
Verify custom CA in replicator and backup_writer HTTPS clients

This patch forces `requests` sessions in the replicator and HTTPS
backup_writers clients to verify against the custom CA instead of the
global cert store that is set in the `REQUESTS_CA_BUNDLE` environment variable.
Daniel Vincze 1 year ago
parent
commit
812a0a78c3

+ 2 - 3
coriolis/providers/backup_writers.py

@@ -17,15 +17,14 @@ import eventlet
 from oslo_config import cfg
 from oslo_log import log as logging
 import paramiko
-import requests
 from six import with_metaclass
 
 from coriolis import constants
 from coriolis import data_transfer
 from coriolis import exception
+from coriolis.providers import provider_utils
 from coriolis import utils
 
-
 CONF = cfg.CONF
 opts = [
     cfg.BoolOpt('compress_transfers',
@@ -604,7 +603,7 @@ class HTTPBackupWriterImpl(BaseBackupWriterImpl):
     def _init_session(self):
         if self._session:
             self._session.close()
-        sess = requests.Session()
+        sess = provider_utils.ProviderSession()
         sess.cert = (
             self._crt,
             self._key)

+ 9 - 2
coriolis/providers/provider_utils.py

@@ -1,11 +1,10 @@
 # Copyright 2018 Cloudbase Solutions Srl
 # All Rights Reserved.
-
 from oslo_log import log as logging
+import requests
 
 from coriolis import exception
 
-
 LOG = logging.getLogger(__name__)
 
 
@@ -133,3 +132,11 @@ def check_changed_storage_mappings(volumes_info, old_storage_mappings,
             old_disk_mappings_set != new_disk_mappings_set):
         raise exception.CoriolisException("Modifying storage mappings is "
                                           "not supported.")
+
+
+class ProviderSession(requests.Session):
+    def merge_environment_settings(
+            self, url, proxies, stream, verify, *args, **kwargs):
+        verify = self.verify
+        return super(ProviderSession, self).merge_environment_settings(
+            url, proxies, stream, verify, *args, **kwargs)
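Review bot: `ProviderSession.merge_environment_settings` has no docstring, and it replaces the caller's `verify` unconditionally, so a per-request `verify=` passed to `get`/`post` on this session is silently dropped. The pinning also only holds when `self.verify` is a CA path: as far as requests' base implementation goes, a session left at the default `True` (or set to `None`) still picks up `REQUESTS_CA_BUNDLE`, and `False` disables verification without any warning. Both call sites, `_init_session` in backup_writers.py and `_get_session` in replicator.py, assign `verify` outside the visible hunks, so an empty CA value there would quietly fall back to the environment bundle. I would add a class docstring stating this contract and a comment above the assignment such as `# Session-level verify always wins; REQUESTS_CA_BUNDLE applies only if self.verify is True/None.`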

+ 3 - 4
coriolis/providers/replicator.py

@@ -10,12 +10,11 @@ import time
 from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_utils import units
-from sshtunnel import SSHTunnelForwarder
-
 import paramiko
-import requests
+from sshtunnel import SSHTunnelForwarder
 
 from coriolis import exception
+from coriolis.providers import provider_utils
 from coriolis import utils
 
 LOG = logging.getLogger(__name__)
@@ -156,7 +155,7 @@ class Client(object):
         return diskUri
 
     def _get_session(self):
-        sess = requests.Session()
+        sess = provider_utils.ProviderSession()
         sess.cert = (
             self._creds["client_cert"],
             self._creds["client_key"])

+ 3 - 2
coriolis/tests/providers/test_backup_writers.py

@@ -9,6 +9,7 @@ from unittest import mock
 
 from coriolis import exception
 from coriolis.providers import backup_writers
+from coriolis.providers import provider_utils
 from coriolis.tests import test_base
 from coriolis.tests import testutils
 
@@ -797,7 +798,7 @@ class HTTPBackupWriterImplTestCase(test_base.CoriolisBaseTestCase):
             timeout=mock_conf.default_requests_timeout)
         mock_response.raise_for_status.assert_called_once()
 
-    @mock.patch('requests.Session')
+    @mock.patch.object(provider_utils, 'ProviderSession')
     def test__init_session(self, mock_session_class):
         self.writer._session = mock.Mock(return_value=None)
         self.writer._crt = self.info["client_crt"]
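Review bot: Patching `provider_utils.ProviderSession` with a mock here means the overridden `merge_environment_settings` never runs, so nothing in the test changes shown verifies that the custom CA actually wins over `REQUESTS_CA_BUNDLE`. The same applies to `test__init_session_exists` in the next hunk and to `test__get_session` in test_replicator.py. A small test for provider_utils would cover it: build a real `ProviderSession`, set `verify` to a CA path, patch the environment with `mock.patch.dict(os.environ, {'REQUESTS_CA_BUNDLE': ...})`, and assert that the `verify` entry of the returned settings equals the session's path. The test method bodies continue outside these hunks.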
@@ -814,7 +815,7 @@ class HTTPBackupWriterImplTestCase(test_base.CoriolisBaseTestCase):
                          (self.writer._crt, self.writer._key))
         self.assertEqual(self.writer._session.verify, self.writer._ca)
 
-    @mock.patch('requests.Session')
+    @mock.patch.object(provider_utils, 'ProviderSession')
     def test__init_session_exists(self, mock_session_class):
         self.writer._session = mock_session_class.return_value
         self.writer._crt = self.info["client_crt"]

+ 2 - 1
coriolis/tests/providers/test_replicator.py

@@ -8,6 +8,7 @@ from unittest import mock
 from oslo_utils import units
 
 from coriolis import exception
+from coriolis.providers import provider_utils
 from coriolis.providers import replicator as replicator_module
 from coriolis.tests import test_base
 from coriolis.tests import testutils
@@ -173,7 +174,7 @@ class ClientTestCase(test_base.CoriolisBaseTestCase):
 
         self.assertEqual(result, expected_uri)
 
-    @mock.patch('requests.Session')
+    @mock.patch.object(provider_utils, 'ProviderSession')
     def test__get_session(self, mock_Session):
         self.client._creds = {
             "client_cert": mock.sentinel.client_cert,