From 16760f3b44d6466d2018ce7765556d5b69d9d806 Mon Sep 17 00:00:00 2001
From: jonnary
Date: Fri, 16 Aug 2019 01:43:22 +0800
Subject: Support two-way auth for barbicanclient

This patch supports two-way auth for barbicanclient.
Change-Id: I19fb971de864e94b31bf436bc27d5180aebbce4f
blueprint:support-two-way-auth
---
 barbicanclient/barbican.py | 13 ++++++++++--
 barbicanclient/tests/test_barbican.py | 40 +++++++++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+), 2 deletions(-)
diff --git a/barbicanclient/barbican.py b/barbicanclient/barbican.py
index a462f1d..dbaa3d3 100644
--- a/barbicanclient/barbican.py
+++ b/barbicanclient/barbican.py
@@ -151,8 +151,17 @@ class Barbican(app.App):
 method = identity.Token if auth_type == 'token' else identity.Password
 auth = method(**kwargs)
-
- return session.Session(auth=auth, verify=not args.insecure)
+ cacert = args.os_cacert
+ cert = args.os_cert
+ key = args.os_key
+ insecure = args.insecure
+ if insecure:
+ verify = False
+ else:
+ verify = cacert or True
+ if cert and key:
+ cert = (cert, key)
+ return session.Session(auth=auth, verify=verify, cert=cert)
 def create_client(self, args):
 created_client = None
diff --git a/barbicanclient/tests/test_barbican.py b/barbicanclient/tests/test_barbican.py
index e5c178f..dab036e 100644
--- a/barbicanclient/tests/test_barbican.py
+++ b/barbicanclient/tests/test_barbican.py
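Review bot: In the barbicanclient/barbican.py hunk, the `if insecure:` branch silently discards a supplied `cacert` yet still passes `cert` to `session.Session`, so a run that sets both ends up presenting the client certificate to a server whose identity is never verified. That is one-way auth in the wrong direction for a change described as two-way. I would make the conflict explicit before building the session, for example `if insecure and (cacert or cert): raise ValueError("--insecure cannot be combined with --os-cacert/--os-cert")`, or at least log a warning there. Separately, `if cert and key:` drops a `key` given without a `cert` with no message; rejecting that combination would surface the misconfiguration instead of sending an unauthenticated request. The enclosing method starts above the hunk, so where `os_cacert`, `os_cert` and `os_key` are registered on the parser is not visible here.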
@@ -219,6 +219,46 @@ class WhenTestingBarbicanCLI(test_client.BaseEntityResource):
 self.assertEqual(1, self.responses._adapter.call_count)
 self.assertEqual([], secret_list)
+ def test_insecure_true_kwargs_set_correctly(self):
+ auth_args = ('--no-auth --endpoint https://barbican_endpoint:9311/v1 '
+ '--os-project-id project1')
+ endpoint_filter_args = ('--interface public '
+ '--service-type custom-type '
+ '--service-name Burrbican '
+ '--region-name RegionTwo '
+ '--barbican-api-version v1')
+ args = auth_args + ' ' + endpoint_filter_args
+ argv, remainder = self.parser.parse_known_args(args.split())
+ argv.insecure = True
+ argv.os_identity_api_version = '2.0'
+ argv.os_tenant_name = 'my_tenant_name'
+ barbican_client = self.barbican.create_client(argv)
+ httpclient = barbican_client.secrets._api
+ self.assertFalse(httpclient.session.verify)
+
+ def test_cafile_certfile_keyfile_kwargs_set_correctly(self):
+ auth_args = ('no_auth '
+ '--os-auth-url https://keystone_endpoint:5000/v2 '
+ '--os-auth-token f554ccb5-e157-4824-b67b-d139c87bc555 '
+ '--os-project-id project1')
+ endpoint_filter_args = ('--interface public '
+ '--service-type custom-type '
+ '--service-name Burrbican '
+ '--region-name RegionTwo '
+ '--barbican-api-version v1')
+ args = auth_args + ' ' + endpoint_filter_args
+ argv, remainder = self.parser.parse_known_args(args.split())
+ argv.os_cacert = 'ca.pem'
+ argv.os_cert = 'cert.pem'
+ argv.os_key = 'key.pem'
+ argv.os_identity_api_version = '2.0'
+ argv.os_tenant_name = 'my_tenant_name'
+ barbican_client = self.barbican.create_client(argv)
+ httpclient = barbican_client.secrets._api
+ self.assertEqual('ca.pem', httpclient.session.verify)
+ self.assertEqual('cert.pem', httpclient.session.cert[0])
+ self.assertEqual('key.pem', httpclient.session.cert[1])
+
 class TestBarbicanWithKeystonePasswordAuth(
 keystone_client_fixtures.KeystoneClientFixture):
-- 
cgit v1.2.1
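Review bot: Neither new test in test_barbican.py pins the secure default: nothing asserts that `session.verify` is `True` when `insecure` and `os_cacert` are both unset, which is the case `verify = cacert or True` most needs to protect against regression. I would add a test that builds the client with no TLS options and ends with `self.assertIs(True, httpclient.session.verify)`, plus one that sets both `insecure` and `os_cacert` to document which wins. Both tests also assign `argv.insecure` and `argv.os_cacert` on the parsed namespace rather than passing the flags on the command line, so the option wiring itself is not exercised. In the second test the leading `'no_auth '` (no dashes) presumably lands in `remainder`; if that is deliberate, a short comment saying so would help the next reader.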