Revert "Add tls_version option when creating NSXHTTPAdapter"

This reverts commit 49d9ef1031d9c9373d53c9be10e00d4cc5d7bdb9.

Reason for revert: this change is not required.

Change-Id: Ie856ab86ac7659f21007881163f28e1e70b451c5
Yun-Tang Hsu 2024-11-15 19:16:11 +00:00 committed by Gerrit Code Review
parent 49d9ef1031
commit 1c67001037
5 changed files with 25 additions and 116 deletions


@ -14,7 +14,6 @@
# limitations under the License. # limitations under the License.
# #
import copy import copy
import ssl
import unittest import unittest
from unittest import mock from unittest import mock
@ -117,8 +116,7 @@ def get_default_nsxlib_config(allow_passthrough=True):
dns_domain=DNS_DOMAIN, dns_domain=DNS_DOMAIN,
allow_passthrough=allow_passthrough, allow_passthrough=allow_passthrough,
realization_max_attempts=3, realization_max_attempts=3,
realization_wait_sec=0.2, realization_wait_sec=0.2
tls_version=ssl.TLSVersion.TLSv1_3
) )
@ -214,7 +212,7 @@ class NsxClientTestCase(NsxLibTestCase):
retries=retries or NSX_HTTP_RETRIES, retries=retries or NSX_HTTP_RETRIES,
insecure=insecure if insecure is not None else NSX_INSECURE, insecure=insecure if insecure is not None else NSX_INSECURE,
token_provider=None, token_provider=None,
ca_file=ca_file, ca_file=ca_file or NSX_CERT,
concurrent_connections=(concurrent_connections or concurrent_connections=(concurrent_connections or
NSX_CONCURENT_CONN), NSX_CONCURENT_CONN),
http_timeout=http_timeout or NSX_HTTP_TIMEOUT, http_timeout=http_timeout or NSX_HTTP_TIMEOUT,
@ -287,12 +285,10 @@ class NsxClientTestCase(NsxLibTestCase):
else: else:
self._session_responses = None self._session_responses = None
def new_connection(self, cluster_api, provider, tls_version=None): def new_connection(self, cluster_api, provider):
# wrapper the session so we can intercept and record calls # wrapper the session so we can intercept and record calls
session = super(NsxClientTestCase.MockHTTPProvider, session = super(NsxClientTestCase.MockHTTPProvider,
self).new_connection(cluster_api, self).new_connection(cluster_api, provider)
provider,
tls_version=None)
mock_adapter = mock.Mock() mock_adapter = mock.Mock()
session_send = session.send session_send = session.send
@ -428,5 +424,5 @@ class NsxClientTestCase(NsxLibTestCase):
headers = self.default_headers() headers = self.default_headers()
cluster.assert_called_once( cluster.assert_called_once(
method, method,
**{'url': url, 'verify': True, 'body': data, **{'url': url, 'verify': NSX_CERT, 'body': data,
'headers': headers, 'cert': None, 'timeout': timeout}) 'headers': headers, 'cert': None, 'timeout': timeout})


@ -54,7 +54,7 @@ def _headers(**kwargs):
def assert_call(verb, client_or_resource, def assert_call(verb, client_or_resource,
url, verify=True, url, verify=nsxlib_testcase.NSX_CERT,
data=None, headers=DFT_ACCEPT_HEADERS, data=None, headers=DFT_ACCEPT_HEADERS,
timeout=(nsxlib_testcase.NSX_HTTP_TIMEOUT, timeout=(nsxlib_testcase.NSX_HTTP_TIMEOUT,
nsxlib_testcase.NSX_HTTP_READ_TIMEOUT), nsxlib_testcase.NSX_HTTP_READ_TIMEOUT),
@ -84,7 +84,7 @@ def mock_calls_count(verb, client_or_resource):
def assert_json_call(verb, client_or_resource, url, def assert_json_call(verb, client_or_resource, url,
verify=True, verify=nsxlib_testcase.NSX_CERT,
data=None, data=None,
headers=JSON_DFT_ACCEPT_HEADERS, headers=JSON_DFT_ACCEPT_HEADERS,
single_call=True): single_call=True):


@ -13,7 +13,6 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
# #
import ssl
import unittest import unittest
from unittest import mock from unittest import mock
from urllib import parse as urlparse from urllib import parse as urlparse
@ -67,7 +66,6 @@ class RequestsHTTPProviderTestCase(unittest.TestCase):
mock_api.nsxlib_config.http_timeout = 99 mock_api.nsxlib_config.http_timeout = 99
mock_api.nsxlib_config.conn_idle_timeout = 39 mock_api.nsxlib_config.conn_idle_timeout = 39
mock_api.nsxlib_config.client_cert_provider = None mock_api.nsxlib_config.client_cert_provider = None
mock_api.nsxlib_config.tls_version = ssl.TLSVersion.TLSv1_3
provider = cluster.NSXRequestsHTTPProvider() provider = cluster.NSXRequestsHTTPProvider()
with mock.patch.object( with mock.patch.object(
cluster.TimeoutSession, 'request', cluster.TimeoutSession, 'request',
@ -164,17 +162,13 @@ class RequestsHTTPProviderTestCase(unittest.TestCase):
return_value=get_sess_create_resp()): return_value=get_sess_create_resp()):
session = provider.new_connection( session = provider.new_connection(
mock_api, cluster.Provider('9.8.7.6', 'https://9.8.7.6', mock_api, cluster.Provider('9.8.7.6', 'https://9.8.7.6',
None, None, "ca_file"), None, None, "ca_file"))
tls_version=ssl.TLSVersion.TLSv1_3
)
self.assertEqual(True, session.verify) self.assertEqual("ca_file", session.verify)
mock_adaptor_init.assert_called_once_with( mock_adaptor_init.assert_called_once_with(
pool_connections=1, pool_maxsize=1, pool_connections=1, pool_maxsize=1,
max_retries=100, pool_block=False, max_retries=100, pool_block=False,
thumbprint=None, assert_hostname=None, nsx_cert_der=None, thumbprint=None, assert_hostname=None, nsx_cert_der=None)
tls_version=ssl.TLSVersion.TLSv1_3,
ca_file='ca_file')
@mock.patch("vmware_nsxlib.v3.debug_retry.RetryDebug.from_int") @mock.patch("vmware_nsxlib.v3.debug_retry.RetryDebug.from_int")
@mock.patch("vmware_nsxlib.v3.cluster.NSXHTTPAdapter.__init__") @mock.patch("vmware_nsxlib.v3.cluster.NSXHTTPAdapter.__init__")
@ -192,16 +186,13 @@ class RequestsHTTPProviderTestCase(unittest.TestCase):
return_value=get_sess_create_resp()): return_value=get_sess_create_resp()):
session = provider.new_connection( session = provider.new_connection(
mock_api, cluster.Provider('9.8.7.6', 'https://9.8.7.6', mock_api, cluster.Provider('9.8.7.6', 'https://9.8.7.6',
None, None, "ca_file"), None, None, "ca_file"))
tls_version=ssl.TLSVersion.TLSv1_3)
self.assertEqual(True, session.verify) self.assertEqual("ca_file", session.verify)
mock_adaptor_init.assert_called_once_with( mock_adaptor_init.assert_called_once_with(
pool_connections=1, pool_maxsize=1, pool_connections=1, pool_maxsize=1,
max_retries=100, pool_block=False, max_retries=100, pool_block=False,
thumbprint=None, assert_hostname=False, nsx_cert_der=None, thumbprint=None, assert_hostname=False, nsx_cert_der=None)
tls_version=ssl.TLSVersion.TLSv1_3,
ca_file='ca_file')
@mock.patch("vmware_nsxlib.v3.debug_retry.RetryDebug.from_int") @mock.patch("vmware_nsxlib.v3.debug_retry.RetryDebug.from_int")
@mock.patch("vmware_nsxlib.v3.cluster.NSXHTTPAdapter.__init__") @mock.patch("vmware_nsxlib.v3.cluster.NSXHTTPAdapter.__init__")
@ -219,16 +210,14 @@ class RequestsHTTPProviderTestCase(unittest.TestCase):
return_value=get_sess_create_resp()): return_value=get_sess_create_resp()):
session = provider.new_connection( session = provider.new_connection(
mock_api, cluster.Provider('9.8.7.6', 'https://9.8.7.6', mock_api, cluster.Provider('9.8.7.6', 'https://9.8.7.6',
None, None, None, "thumbprint"), None, None, None, "thumbprint"))
tls_version=ssl.TLSVersion.TLSv1_3)
self.assertIsNone(session.verify) self.assertIsNone(session.verify)
mock_adaptor_init.assert_called_once_with( mock_adaptor_init.assert_called_once_with(
pool_connections=1, pool_maxsize=1, pool_connections=1, pool_maxsize=1,
max_retries=100, pool_block=False, max_retries=100, pool_block=False,
thumbprint="thumbprint", assert_hostname=None, thumbprint="thumbprint", assert_hostname=None,
nsx_cert_der=None, tls_version=ssl.TLSVersion.TLSv1_3, nsx_cert_der=None)
ca_file=None)
@mock.patch("vmware_nsxlib.v3.debug_retry.RetryDebug.from_int") @mock.patch("vmware_nsxlib.v3.debug_retry.RetryDebug.from_int")
@mock.patch("vmware_nsxlib.v3.cluster.NSXHTTPAdapter.__init__") @mock.patch("vmware_nsxlib.v3.cluster.NSXHTTPAdapter.__init__")
@ -247,17 +236,14 @@ class RequestsHTTPProviderTestCase(unittest.TestCase):
session = provider.new_connection( session = provider.new_connection(
mock_api, cluster.Provider( mock_api, cluster.Provider(
'9.8.7.6', 'https://9.8.7.6', None, '9.8.7.6', 'https://9.8.7.6', None,
None, None, None, "nsx_cert_der"), None, None, None, "nsx_cert_der"))
tls_version=ssl.TLSVersion.TLSv1_3)
self.assertIsNone(session.verify) self.assertIsNone(session.verify)
mock_adaptor_init.assert_called_once_with( mock_adaptor_init.assert_called_once_with(
pool_connections=1, pool_maxsize=1, pool_connections=1, pool_maxsize=1,
max_retries=100, pool_block=False, max_retries=100, pool_block=False,
thumbprint=None, assert_hostname=None, thumbprint=None, assert_hostname=None,
nsx_cert_der="nsx_cert_der", nsx_cert_der="nsx_cert_der")
tls_version=ssl.TLSVersion.TLSv1_3,
ca_file=None)
def test_validate_connection_keep_alive(self): def test_validate_connection_keep_alive(self):
mock_conn = mocks.MockRequestSessionApi() mock_conn = mocks.MockRequestSessionApi()
@ -314,50 +300,8 @@ class NSXHTTPAdapterTestCase(nsxlib_testcase.NsxClientTestCase):
cluster.NSXHTTPAdapter(thumbprint="thumbprint") cluster.NSXHTTPAdapter(thumbprint="thumbprint")
mock_init_poolmanager.assert_called_once_with( mock_init_poolmanager.assert_called_once_with(
mock.ANY, mock.ANY, block=mock.ANY, mock.ANY, mock.ANY, block=mock.ANY,
ssl_context=mock.ANY,
assert_fingerprint="thumbprint") assert_fingerprint="thumbprint")
@mock.patch("ssl.create_default_context")
@mock.patch("ssl.SSLContext")
@mock.patch("requests.adapters.HTTPAdapter.init_poolmanager")
def test_init_poolmanager_with_tls_version(
self, mock_init_poolmanager, mock_ssl, mock_ssl_create_default):
mock_ctx = mock.Mock()
mock_ctx_default = mock.Mock()
mock_ssl.return_value = mock_ctx
mock_ssl_create_default.return_value = mock_ctx_default
cluster.NSXHTTPAdapter(thumbprint="thumbprint",
tls_version=ssl.TLSVersion.TLSv1_3,
ca_file=None)
mock_init_poolmanager.assert_called_once_with(
mock.ANY, mock.ANY, block=mock.ANY,
ssl_context=mock_ctx,
assert_fingerprint="thumbprint")
mock_ssl.assert_called_once_with(ssl.PROTOCOL_TLS_CLIENT)
mock_ssl_create_default.assert_called_once_with(cafile=None)
self.assertEqual(mock_ctx.minimum_version,
ssl.TLSVersion.TLSv1_3)
self.assertEqual(mock_ctx.check_hostname, False)
@mock.patch("ssl.create_default_context")
@mock.patch("ssl.SSLContext")
@mock.patch("requests.adapters.HTTPAdapter.init_poolmanager")
def test_init_poolmanager_with_tls_version_with_ca(
self, mock_init_poolmanager, mock_ssl, mock_ssl_create_default):
mock_ctx = mock.Mock()
mock_ctx_default = mock.Mock()
mock_ssl_create_default.return_value = mock_ctx_default
cluster.NSXHTTPAdapter(thumbprint=None,
tls_version=ssl.TLSVersion.TLSv1_3,
ca_file='test')
mock_init_poolmanager.assert_called_once_with(
mock.ANY, mock.ANY, block=mock.ANY,
ssl_context=mock_ctx_default)
mock_ssl_create_default.assert_called_once_with(cafile='test')
mock_ctx.assert_not_called()
self.assertEqual(mock_ctx_default.minimum_version,
ssl.TLSVersion.TLSv1_3)
class NsxV3ClusteredAPITestCase(nsxlib_testcase.NsxClientTestCase): class NsxV3ClusteredAPITestCase(nsxlib_testcase.NsxClientTestCase):
@ -387,8 +331,7 @@ class NsxV3ClusteredAPITestCase(nsxlib_testcase.NsxClientTestCase):
self._assert_providers( self._assert_providers(
api, [(urlparse.urlparse(p).netloc, p) for p in conf_managers]) api, [(urlparse.urlparse(p).netloc, p) for p in conf_managers])
@mock.patch("ssl.create_default_context") def test_http_retries(self):
def test_http_retries(self, mock_ssl):
api = self.mock_nsx_clustered_api(retries=9) api = self.mock_nsx_clustered_api(retries=9)
with api.endpoints['1.2.3.4'].pool.item() as session: with api.endpoints['1.2.3.4'].pool.item() as session:
self.assertEqual( self.assertEqual(


@ -24,7 +24,6 @@ import inspect
import itertools import itertools
import logging import logging
import re import re
import ssl
import time import time
from urllib import parse as urlparse from urllib import parse as urlparse
@ -206,7 +205,7 @@ class NSXRequestsHTTPProvider(AbstractHTTPProvider):
raise exceptions.ResourceNotFound( raise exceptions.ResourceNotFound(
manager=endpoint.provider.url, operation=msg) manager=endpoint.provider.url, operation=msg)
def new_connection(self, cluster_api, provider, tls_version=None): def new_connection(self, cluster_api, provider):
config = cluster_api.nsxlib_config config = cluster_api.nsxlib_config
session = TimeoutSession(config.http_timeout, session = TimeoutSession(config.http_timeout,
config.http_read_timeout) config.http_read_timeout)
@ -221,15 +220,13 @@ class NSXRequestsHTTPProvider(AbstractHTTPProvider):
session.max_redirects = 0 session.max_redirects = 0
thumbprint = None thumbprint = None
nsx_cert_der = None nsx_cert_der = None
ca_file = None
if config.insecure: if config.insecure:
# no verification on server certificate # no verification on server certificate
session.verify = False session.verify = False
elif provider.ca_file: elif provider.ca_file:
# verify using the said ca bundle path # verify using the said ca bundle path
session.verify = True session.verify = provider.ca_file
ca_file = provider.ca_file
elif provider.nsx_cert_der: elif provider.nsx_cert_der:
session.verify = None session.verify = None
nsx_cert_der = provider.nsx_cert_der nsx_cert_der = provider.nsx_cert_der
@ -247,10 +244,7 @@ class NSXRequestsHTTPProvider(AbstractHTTPProvider):
max_retries=RetryDebug.from_int(config.retries), max_retries=RetryDebug.from_int(config.retries),
pool_block=False, thumbprint=thumbprint, pool_block=False, thumbprint=thumbprint,
assert_hostname=config.ssl_assert_hostname, assert_hostname=config.ssl_assert_hostname,
nsx_cert_der=nsx_cert_der, nsx_cert_der=nsx_cert_der)
tls_version=tls_version,
ca_file=ca_file
)
session.mount('http://', adapter) session.mount('http://', adapter)
session.mount('https://', adapter) session.mount('https://', adapter)
@ -344,27 +338,9 @@ class NSXHTTPAdapter(adapters.HTTPAdapter):
self.thumbprint = kwargs.pop("thumbprint", None) self.thumbprint = kwargs.pop("thumbprint", None)
self.assert_hostname = kwargs.pop("assert_hostname", None) self.assert_hostname = kwargs.pop("assert_hostname", None)
self.nsx_cert_der = kwargs.pop("nsx_cert_der", None) self.nsx_cert_der = kwargs.pop("nsx_cert_der", None)
self.tls_version = kwargs.pop("tls_version", None)
self.ca_file = kwargs.pop("ca_file", None)
# PROTOCOL_TLS_CLIENT supports TLSv1.2 and TLSv1.3.
# check_hostname and CERT_REQUIRED is enabled by default.
try:
self.ssl_context = ssl.create_default_context(
cafile=self.ca_file)
except ssl.SSLError:
raise exceptions.CertificateError
if self.thumbprint or self.nsx_cert_der:
self.ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
# Hostname checking is bypassed with thumbprint verification
self.ssl_context.check_hostname = False
self.ssl_context.verify_mode = ssl.CERT_NONE
# Set the minimum TLS version to the target version
if self.tls_version:
self.ssl_context.minimum_version = self.tls_version
super(NSXHTTPAdapter, self).__init__(*args, **kwargs) super(NSXHTTPAdapter, self).__init__(*args, **kwargs)
def init_poolmanager(self, *args, **kwargs): def init_poolmanager(self, *args, **kwargs):
kwargs['ssl_context'] = self.ssl_context
if self.thumbprint: if self.thumbprint:
kwargs["assert_fingerprint"] = self.thumbprint kwargs["assert_fingerprint"] = self.thumbprint
if self.assert_hostname is not None: if self.assert_hostname is not None:
@ -564,8 +540,7 @@ class ClusteredAPI(object):
api_rate_limit=None, api_rate_limit=None,
api_rate_mode=None, api_rate_mode=None,
api_log_mode=None, api_log_mode=None,
enable_health_check=True, enable_health_check=True):
tls_version=None):
self._http_provider = http_provider self._http_provider = http_provider
self._keepalive_interval = keepalive_interval self._keepalive_interval = keepalive_interval
@ -573,7 +548,6 @@ class ClusteredAPI(object):
self._silent = False self._silent = False
self._api_call_collectors = [] self._api_call_collectors = []
self._enable_health_check = enable_health_check self._enable_health_check = enable_health_check
self._tls_version = tls_version
def _init_cluster(*args, **kwargs): def _init_cluster(*args, **kwargs):
self._init_endpoints(providers, min_conns_per_pool, self._init_endpoints(providers, min_conns_per_pool,
@ -598,8 +572,7 @@ class ClusteredAPI(object):
def _create_conn(p): def _create_conn(p):
def _conn(): def _conn():
return self._http_provider.new_connection( return self._http_provider.new_connection(self, p)
self, p, tls_version=self._tls_version)
return _conn return _conn
@ -965,8 +938,7 @@ class NSXClusteredAPI(ClusteredAPI):
api_rate_limit=self.nsxlib_config.api_rate_limit_per_endpoint, api_rate_limit=self.nsxlib_config.api_rate_limit_per_endpoint,
api_rate_mode=self.nsxlib_config.api_rate_mode, api_rate_mode=self.nsxlib_config.api_rate_mode,
api_log_mode=self.nsxlib_config.api_log_mode, api_log_mode=self.nsxlib_config.api_log_mode,
enable_health_check=self.nsxlib_config.enable_health_check, enable_health_check=self.nsxlib_config.enable_health_check)
tls_version=self.nsxlib_config.tls_version)
LOG.debug("Created NSX clustered API with '%s' " LOG.debug("Created NSX clustered API with '%s' "
"provider", self._http_provider.provider_id) "provider", self._http_provider.provider_id)
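Review bot: With the `ssl_context` construction removed from `NSXHTTPAdapter.__init__`, the adapter no longer pins a minimum TLS version or pre-loads the CA bundle, so both are left to whatever the installed requests/urllib3 versions negotiate by default; that is acceptable only if those defaults are known to refuse TLS below 1.2 against the NSX managers this library talks to. The revert also drops the early `exceptions.CertificateError` for an unloadable `ca_file`: in `new_connection` the path is now just assigned via `session.verify = provider.ca_file` and is presumably only opened when the first request is sent, so a bad bundle path fails per request rather than at connection creation. I would record that on the `elif provider.ca_file:` branch: `# bundle path is handed to requests and read on first use; an unreadable file fails at request time, not here`. Removing the `tls_version` keyword from `new_connection` and `ClusteredAPI.__init__` is a `TypeError` for any caller that adopted it, which matters only if the reverted commit ever shipped. The bodies of `new_connection`, `NSXHTTPAdapter.__init__`, `init_poolmanager` and `ClusteredAPI.__init__` all continue outside the hunks shown.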


@ -216,8 +216,7 @@ class NsxLibConfig(object):
api_log_mode=None, api_log_mode=None,
enable_health_check=True, enable_health_check=True,
ssl_assert_hostname=None, ssl_assert_hostname=None,
nsx_cert_der=None, nsx_cert_der=None):
tls_version=None):
self.nsx_api_managers = nsx_api_managers self.nsx_api_managers = nsx_api_managers
self._username = username self._username = username
@ -252,7 +251,6 @@ class NsxLibConfig(object):
self.enable_health_check = enable_health_check self.enable_health_check = enable_health_check
self.ssl_assert_hostname = ssl_assert_hostname self.ssl_assert_hostname = ssl_assert_hostname
self._nsx_cert_der = nsx_cert_der self._nsx_cert_der = nsx_cert_der
self.tls_version = tls_version
if len(nsx_api_managers) == 1 and not self.cluster_unavailable_retry: if len(nsx_api_managers) == 1 and not self.cluster_unavailable_retry:
LOG.warning("When only one endpoint is provided, keepalive probes" LOG.warning("When only one endpoint is provided, keepalive probes"
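Review bot: Dropping the `tls_version` keyword from `NsxLibConfig.__init__` is a hard break for any caller that passed it: the call now raises `TypeError` at construction instead of the option being ignored. If the reverted commit ever reached a tagged release, keep `tls_version=None` in the signature for one cycle and log a deprecation warning when it is supplied; if it never shipped, the revert is safe and one sentence saying so in the commit message would spare the next reader the question. `NsxLibConfig.__init__` begins before and continues past the hunk shown.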