-rw-r--r--.zuul.yaml2
-rw-r--r--doc/source/admin/rabbit.rst1
-rw-r--r--oslo_messaging/_drivers/impl_rabbit.py25
-rw-r--r--oslo_messaging/exceptions.py4
-rw-r--r--oslo_messaging/tests/drivers/test_impl_rabbit.py87
-rw-r--r--releasenotes/notes/enforce_fips_mode-07dd259eb8a73c2b.yaml10
-rw-r--r--releasenotes/source/index.rst1
-rw-r--r--releasenotes/source/yoga.rst6
-rw-r--r--setup.cfg4
9 files changed, 129 insertions, 11 deletions
diff --git a/.zuul.yaml b/.zuul.yaml
index e8fc581..92d0ffc 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -108,7 +108,7 @@
- check-requirements
- lib-forward-testing-python3
- openstack-cover-jobs
- - openstack-python3-yoga-jobs
+ - openstack-python3-zed-jobs
- periodic-stable-jobs
- publish-openstack-docs-pti
- release-notes-jobs-python3
diff --git a/doc/source/admin/rabbit.rst b/doc/source/admin/rabbit.rst
index 23db352..b9433a5 100644
--- a/doc/source/admin/rabbit.rst
+++ b/doc/source/admin/rabbit.rst
@@ -270,3 +270,4 @@ Security Options
- :oslo.config:option:`oslo_messaging_rabbit.ssl_key_file`
- :oslo.config:option:`oslo_messaging_rabbit.ssl_cert_file`
- :oslo.config:option:`oslo_messaging_rabbit.rabbit_login_method`
+- :oslo.config:option:`oslo_messaging_rabbit.ssl_enforce_fips_mode`
diff --git a/oslo_messaging/_drivers/impl_rabbit.py b/oslo_messaging/_drivers/impl_rabbit.py
index 6f737c4..ed2642c 100644
--- a/oslo_messaging/_drivers/impl_rabbit.py
+++ b/oslo_messaging/_drivers/impl_rabbit.py
@@ -82,6 +82,15 @@ rabbit_opts = [
deprecated_name='kombu_ssl_ca_certs',
help='SSL certification authority file '
'(valid only if SSL enabled).'),
+ cfg.BoolOpt('ssl_enforce_fips_mode',
+ default=False,
+ help='Global toggle for enforcing the OpenSSL FIPS mode. '
+ 'This feature requires Python support. '
+ 'This is available in Python 3.9 in all '
+ 'environments and may have been backported to older '
+ 'Python versions on select environments. If the Python '
+ 'executable used does not support OpenSSL FIPS mode, '
+ 'an exception will be raised.'),
cfg.BoolOpt('heartbeat_in_pthread',
default=True,
help="Run the health check heartbeat thread "
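Review bot: The help text for `ssl_enforce_fips_mode` states that the feature is available in Python 3.9 in all environments, but the driver in this commit detects it only through `hasattr(ssl, 'FIPS_mode')`. As far as I know those functions come from distribution patches rather than upstream CPython, so the claim should be verified or softened. "Global toggle" is also vague for an operator: the switch changes OpenSSL state for the whole process, not just for RabbitMQ connections. I would reword along the lines of `'Enforce OpenSSL FIPS mode for the whole process. Requires a Python build whose ssl module exposes FIPS mode support; otherwise an exception is raised when the connection is set up.'`.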
@@ -116,7 +125,7 @@ rabbit_opts = [
'unavailable. Takes effect only if more than one '
'RabbitMQ node is provided in config.'),
cfg.StrOpt('rabbit_login_method',
- choices=('PLAIN', 'AMQPLAIN', 'RABBIT-CR-DEMO'),
+ choices=('PLAIN', 'AMQPLAIN', 'EXTERNAL', 'RABBIT-CR-DEMO'),
default='AMQPLAIN',
deprecated_group='DEFAULT',
help='The RabbitMQ login method.'),
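Review bot: Adding `'EXTERNAL'` to the `rabbit_login_method` choices changes how the client authenticates, yet the help string stays `'The RabbitMQ login method.'` and neither the release note nor the admin doc in this commit mentions it. With EXTERNAL the broker normally takes the identity from the TLS client certificate instead of a password, so it is only meaningful with `ssl` enabled and `ssl_cert_file`/`ssl_key_file` set. The help should say so, for example `help='The RabbitMQ login method. EXTERNAL authenticates with the TLS client certificate and requires ssl, ssl_cert_file and ssl_key_file.'`. Nothing visible in these hunks rejects EXTERNAL when ssl is off; a check at connection setup would replace an opaque broker-side authentication failure with a clear configuration error.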
@@ -565,6 +574,7 @@ class Connection(object):
self.kombu_failover_strategy = driver_conf.kombu_failover_strategy
self.kombu_compression = driver_conf.kombu_compression
self.heartbeat_in_pthread = driver_conf.heartbeat_in_pthread
+ self.ssl_enforce_fips_mode = driver_conf.ssl_enforce_fips_mode
self.enable_cancel_on_failover = driver_conf.enable_cancel_on_failover
if self.heartbeat_in_pthread:
@@ -602,6 +612,19 @@ class Connection(object):
self.ssl_cert_file = driver_conf.ssl_cert_file
self.ssl_ca_file = driver_conf.ssl_ca_file
+ if self.ssl_enforce_fips_mode:
+ if hasattr(ssl, 'FIPS_mode'):
+ LOG.info("Enforcing the use of the OpenSSL FIPS mode")
+ ssl.FIPS_mode_set(1)
+ else:
+ raise exceptions.ConfigurationError(
+ "OpenSSL FIPS mode is not supported by your Python "
+ "version. You must either change the Python "
+ "executable used to a version with FIPS mode "
+ "support or disable FIPS mode by setting the "
+ "'[oslo_messaging_rabbit] ssl_enforce_fips_mode' "
+ "configuration option to 'False'.")
+
self._url = ''
if url.hosts:
if url.transport.startswith('kombu+'):
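Review bot: The guard tests `hasattr(ssl, 'FIPS_mode')` but the call that follows is `ssl.FIPS_mode_set(1)`, so a build exposing only the first name passes the check and then fails with AttributeError instead of ConfigurationError; probe the name that is called, `if hasattr(ssl, 'FIPS_mode_set'):`. Nothing confirms that the switch took effect either. For an option named "enforce", reading the state back right after the set, `if not ssl.FIPS_mode(): raise exceptions.ConfigurationError(...)`, would make the path fail closed. The call changes OpenSSL state for the whole interpreter and appears to run on every Connection construction, which deserves a comment such as `# process-wide: affects every OpenSSL user in this interpreter`. The enclosing method starts and ends outside the hunk, and with indentation lost on this page I cannot tell whether the block is conditional on ssl being enabled.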
diff --git a/oslo_messaging/exceptions.py b/oslo_messaging/exceptions.py
index 48645b3..391fe46 100644
--- a/oslo_messaging/exceptions.py
+++ b/oslo_messaging/exceptions.py
@@ -47,3 +47,7 @@ class MessageUndeliverable(Exception):
self.exchange = exchange
self.routing_key = routing_key
self.message = message
+
+
+class ConfigurationError(Exception):
+ """Raised when messaging isn't configured correctly."""
diff --git a/oslo_messaging/tests/drivers/test_impl_rabbit.py b/oslo_messaging/tests/drivers/test_impl_rabbit.py
index 8955661..dbbf33c 100644
--- a/oslo_messaging/tests/drivers/test_impl_rabbit.py
+++ b/oslo_messaging/tests/drivers/test_impl_rabbit.py
@@ -31,6 +31,7 @@ import oslo_messaging
from oslo_messaging._drivers import amqpdriver
from oslo_messaging._drivers import common as driver_common
from oslo_messaging._drivers import impl_rabbit as rabbit_driver
+from oslo_messaging.exceptions import ConfigurationError
from oslo_messaging.exceptions import MessageDeliveryFailure
from oslo_messaging.tests import utils as test_utils
from oslo_messaging.transport import DriverLoadFailure
@@ -205,6 +206,65 @@ class TestRabbitDriverLoadSSL(test_utils.BaseTestCase):
)
+class TestRabbitDriverLoadSSLWithFIPS(test_utils.BaseTestCase):
+ scenarios = [
+ ('ssl_fips_mode', dict(options=dict(ssl=True,
+ ssl_enforce_fips_mode=True),
+ expected=True)),
+ ]
+
+ @mock.patch('oslo_messaging._drivers.impl_rabbit.Connection'
+ '.ensure_connection')
+ @mock.patch('kombu.connection.Connection')
+ def test_driver_load_with_fips_supported(self,
+ connection_klass, fake_ensure):
+ self.config(ssl=True, ssl_enforce_fips_mode=True,
+ group="oslo_messaging_rabbit")
+ transport = oslo_messaging.get_transport(self.conf,
+ 'kombu+memory:////')
+ self.addCleanup(transport.cleanup)
+
+ with mock.patch.object(ssl, 'FIPS_mode',
+ create=True, return_value=True):
+ with mock.patch.object(ssl, 'FIPS_mode_set', create=True):
+
+ connection = transport._driver._get_connection()
+ connection_klass.assert_called_once_with(
+ 'memory:///', transport_options={
+ 'client_properties': {
+ 'capabilities': {
+ 'connection.blocked': True,
+ 'consumer_cancel_notify': True,
+ 'authentication_failure_close': True,
+ },
+ 'connection_name': connection.name},
+ 'confirm_publish': True,
+ 'on_blocked': mock.ANY,
+ 'on_unblocked': mock.ANY},
+ ssl=self.expected, login_method='AMQPLAIN',
+ heartbeat=60, failover_strategy='round-robin'
+ )
+
+ @mock.patch('oslo_messaging._drivers.impl_rabbit.Connection'
+ '.ensure_connection')
+ @mock.patch('oslo_messaging._drivers.impl_rabbit.ssl')
+ @mock.patch('kombu.connection.Connection')
+ def test_fips_unsupported(self, connection_klass, fake_ssl, fake_ensure):
+ self.config(ssl=True, ssl_enforce_fips_mode=True,
+ group="oslo_messaging_rabbit")
+ transport = oslo_messaging.get_transport(self.conf,
+ 'kombu+memory:////')
+ self.addCleanup(transport.cleanup)
+
+ del fake_ssl.FIPS_mode
+
+ # We do this test only if FIPS mode is not supported to
+ # ensure that we hard fail.
+ self.assertRaises(
+ ConfigurationError,
+ transport._driver._get_connection)
+
+
class TestRabbitPublisher(test_utils.BaseTestCase):
@mock.patch('kombu.messaging.Producer.publish')
def test_send_with_timeout(self, fake_publish):
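Review bot: test_driver_load_with_fips_supported never asserts that enforcement happened: the `FIPS_mode_set` patch is not bound to a name, so the test still passes if the driver stops calling it. Bind the mock and check the call, `with mock.patch.object(ssl, 'FIPS_mode_set', create=True) as fips_set:` followed by `fips_set.assert_called_once_with(1)` after `_get_connection()`. In test_fips_unsupported only `FIPS_mode` is deleted from the mocked module, which mirrors the driver's current hasattr probe; if the driver is changed to probe `FIPS_mode_set`, this test needs the matching `del fake_ssl.FIPS_mode_set`. A comment on that `del` explaining that MagicMock would otherwise auto-create the attribute would help the next reader.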
@@ -1008,21 +1068,36 @@ class RpcKombuHATestCase(test_utils.BaseTestCase):
self.assertRaises(oslo_messaging.MessageDeliveryFailure,
self.connection.ensure, mock_callback,
retry=4)
- self.assertEqual(6, mock_callback.call_count)
+ # TODO(stephenfin): Remove when we drop support for kombu < 5.2.4
+ expected = 5
+ if kombu.VERSION < (5, 2, 4):
+ expected = 6
+ self.assertEqual(expected, mock_callback.call_count)
def test_ensure_one_retry(self):
mock_callback = mock.Mock(side_effect=IOError)
self.assertRaises(oslo_messaging.MessageDeliveryFailure,
self.connection.ensure, mock_callback,
retry=1)
- self.assertEqual(3, mock_callback.call_count)
+ # TODO(stephenfin): Remove when we drop support for kombu < 5.2.4
+ expected = 2
+ if kombu.VERSION < (5, 2, 4):
+ expected = 3
+ self.assertEqual(expected, mock_callback.call_count)
def test_ensure_no_retry(self):
mock_callback = mock.Mock(side_effect=IOError)
- self.assertRaises(oslo_messaging.MessageDeliveryFailure,
- self.connection.ensure, mock_callback,
- retry=0)
- self.assertEqual(2, mock_callback.call_count)
+ self.assertRaises(
+ oslo_messaging.MessageDeliveryFailure,
+ self.connection.ensure,
+ mock_callback,
+ retry=0,
+ )
+ # TODO(stephenfin): Remove when we drop support for kombu < 5.2.4
+ expected = 1
+ if kombu.VERSION < (5, 2, 4):
+ expected = 2
+ self.assertEqual(expected, mock_callback.call_count)
class ConnectionLockTestCase(test_utils.BaseTestCase):
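Review bot: The same kombu version branch and TODO are copied into three tests (the first one's signature lies above the hunk), and in every case the expectation is `retry + 1` on kombu >= 5.2.4 and `retry + 2` before it. A single helper on the test case would leave one place to delete when old kombu support is dropped, for example a method returning `retry + (2 if kombu.VERSION < (5, 2, 4) else 1)`, with the TODO placed there once. The helper's comment should say why the count changed between kombu versions, since the bare numbers do not explain it. The `kombu` import is not visible in the hunks for this file, so confirm the module imports it.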
diff --git a/releasenotes/notes/enforce_fips_mode-07dd259eb8a73c2b.yaml b/releasenotes/notes/enforce_fips_mode-07dd259eb8a73c2b.yaml
new file mode 100644
index 0000000..ba6ac7f
--- /dev/null
+++ b/releasenotes/notes/enforce_fips_mode-07dd259eb8a73c2b.yaml
@@ -0,0 +1,10 @@
+---
+features:
+ - |
+ Adding a new option, ``[oslo_messaging_rabbit] ssl_enforce_fips_mode``, to
+ the rabbitmq driver to enforce the OpenSSL FIPS mode if supported by the
+ version of Python.
+security:
+ - |
+ We are now able to enforce the OpenSSL FIPS mode by using
+ ``[oslo_messaging_rabbit] ssl_enforce_fips_mode``.
diff --git a/releasenotes/source/index.rst b/releasenotes/source/index.rst
index b69bcf2..57b9270 100644
--- a/releasenotes/source/index.rst
+++ b/releasenotes/source/index.rst
@@ -6,6 +6,7 @@
:maxdepth: 1
unreleased
+ yoga
xena
wallaby
victoria
diff --git a/releasenotes/source/yoga.rst b/releasenotes/source/yoga.rst
new file mode 100644
index 0000000..7cd5e90
--- /dev/null
+++ b/releasenotes/source/yoga.rst
@@ -0,0 +1,6 @@
+=========================
+Yoga Series Release Notes
+=========================
+
+.. release-notes::
+ :branch: stable/yoga
diff --git a/setup.cfg b/setup.cfg
index e4c6d46..d95c084 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -6,7 +6,7 @@ summary = Oslo Messaging API
description_file =
README.rst
home_page = https://docs.openstack.org/oslo.messaging/latest/
-python_requires = >=3.6
+python_requires = >=3.8
classifier =
Environment :: OpenStack
Intended Audience :: Developers
@@ -15,8 +15,6 @@ classifier =
Operating System :: OS Independent
Programming Language :: Python
Programming Language :: Python :: 3
- Programming Language :: Python :: 3.6
- Programming Language :: Python :: 3.7
Programming Language :: Python :: 3.8
Programming Language :: Python :: 3.9
Programming Language :: Python :: 3 :: Only