openstack/oslo.messaging
Code Issues Proposed changes

Remove use of sslutils

Browse Source 
sslutils is the only oslo-incubator module we use which registers any
config options, and we don't even use those config options at runtime.

The problem with us using oslo-incubator config options is that they
need to be exactly in sync with the oslo-incubator version of those
used by every project using oslo.messaging.

Avoid all this be inlining validate_ssl_version() until we have it
available in a real library.

Change-Id: Id3b0bb2e7ede33ede9b66025d1af113ae60cfc58
Closes-Bug: #1287542
This commit is contained in:
Mark McLoughlin 2014-03-04 06:23:35 -08:00
parent 693d6780e7
commit 3eeaaee788
3 changed files with 21 additions and 101 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
openstack-common.conf
View File

@ -7,7 +7,6 @@ module=importutils
module=jsonutils module=jsonutils
module=network_utils module=network_utils
module=py3kcompat module=py3kcompat
module=sslutils
module=timeutils module=timeutils
# The base module to hold the copy of openstack.common # The base module to hold the copy of openstack.common

23
oslo/messaging/_drivers/impl_rabbit.py
View File

@ -31,7 +31,6 @@ from oslo.messaging._drivers import amqp as rpc_amqp
from oslo.messaging._drivers import amqpdriver from oslo.messaging._drivers import amqpdriver
from oslo.messaging._drivers import common as rpc_common from oslo.messaging._drivers import common as rpc_common
from oslo.messaging.openstack.common import network_utils from oslo.messaging.openstack.common import network_utils
from oslo.messaging.openstack.common import sslutils
# FIXME(markmc): remove this # FIXME(markmc): remove this
_ = lambda s: s _ = lambda s: s
@ -474,6 +473,26 @@ class Connection(object):
self.do_consume = None self.do_consume = None
self.reconnect() self.reconnect()
# FIXME(markmc): use oslo sslutils when it is available as a library
_SSL_PROTOCOLS = {
"tlsv1": ssl.PROTOCOL_TLSv1,
"sslv23": ssl.PROTOCOL_SSLv23,
"sslv3": ssl.PROTOCOL_SSLv3
}
try:
_SSL_PROTOCOLS["sslv2"] = ssl.PROTOCOL_SSLv2
except AttributeError:
pass
@classmethod
def validate_ssl_version(cls, version):
key = version.lower()
try:
return cls._SSL_PROTOCOLS[key]
except KeyError:
raise RuntimeError(_("Invalid SSL version : %s") % version)
def _fetch_ssl_params(self): def _fetch_ssl_params(self):
"""Handles fetching what ssl params should be used for the connection """Handles fetching what ssl params should be used for the connection
(if any). (if any).
@ -482,7 +501,7 @@ class Connection(object):
# http://docs.python.org/library/ssl.html - ssl.wrap_socket # http://docs.python.org/library/ssl.html - ssl.wrap_socket
if self.conf.kombu_ssl_version: if self.conf.kombu_ssl_version:
ssl_params['ssl_version'] = sslutils.validate_ssl_version( ssl_params['ssl_version'] = self.validate_ssl_version(
self.conf.kombu_ssl_version) self.conf.kombu_ssl_version)
if self.conf.kombu_ssl_keyfile: if self.conf.kombu_ssl_keyfile:
ssl_params['keyfile'] = self.conf.kombu_ssl_keyfile ssl_params['keyfile'] = self.conf.kombu_ssl_keyfile

98
oslo/messaging/openstack/common/sslutils.py
View File

@ -1,98 +0,0 @@
# Copyright 2013 IBM Corp.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import os
import ssl
from oslo.config import cfg
from oslo.messaging.openstack.common.gettextutils import _ # noqa
ssl_opts = [
cfg.StrOpt('ca_file',
default=None,
help="CA certificate file to use to verify "
"connecting clients."),
cfg.StrOpt('cert_file',
default=None,
help="Certificate file to use when starting "
"the server securely."),
cfg.StrOpt('key_file',
default=None,
help="Private key file to use when starting "
"the server securely."),
]
CONF = cfg.CONF
CONF.register_opts(ssl_opts, "ssl")
def is_enabled():
cert_file = CONF.ssl.cert_file
key_file = CONF.ssl.key_file
ca_file = CONF.ssl.ca_file
use_ssl = cert_file or key_file
if cert_file and not os.path.exists(cert_file):
raise RuntimeError(_("Unable to find cert_file : %s") % cert_file)
if ca_file and not os.path.exists(ca_file):
raise RuntimeError(_("Unable to find ca_file : %s") % ca_file)
if key_file and not os.path.exists(key_file):
raise RuntimeError(_("Unable to find key_file : %s") % key_file)
if use_ssl and (not cert_file or not key_file):
raise RuntimeError(_("When running server in SSL mode, you must "
"specify both a cert_file and key_file "
"option value in your configuration file"))
return use_ssl
def wrap(sock):
ssl_kwargs = {
'server_side': True,
'certfile': CONF.ssl.cert_file,
'keyfile': CONF.ssl.key_file,
'cert_reqs': ssl.CERT_NONE,
}
if CONF.ssl.ca_file:
ssl_kwargs['ca_certs'] = CONF.ssl.ca_file
ssl_kwargs['cert_reqs'] = ssl.CERT_REQUIRED
return ssl.wrap_socket(sock, **ssl_kwargs)
_SSL_PROTOCOLS = {
"tlsv1": ssl.PROTOCOL_TLSv1,
"sslv23": ssl.PROTOCOL_SSLv23,
"sslv3": ssl.PROTOCOL_SSLv3
}
try:
_SSL_PROTOCOLS["sslv2"] = ssl.PROTOCOL_SSLv2
except AttributeError:
pass
def validate_ssl_version(version):
key = version.lower()
try:
return _SSL_PROTOCOLS[key]
except KeyError:
raise RuntimeError(_("Invalid SSL version : %s") % version)