delta/openstack/python-glanceclient.git/tests/test_ssl.py, branch kilo-eol opendev.org: openstack/python-glanceclient.git Fix failure to create glance https connection pool 2015-12-22T16:56:26+00:00 Haikel Guemar hguemar@fedoraproject.org 2015-07-22T09:41:42+00:00 51ff5aebdf5729378ae01e9c4a06a8220fab28bc Due to a typo in an attribute named, an Attribute error is raised causing failure in connection to glance through HTTPS Urllib3 PoolManager class has a connection_pool_kw attribute but not connection_kw Change-Id: Id4d6a5bdcf971d09e80043fd2ab399e208fd931c Closes-Bug: #1479020 (cherry picked from commit c41dcc9f4366429d952cc47853496d58d47b7511) 
Due to a typo in an attribute named, an Attribute error is raised
causing failure in connection to glance through HTTPS

Urllib3 PoolManager class has a connection_pool_kw attribute
but not connection_kw

Change-Id: Id4d6a5bdcf971d09e80043fd2ab399e208fd931c
Closes-Bug: #1479020
(cherry picked from commit c41dcc9f4366429d952cc47853496d58d47b7511)
Fix client when using no ssl compression 2015-04-16T15:05:53+00:00 Stuart McLaren stuart.mclaren@hp.com 2015-04-10T14:25:28+00:00 f9a2a12f178504b7ca6b31a3e1784dd5877ee018 Since the release of the 0.16.1 client, using the 'no ssl compression' option, whether on the command line, or via the library -- Nova does this by default -- a stack trace was generated. Closes-bug: 1442664 Related-bug: 1357430 Change-Id: I2b8ddcb0a7ae3cfccdfc20d3ba476f3b4f4ec32d (cherry picked from commit c698b4e3227b4767f042e435423fcc307d7f6d5c) 
Since the release of the 0.16.1 client, using the 'no ssl compression'
option, whether on the command line, or via the library -- Nova does this by
default -- a stack trace was generated.

Closes-bug: 1442664
Related-bug: 1357430

Change-Id: I2b8ddcb0a7ae3cfccdfc20d3ba476f3b4f4ec32d
(cherry picked from commit c698b4e3227b4767f042e435423fcc307d7f6d5c)
Add SSL cert verification regression tests 2015-04-16T15:02:41+00:00 Stuart McLaren stuart.mclaren@hp.com 2014-08-20T15:58:44+00:00 e572ec1d1fa26dc9c1978dbdc332c054f307a0de A security bug (1357430) was introduced which meant that SSL certificate verification was not occurring. Add new tests which help prevent the 'requests' part of bug 115260 recurring. Note: Cherry-picking onto the stable branch -- these tests are required for proper testing of one of the SSL related fixes. Change-Id: Iaf56fd8bc34fa8f35c2fd7051f9f8424002352cf Related-bug: 1357430 (cherry picked from commit 64a1a0fdcc563579a8b01d10debfafc4cc160f81) 
A security bug (1357430) was introduced which meant that SSL certificate
verification was not occurring.

Add new tests which help prevent the 'requests' part of bug 115260
recurring.

Note: Cherry-picking onto the stable branch -- these tests are required
      for proper testing of one of the SSL related fixes.

Change-Id: Iaf56fd8bc34fa8f35c2fd7051f9f8424002352cf
Related-bug: 1357430
(cherry picked from commit 64a1a0fdcc563579a8b01d10debfafc4cc160f81)
Merge "https: Prevent leaking sockets for some operations" 2015-03-04T08:38:19+00:00 Jenkins jenkins@review.openstack.org 2015-03-04T08:38:19+00:00 5ce1de9da47d0874ee2bf920fdb421c750bc1e89 






Merge "Register our own ConnectionPool without globals"
2015-02-26T21:29:06+00:00

Jenkins
jenkins@review.openstack.org

2015-02-26T21:29:06+00:00

db0179f5c4fa02515b1706e74da545bc1eeb6b54












https: Prevent leaking sockets for some operations
2015-02-18T12:31:24+00:00

Stuart McLaren
stuart.mclaren@hp.com

2015-02-17T17:36:56+00:00

ef9fd9fca05f8da8325ccaa6632e34d1321130bf

Other OpenStack services which instantiate a 'https' glanceclient using
ssl_compression=False and insecure=False (eg Nova, Cinder) are leaking
sockets due to glanceclient not closing the connection to the Glance
server.

This could happen for a sub-set of calls, eg 'show', 'delete', 'update'.

netstat -nopd would show the sockets would hang around forever:

... 127.0.0.1:9292          ESTABLISHED 9552/python      off (0.00/0/0)

urllib's ConnectionPool relies on the garbage collector to tear down
sockets which are no longer in use. The 'verify_callback' function used to
validate SSL certs was holding a reference to the VerifiedHTTPSConnection
instance which prevented the sockets being torn down.

Change-Id: Idb3e68151c48ed623ab89d05d88ea48465429838
Closes-bug: 1423165





Other OpenStack services which instantiate a 'https' glanceclient using
ssl_compression=False and insecure=False (eg Nova, Cinder) are leaking
sockets due to glanceclient not closing the connection to the Glance
server.

This could happen for a sub-set of calls, eg 'show', 'delete', 'update'.

netstat -nopd would show the sockets would hang around forever:

... 127.0.0.1:9292          ESTABLISHED 9552/python      off (0.00/0/0)

urllib's ConnectionPool relies on the garbage collector to tear down
sockets which are no longer in use. The 'verify_callback' function used to
validate SSL certs was holding a reference to the VerifiedHTTPSConnection
instance which prevented the sockets being torn down.

Change-Id: Idb3e68151c48ed623ab89d05d88ea48465429838
Closes-bug: 1423165







Register our own ConnectionPool without globals
2015-02-06T19:49:13+00:00

Ian Cordasco
ian.cordasco@rackspace.com

2014-12-08T21:28:04+00:00

7ee96cbe390b2492f8d837c93f33a8f5bebdb388

Currently, on systems like Fedora and Debian, it is possible to import
urllib3 as well as requests.packages.urllib3. They functionally point to
the same code but sys.modules considers them to be separate items. When
downstream packagers unvendor urllib3 from requests, they also change
all the imports inside of the package. So if the code imports urllib3
from requests.packages.urllib3 and modifies globals in a submodule, that
will not be visible to requests since it has been rewritten to use
urllib3 (not requests.packages.urllib3). By handling this logic
ourselves, we can issue a release until upstream packages and requests
can fix this and cut a new release.

Change-Id: Ic77ce8a06d9d148a899b4b8695990fca8fdaefc5
Closes-bug: 1396550





Currently, on systems like Fedora and Debian, it is possible to import
urllib3 as well as requests.packages.urllib3. They functionally point to
the same code but sys.modules considers them to be separate items. When
downstream packagers unvendor urllib3 from requests, they also change
all the imports inside of the package. So if the code imports urllib3
from requests.packages.urllib3 and modifies globals in a submodule, that
will not be visible to requests since it has been rewritten to use
urllib3 (not requests.packages.urllib3). By handling this logic
ourselves, we can issue a release until upstream packages and requests
can fix this and cut a new release.

Change-Id: Ic77ce8a06d9d148a899b4b8695990fca8fdaefc5
Closes-bug: 1396550







Update HTTPS certificate handling for pep-0476
2014-12-19T13:01:32+00:00

James Page
james.page@ubuntu.com

2014-12-19T12:49:17+00:00

b96f6130265797489e684a4bc123a7a1f5118d2c

This pep (included in python 2.7.9) changes the behaviour of SSL
certificate chain handling to be more py3 like.

Include required new exception behaviour in the list of
exceptions to translate under py2.

https://github.com/python/peps/blob/master/pep-0476.txt

Closes-Bug: 1404227

Change-Id: I7da1a13d1ec861a07fd96684d0431508a214a2c8





This pep (included in python 2.7.9) changes the behaviour of SSL
certificate chain handling to be more py3 like.

Include required new exception behaviour in the list of
exceptions to translate under py2.

https://github.com/python/peps/blob/master/pep-0476.txt

Closes-Bug: 1404227

Change-Id: I7da1a13d1ec861a07fd96684d0431508a214a2c8







Don't replace the https handler in the poolmanager
2014-10-30T08:06:02+00:00

Flavio Percoco
flaper87@gmail.com

2014-07-30T08:57:46+00:00

052904ba32f6e6075b023065bff684042c640c6a

In order to keep the support for `--ssl-nocompression` it was decided to
overwrite the https HTTPAdapter in `requests` poolmanager. Although this
seemed to work correctly, it was causing some issues when using
glanceclient from other services that rely on requests and that were
also configured to use TLS.

THis patch changes implements a different strategy by using
`glance+https` as the scheme to use when `no-compression` is requested.

Closes-bug: #1350251
Closes-bug: #1347150
Closes-bug: #1362766

Change-Id: Ib25237ba821ee20a561a163b79402d1375ebed0b





In order to keep the support for `--ssl-nocompression` it was decided to
overwrite the https HTTPAdapter in `requests` poolmanager. Although this
seemed to work correctly, it was causing some issues when using
glanceclient from other services that rely on requests and that were
also configured to use TLS.

THis patch changes implements a different strategy by using
`glance+https` as the scheme to use when `no-compression` is requested.

Closes-bug: #1350251
Closes-bug: #1347150
Closes-bug: #1362766

Change-Id: Ib25237ba821ee20a561a163b79402d1375ebed0b







Replace old httpclient with requests
2014-07-10T07:52:05+00:00

AmalaBasha
amala.alungal@RACKSPACE.COM

2014-07-01T09:15:12+00:00

dbb242b776908ca50ed8557ebfe7cfcd879366c8

This review implements blueprint python-request and replaces the old
http client implementation in favor of a new one based on
python-requests.

Major changes:
* raw_request and json_request removed since everything is now being
  handled by the same method "_request"
* New methods that match HTTP's methods were added:
    - get
    - put
    - post
    - head
    - patch
    - delete
* Content-Type is now being "inferred" based on the data being sent:
    - if it is file-like object it chunks the request
    - if it is a python type not instance of basestring then it'll try
      to serialize it to json
    - Every other case will keep the incoming content-type and will send
      the data as is.
* Glanceclient's HTTPSConnection implementation will be used if
  no-compression flag is set to True.

Co-Author:  Flavio Percoco<flaper87@gmail.com>
Change-Id: I09f70eee3e2777f52ce040296015d41649c2586a





This review implements blueprint python-request and replaces the old
http client implementation in favor of a new one based on
python-requests.

Major changes:
* raw_request and json_request removed since everything is now being
  handled by the same method "_request"
* New methods that match HTTP's methods were added:
    - get
    - put
    - post
    - head
    - patch
    - delete
* Content-Type is now being "inferred" based on the data being sent:
    - if it is file-like object it chunks the request
    - if it is a python type not instance of basestring then it'll try
      to serialize it to json
    - Every other case will keep the incoming content-type and will send
      the data as is.
* Glanceclient's HTTPSConnection implementation will be used if
  no-compression flag is set to True.

Co-Author:  Flavio Percoco<flaper87@gmail.com>
Change-Id: I09f70eee3e2777f52ce040296015d41649c2586a