Posted to notifications@libcloud.apache.org by to...@apache.org on 2013/12/08 21:19:55 UTC
[4/8] git commit: Remove support for old and deprecated
VERIFY_SSL_STRICT variable.
Remove support for old and deprecated VERIFY_SSL_STRICT variable.
This variable was only used in an old version when we enabled cert validation
to ease the migration path. It has been deprecated since then.
Project: http://git-wip-us.apache.org/repos/asf/libcloud/repo
Commit: http://git-wip-us.apache.org/repos/asf/libcloud/commit/aa4e590c
Tree: http://git-wip-us.apache.org/repos/asf/libcloud/tree/aa4e590c
Diff: http://git-wip-us.apache.org/repos/asf/libcloud/diff/aa4e590c
Branch: refs/heads/trunk
Commit: aa4e590cd9f5d8bd2357676ee37a3e55646c47ac
Parents: e17bc75
Author: Tomaz Muraus <to...@apache.org>
Authored: Sun Dec 8 20:20:27 2013 +0100
Committer: Tomaz Muraus <to...@apache.org>
Committed: Sun Dec 8 20:20:52 2013 +0100
----------------------------------------------------------------------
libcloud/httplib_ssl.py | 36 +++++++++++++++++-----------------
libcloud/security.py | 8 +-------
libcloud/test/test_httplib_ssl.py | 30 +++++++++++-----------------
3 files changed, 30 insertions(+), 44 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/libcloud/blob/aa4e590c/libcloud/httplib_ssl.py
----------------------------------------------------------------------
diff --git a/libcloud/httplib_ssl.py b/libcloud/httplib_ssl.py
index 4709f27..4c3255a 100644
--- a/libcloud/httplib_ssl.py
+++ b/libcloud/httplib_ssl.py
@@ -27,7 +27,8 @@ from libcloud.utils.py3 import httplib
class LibcloudHTTPSConnection(httplib.HTTPSConnection):
- """LibcloudHTTPSConnection
+ """
+ LibcloudHTTPSConnection
Subclass of HTTPSConnection which verifies certificate names
if and only if CA certificates are available.
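Review bot: The class docstring kept as context in this hunk still says certificate names are verified "if and only if CA certificates are available", which no longer describes the new side. With the `_setup_ca_cert` hunk further down, an empty CA_CERTS_PATH while VERIFY_SSL_CERT is enabled always raises RuntimeError, and verification is skipped only when VERIFY_SSL_CERT is false. I would reword it along the lines of `Subclass of HTTPSConnection which verifies certificate names whenever libcloud.security.VERIFY_SSL_CERT is true, and raises RuntimeError if no CA certificate file is found.` The `_setup_ca_cert` docstring ("Otherwise, complain about certs") and the constructor docstring could state the RuntimeError the same way, since `_setup_verify()` runs inside `__init__`; the class body continues outside this hunk.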
@@ -36,20 +37,21 @@ class LibcloudHTTPSConnection(httplib.HTTPSConnection):
ca_cert = None # no default CA Certificate
def __init__(self, *args, **kwargs):
- """Constructor
+ """
+ Constructor
"""
self._setup_verify()
httplib.HTTPSConnection.__init__(self, *args, **kwargs)
def _setup_verify(self):
- """Setup Verify SSL or not
+ """
+ Setup Verify SSL or not
Reads security module's VERIFY_SSL_CERT and toggles whether
the class overrides the connect() class method or runs the
inherited httplib.HTTPSConnection connect()
"""
self.verify = libcloud.security.VERIFY_SSL_CERT
- self.strict = libcloud.security.VERIFY_SSL_CERT_STRICT
if self.verify:
self._setup_ca_cert()
@@ -57,7 +59,8 @@ class LibcloudHTTPSConnection(httplib.HTTPSConnection):
warnings.warn(libcloud.security.VERIFY_SSL_DISABLED_MSG)
def _setup_ca_cert(self):
- """Setup CA Certs
+ """
+ Setup CA Certs
Search in CA_CERTS_PATH for valid candidates and
return first match. Otherwise, complain about certs
@@ -73,18 +76,12 @@ class LibcloudHTTPSConnection(httplib.HTTPSConnection):
# use first available certificate
self.ca_cert = ca_certs_available[0]
else:
- if self.strict:
- raise RuntimeError(
- libcloud.security.CA_CERTS_UNAVAILABLE_ERROR_MSG)
- else:
- # no certificates found; toggle verify to False
- warnings.warn(
- libcloud.security.CA_CERTS_UNAVAILABLE_WARNING_MSG)
- self.ca_cert = None
- self.verify = False
+ raise RuntimeError(
+ libcloud.security.CA_CERTS_UNAVAILABLE_ERROR_MSG)
def connect(self):
- """Connect
+ """
+ Connect
Checks if verification is toggled; if not, just call
httplib.HTTPSConnection's connect
@@ -111,7 +108,8 @@ class LibcloudHTTPSConnection(httplib.HTTPSConnection):
raise ssl.SSLError('Failed to verify hostname')
def _verify_hostname(self, hostname, cert):
- """Verify hostname against peer cert
+ """
+ Verify hostname against peer cert
Check both commonName and entries in subjectAltName, using a
rudimentary glob to dns regex check to find matches
@@ -133,7 +131,8 @@ class LibcloudHTTPSConnection(httplib.HTTPSConnection):
)
def _get_subject_alt_names(self, cert):
- """Get SubjectAltNames
+ """
+ Get SubjectAltNames
Retrieve 'subjectAltName' attributes from cert data structure
"""
@@ -146,7 +145,8 @@ class LibcloudHTTPSConnection(httplib.HTTPSConnection):
return values
def _get_common_name(self, cert):
- """Get Common Name
+ """
+ Get Common Name
Retrieve 'commonName' attribute from cert data structure
"""
http://git-wip-us.apache.org/repos/asf/libcloud/blob/aa4e590c/libcloud/security.py
----------------------------------------------------------------------
diff --git a/libcloud/security.py b/libcloud/security.py
index 8bf1f04..8be810d 100644
--- a/libcloud/security.py
+++ b/libcloud/security.py
@@ -20,13 +20,12 @@ Usage:
libcloud.security.VERIFY_SSL_CERT = True
# Optional.
- libcloud.security.CA_CERTS_PATH.append("/path/to/cacert.txt")
+ libcloud.security.CA_CERTS_PATH.append('/path/to/cacert.txt')
"""
import os
VERIFY_SSL_CERT = True
-VERIFY_SSL_CERT_STRICT = True
# File containing one or more PEM-encoded CA certificates
# concatenated together.
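Review bot: Removing `VERIFY_SSL_CERT_STRICT` outright means caller code that still assigns `libcloud.security.VERIFY_SSL_CERT_STRICT = False` keeps running without any error or warning, because assigning a module attribute always succeeds. The setting no longer has any effect, and a missing CA bundle now raises RuntimeError. Failing closed is the right default; the gap is only that nothing tells such callers why their fallback disappeared. A short comment next to `VERIFY_SSL_CERT`, for example `# VERIFY_SSL_CERT_STRICT has been removed: a missing CA bundle always raises RuntimeError.`, plus an upgrade-notes entry if this series does not already carry one, would cover it.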
@@ -63,11 +62,6 @@ if environment_cert_file is not None:
# don't want to fall-back to a potentially less restrictive bundle
CA_CERTS_PATH = [environment_cert_file]
-CA_CERTS_UNAVAILABLE_WARNING_MSG = (
- 'Warning: No CA Certificates were found in CA_CERTS_PATH. '
- 'Toggling VERIFY_SSL_CERT to False.'
-)
-
CA_CERTS_UNAVAILABLE_ERROR_MSG = (
'No CA Certificates were found in CA_CERTS_PATH. For information on '
'how to get required certificate files, please visit '
http://git-wip-us.apache.org/repos/asf/libcloud/blob/aa4e590c/libcloud/test/test_httplib_ssl.py
----------------------------------------------------------------------
diff --git a/libcloud/test/test_httplib_ssl.py b/libcloud/test/test_httplib_ssl.py
index f7ac513..9192b9e 100644
--- a/libcloud/test/test_httplib_ssl.py
+++ b/libcloud/test/test_httplib_ssl.py
@@ -192,17 +192,8 @@ class TestHttpLibSSLTests(unittest.TestCase):
def test_setup_verify(self, _):
libcloud.security.CA_CERTS_PATH = []
- # non-strict mode should just emit a warning
+ # Should throw a runtime error
libcloud.security.VERIFY_SSL_CERT = True
- libcloud.security.VERIFY_SSL_CERT_STRICT = False
- self.httplib_object._setup_verify()
-
- warnings.warn.assert_called_once_with(
- libcloud.security.CA_CERTS_UNAVAILABLE_WARNING_MSG)
-
- # strict mode, should throw a runtime error
- libcloud.security.VERIFY_SSL_CERT = True
- libcloud.security.VERIFY_SSL_CERT_STRICT = True
try:
self.httplib_object._setup_verify()
@@ -215,14 +206,12 @@ class TestHttpLibSSLTests(unittest.TestCase):
self.fail('Exception not thrown')
libcloud.security.VERIFY_SSL_CERT = False
- libcloud.security.VERIFY_SSL_CERT_STRICT = False
self.httplib_object._setup_verify()
@patch('warnings.warn')
def test_setup_ca_cert(self, _):
# verify = False, _setup_ca_cert should be a no-op
self.httplib_object.verify = False
- self.httplib_object.strict = False
self.httplib_object._setup_ca_cert()
self.assertEqual(self.httplib_object.ca_cert, None)
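Review bot: The tail of `test_setup_verify` switches `VERIFY_SSL_CERT` to False and calls `_setup_verify()` without asserting anything, so the test would still pass if the disabled-verification warning stopped being emitted. That warning is now the only signal that a connection is unverified, so I would pin it with `warnings.warn.assert_called_once_with(libcloud.security.VERIFY_SSL_DISABLED_MSG)`, assuming `warnings.warn` is patched for this test as it is for `test_setup_ca_cert`. The test also leaves the module-level `VERIFY_SSL_CERT` set to False; whether setUp or tearDown restores it is not visible here, and the start of `test_setup_verify` lies outside this hunk.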
@@ -236,15 +225,18 @@ class TestHttpLibSSLTests(unittest.TestCase):
self.assertTrue(self.httplib_object.ca_cert is not None)
- # verify = True, no CA certs are available, warning should be emitted
+ # verify = True, no CA certs are available, exception should be thrown
libcloud.security.CA_CERTS_PATH = []
- self.httplib_object._setup_ca_cert()
-
- warnings.warn.assert_called_once_with(
- libcloud.security.CA_CERTS_UNAVAILABLE_WARNING_MSG)
- self.assertFalse(self.httplib_object.ca_cert)
- self.assertFalse(self.httplib_object.verify)
+ try:
+ self.httplib_object._setup_ca_cert()
+ except RuntimeError:
+ e = sys.exc_info()[1]
+ msg = libcloud.security.CA_CERTS_UNAVAILABLE_ERROR_MSG
+ self.assertEqual(str(e), msg)
+ pass
+ else:
+ self.fail('Exception not thrown')
if __name__ == '__main__':
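Review bot: The new failure-path check confirms the RuntimeError and its message but no longer asserts anything about the object's state, whereas the removed lines checked `verify` and `ca_cert` explicitly. Adding `self.assertTrue(self.httplib_object.verify)` after the try/except/else would pin that a missing CA bundle can no longer switch verification off; this assumes `verify` is set to True earlier in the test, outside this hunk, as the comment implies. The `pass` at the end of the except block is redundant and can be dropped.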