From 0f01bb76d2bb6be1ec5751a66fd6c48caebfedd5 Mon Sep 17 00:00:00 2001 From: Stavros Sachtouris <saxtouri@admin.grnet.gr> Date: Fri, 17 Oct 2014 12:46:41 +0300 Subject: [PATCH] Rename "raise_ssl_errors" to "ignore_ssl" Refs grnet/kamaki#74 The modified flag is located in HTTPSClientAuthConnection of "kamaki.clients.utils.https". The default flag value is reversed. Also, rename the method "patch_to_raise_ssl_errors" to "patsh_ignore_ssl". The boolean values passed to this method is also reversed. Update documentation accordingly. --- Changelog | 2 ++ docs/developers/showcase.rst | 4 ++-- docs/developers/ssl.rst | 7 +++---- kamaki/cli/__init__.py | 2 +- kamaki/clients/utils/https.py | 21 +++++++++------------ 5 files changed, 17 insertions(+), 19 deletions(-) diff --git a/Changelog b/Changelog index e47cfdd2..eb77236e 100644 --- a/Changelog +++ b/Changelog @@ -19,6 +19,8 @@ Bug fixes * Fix Python 2.6 compatibility concerning HTTPS arguments [grnet/kamaki#73] * Fix Python 2.6 compatibility concerning encode parameters +* Rename "raise_ssl_errors" to "ignore_ssl" in HTTPConnection class + [grnet/kamaki#74] v0.13rc4 ======== diff --git a/docs/developers/showcase.rst b/docs/developers/showcase.rst index 21a3ccca..84b8d6a3 100644 --- a/docs/developers/showcase.rst +++ b/docs/developers/showcase.rst @@ -62,7 +62,7 @@ sketched in the :ref:`clients-ssl` section. https.patch_with_certs(ca_certs) else: # Risk insecure connections - https.patch_to_raise_ssl_errors(False) + https.patch_ignore_ssl() Credentials and endpoints ------------------------- @@ -633,7 +633,7 @@ logging more. We also added some command line interaction candy. if ca_certs: https.patch_with_certs(ca_certs) else: - https.patch_to_raise_ssl_errors(False) + https.patch_ignore_ssl() # Create progress bar generator def create_pb(msg): diff --git a/docs/developers/ssl.rst b/docs/developers/ssl.rst index 78076011..428c6502 100644 --- a/docs/developers/ssl.rst +++ b/docs/developers/ssl.rst 
@@ -38,11 +38,10 @@ Ignore SSL Errors from kamaki.clients.utils import https - https.patch_to_raise_ssl_errors(False) + https.patch_ignore_ssl() -.. note:: Ignoring SSL errors works like this: - The https connection module attempts a secure connection. - If it fails, it falls back to an insecure connection. +.. note:: When the connection module is instructed not to use SSL, it won't + attempt to connect securely, even if a certificate is provided. System CA certificates ---------------------- diff --git a/kamaki/cli/__init__.py b/kamaki/cli/__init__.py index 14db4c88..9aa9137b 100644 --- a/kamaki/cli/__init__.py +++ b/kamaki/cli/__init__.py @@ -239,7 +239,7 @@ def _init_session(arguments, is_non_api=False): else: warn = red('WARNING: CA certifications path not set (insecure) ') kloger.warning(warn) - https.patch_to_raise_ssl_errors(not ignore_ssl) + https.patch_ignore_ssl(ignore_ssl) _check_config_version(_cnf.value) diff --git a/kamaki/clients/utils/https.py b/kamaki/clients/utils/https.py index f086a49c..a6163664 100644 --- a/kamaki/clients/utils/https.py +++ b/kamaki/clients/utils/https.py 
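Review bot: `https.patch_ignore_ssl(ignore_ssl)` forwards the value as-is, and `connect()` later tests it by truthiness (`if self.ignore_ssl:`), so any non-empty string would switch certificate verification off. Where `ignore_ssl` is assigned is outside this hunk, so this is unconfirmed; if it can come from a config file as text, normalise it to a real boolean before this call. The only warning visible here is about the missing CA path, so a separate `kloger.warning` when `ignore_ssl` is true would make it clear in the log that verification is actually disabled. `_init_session` starts and ends outside the hunk.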
@@ -43,22 +43,21 @@ log = logging.getLogger(__name__) class HTTPSClientAuthConnection(httplib.HTTPSConnection): """HTTPS connection, with full client-based SSL Authentication support""" - ca_file, raise_ssl_error = None, True + ca_file, ignore_ssl = None, False def __init__(self, *args, **kwargs): """ Extent HTTPSConnection to support SSL authentication :param ca_file: path to CA certificates bundle (default: None) - :param raise_ssl_error: flag (default: True) + :param ignore_ssl: flag (default: False) """ self.ca_file = kwargs.pop('ca_file', self.ca_file) - self.raise_ssl_error = kwargs.pop( - 'raise_ssl_error', self.raise_ssl_error) + self.ignore_ssl = kwargs.pop('ignore_ssl', self.ignore_ssl) httplib.HTTPSConnection.__init__(self, *args, **kwargs) def connect(self): """Connect to a host on a given (SSL) port. - If ca_file is pointing somewhere, use it to check Server Certificate. + Use ca_file to check Server Certificate. Redefined/copied and extended from httplib.py:1105 (Python 2.6.x). This is needed to pass cert_reqs=ssl.CERT_REQUIRED as parameter to @@ -73,15 +72,13 @@ class HTTPSClientAuthConnection(httplib.HTTPSConnection): self.sock = sock self._tunnel() - # If there's no CA File, let the flag decide if there should be a check - if self.raise_ssl_error: + if self.ignore_ssl: self.sock = ssl.wrap_socket( - sock, self.key_file, self.cert_file, - ca_certs=self.ca_file, cert_reqs=ssl.CERT_REQUIRED) + sock, self.key_file, self.cert_file, cert_reqs=ssl.CERT_NONE) else: self.sock = ssl.wrap_socket( sock, self.key_file, self.cert_file, - cert_reqs=ssl.CERT_NONE) + ca_certs=self.ca_file, cert_reqs=ssl.CERT_REQUIRED) http.HTTPConnectionPool._scheme_to_class['https'] = HTTPSClientAuthConnection 
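Review bot: The docstring line `:param ignore_ssl: flag (default: False)` does not say what the flag does, and the name suggests TLS is skipped when the code only disables server certificate verification. I would write `:param ignore_ssl: if True, do not verify the server certificate (cert_reqs=ssl.CERT_NONE); the channel is still encrypted but the peer is unauthenticated (default: False)`. Separately, the old `raise_ssl_error` keyword is no longer popped in `__init__`, so a caller still passing it will hand it to `httplib.HTTPSConnection.__init__`, which presumably raises TypeError. That fails loudly rather than insecurely, but it deserves a mention in the Changelog entry. `connect()` continues past the end of this hunk.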
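Review bot: In the `else` branch, `ssl.wrap_socket(..., ca_certs=self.ca_file, cert_reqs=ssl.CERT_REQUIRED)` validates the chain against the bundle but nothing checks that the certificate was issued for the host being contacted, so a certificate signed by any CA in `ca_file` is accepted for any server. After the wrap I would add a hostname check where the runtime offers one, e.g. `ssl.match_hostname(self.sock.getpeercert(), self.host)`; that function is not in the Python 2.6 `ssl` module, so it needs a guarded import or a backport, and the name to compare should be the tunnel target when `_tunnel()` is in use. In the `if self.ignore_ssl:` branch, a `log.warning('SSL certificate verification is disabled')` would make the unverified connection visible at run time. `connect()` begins in the previous hunk.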
@@ -92,5 +89,5 @@ def patch_with_certs(ca_file): HTTPSClientAuthConnection.ca_file = ca_file -def patch_to_raise_ssl_errors(ssl_errors=True): - HTTPSClientAuthConnection.raise_ssl_error = ssl_errors +def patch_ignore_ssl(insecure_connection=True): + HTTPSClientAuthConnection.ignore_ssl = insecure_connection -- GitLab
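Review bot: `patch_ignore_ssl(insecure_connection=True)` has no docstring, and a bare `patch_ignore_ssl()` sets the class attribute, so every `HTTPSClientAuthConnection` created afterwards without an explicit `ignore_ssl` keyword skips certificate verification. I would add `"""Disable (True) or re-enable (False) server certificate verification for all connections that do not pass ignore_ssl explicitly."""`. Consider dropping the default, `def patch_ignore_ssl(insecure_connection):`, so the insecure state is always spelled out at the call site. The documentation examples in this commit call it with no argument and would then read `https.patch_ignore_ssl(True)`.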