Python 3.12: do not use ssl.wrap_socket

The ssl.wrap_socket method has been removed in 3.12. SSLContext.wrap_socket should now be used. Change-Id: I6119e054289eac263ff5448d7d118209f98678d9
2024-06-28 01:37:09 +02:00 · 2024-06-28 01:37:09 +02:00 · 64086c3091
commit 64086c3091
parent 37169aa6ac
2 changed files with 25 additions and 17 deletions
--- a/swift/common/wsgi.py
+++ b/swift/common/wsgi.py
@ -198,9 +198,14 @@ def get_socket(conf):
            sock = listen(bind_addr, backlog=int(conf.get('backlog', 4096)),
                          family=address_family)
            if 'cert_file' in conf:
+                if six.PY2:
+                    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+                else:
+                    context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+                context.verify_mode = ssl.CERT_NONE
+                context.load_cert_chain(conf['cert_file'], conf['key_file'])
                warn_ssl = True
-                sock = ssl.wrap_socket(sock, certfile=conf['cert_file'],
-                                       keyfile=conf['key_file'])
+                sock = context.wrap_socket(sock, server_side=True)
        except socket.error as err:
            if err.args[0] != errno.EADDRINUSE:
                raise
--- a/test/unit/common/test_wsgi.py
+++ b/test/unit/common/test_wsgi.py
@ -463,8 +463,8 @@ class TestWSGI(unittest.TestCase, ConfigAssertMixin):
        conf = {'bind_port': 54321}
        ssl_conf = conf.copy()
        ssl_conf.update({
-            'cert_file': '',
-            'key_file': '',
+            'cert_file': 'cert.pem',
+            'key_file': 'private.key',
        })

        # mocks
@ -478,20 +478,25 @@ class TestWSGI(unittest.TestCase, ConfigAssertMixin):
        def mock_listen(*args, **kwargs):
            return MockSocket()

-        class MockSsl(object):
-            def __init__(self):
-                self.wrap_socket_called = []
+        class MockSslContext(object):
+            _instance = None

-            def wrap_socket(self, sock, **kwargs):
-                self.wrap_socket_called.append(kwargs)
+            def __init__(self, *args, **kwargs):
+                MockSslContext._instance = self
+                self.load_cert_chain_args = []
+
+            def wrap_socket(self, sock, *args, **kwargs):
                return sock

+            def load_cert_chain(self, *args, **kwargs):
+                self.load_cert_chain_args.extend(args)
+
        # patch
        old_listen = wsgi.listen
-        old_ssl = wsgi.ssl
+        old_ssl_context = wsgi.ssl.SSLContext
        try:
            wsgi.listen = mock_listen
-            wsgi.ssl = MockSsl()
+            wsgi.ssl.SSLContext = MockSslContext
            # test
            sock = wsgi.get_socket(conf)
            # assert
@ -510,11 +515,9 @@ class TestWSGI(unittest.TestCase, ConfigAssertMixin):
            self.assertEqual(sock.opts, expected_socket_opts)
            # test ssl
            sock = wsgi.get_socket(ssl_conf)
-            expected_kwargs = {
-                'certfile': '',
-                'keyfile': '',
-            }
-            self.assertEqual(wsgi.ssl.wrap_socket_called, [expected_kwargs])
+            expected_args = ['cert.pem', 'private.key']
+            self.assertEqual(MockSslContext._instance.load_cert_chain_args,
+                             expected_args)

            # test keep_idle value
            keepIdle_value = 700
@ -550,7 +553,7 @@ class TestWSGI(unittest.TestCase, ConfigAssertMixin):

        finally:
            wsgi.listen = old_listen
-            wsgi.ssl = old_ssl
+            wsgi.ssl.SSLContext = old_ssl_context

    def test_address_in_use(self):
        # stubs