From 1de9eb2cfdcf2911fa2b303c307d0f185d390add Mon Sep 17 00:00:00 2001
From: r_takaishi <ryo.takaishi.0@gmail.com>
Date: Wed, 24 May 2017 10:23:12 +0900
Subject: [PATCH] support client certificate file

When AUTH_URL and each endpoints need SSL client authentication, we
have to specify cert file and private key file.
So, add optional config, cert and key.
---
 builder/openstack/access_config.go | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/builder/openstack/access_config.go b/builder/openstack/access_config.go
index 10b4fd02e..a1ab96b93 100644
--- a/builder/openstack/access_config.go
+++ b/builder/openstack/access_config.go
@@ -24,6 +24,8 @@ type AccessConfig struct {
 	Insecure         bool   `mapstructure:"insecure"`
 	Region           string `mapstructure:"region"`
 	EndpointType     string `mapstructure:"endpoint_type"`
+	ClientCertFile   string `mapstructure:"cert"`
+	ClientKeyFile    string `mapstructure:"key"`
 
 	osClient *gophercloud.ProviderClient
 }
@@ -53,6 +55,12 @@ func (c *AccessConfig) Prepare(ctx *interpolate.Context) []error {
 	if c.Username == "" {
 		c.Username = os.Getenv("SDK_USERNAME")
 	}
+	if c.ClientCertFile == "" {
+		c.ClientCertFile = os.Getenv("OS_CERT")
+	}
+	if c.ClientKeyFile == "" {
+		c.ClientKeyFile = os.Getenv("OS_KEY")
+	}
 
 	// Get as much as possible from the end
 	ao, _ := openstack.AuthOptionsFromEnv()
@@ -85,14 +93,25 @@ func (c *AccessConfig) Prepare(ctx *interpolate.Context) []error {
 		return []error{err}
 	}
 
+	tls_config := &tls.Config{}
+
 	// If we have insecure set, then create a custom HTTP client that
 	// ignores SSL errors.
 	if c.Insecure {
-		config := &tls.Config{InsecureSkipVerify: true}
-		transport := &http.Transport{TLSClientConfig: config}
-		client.HTTPClient.Transport = transport
+		tls_config.InsecureSkipVerify = true
 	}
 
+	if c.ClientCertFile != "" && c.ClientKeyFile != "" {
+		cert, err := tls.LoadX509KeyPair(c.ClientCertFile, c.ClientKeyFile)
+		if err != nil {
+			return []error{err}
+		}
+
+		tls_config.Certificates = []tls.Certificate{cert}
+	}
+	transport := &http.Transport{TLSClientConfig: tls_config}
+	client.HTTPClient.Transport = transport
+
 	// Auth
 	err = openstack.Authenticate(client, ao)
 	if err != nil {