Remove support for old and deprecated VERIFY_SSL_STRICT variable. This variable was only used in an old version, when we enabled cert validation, to ease the migration path. It has been deprecated since then.
Project: http://git-wip-us.apache.org/repos/asf/libcloud/repo
Commit: http://git-wip-us.apache.org/repos/asf/libcloud/commit/aa4e590c
Tree: http://git-wip-us.apache.org/repos/asf/libcloud/tree/aa4e590c
Diff: http://git-wip-us.apache.org/repos/asf/libcloud/diff/aa4e590c

Branch: refs/heads/trunk
Commit: aa4e590cd9f5d8bd2357676ee37a3e55646c47ac
Parents: e17bc75
Author: Tomaz Muraus <[email protected]>
Authored: Sun Dec 8 20:20:27 2013 +0100
Committer: Tomaz Muraus <[email protected]>
Committed: Sun Dec 8 20:20:52 2013 +0100

----------------------------------------------------------------------
 libcloud/httplib_ssl.py           | 36 +++++++++++++++++-----------------
 libcloud/security.py              |  8 +-------
 libcloud/test/test_httplib_ssl.py | 30 +++++++++++-----------------
 3 files changed, 30 insertions(+), 44 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/libcloud/blob/aa4e590c/libcloud/httplib_ssl.py
----------------------------------------------------------------------
diff --git a/libcloud/httplib_ssl.py b/libcloud/httplib_ssl.py
index 4709f27..4c3255a 100644
--- a/libcloud/httplib_ssl.py
+++ b/libcloud/httplib_ssl.py
@@ -27,7 +27,8 @@ from libcloud.utils.py3 import httplib
 
 class LibcloudHTTPSConnection(httplib.HTTPSConnection):
-    """LibcloudHTTPSConnection
+    """
+    LibcloudHTTPSConnection
 
     Subclass of HTTPSConnection which verifies certificate names
     if and only if CA certificates are available.
 
@@ -36,20 +37,21 @@ class LibcloudHTTPSConnection(httplib.HTTPSConnection):
     ca_cert = None # no default CA Certificate
 
     def __init__(self, *args, **kwargs):
-        """Constructor
+        """
+        Constructor
         """
         self._setup_verify()
         httplib.HTTPSConnection.__init__(self, *args, **kwargs)
 
     def _setup_verify(self):
-        """Setup Verify SSL or not
+        """
+        Setup Verify SSL or not
 
         Reads security module's VERIFY_SSL_CERT and toggles whether
         the class overrides the connect() class method or runs the
         inherited httplib.HTTPSConnection connect()
         """
         self.verify = libcloud.security.VERIFY_SSL_CERT
-        self.strict = libcloud.security.VERIFY_SSL_CERT_STRICT
 
         if self.verify:
             self._setup_ca_cert()
@@ -57,7 +59,8 @@ class LibcloudHTTPSConnection(httplib.HTTPSConnection):
             warnings.warn(libcloud.security.VERIFY_SSL_DISABLED_MSG)
 
     def _setup_ca_cert(self):
-        """Setup CA Certs
+        """
+        Setup CA Certs
 
         Search in CA_CERTS_PATH for valid candidates and
         return first match. Otherwise, complain about certs
@@ -73,18 +76,12 @@ class LibcloudHTTPSConnection(httplib.HTTPSConnection):
             # use first available certificate
             self.ca_cert = ca_certs_available[0]
         else:
-            if self.strict:
-                raise RuntimeError(
-                    libcloud.security.CA_CERTS_UNAVAILABLE_ERROR_MSG)
-            else:
-                # no certificates found; toggle verify to False
-                warnings.warn(
-                    libcloud.security.CA_CERTS_UNAVAILABLE_WARNING_MSG)
-                self.ca_cert = None
-                self.verify = False
+            raise RuntimeError(
+                libcloud.security.CA_CERTS_UNAVAILABLE_ERROR_MSG)
 
     def connect(self):
-        """Connect
+        """
+        Connect
 
         Checks if verification is toggled; if not, just call
         httplib.HTTPSConnection's connect
@@ -111,7 +108,8 @@ class LibcloudHTTPSConnection(httplib.HTTPSConnection):
             raise ssl.SSLError('Failed to verify hostname')
 
     def _verify_hostname(self, hostname, cert):
-        """Verify hostname against peer cert
+        """
+        Verify hostname against peer cert
 
         Check both commonName and entries in subjectAltName, using a
         rudimentary glob to dns regex check to find matches
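Review bot: In the @@ -73 hunk the new `else` branch of `_setup_ca_cert` raises `RuntimeError` unconditionally, but the method's docstring (context in the @@ -57 hunk) still ends with 'Otherwise, complain about certs', which described the removed warn-and-downgrade path rather than the new fail-closed one. Suggest replacing that sentence with `Raises RuntimeError if no readable CA bundle is found in CA_CERTS_PATH; verification is never silently disabled.` Because `__init__` calls `_setup_verify()` (context in the @@ -36 hunk), the error now surfaces when the connection object is constructed, which is preferable to the removed fallback that left `self.verify = False` behind a warning. `_setup_ca_cert` begins before the @@ -73 hunk and `connect` continues after it.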
@@ -133,7 +131,8 @@ class LibcloudHTTPSConnection(httplib.HTTPSConnection):
         )
 
     def _get_subject_alt_names(self, cert):
-        """Get SubjectAltNames
+        """
+        Get SubjectAltNames
 
         Retrieve 'subjectAltName' attributes from cert data structure
         """
@@ -146,7 +145,8 @@ class LibcloudHTTPSConnection(httplib.HTTPSConnection):
         return values
 
     def _get_common_name(self, cert):
-        """Get Common Name
+        """
+        Get Common Name
 
         Retrieve 'commonName' attribute from cert data structure
         """


http://git-wip-us.apache.org/repos/asf/libcloud/blob/aa4e590c/libcloud/security.py
----------------------------------------------------------------------
diff --git a/libcloud/security.py b/libcloud/security.py
index 8bf1f04..8be810d 100644
--- a/libcloud/security.py
+++ b/libcloud/security.py
@@ -20,13 +20,12 @@ Usage:
     libcloud.security.VERIFY_SSL_CERT = True
 
     # Optional.
-    libcloud.security.CA_CERTS_PATH.append("/path/to/cacert.txt")
+    libcloud.security.CA_CERTS_PATH.append('/path/to/cacert.txt')
 """
 
 import os
 
 VERIFY_SSL_CERT = True
-VERIFY_SSL_CERT_STRICT = True
 
 # File containing one or more PEM-encoded CA certificates
 # concatenated together.
@@ -63,11 +62,6 @@ if environment_cert_file is not None:
     # don't want to fall-back to a potentially less restrictive bundle
     CA_CERTS_PATH = [environment_cert_file]
 
-CA_CERTS_UNAVAILABLE_WARNING_MSG = (
-    'Warning: No CA Certificates were found in CA_CERTS_PATH. '
-    'Toggling VERIFY_SSL_CERT to False.'
-)
-
 CA_CERTS_UNAVAILABLE_ERROR_MSG = (
     'No CA Certificates were found in CA_CERTS_PATH. For information on '
     'how to get required certificate files, please visit '


http://git-wip-us.apache.org/repos/asf/libcloud/blob/aa4e590c/libcloud/test/test_httplib_ssl.py
----------------------------------------------------------------------
diff --git a/libcloud/test/test_httplib_ssl.py b/libcloud/test/test_httplib_ssl.py
index f7ac513..9192b9e 100644
--- a/libcloud/test/test_httplib_ssl.py
+++ b/libcloud/test/test_httplib_ssl.py
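Review bot: In the security.py @@ -20 hunk, `VERIFY_SSL_CERT_STRICT` is removed from the module with no replacement, so third-party code that still assigns `libcloud.security.VERIFY_SSL_CERT_STRICT = False` keeps running while the assignment silently has no effect, and code that reads the name now gets `AttributeError`; if that is the intent, the module docstring in this hunk is the place to say so. The Usage block still only shows how to turn verification on; suggest adding after the `# Optional.` example: `# With VERIFY_SSL_CERT = True and no readable file in CA_CERTS_PATH, creating a connection raises RuntimeError.` The quote-style change on the `CA_CERTS_PATH.append` line is cosmetic. The module docstring begins before this hunk.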
@@ -192,17 +192,8 @@ class TestHttpLibSSLTests(unittest.TestCase):
     def test_setup_verify(self, _):
         libcloud.security.CA_CERTS_PATH = []
 
-        # non-strict mode should just emit a warning
+        # Should throw a runtime error
         libcloud.security.VERIFY_SSL_CERT = True
-        libcloud.security.VERIFY_SSL_CERT_STRICT = False
-        self.httplib_object._setup_verify()
-
-        warnings.warn.assert_called_once_with(
-            libcloud.security.CA_CERTS_UNAVAILABLE_WARNING_MSG)
-
-        # strict mode, should throw a runtime error
-        libcloud.security.VERIFY_SSL_CERT = True
-        libcloud.security.VERIFY_SSL_CERT_STRICT = True
 
         try:
             self.httplib_object._setup_verify()
@@ -215,14 +206,12 @@ class TestHttpLibSSLTests(unittest.TestCase):
             self.fail('Exception not thrown')
 
         libcloud.security.VERIFY_SSL_CERT = False
-        libcloud.security.VERIFY_SSL_CERT_STRICT = False
         self.httplib_object._setup_verify()
 
     @patch('warnings.warn')
     def test_setup_ca_cert(self, _):
         # verify = False, _setup_ca_cert should be a no-op
         self.httplib_object.verify = False
-        self.httplib_object.strict = False
         self.httplib_object._setup_ca_cert()
 
         self.assertEqual(self.httplib_object.ca_cert, None)
@@ -236,15 +225,18 @@ class TestHttpLibSSLTests(unittest.TestCase):
         self.assertTrue(self.httplib_object.ca_cert is not None)
 
-        # verify = True, no CA certs are available, warning should be emitted
+        # verify = True, no CA certs are available, exception should be thrown
         libcloud.security.CA_CERTS_PATH = []
-        self.httplib_object._setup_ca_cert()
-
-        warnings.warn.assert_called_once_with(
-            libcloud.security.CA_CERTS_UNAVAILABLE_WARNING_MSG)
-        self.assertFalse(self.httplib_object.ca_cert)
-        self.assertFalse(self.httplib_object.verify)
+        try:
+            self.httplib_object._setup_ca_cert()
+        except RuntimeError:
+            e = sys.exc_info()[1]
+            msg = libcloud.security.CA_CERTS_UNAVAILABLE_ERROR_MSG
+            self.assertEqual(str(e), msg)
+            pass
+        else:
+            self.fail('Exception not thrown')
 
 
 if __name__ == '__main__':
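Review bot: In the @@ -192 hunk, `test_setup_verify` now only checks that `_setup_verify()` raises when `VERIFY_SSL_CERT = True` and `CA_CERTS_PATH = []`; it no longer asserts that the removed warn-and-downgrade path is really gone, even though `warnings.warn` appears to remain patched (the `_` parameter and the removed `assert_called_once_with` calls suggest so). Suggest adding, after the `try`/`except` block that continues outside this hunk and before the `VERIFY_SSL_CERT = False` step (which does warn via `VERIFY_SSL_DISABLED_MSG`), `self.assertFalse(warnings.warn.called)`. The new comment could also name the expected error, `# No CA certs with verification enabled: RuntimeError expected`. The enclosing test method ends outside this hunk.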
