Merge: add/fix --verify-tls for API clients

4 files changed, 27 insertions, 4 deletions

diff --git a/NEWS b/NEWS
index 54e2e51..23b9b49 100644
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,9 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 Version 0.33+git, not yet released
 ----------------------------------
 
+* `icktool --verify-tls` now works as intended. `worker-manager` now
+  has a `--verify-tls` option. For both programs, the default is
+  "verify". Use `--no-verify-tls` to turn it off.
 
 Version 0.33, released 2018-04-01
 ----------------------------------
diff --git a/ick2/client.py b/ick2/client.py
index 5468c7f..8bcf45b 100644
--- a/ick2/client.py
+++ b/ick2/client.py
@@ -35,10 +35,14 @@ class HttpAPI:
     def __init__(self):
         self._session = requests.Session()
         self._token = None
+        self._verify = None
 
     def set_session(self, session):
         self._session = session
 
+    def set_verify_tls(self, verify):  # pragma: no cover
+        self._verify = verify
+
     def set_token(self, token):
         self._token = token
 
@@ -92,7 +96,7 @@ class HttpAPI:
             headers = {}
         headers.update(self._get_authorization_headers())
 
-        r = func(url, headers=headers, verify=False, **kwargs)
+        r = func(url, headers=headers, verify=self._verify, **kwargs)
         if not r.ok:
             raise HttpError(r.status_code)
         return r
@@ -108,6 +112,9 @@ class ControllerClient:
     def set_client_name(self, name):
         self._name = name
 
+    def set_verify_tls(self, verify):  # pragma: no cover
+        self._api.set_verify_tls(verify)
+
     def set_http_api(self, api):
         self._api = api
 
diff --git a/icktool b/icktool
index 625d9b4..a0ef14e 100755
--- a/icktool
+++ b/icktool
@@ -77,7 +77,9 @@ class Icktool(cliapp.Application):
 
         self.settings.boolean(
             ['verify-tls'],
-            'verify TLS certifcate signature? default is yes',
+            'verify API provider TLS certificate '
+            '(default is verify, use --no-verify-tls)',
+            default=True,
         )
 
         self.settings.string(
@@ -413,7 +415,7 @@ class API:
     def __init__(self):
         self._url = None
         self._token = None
-        self._verify = True
+        self._verify = None
 
     def set_url(self, url):
         self._url = url
@@ -487,7 +489,7 @@ class BlobAPI:
     def __init__(self):
         self._url = None
         self._token = None
-        self._verify = True
+        self._verify = None
 
     def set_url(self, url):
         self._url = url
diff --git a/worker_manager b/worker_manager
index 748fdd6..fa92fa9 100755
--- a/worker_manager
+++ b/worker_manager
@@ -82,6 +82,13 @@ class WorkerManager(cliapp.Application):
             default='/var/lib/ick/systree',
         )
 
+        self.settings.boolean(
+            ['verify-tls'],
+            'verify API provider TLS certificate '
+            '(default is verify, use --no-verify-tls)',
+            default=True,
+        )
+
     def process_args(self, args):
         try:
             self.main_program(args)
@@ -101,6 +108,7 @@ class WorkerManager(cliapp.Application):
         tg = TokenGenerator()
         tg.set_key(self.settings['token-key'])
         api = ControllerAPI(name, url, tg)
+        api.set_verify_tls(self.settings['verify-tls'])
         worker = Worker(name, api, workspace, systree)
 
         logging.info('Worker manager %s starts, controller is %s', name, url)
@@ -127,6 +135,9 @@ class ControllerAPI:
         self._cc.set_controller_url(url)
         self._blobs = None
 
+    def set_verify_tls(self, verify):
+        self._cc.set_verify_tls(verify)
+
     def get_token(self):
         return self._token_generator.get_token()