Posted to notifications@libcloud.apache.org by to...@apache.org on 2013/12/08 21:19:52 UTC
[1/8] git commit: Refactor libcloud.common.base.Connection to avoid
doing duplicate work and remove some additional code.
Updated Branches:
refs/heads/trunk 1dd2382cf -> b6cb0699f
Refactor libcloud.common.base.Connection to avoid doing duplicate work and
remove some additional code.
Also update affected code.
Project: http://git-wip-us.apache.org/repos/asf/libcloud/repo
Commit: http://git-wip-us.apache.org/repos/asf/libcloud/commit/fe72fc13
Tree: http://git-wip-us.apache.org/repos/asf/libcloud/tree/fe72fc13
Diff: http://git-wip-us.apache.org/repos/asf/libcloud/diff/fe72fc13
Branch: refs/heads/trunk
Commit: fe72fc13a131b446e1f18cd22005f9c8fd03ce79
Parents: 1dd2382
Author: Tomaz Muraus <to...@apache.org>
Authored: Sun Dec 8 19:10:42 2013 +0100
Committer: Tomaz Muraus <to...@apache.org>
Committed: Sun Dec 8 19:10:42 2013 +0100
----------------------------------------------------------------------
libcloud/common/base.py | 46 ++++++++++++++++++++++--------------------
libcloud/common/linode.py | 15 +++++++++-----
2 files changed, 34 insertions(+), 27 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/libcloud/blob/fe72fc13/libcloud/common/base.py
----------------------------------------------------------------------
diff --git a/libcloud/common/base.py b/libcloud/common/base.py
index 34d413c..13e7baf 100644
--- a/libcloud/common/base.py
+++ b/libcloud/common/base.py
@@ -86,18 +86,27 @@ class Response(object):
:param connection: Parent connection object.
:type connection: :class:`.Connection`
"""
- self.body = self._decompress_response(response=response)
-
- if PY3:
- self.body = b(self.body).decode('utf-8')
-
- self.status = response.status
+ self.connection = connection
# http.client In Python 3 doesn't automatically lowercase the header
# names
self.headers = lowercase_keys(dict(response.getheaders()))
self.error = response.reason
- self.connection = connection
+ self.status = response.status
+
+ # This attribute is set when using LoggingConnection.
+ original_data = getattr(response, '_original_data', None)
+
+ if original_data:
+ # LoggingConnection already decompresses data so it can log it
+ # which means we don't need to decompress it here.
+ self.body = response._original_data
+ else:
+ self.body = self._decompress_response(body=response.read(),
+ headers=self.headers)
+
+ if PY3:
+ self.body = b(self.body).decode('utf-8')
if not self.success():
raise Exception(self.parse_error())
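Review bot: The new `if original_data:` test in `Response.__init__` is a truthiness check, whereas the code it replaces in `_decompress_response` used `is not None`. An empty body already captured by LoggingConnection therefore falls through to the `else` branch, and `response.read()` is called on a response that may already have been consumed. Keeping the identity test and reusing the local avoids that: `if original_data is not None:` followed by `self.body = original_data`. `__init__` begins above this hunk.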
@@ -136,30 +145,23 @@ class Response(object):
:rtype: ``bool``
:return: ``True`` or ``False``
"""
- return self.status == httplib.OK or self.status == httplib.CREATED
+ return self.status in [httplib.OK, httplib.CREATED]
- def _decompress_response(self, response):
+ def _decompress_response(self, body, headers):
"""
Decompress a response body if it is using deflate or gzip encoding.
+ :param body: Response body.
+ :type body: ``str``
+
+ :param headers: Response headers.
+ :type headers: ``dict``
+
:return: Decompressed response
:rtype: ``str``
"""
- headers = lowercase_keys(dict(response.getheaders()))
encoding = headers.get('content-encoding', None)
- # This attribute is set when using LoggingConnection
- original_data = getattr(response, '_original_data', None)
-
- if original_data is not None:
- # LoggingConnection decompresses data before we get into this
- # function so it can log decompressed body.
- # If this attribute is present, this means the body has already
- # been decompressed.
- return original_data
-
- body = response.read()
-
if encoding in ['zlib', 'deflate']:
body = decompress_data('zlib', body)
elif encoding in ['gzip', 'x-gzip']:
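Review bot: `_decompress_response` now reads `headers.get('content-encoding', None)` from whatever dict the caller passes, but the new docstring does not say the keys must already be lower-cased, which the removed `lowercase_keys(dict(response.getheaders()))` line used to guarantee. I would extend the `:param headers:` text to `Response headers with lower-case keys (see lowercase_keys).` It is also worth noting under `:param body:` that it is the raw value of `response.read()`, since the caller in `__init__` only decodes it to text afterwards under `PY3`. The method body continues past the end of the hunk.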
http://git-wip-us.apache.org/repos/asf/libcloud/blob/fe72fc13/libcloud/common/linode.py
----------------------------------------------------------------------
diff --git a/libcloud/common/linode.py b/libcloud/common/linode.py
index 6947d0a..9d953f0 100644
--- a/libcloud/common/linode.py
+++ b/libcloud/common/linode.py
@@ -80,21 +80,26 @@ class LinodeResponse(JsonResponse):
:keyword response: The raw response returned by urllib
:return: parsed :class:`LinodeResponse`"""
- self.body = self._decompress_response(response=response)
- if PY3:
- self.body = b(self.body).decode('utf-8')
+ self.connection = connection
- self.status = response.status
self.headers = dict(response.getheaders())
self.error = response.reason
- self.connection = connection
+ self.status = response.status
+
+ self.body = self._decompress_response(body=response.read(),
+ headers=self.headers)
+
+ if PY3:
+ self.body = b(self.body).decode('utf-8')
+
self.invalid = LinodeException(0xFF,
"Invalid JSON received from server")
# Move parse_body() to here; we can't be sure of failure until we've
# parsed the body into JSON.
self.objects, self.errors = self.parse_body()
+
if not self.success():
# Raise the first error, as there will usually only be one
raise self.errors[0]
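Review bot: `self.headers = dict(response.getheaders())` is passed straight to `_decompress_response`, which after this commit no longer lower-cases the keys itself and looks up `'content-encoding'`. The comment in `base.py` notes that http.client on Python 3 does not lower-case header names, so a compressed Linode response would likely be left undecompressed there and then fail JSON parsing. Normalising at the call site matches `Response.__init__`: `self.headers = lowercase_keys(dict(response.getheaders()))`, provided `lowercase_keys` is imported in this module (the import block is outside the hunk). This constructor also does not repeat the `_original_data` check that `Response.__init__` gained, so it always calls `response.read()`; whether that matters depends on how LoggingConnection rebuilds the response, which this page does not show. The method starts above the hunk.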
[8/8] git commit: Update upgrade notes.
Posted by to...@apache.org.
Update upgrade notes.
Project: http://git-wip-us.apache.org/repos/asf/libcloud/repo
Commit: http://git-wip-us.apache.org/repos/asf/libcloud/commit/b6cb0699
Tree: http://git-wip-us.apache.org/repos/asf/libcloud/tree/b6cb0699
Diff: http://git-wip-us.apache.org/repos/asf/libcloud/diff/b6cb0699
Branch: refs/heads/trunk
Commit: b6cb0699f5728cac475c01bf3e2862a05ce4987a
Parents: 0e02b74
Author: Tomaz Muraus <to...@apache.org>
Authored: Sun Dec 8 21:08:04 2013 +0100
Committer: Tomaz Muraus <to...@apache.org>
Committed: Sun Dec 8 21:08:04 2013 +0100
----------------------------------------------------------------------
docs/upgrade_notes.rst | 15 +++++++++++++++
1 file changed, 15 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/libcloud/blob/b6cb0699/docs/upgrade_notes.rst
----------------------------------------------------------------------
diff --git a/docs/upgrade_notes.rst b/docs/upgrade_notes.rst
index b4aa68b..8b0065d 100644
--- a/docs/upgrade_notes.rst
+++ b/docs/upgrade_notes.rst
@@ -15,6 +15,21 @@ single class plus ``region`` argument model.
More information on how this affects existing drivers and your code can be
found bellow.
+libcloud.security.VERIFY_SSL_CERT_STRICT variable has been removed
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+``libcloud.security.VERIFY_SSL_CERT_STRICT`` variable has been introduced in
+version 0.4.2 when we initially added support for SSL certificate verification.
+This variable was added to ease the migration from older versions of Libcloud
+which didn't verify SSL certificates.
+
+In version 0.6.0, this variable has been set to ``True`` by default and
+deprecated.
+
+In this release, this variable has been fully removed. For more information
+on how SSL certificate validation works in Libcloud, see the :doc:`SSL
+Certificate Validation </other/ssl-certificate-validation>` page.
+
Cache busting functionality is now only enabled in Rackspace first-gen driver
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[6/8] git commit: Use unittest2 and assertRaisesRegexp instead.
Posted by to...@apache.org.
Use unittest2 and assertRaisesRegexp instead.
Project: http://git-wip-us.apache.org/repos/asf/libcloud/repo
Commit: http://git-wip-us.apache.org/repos/asf/libcloud/commit/2bcbefb0
Tree: http://git-wip-us.apache.org/repos/asf/libcloud/tree/2bcbefb0
Diff: http://git-wip-us.apache.org/repos/asf/libcloud/diff/2bcbefb0
Branch: refs/heads/trunk
Commit: 2bcbefb0ec95f1905545e5adce2dd88bb5bae0ed
Parents: ee80826
Author: Tomaz Muraus <to...@apache.org>
Authored: Sun Dec 8 20:25:46 2013 +0100
Committer: Tomaz Muraus <to...@apache.org>
Committed: Sun Dec 8 20:25:46 2013 +0100
----------------------------------------------------------------------
libcloud/test/test_httplib_ssl.py | 40 ++++++++++------------------------
1 file changed, 12 insertions(+), 28 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/libcloud/blob/2bcbefb0/libcloud/test/test_httplib_ssl.py
----------------------------------------------------------------------
diff --git a/libcloud/test/test_httplib_ssl.py b/libcloud/test/test_httplib_ssl.py
index 9192b9e..ee87552 100644
--- a/libcloud/test/test_httplib_ssl.py
+++ b/libcloud/test/test_httplib_ssl.py
@@ -15,7 +15,6 @@
import os
import sys
-import unittest
import os.path
import warnings
@@ -26,6 +25,8 @@ import libcloud.security
from libcloud.utils.py3 import reload
from libcloud.httplib_ssl import LibcloudHTTPSConnection
+from libcloud.test import unittest
+
ORIGINAL_CA_CERS_PATH = libcloud.security.CA_CERTS_PATH
@@ -52,18 +53,13 @@ class TestHttpLibSSLTests(unittest.TestCase):
file_path = os.path.dirname(os.path.abspath(__file__))
os.environ['SSL_CERT_FILE'] = file_path
- try:
- reload(libcloud.security)
- except ValueError:
- e = sys.exc_info()[1]
- msg = 'Certificate file can\'t be a directory'
- self.assertEqual(str(e), msg)
- else:
- self.fail('Exception was not thrown')
+ expected_msg = 'Certificate file can\'t be a directory'
+ self.assertRaisesRegexp(ValueError, expected_msg,
+ reload, libcloud.security)
def test_custom_ca_path_using_env_var_exist(self):
# When setting a path we don't actually check that a valid CA file is
- # provied.
+ # provided.
# This happens later in the code in httplib_ssl.connect method
file_path = os.path.abspath(__file__)
os.environ['SSL_CERT_FILE'] = file_path
@@ -195,15 +191,9 @@ class TestHttpLibSSLTests(unittest.TestCase):
# Should throw a runtime error
libcloud.security.VERIFY_SSL_CERT = True
- try:
- self.httplib_object._setup_verify()
- except RuntimeError:
- e = sys.exc_info()[1]
- msg = libcloud.security.CA_CERTS_UNAVAILABLE_ERROR_MSG
- self.assertEqual(str(e), msg)
- pass
- else:
- self.fail('Exception not thrown')
+ expected_msg = libcloud.security.CA_CERTS_UNAVAILABLE_ERROR_MSG
+ self.assertRaisesRegexp(RuntimeError, expected_msg,
+ self.httplib_object._setup_verify)
libcloud.security.VERIFY_SSL_CERT = False
self.httplib_object._setup_verify()
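Review bot: `assertRaisesRegexp` treats `expected_msg` as a regular expression and searches for it, so passing `libcloud.security.CA_CERTS_UNAVAILABLE_ERROR_MSG` unescaped is a looser check than the `assertEqual(str(e), msg)` it replaces. The dots in the message and URL match any character, and extra text around the message is accepted. Wrapping the constant keeps the comparison literal, `expected_msg = re.escape(libcloud.security.CA_CERTS_UNAVAILABLE_ERROR_MSG)`, which needs `import re` in the test module if it is not already there. The same applies to the `_setup_ca_cert` assertion in the next hunk. The test method starts above this hunk.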
@@ -228,15 +218,9 @@ class TestHttpLibSSLTests(unittest.TestCase):
# verify = True, no CA certs are available, exception should be thrown
libcloud.security.CA_CERTS_PATH = []
- try:
- self.httplib_object._setup_ca_cert()
- except RuntimeError:
- e = sys.exc_info()[1]
- msg = libcloud.security.CA_CERTS_UNAVAILABLE_ERROR_MSG
- self.assertEqual(str(e), msg)
- pass
- else:
- self.fail('Exception not thrown')
+ expected_msg = libcloud.security.CA_CERTS_UNAVAILABLE_ERROR_MSG
+ self.assertRaisesRegexp(RuntimeError, expected_msg,
+ self.httplib_object._setup_ca_cert)
if __name__ == '__main__':
[5/8] git commit: Set LibcloudHTTPSConnection.verify variable to True
by default.
Posted by to...@apache.org.
Set LibcloudHTTPSConnection.verify variable to True by default.
Project: http://git-wip-us.apache.org/repos/asf/libcloud/repo
Commit: http://git-wip-us.apache.org/repos/asf/libcloud/commit/ee808260
Tree: http://git-wip-us.apache.org/repos/asf/libcloud/tree/ee808260
Diff: http://git-wip-us.apache.org/repos/asf/libcloud/diff/ee808260
Branch: refs/heads/trunk
Commit: ee8082604c587dd332036f1c8fc3c7b1d05e0d4f
Parents: aa4e590
Author: Tomaz Muraus <to...@apache.org>
Authored: Sun Dec 8 20:21:44 2013 +0100
Committer: Tomaz Muraus <to...@apache.org>
Committed: Sun Dec 8 20:21:44 2013 +0100
----------------------------------------------------------------------
libcloud/httplib_ssl.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/libcloud/blob/ee808260/libcloud/httplib_ssl.py
----------------------------------------------------------------------
diff --git a/libcloud/httplib_ssl.py b/libcloud/httplib_ssl.py
index 4c3255a..29136ef 100644
--- a/libcloud/httplib_ssl.py
+++ b/libcloud/httplib_ssl.py
@@ -33,7 +33,7 @@ class LibcloudHTTPSConnection(httplib.HTTPSConnection):
Subclass of HTTPSConnection which verifies certificate names
if and only if CA certificates are available.
"""
- verify = False # does not verify
+ verify = True # verify by default
ca_cert = None # no default CA Certificate
def __init__(self, *args, **kwargs):
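Review bot: The class docstring kept as context above this change still says the connection verifies certificate names "if and only if CA certificates are available", which no longer describes the behaviour. Commit aa4e590c on this page makes `_setup_ca_cert` raise `RuntimeError` when no CA file is found, and this change makes `verify = True` the class default. I would reword the docstring to something like `Subclass of HTTPSConnection which verifies the server certificate and hostname unless libcloud.security.VERIFY_SSL_CERT is False.` Since `_setup_verify()` overwrites `self.verify` from `libcloud.security.VERIFY_SSL_CERT` during `__init__`, the new class default only matters for code that reads the attribute before or without construction. The class body continues outside the hunk.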
[4/8] git commit: Remove support for old and deprecated
VERIFY_SSL_STRICT variable.
Posted by to...@apache.org.
Remove support for old and deprecated VERIFY_SSL_STRICT variable.
This variable was only used in an old version when we enabled cert validation
to ease the migration path. It has been deprecated since then.
Project: http://git-wip-us.apache.org/repos/asf/libcloud/repo
Commit: http://git-wip-us.apache.org/repos/asf/libcloud/commit/aa4e590c
Tree: http://git-wip-us.apache.org/repos/asf/libcloud/tree/aa4e590c
Diff: http://git-wip-us.apache.org/repos/asf/libcloud/diff/aa4e590c
Branch: refs/heads/trunk
Commit: aa4e590cd9f5d8bd2357676ee37a3e55646c47ac
Parents: e17bc75
Author: Tomaz Muraus <to...@apache.org>
Authored: Sun Dec 8 20:20:27 2013 +0100
Committer: Tomaz Muraus <to...@apache.org>
Committed: Sun Dec 8 20:20:52 2013 +0100
----------------------------------------------------------------------
libcloud/httplib_ssl.py | 36 +++++++++++++++++-----------------
libcloud/security.py | 8 +-------
libcloud/test/test_httplib_ssl.py | 30 +++++++++++-----------------
3 files changed, 30 insertions(+), 44 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/libcloud/blob/aa4e590c/libcloud/httplib_ssl.py
----------------------------------------------------------------------
diff --git a/libcloud/httplib_ssl.py b/libcloud/httplib_ssl.py
index 4709f27..4c3255a 100644
--- a/libcloud/httplib_ssl.py
+++ b/libcloud/httplib_ssl.py
@@ -27,7 +27,8 @@ from libcloud.utils.py3 import httplib
class LibcloudHTTPSConnection(httplib.HTTPSConnection):
- """LibcloudHTTPSConnection
+ """
+ LibcloudHTTPSConnection
Subclass of HTTPSConnection which verifies certificate names
if and only if CA certificates are available.
@@ -36,20 +37,21 @@ class LibcloudHTTPSConnection(httplib.HTTPSConnection):
ca_cert = None # no default CA Certificate
def __init__(self, *args, **kwargs):
- """Constructor
+ """
+ Constructor
"""
self._setup_verify()
httplib.HTTPSConnection.__init__(self, *args, **kwargs)
def _setup_verify(self):
- """Setup Verify SSL or not
+ """
+ Setup Verify SSL or not
Reads security module's VERIFY_SSL_CERT and toggles whether
the class overrides the connect() class method or runs the
inherited httplib.HTTPSConnection connect()
"""
self.verify = libcloud.security.VERIFY_SSL_CERT
- self.strict = libcloud.security.VERIFY_SSL_CERT_STRICT
if self.verify:
self._setup_ca_cert()
@@ -57,7 +59,8 @@ class LibcloudHTTPSConnection(httplib.HTTPSConnection):
warnings.warn(libcloud.security.VERIFY_SSL_DISABLED_MSG)
def _setup_ca_cert(self):
- """Setup CA Certs
+ """
+ Setup CA Certs
Search in CA_CERTS_PATH for valid candidates and
return first match. Otherwise, complain about certs
@@ -73,18 +76,12 @@ class LibcloudHTTPSConnection(httplib.HTTPSConnection):
# use first available certificate
self.ca_cert = ca_certs_available[0]
else:
- if self.strict:
- raise RuntimeError(
- libcloud.security.CA_CERTS_UNAVAILABLE_ERROR_MSG)
- else:
- # no certificates found; toggle verify to False
- warnings.warn(
- libcloud.security.CA_CERTS_UNAVAILABLE_WARNING_MSG)
- self.ca_cert = None
- self.verify = False
+ raise RuntimeError(
+ libcloud.security.CA_CERTS_UNAVAILABLE_ERROR_MSG)
def connect(self):
- """Connect
+ """
+ Connect
Checks if verification is toggled; if not, just call
httplib.HTTPSConnection's connect
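Review bot: With the non-strict branch gone, `_setup_ca_cert` now always raises `RuntimeError` when no CA file is found, and because `__init__` calls `_setup_verify()` the exception surfaces while the connection object is being constructed rather than at `connect()`. The method's docstring (in the previous hunk) still only says it will "complain about certs". I would add `:raises RuntimeError: if no CA certificate file is found in CA_CERTS_PATH` there so callers know the failure is fatal and where it comes from. `_setup_ca_cert` starts above this hunk and `connect` continues below it.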
@@ -111,7 +108,8 @@ class LibcloudHTTPSConnection(httplib.HTTPSConnection):
raise ssl.SSLError('Failed to verify hostname')
def _verify_hostname(self, hostname, cert):
- """Verify hostname against peer cert
+ """
+ Verify hostname against peer cert
Check both commonName and entries in subjectAltName, using a
rudimentary glob to dns regex check to find matches
@@ -133,7 +131,8 @@ class LibcloudHTTPSConnection(httplib.HTTPSConnection):
)
def _get_subject_alt_names(self, cert):
- """Get SubjectAltNames
+ """
+ Get SubjectAltNames
Retrieve 'subjectAltName' attributes from cert data structure
"""
@@ -146,7 +145,8 @@ class LibcloudHTTPSConnection(httplib.HTTPSConnection):
return values
def _get_common_name(self, cert):
- """Get Common Name
+ """
+ Get Common Name
Retrieve 'commonName' attribute from cert data structure
"""
http://git-wip-us.apache.org/repos/asf/libcloud/blob/aa4e590c/libcloud/security.py
----------------------------------------------------------------------
diff --git a/libcloud/security.py b/libcloud/security.py
index 8bf1f04..8be810d 100644
--- a/libcloud/security.py
+++ b/libcloud/security.py
@@ -20,13 +20,12 @@ Usage:
libcloud.security.VERIFY_SSL_CERT = True
# Optional.
- libcloud.security.CA_CERTS_PATH.append("/path/to/cacert.txt")
+ libcloud.security.CA_CERTS_PATH.append('/path/to/cacert.txt')
"""
import os
VERIFY_SSL_CERT = True
-VERIFY_SSL_CERT_STRICT = True
# File containing one or more PEM-encoded CA certificates
# concatenated together.
@@ -63,11 +62,6 @@ if environment_cert_file is not None:
# don't want to fall-back to a potentially less restrictive bundle
CA_CERTS_PATH = [environment_cert_file]
-CA_CERTS_UNAVAILABLE_WARNING_MSG = (
- 'Warning: No CA Certificates were found in CA_CERTS_PATH. '
- 'Toggling VERIFY_SSL_CERT to False.'
-)
-
CA_CERTS_UNAVAILABLE_ERROR_MSG = (
'No CA Certificates were found in CA_CERTS_PATH. For information on '
'how to get required certificate files, please visit '
http://git-wip-us.apache.org/repos/asf/libcloud/blob/aa4e590c/libcloud/test/test_httplib_ssl.py
----------------------------------------------------------------------
diff --git a/libcloud/test/test_httplib_ssl.py b/libcloud/test/test_httplib_ssl.py
index f7ac513..9192b9e 100644
--- a/libcloud/test/test_httplib_ssl.py
+++ b/libcloud/test/test_httplib_ssl.py
@@ -192,17 +192,8 @@ class TestHttpLibSSLTests(unittest.TestCase):
def test_setup_verify(self, _):
libcloud.security.CA_CERTS_PATH = []
- # non-strict mode should just emit a warning
+ # Should throw a runtime error
libcloud.security.VERIFY_SSL_CERT = True
- libcloud.security.VERIFY_SSL_CERT_STRICT = False
- self.httplib_object._setup_verify()
-
- warnings.warn.assert_called_once_with(
- libcloud.security.CA_CERTS_UNAVAILABLE_WARNING_MSG)
-
- # strict mode, should throw a runtime error
- libcloud.security.VERIFY_SSL_CERT = True
- libcloud.security.VERIFY_SSL_CERT_STRICT = True
try:
self.httplib_object._setup_verify()
@@ -215,14 +206,12 @@ class TestHttpLibSSLTests(unittest.TestCase):
self.fail('Exception not thrown')
libcloud.security.VERIFY_SSL_CERT = False
- libcloud.security.VERIFY_SSL_CERT_STRICT = False
self.httplib_object._setup_verify()
@patch('warnings.warn')
def test_setup_ca_cert(self, _):
# verify = False, _setup_ca_cert should be a no-op
self.httplib_object.verify = False
- self.httplib_object.strict = False
self.httplib_object._setup_ca_cert()
self.assertEqual(self.httplib_object.ca_cert, None)
@@ -236,15 +225,18 @@ class TestHttpLibSSLTests(unittest.TestCase):
self.assertTrue(self.httplib_object.ca_cert is not None)
- # verify = True, no CA certs are available, warning should be emitted
+ # verify = True, no CA certs are available, exception should be thrown
libcloud.security.CA_CERTS_PATH = []
- self.httplib_object._setup_ca_cert()
-
- warnings.warn.assert_called_once_with(
- libcloud.security.CA_CERTS_UNAVAILABLE_WARNING_MSG)
- self.assertFalse(self.httplib_object.ca_cert)
- self.assertFalse(self.httplib_object.verify)
+ try:
+ self.httplib_object._setup_ca_cert()
+ except RuntimeError:
+ e = sys.exc_info()[1]
+ msg = libcloud.security.CA_CERTS_UNAVAILABLE_ERROR_MSG
+ self.assertEqual(str(e), msg)
+ pass
+ else:
+ self.fail('Exception not thrown')
if __name__ == '__main__':
[7/8] git commit: Remove unused import.
Posted by to...@apache.org.
Remove unused import.
Project: http://git-wip-us.apache.org/repos/asf/libcloud/repo
Commit: http://git-wip-us.apache.org/repos/asf/libcloud/commit/0e02b74d
Tree: http://git-wip-us.apache.org/repos/asf/libcloud/tree/0e02b74d
Diff: http://git-wip-us.apache.org/repos/asf/libcloud/diff/0e02b74d
Branch: refs/heads/trunk
Commit: 0e02b74d418d742211c782dfa3e1377a270225e8
Parents: 2bcbefb
Author: Tomaz Muraus <to...@apache.org>
Authored: Sun Dec 8 20:44:44 2013 +0100
Committer: Tomaz Muraus <to...@apache.org>
Committed: Sun Dec 8 20:44:44 2013 +0100
----------------------------------------------------------------------
libcloud/test/test_httplib_ssl.py | 1 -
1 file changed, 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/libcloud/blob/0e02b74d/libcloud/test/test_httplib_ssl.py
----------------------------------------------------------------------
diff --git a/libcloud/test/test_httplib_ssl.py b/libcloud/test/test_httplib_ssl.py
index ee87552..ddbaa14 100644
--- a/libcloud/test/test_httplib_ssl.py
+++ b/libcloud/test/test_httplib_ssl.py
@@ -16,7 +16,6 @@
import os
import sys
import os.path
-import warnings
from mock import patch
[3/8] git commit: Update a link to point to the correct page.
Posted by to...@apache.org.
Update a link to point to the correct page.
Project: http://git-wip-us.apache.org/repos/asf/libcloud/repo
Commit: http://git-wip-us.apache.org/repos/asf/libcloud/commit/e17bc757
Tree: http://git-wip-us.apache.org/repos/asf/libcloud/tree/e17bc757
Diff: http://git-wip-us.apache.org/repos/asf/libcloud/diff/e17bc757
Branch: refs/heads/trunk
Commit: e17bc757be2792d0be4d1f502f13bc2349f937cf
Parents: 7307ac9
Author: Tomaz Muraus <to...@apache.org>
Authored: Sun Dec 8 20:06:49 2013 +0100
Committer: Tomaz Muraus <to...@apache.org>
Committed: Sun Dec 8 20:06:49 2013 +0100
----------------------------------------------------------------------
libcloud/security.py | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/libcloud/blob/e17bc757/libcloud/security.py
----------------------------------------------------------------------
diff --git a/libcloud/security.py b/libcloud/security.py
index 30a7a5a..8bf1f04 100644
--- a/libcloud/security.py
+++ b/libcloud/security.py
@@ -69,9 +69,10 @@ CA_CERTS_UNAVAILABLE_WARNING_MSG = (
)
CA_CERTS_UNAVAILABLE_ERROR_MSG = (
- 'No CA Certificates were found in CA_CERTS_PATH. For information on'
+ 'No CA Certificates were found in CA_CERTS_PATH. For information on '
'how to get required certificate files, please visit '
- 'http://libcloud.apache.org/docs/ssl-certificate-validation.html'
+ 'https://libcloud.readthedocs.org/en/latest/other/'
+ 'ssl-certificate-validation.html'
)
VERIFY_SSL_DISABLED_MSG = (
[2/8] git commit: docs: Update "SSL Certificate Validation" section.
Posted by to...@apache.org.
docs: Update "SSL Certificate Validation" section.
Project: http://git-wip-us.apache.org/repos/asf/libcloud/repo
Commit: http://git-wip-us.apache.org/repos/asf/libcloud/commit/7307ac93
Tree: http://git-wip-us.apache.org/repos/asf/libcloud/tree/7307ac93
Diff: http://git-wip-us.apache.org/repos/asf/libcloud/diff/7307ac93
Branch: refs/heads/trunk
Commit: 7307ac9333d136faf7513b88c0b9c3afd58484ce
Parents: fe72fc1
Author: Tomaz Muraus <to...@apache.org>
Authored: Sun Dec 8 20:04:30 2013 +0100
Committer: Tomaz Muraus <to...@apache.org>
Committed: Sun Dec 8 20:04:30 2013 +0100
----------------------------------------------------------------------
docs/other/ssl-certificate-validation.rst | 65 ++++++++++++++++++++++++--
1 file changed, 60 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/libcloud/blob/7307ac93/docs/other/ssl-certificate-validation.rst
----------------------------------------------------------------------
diff --git a/docs/other/ssl-certificate-validation.rst b/docs/other/ssl-certificate-validation.rst
index ec02782..9df5765 100644
--- a/docs/other/ssl-certificate-validation.rst
+++ b/docs/other/ssl-certificate-validation.rst
@@ -3,15 +3,16 @@ SSL Certificate Validation
When establishing a secure connection to a cloud provider endpoint,
Libcloud verifies server SSL certificate. By default, Libcloud searches
-paths listed in ``libcloud.security.CA_CERTS_PATH`` for CA certificate files.
+paths listed in ``libcloud.security.CA_CERTS_PATH`` variable for the CA
+certificate files.
``CA_CERTS_PATH`` contains common paths to CA bundle installations on the
following platforms:
-* openssl on CentOS / Fedora
-* ca-certificates on Debian / Ubuntu / Arch / Gentoo
-* ca_root_nss on FreeBSD
-* curl-ca-bundle on Mac OS X
+* ``openssl`` package on CentOS / Fedora
+* ``ca-certificates`` package on Debian / Ubuntu / Arch / Gentoo
+* ``ca_root_nss`` port on FreeBSD
+* ``curl-ca-bundle`` port on Mac OS X
If no valid CA certificate files are found, you will see an error message
similar to the one bellow:
@@ -24,3 +25,57 @@ Acquiring CA Certificates
If the above packages are unavailable to you, and you don't wish to roll
your own, the makers of cURL provides an excellent resource, generated
from Mozilla: http://curl.haxx.se/docs/caextract.html.
+
+Adding additional CA certificate to the path
+--------------------------------------------
+
+If you want to add an additional CA certificate to the ``CA_CERTS_PATH``, you
+can do this by appending a path to your CA file to the
+``libcloud.security.CA_CERTS_PATH`` list.
+
+For example:
+
+.. sourcecode:: python
+
+ import libcloud.security
+ libcloud.security.CA_CERTS_PATH.append('/home/user/path-to-your-ca-file.crt')
+
+ # Instantiate and work with the driver here...
+
+Using a custom CA certificate
+-----------------------------
+
+If you want to use a custom CA certificate file for validating the server
+certificate, you can do that by setting ``libcloud.security.CA_CERTS_PATH``
+variable (``list``) to point to your CA file.
+
+For example:
+
+.. sourcecode:: python
+
+ import libcloud.security
+ libcloud.security.CA_CERTS_PATH = ['/home/user/path-to-your-ca-file.crt']
+
+ # Instantiate and work with the driver here...
+
+Disabling SSL certificate validation
+------------------------------------
+
+.. note::
+
+ Disabling SSL certificate validations makes you vulnerable to MITM attacks
+ so you are strongly discouraged from doing that. You should only disable it
+ if you are aware of the consequences and you know what you are doing.
+
+To disable SSL certificate validation, set
+``libcloud.security.VERIFY_SSL_CERT`` variable to ``False`` at the top of your
+script, before instantiating a driver and interacting with other Libcloud code.
+
+For example:
+
+.. sourcecode:: python
+
+ import libcloud.security
+ libcloud.security.VERIFY_SSL_CERT = True
+
+ # Instantiate and work with the driver here...