
+
+ # Ensure the cert trust option is set.
+ self.assertEqual(certfile, ldap.get_option(ldap.OPT_X_TLS_CACERTFILE))
+
+ def test_certdir_trust_ldaps(self):
+ # We need this to actually exist, so we create a tempdir.
+ certdir = tempfile.mkdtemp()
+ self.addCleanup(shutil.rmtree, certdir)
+ self.config_fixture.config(group='ldap',
+ url='ldaps://localhost',
+ use_tls=False,
+ tls_cacertdir=certdir)
+
+ self._init_ldap_connection(CONF)
+
+ # Ensure the cert trust option is set.
+ self.assertEqual(certdir, ldap.get_option(ldap.OPT_X_TLS_CACERTDIR))
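Review bot: Every test reads a process-global python-ldap option (`ldap.get_option(ldap.OPT_X_TLS_CACERTFILE)` / `OPT_X_TLS_CACERTDIR`) that the connection setup leaves set, and nothing restores it, so once the temporary file or directory is removed the global option points at a deleted path for every later test in the same process. I would snapshot and restore it in each test before triggering the connection, e.g. `self.addCleanup(ldap.set_option, ldap.OPT_X_TLS_CACERTFILE, ldap.get_option(ldap.OPT_X_TLS_CACERTFILE))` in the certfile tests and the `OPT_X_TLS_CACERTDIR` equivalent in the certdir tests. The four tests also only check that the CA path was handed to the library; none asserts the option that actually enforces certificate verification, so a regression where the CA is set but checking stays disabled would still pass — if that option is set in the same code path (which is outside this diff), one more `assertEqual` per test would close that gap. Minor: the `config` parameter of `_init_ldap_connection` shadows the module-level `config` import, and `mock_ldap_one` / `mock_ldap_two` would read better as `mock_start_tls` / `mock_bind` (the innermost decorator supplies the first argument).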