Remove use of sslutils

sslutils is the only oslo-incubator module we use which registers any config options, and we don't even use those config options at runtime. The problem with us using oslo-incubator config options is that they need to be exactly in sync with the oslo-incubator version of those used by every project using oslo.messaging. Avoid all this be inlining validate_ssl_version() until we have it available in a real library. Change-Id: Id3b0bb2e7ede33ede9b66025d1af113ae60cfc58 Closes-Bug: #1287542
2014-03-04 06:23:35 -08:00 · 2014-03-04 06:23:35 -08:00 · 3eeaaee788
commit 3eeaaee788
parent 693d6780e7
3 changed files with 21 additions and 101 deletions
--- a/openstack-common.conf
+++ b/openstack-common.conf
@ -7,7 +7,6 @@ module=importutils
 module=jsonutils
 module=network_utils
 module=py3kcompat
-module=sslutils
 module=timeutils

 # The base module to hold the copy of openstack.common
--- a/oslo/messaging/_drivers/impl_rabbit.py
+++ b/oslo/messaging/_drivers/impl_rabbit.py
@ -31,7 +31,6 @@ from oslo.messaging._drivers import amqp as rpc_amqp
 from oslo.messaging._drivers import amqpdriver
 from oslo.messaging._drivers import common as rpc_common
 from oslo.messaging.openstack.common import network_utils
-from oslo.messaging.openstack.common import sslutils

 # FIXME(markmc): remove this
 _ = lambda s: s
@ -474,6 +473,26 @@ class Connection(object):
        self.do_consume = None
        self.reconnect()

+    # FIXME(markmc): use oslo sslutils when it is available as a library
+    _SSL_PROTOCOLS = {
+        "tlsv1": ssl.PROTOCOL_TLSv1,
+        "sslv23": ssl.PROTOCOL_SSLv23,
+        "sslv3": ssl.PROTOCOL_SSLv3
+    }
+
+    try:
+        _SSL_PROTOCOLS["sslv2"] = ssl.PROTOCOL_SSLv2
+    except AttributeError:
+        pass
+
+    @classmethod
+    def validate_ssl_version(cls, version):
+        key = version.lower()
+        try:
+            return cls._SSL_PROTOCOLS[key]
+        except KeyError:
+            raise RuntimeError(_("Invalid SSL version : %s") % version)
+
    def _fetch_ssl_params(self):
        """Handles fetching what ssl params should be used for the connection
        (if any).
@ -482,7 +501,7 @@ class Connection(object):

        # http://docs.python.org/library/ssl.html - ssl.wrap_socket
        if self.conf.kombu_ssl_version:
-            ssl_params['ssl_version'] = sslutils.validate_ssl_version(
+            ssl_params['ssl_version'] = self.validate_ssl_version(
                self.conf.kombu_ssl_version)
        if self.conf.kombu_ssl_keyfile:
            ssl_params['keyfile'] = self.conf.kombu_ssl_keyfile
--- a/oslo/messaging/openstack/common/sslutils.py
+++ b/oslo/messaging/openstack/common/sslutils.py
@ -1,98 +0,0 @@
-# Copyright 2013 IBM Corp.
-#
-#    Licensed under the Apache License, Version 2.0 (the "License"); you may
-#    not use this file except in compliance with the License. You may obtain
-#    a copy of the License at
-#
-#         http://www.apache.org/licenses/LICENSE-2.0
-#
-#    Unless required by applicable law or agreed to in writing, software
-#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-#    License for the specific language governing permissions and limitations
-#    under the License.
-
-import os
-import ssl
-
-from oslo.config import cfg
-
-from oslo.messaging.openstack.common.gettextutils import _  # noqa
-
-
-ssl_opts = [
-    cfg.StrOpt('ca_file',
-               default=None,
-               help="CA certificate file to use to verify "
-                    "connecting clients."),
-    cfg.StrOpt('cert_file',
-               default=None,
-               help="Certificate file to use when starting "
-                    "the server securely."),
-    cfg.StrOpt('key_file',
-               default=None,
-               help="Private key file to use when starting "
-                    "the server securely."),
-]
-
-
-CONF = cfg.CONF
-CONF.register_opts(ssl_opts, "ssl")
-
-
-def is_enabled():
-    cert_file = CONF.ssl.cert_file
-    key_file = CONF.ssl.key_file
-    ca_file = CONF.ssl.ca_file
-    use_ssl = cert_file or key_file
-
-    if cert_file and not os.path.exists(cert_file):
-        raise RuntimeError(_("Unable to find cert_file : %s") % cert_file)
-
-    if ca_file and not os.path.exists(ca_file):
-        raise RuntimeError(_("Unable to find ca_file : %s") % ca_file)
-
-    if key_file and not os.path.exists(key_file):
-        raise RuntimeError(_("Unable to find key_file : %s") % key_file)
-
-    if use_ssl and (not cert_file or not key_file):
-        raise RuntimeError(_("When running server in SSL mode, you must "
-                             "specify both a cert_file and key_file "
-                             "option value in your configuration file"))
-
-    return use_ssl
-
-
-def wrap(sock):
-    ssl_kwargs = {
-        'server_side': True,
-        'certfile': CONF.ssl.cert_file,
-        'keyfile': CONF.ssl.key_file,
-        'cert_reqs': ssl.CERT_NONE,
-    }
-
-    if CONF.ssl.ca_file:
-        ssl_kwargs['ca_certs'] = CONF.ssl.ca_file
-        ssl_kwargs['cert_reqs'] = ssl.CERT_REQUIRED
-
-    return ssl.wrap_socket(sock, **ssl_kwargs)
-
-
-_SSL_PROTOCOLS = {
-    "tlsv1": ssl.PROTOCOL_TLSv1,
-    "sslv23": ssl.PROTOCOL_SSLv23,
-    "sslv3": ssl.PROTOCOL_SSLv3
-}
-
-try:
-    _SSL_PROTOCOLS["sslv2"] = ssl.PROTOCOL_SSLv2
-except AttributeError:
-    pass
-
-
-def validate_ssl_version(version):
-    key = version.lower()
-    try:
-        return _SSL_PROTOCOLS[key]
-    except KeyError:
-        raise RuntimeError(_("Invalid SSL version : %s") % version)