mongo: rename connection kwargs from ssl* to tls*
cognifloyd committed Sep 19, 2024
1 parent 77b9455 commit 5ff1261
Showing 3 changed files with 50 additions and 45 deletions.
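--- a/st2common/st2common/config.py
+++ b/st2common/st2common/config.py
@@ -206,8 +206,12 @@ def register_opts(ignore_errors=False):
 help="Backoff multiplier (seconds).",
 ),
 cfg.BoolOpt(
-"ssl", default=False, help="Create the connection to mongodb using SSL"
+"ssl", # TODO: replace with "tls"
+default=False,
+help="Create the connection to mongodb using SSL",
 ),
+# TODO: replace ssl_keyfile and ssl_certfile with tlsCertificateFile
+# (see comment in st2common.models.db._get_ssl_kwargs)
 cfg.StrOpt(
 "ssl_keyfile",
 default=None,
@@ -219,20 +223,20 @@ def register_opts(ignore_errors=False):
 help="Certificate file used to identify the localconnection",
 ),
 cfg.StrOpt(
-"ssl_cert_reqs",
+"ssl_cert_reqs", # TODO: replace with BoolOpt "tlsAllowInvalidCertificates"
 default=None,
 choices=["none", "optional", "required"],
 help="Specifies whether a certificate is required from the other side of the "
 "connection, and whether it will be validated if provided",
 ),
 cfg.StrOpt(
-"ssl_ca_certs",
+"ssl_ca_certs", # TODO: replace with "tlsCAFile"
 default=None,
 help="ca_certs file contains a set of concatenated CA certificates, which are "
 "used to validate certificates passed from MongoDB.",
 ),
 cfg.BoolOpt(
-"ssl_match_hostname",
+"ssl_match_hostname", # TODO: replace with "tlsAllowInvalidHostnames"
 default=True,
 help="If True and `ssl_cert_reqs` is not None, enables hostname verification",
 ),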
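Review bot: The help text on the `ssl_cert_reqs` option still describes a three-way policy, but after this commit only `none` turns certificate validation off and `optional` is mapped to the same strict behaviour as `required` (see `_get_ssl_kwargs` in st2common/st2common/models/db/__init__.py), so an operator reading the help cannot tell that `optional` is not a relaxed mode. Suggest `help="Whether the MongoDB server certificate is validated: 'none' disables validation (insecure); 'optional' and 'required' both require a valid certificate."`. The `ssl_match_hostname` help says verification applies only when `ssl_cert_reqs` is not None, yet `_get_ssl_kwargs` (before and after this change) emits the hostname setting whenever TLS is enabled regardless of `ssl_cert_reqs`, so that condition should be dropped from the help. When the TODO to convert this into a `tlsAllowInvalidCertificates` BoolOpt is done, keep its default `False` so validation stays on unless explicitly disabled. `register_opts` starts and ends outside these hunks.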
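--- a/st2common/st2common/models/db/__init__.py
+++ b/st2common/st2common/models/db/__init__.py
@@ -53,7 +53,6 @@
 import copy
 import importlib
 import traceback
-import ssl as ssl_lib
 
 import six
 from oslo_config import cfg
@@ -459,34 +458,37 @@ def _get_ssl_kwargs(
 ):
 # NOTE: In pymongo 3.9.0 some of the ssl related arguments have been renamed -
 # https://api.mongodb.com/python/current/changelog.html#changes-in-version-3-9-0
-# Old names still work, but we should eventually update to new argument names.
+# Old names stop working in pymongo 4, so we need to migrate now:
+# https://pymongo.readthedocs.io/en/stable/migrate-to-pymongo4.html#renamed-uri-options
 ssl_kwargs = {
-"ssl": ssl,
+"tls": ssl,
 }
+# TODO: replace ssl_keyfile and ssl_certfile with tlsCertificateFile per pymongo:
+# > Instead of using ssl_certfile and ssl_keyfile to specify the certificate
+# > and private key files respectively, use tlsCertificateKeyFile to pass a
+# > single file containing both the client certificate and the private key.
+# The tlsCertificateFile switch will be user-facing as files must be combined.
 if ssl_keyfile:
-ssl_kwargs["ssl"] = True
+ssl_kwargs["tls"] = True
 ssl_kwargs["ssl_keyfile"] = ssl_keyfile
 if ssl_certfile:
-ssl_kwargs["ssl"] = True
+ssl_kwargs["tls"] = True
 ssl_kwargs["ssl_certfile"] = ssl_certfile
 if ssl_cert_reqs:
-if ssl_cert_reqs == "none":
-ssl_cert_reqs = ssl_lib.CERT_NONE
-elif ssl_cert_reqs == "optional":
-ssl_cert_reqs = ssl_lib.CERT_OPTIONAL
-elif ssl_cert_reqs == "required":
-ssl_cert_reqs = ssl_lib.CERT_REQUIRED
-ssl_kwargs["ssl_cert_reqs"] = ssl_cert_reqs
+# possible values: none, optional, required
+# ssl lib docs say 'optional' is the same as 'required' for clients:
+# https://docs.python.org/3/library/ssl.html#ssl.CERT_OPTIONAL
+ssl_kwargs["tlsAllowInvalidCertificates"] = ssl_cert_reqs == "none"
 if ssl_ca_certs:
-ssl_kwargs["ssl"] = True
-ssl_kwargs["ssl_ca_certs"] = ssl_ca_certs
+ssl_kwargs["tls"] = True
+ssl_kwargs["tlsCAFile"] = ssl_ca_certs
 if authentication_mechanism:
-ssl_kwargs["ssl"] = True
+ssl_kwargs["tls"] = True
 ssl_kwargs["authentication_mechanism"] = authentication_mechanism
-if ssl_kwargs.get("ssl", False):
-# pass in ssl_match_hostname only if ssl is True. The right default value
-# for ssl_match_hostname in almost all cases is True.
-ssl_kwargs["ssl_match_hostname"] = ssl_match_hostname
+if ssl_kwargs.get("tls", False):
+# pass in tlsAllowInvalidHostname only if ssl is True. The right default value
+# for tlsAllowInvalidHostname in almost all cases is False.
+ssl_kwargs["tlsAllowInvalidHostname"] = not ssl_match_hostname
 return ssl_kwargs
 
 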
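Review bot: The hostname setting written at `ssl_kwargs["tlsAllowInvalidHostname"] = not ssl_match_hostname` uses a name pymongo does not define; the documented option is `tlsAllowInvalidHostnames` (plural), which is also the spelling the TODO added to config.py in this same commit uses. If pymongo rejects the unknown keyword (it raises ConfigurationError for unrecognised keyword options in the versions I know), every TLS connection fails at connect time; if a layer in between silently drops it, `ssl_match_hostname = False` never takes effect — either way the fix is `ssl_kwargs["tlsAllowInvalidHostnames"] = not ssl_match_hostname` together with the same rename in the comment above it and in the unit-test expectations. Separately, `ssl_keyfile` and `ssl_certfile` are still passed under their old names while the migration guide linked in the new comment says those are removed in pymongo 4, so on that version a client-certificate configuration will be rejected even with the new `tls` key; the TODO should be tracked as a blocker for the pymongo 4 upgrade rather than left as a comment. `_get_ssl_kwargs`'s signature starts outside the hunk.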
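--- a/st2common/tests/unit/test_db.py
+++ b/st2common/tests/unit/test_db.py
@@ -21,7 +21,6 @@
 
 monkey_patch()
 
-import ssl
 import time
 
 import jsonschema
@@ -229,19 +228,19 @@ def test_network_level_compression(self):
 def test_get_ssl_kwargs(self):
 # 1. No SSL kwargs provided
 ssl_kwargs = _get_ssl_kwargs()
-self.assertEqual(ssl_kwargs, {"ssl": False})
+self.assertEqual(ssl_kwargs, {"tls": False})
 
 # 2. ssl kwarg provided
 ssl_kwargs = _get_ssl_kwargs(ssl=True)
-self.assertEqual(ssl_kwargs, {"ssl": True, "ssl_match_hostname": True})
+self.assertEqual(ssl_kwargs, {"tls": True, "tlsAllowInvalidHostname": False})
 
 # 2. authentication_mechanism kwarg provided
 ssl_kwargs = _get_ssl_kwargs(authentication_mechanism="MONGODB-X509")
 self.assertEqual(
 ssl_kwargs,
 {
-"ssl": True,
-"ssl_match_hostname": True,
+"tls": True,
+"tlsAllowInvalidHostname": False,
 "authentication_mechanism": "MONGODB-X509",
 },
 )
@@ -250,32 +249,32 @@ def test_get_ssl_kwargs(self):
 ssl_kwargs = _get_ssl_kwargs(ssl_keyfile="/tmp/keyfile")
 self.assertEqual(
 ssl_kwargs,
-{"ssl": True, "ssl_keyfile": "/tmp/keyfile", "ssl_match_hostname": True},
+{"tls": True, "ssl_keyfile": "/tmp/keyfile", "tlsAllowInvalidHostname": False},
 )
 
 # 4. ssl_certfile provided
 ssl_kwargs = _get_ssl_kwargs(ssl_certfile="/tmp/certfile")
 self.assertEqual(
 ssl_kwargs,
-{"ssl": True, "ssl_certfile": "/tmp/certfile", "ssl_match_hostname": True},
+{"tls": True, "ssl_certfile": "/tmp/certfile", "tlsAllowInvalidHostname": False},
 )
 
 # 5. ssl_ca_certs provided
 ssl_kwargs = _get_ssl_kwargs(ssl_ca_certs="/tmp/ca_certs")
 self.assertEqual(
 ssl_kwargs,
-{"ssl": True, "ssl_ca_certs": "/tmp/ca_certs", "ssl_match_hostname": True},
+{"tls": True, "tlsCAFile": "/tmp/ca_certs", "tlsAllowInvalidHostname": False},
 )
 
 # 6. ssl_ca_certs and ssl_cert_reqs combinations
 ssl_kwargs = _get_ssl_kwargs(ssl_ca_certs="/tmp/ca_certs", ssl_cert_reqs="none")
 self.assertEqual(
 ssl_kwargs,
 {
-"ssl": True,
-"ssl_ca_certs": "/tmp/ca_certs",
-"ssl_cert_reqs": ssl.CERT_NONE,
-"ssl_match_hostname": True,
+"tls": True,
+"tlsCAFile": "/tmp/ca_certs",
+"tlsAllowInvalidCertificates": True,
+"tlsAllowInvalidHostname": False,
 },
 )
 
@@ -285,10 +284,10 @@ def test_get_ssl_kwargs(self):
 self.assertEqual(
 ssl_kwargs,
 {
-"ssl": True,
-"ssl_ca_certs": "/tmp/ca_certs",
-"ssl_cert_reqs": ssl.CERT_OPTIONAL,
-"ssl_match_hostname": True,
+"tls": True,
+"tlsCAFile": "/tmp/ca_certs",
+"tlsAllowInvalidCertificates": True,
+"tlsAllowInvalidHostname": False,
 },
 )
 
@@ -298,10 +297,10 @@ def test_get_ssl_kwargs(self):
 self.assertEqual(
 ssl_kwargs,
 {
-"ssl": True,
-"ssl_ca_certs": "/tmp/ca_certs",
-"ssl_cert_reqs": ssl.CERT_REQUIRED,
-"ssl_match_hostname": True,
+"tls": True,
+"tlsCAFile": "/tmp/ca_certs",
+"tlsAllowInvalidCertificates": True,
+"tlsAllowInvalidHostname": False,
 },
 )
 
@@ -330,8 +329,8 @@ def test_db_setup(self, mock_mongoengine):
 "password": "password",
 "tz_aware": True,
 "authentication_mechanism": "MONGODB-X509",
-"ssl": True,
-"ssl_match_hostname": True,
+"tls": True,
+"tlsAllowInvalidHostname": False,
 "connectTimeoutMS": 3000,
 "serverSelectionTimeoutMS": 3000,
 "uuidRepresentation": "pythonLegacy",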
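Review bot: The expectations in the last two `ssl_cert_reqs` blocks (the ones that replaced `ssl.CERT_OPTIONAL` and `ssl.CERT_REQUIRED`) pin `"tlsAllowInvalidCertificates": True`, which is the insecure value — `True` tells pymongo to skip server-certificate validation, the opposite of what `required` means — and the implementation this commit ships (`tlsAllowInvalidCertificates = ssl_cert_reqs == "none"`) yields `False` for both of those inputs, so the assertions cannot pass against it. Change both to `"tlsAllowInvalidCertificates": False,` so the test guards the secure mapping; only the `none` case should expect `True`. The `_get_ssl_kwargs(...)` calls that pass `ssl_cert_reqs="optional"` and `"required"` sit outside these hunks, so this assumes they still pass those literals. `test_get_ssl_kwargs` starts in the second hunk but the later hunks cut through its body.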
