Merge "Add TLS context creation from config"

2020-06-22 17:30:08 +00:00 · 2020-06-22 17:30:08 +00:00 · ca4d5a2ba5
parent e5145d977c 996036acd7
commit ca4d5a2ba5
2 changed files with 100 additions and 0 deletions
--- a/oslo_cache/core.py
+++ b/oslo_cache/core.py
@ -34,6 +34,7 @@ The library has special public value for nonexistent or expired keys called
    from oslo_cache import core
    NO_VALUE = core.NO_VALUE
 """
+import ssl

 import dogpile.cache
 from dogpile.cache import api
@ -145,6 +146,27 @@ def _build_cache_config(conf):
        value = getattr(conf.cache, 'memcache_' + arg)
        conf_dict['%s.arguments.%s' % (prefix, arg)] = value

+    if conf.cache.tls_enabled:
+        _LOG.debug('Oslo Cache TLS - CA: %s', conf.cache.tls_cafile)
+        tls_context = ssl.create_default_context(cafile=conf.cache.tls_cafile)
+
+        if conf.cache.tls_certfile is not None:
+            _LOG.debug('Oslo Cache TLS - cert: %s', conf.cache.tls_certfile)
+            _LOG.debug('Oslo Cache TLS - key: %s', conf.cache.tls_keyfile)
+            tls_context.load_cert_chain(
+                conf.cache.tls_certfile,
+                conf.cache.tls_keyfile,
+            )
+
+        if conf.cache.tls_allowed_ciphers is not None:
+            _LOG.debug(
+                'Oslo Cache TLS - ciphers: %s',
+                conf.cache.tls_allowed_ciphers,
+            )
+            tls_context.set_ciphers(conf.cache.tls_allowed_ciphers)
+
+        conf_dict['%s.arguments.tls_context' % prefix] = tls_context
+
    return conf_dict


--- a/oslo_cache/tests/unit/test_cache_basics.py
+++ b/oslo_cache/tests/unit/test_cache_basics.py
@ -14,6 +14,7 @@
 # under the License.

 import copy
+import ssl
 import time
 from unittest import mock

@ -274,6 +275,83 @@ class CacheRegionTest(test_cache.BaseTestCase):
            _opts._DEFAULT_BACKEND,
            config_dict['test_prefix.backend'])

+    def test_cache_dictionary_config_builder_tls_disabled(self):
+        """Validate the backend is reset to default if caching is disabled."""
+        self.config_fixture.config(group='cache',
+                                   enabled=True,
+                                   config_prefix='test_prefix',
+                                   backend='oslo_cache.dict',
+                                   tls_cafile='path_to_ca_file',
+                                   tls_keyfile='path_to_key_file',
+                                   tls_certfile='path_to_cert_file',
+                                   tls_allowed_ciphers='allowed_ciphers')
+
+        with mock.patch.object(ssl, 'create_default_context'):
+            config_dict = cache._build_cache_config(self.config_fixture.conf)
+
+            self.assertFalse(self.config_fixture.conf.cache.tls_enabled)
+            ssl.create_default_context.assert_not_called()
+            self.assertNotIn('test_prefix.arguments.tls_context', config_dict)
+
+    def test_cache_dictionary_config_builder_tls_enabled(self):
+        """Validate the backend is reset to default if caching is disabled."""
+        self.config_fixture.config(group='cache',
+                                   enabled=True,
+                                   config_prefix='test_prefix',
+                                   backend='oslo_cache.dict',
+                                   tls_enabled=True)
+
+        fake_context = mock.Mock()
+        with mock.patch.object(ssl, 'create_default_context',
+                               return_value=fake_context):
+            config_dict = cache._build_cache_config(self.config_fixture.conf)
+
+            self.assertTrue(self.config_fixture.conf.cache.tls_enabled)
+
+            ssl.create_default_context.assert_called_with(cafile=None)
+            fake_context.load_cert_chain.assert_not_called()
+            fake_context.set_ciphers.assert_not_called()
+
+            self.assertEqual(
+                fake_context,
+                config_dict['test_prefix.arguments.tls_context'],
+            )
+
+    def test_cache_dictionary_config_builder_tls_enabled_with_config(self):
+        """Validate the backend is reset to default if caching is disabled."""
+        self.config_fixture.config(group='cache',
+                                   enabled=True,
+                                   config_prefix='test_prefix',
+                                   backend='oslo_cache.dict',
+                                   tls_enabled=True,
+                                   tls_cafile='path_to_ca_file',
+                                   tls_keyfile='path_to_key_file',
+                                   tls_certfile='path_to_cert_file',
+                                   tls_allowed_ciphers='allowed_ciphers')
+
+        fake_context = mock.Mock()
+        with mock.patch.object(ssl, 'create_default_context',
+                               return_value=fake_context):
+            config_dict = cache._build_cache_config(self.config_fixture.conf)
+
+            self.assertTrue(self.config_fixture.conf.cache.tls_enabled)
+
+            ssl.create_default_context.assert_called_with(
+                cafile='path_to_ca_file',
+            )
+            fake_context.load_cert_chain.assert_called_with(
+                'path_to_cert_file',
+                'path_to_key_file',
+            )
+            fake_context.set_ciphers.assert_called_with(
+                'allowed_ciphers'
+            )
+
+            self.assertEqual(
+                fake_context,
+                config_dict['test_prefix.arguments.tls_context'],
+            )
+
    def test_cache_debug_proxy(self):
        single_value = 'Test Value'
        single_key = 'testkey'