IGNITE-12718 pyignite: added SSL keyfile password argument. (#7480)
Co-authored-by: Nikolay Izhikov <nizhikov@apache.org>
diff --git a/pyignite/connection/__init__.py b/pyignite/connection/__init__.py
index 32decdf..1f6f0c0 100644
--- a/pyignite/connection/__init__.py
+++ b/pyignite/connection/__init__.py
@@ -77,6 +77,7 @@
'ssl_ciphers',
'ssl_cert_reqs',
'ssl_keyfile',
+ 'ssl_keyfile_password',
'ssl_certfile',
'ssl_ca_certfile',
'username',
@@ -118,6 +119,9 @@
:param ssl_keyfile: (optional) a path to SSL key file to identify
local (client) party,
+ :param ssl_keyfile_password: (optional) password for SSL key file,
+ can be provided when key file is encrypted to prevent OpenSSL
+ password prompt,
:param ssl_certfile: (optional) a path to ssl certificate file
to identify local (client) party,
:param ssl_ca_certfile: (optional) a path to a trusted certificate
diff --git a/pyignite/connection/ssl.py b/pyignite/connection/ssl.py
index 548ca7f..044b103 100644
--- a/pyignite/connection/ssl.py
+++ b/pyignite/connection/ssl.py
@@ -14,6 +14,7 @@
# limitations under the License.
import ssl
+from ssl import SSLContext
from pyignite.constants import *
@@ -21,19 +22,28 @@
def wrap(client, _socket):
""" Wrap socket in SSL wrapper. """
if client.init_kwargs.get('use_ssl', None):
- _socket = ssl.wrap_socket(
- _socket,
- ssl_version=client.init_kwargs.get(
- 'ssl_version', SSL_DEFAULT_VERSION
- ),
- ciphers=client.init_kwargs.get(
- 'ssl_ciphers', SSL_DEFAULT_CIPHERS
- ),
- cert_reqs=client.init_kwargs.get(
- 'ssl_cert_reqs', ssl.CERT_NONE
- ),
- keyfile=client.init_kwargs.get('ssl_keyfile', None),
- certfile=client.init_kwargs.get('ssl_certfile', None),
- ca_certs=client.init_kwargs.get('ssl_ca_certfile', None),
- )
+ keyfile = client.init_kwargs.get('ssl_keyfile', None)
+ certfile = client.init_kwargs.get('ssl_certfile', None)
+
+ if keyfile and not certfile:
+ raise ValueError("certfile must be specified")
+
+ password = client.init_kwargs.get('ssl_keyfile_password', None)
+ ssl_version = client.init_kwargs.get('ssl_version', SSL_DEFAULT_VERSION)
+ ciphers = client.init_kwargs.get('ssl_ciphers', SSL_DEFAULT_CIPHERS)
+ cert_reqs = client.init_kwargs.get('ssl_cert_reqs', ssl.CERT_NONE)
+ ca_certs = client.init_kwargs.get('ssl_ca_certfile', None)
+
+ context = SSLContext(ssl_version)
+ context.verify_mode = cert_reqs
+
+ if ca_certs:
+ context.load_verify_locations(ca_certs)
+ if certfile:
+ context.load_cert_chain(certfile, keyfile, password)
+ if ciphers:
+ context.set_ciphers(ciphers)
+
+ _socket = context.wrap_socket(sock=_socket)
+
return _socket
diff --git a/tests/config/ssl.xml b/tests/config/ssl.xml
new file mode 100644
index 0000000..d9d406f
--- /dev/null
+++ b/tests/config/ssl.xml
@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+ <!--
+ Initialize property configurer so we can reference environment variables.
+ -->
+ <bean id="propertyConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
+ <property name="systemPropertiesModeName" value="SYSTEM_PROPERTIES_MODE_FALLBACK"/>
+ <property name="searchSystemEnvironment" value="true"/>
+ </bean>
+
+ <bean id="test.cfg" class="org.apache.ignite.configuration.IgniteConfiguration">
+ <property name="localHost" value="127.0.0.1"/>
+ <property name="connectorConfiguration"><null/></property>
+
+ <property name="clientConnectorConfiguration">
+ <bean class="org.apache.ignite.configuration.ClientConnectorConfiguration">
+ <property name="host" value="127.0.0.1"/>
+ <property name="portRange" value="10"/>
+ <property name="sslEnabled" value="true"/>
+ <property name="useIgniteSslContextFactory" value="false"/>
+ <property name="sslClientAuth" value="true"/>
+
+ <!-- Provide Ssl context. -->
+ <property name="sslContextFactory">
+ <bean class="org.apache.ignite.ssl.SslContextFactory">
+ <property name="keyStoreFilePath" value="${PYTHON_TEST_CONFIG_PATH}/ssl/server.jks"/>
+ <property name="keyStorePassword" value="123456"/>
+ <property name="trustStoreFilePath" value="${PYTHON_TEST_CONFIG_PATH}/ssl/trust.jks"/>
+ <property name="trustStorePassword" value="123456"/>
+ </bean>
+ </property>
+ </bean>
+ </property>
+ </bean>
+</beans>
\ No newline at end of file
diff --git a/tests/config/ssl/README.txt b/tests/config/ssl/README.txt
new file mode 100644
index 0000000..eca07ea
--- /dev/null
+++ b/tests/config/ssl/README.txt
@@ -0,0 +1,3 @@
+These files generated using script
+`$IGNITE_SRC/modules/platforms/cpp/thin-client-test/config/ssl/generate_certificates.sh`
+To update them just run script and move files to this folder.
\ No newline at end of file
diff --git a/tests/config/ssl/client_full.pem b/tests/config/ssl/client_full.pem
new file mode 100644
index 0000000..8260928
--- /dev/null
+++ b/tests/config/ssl/client_full.pem
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCnW8A/wVcIQL7O
+T197f6YSl572HyXZbhAMXU9CIT5Er1TDUETPHE2cslvkXSvpMkaI61ftPelEfoir
+IVyuoJb4c6rnPLtnt+LfUmN8MS8C+vsZPw6gaZW6JIKGMLsUo/nmz986C9AfuSco
+auVFQC+48pHjzXUQ+sGvnAQjSaz/U5+0pKMJBMxxmcwLSn6vopz7859X08odWdV2
+5sq6irJW+w/93vuYdBXqlFthjMSVzOBhFTeTYw6db+CmNofG+EMjqP9lB5rPGLHb
+qbOJx3jv8dvTxECtoc2myAmQrUB9+xXX6/90j2HRuNu2BauPsmpfq7lNvjV/Bea/
+hnhFl+anAgMBAAECggEBAIsACYzqZ/7Sx6dTBVrtimGmzMBe3nDYmTurxEiIk884
+UI5n/L6II24iNXBWckIdH7hYv46r/TKGZby82N2xQ7LXXvrv1jcu45/YLgjYUNOI
+4UT2uo9BIrqX2FDb6IYcK1MpE56CcTnn7j4DiqkZxok17zXlT3XqzzOrwUQNzUHC
+Oo3vPRzZBYqyLknyIqNP5fZoJbVgH469ka6s6oOyOzW5fTvPdlK/lWqAdqf7GJEV
+1xwVsDOy1NvrxXwqz3knq3yykkErYFXi7Wf4AcCMH0n42kWQwWh4w3Ug+TtcRe4c
+Y7qcQFa3GVeVDIB4komCtezOhHGG4upRuwK4fko1iwECgYEA2OCIHqjvWEmOsB3G
+2c7ci78NNjOVn12NhiX671wALnJ+IqVlHUg1TUV8lu7oK8rHLDhiQPiM9aTc1012
++3pwSn9l2z5UtEt4KxeRc14lCOMST+mZe/SDf7TLQsj26oOWJksT9UfxT2AtzcvF
+Xy51uG+0Ve32s1OZiGp04lORPtMCgYEAxYxtbxkYJsg2yXjf/d97hr+eMGoyoWxv
+TIytIWyNh8SinQdyjyPlMrMjDKXhPuMvWocAkDiLtd9wHSzgTV8VkdRuajDxptjL
+Z0Kjt9pMp1SMTNzfCMflDviWq46SXEAQkm7lAag3zqZNB34rI5WpW8dPf/gIIJCc
+zegqadYXHF0CgYAOi0g1niim6A/smaKbOrcpm/9b0ivHizORenyQjr/oXX89/Y+B
+XjVM4EsRqCXjwe6HdaSJLOHvG0ZAHg7LoJNlO5PuFwkBKkp9wU/cx8R+CxRQTZ8g
+Y+5pows6iFWetoJcQQ6ulUuGgjGwKmkrD+ePHdafKJ0xu3qBXnpGL0p/RwKBgQCm
+xDZ57EhMLQa7LBSDf88K4OZM3snhJeYLTFK3fak47RGN2ISoO9g35av3+GzfJvCJ
+zp/2IBYpMfe2WXT9PAC8fAW+FZVakXecs0/8XAgL1j8ef/K0ufMvoUGokBIUWGzl
+AULIFFcQV6l9YtBOGQDAntAJKrzJqOsGlDCB6h7WbQKBgQCnF1SuakiToiv7TQHk
+KQT6kUGqBO7hSfGG3jx2alATXww46iCj2Op8dcIYcM1vPCSFlMgI4zlgX01tap2/
++LDtehygTY11jm6q8adoplqGN8LlotXeBTwgN2COdNbhh6Nj+9M+yCl749nnBfd7
+17EiuQzTB8B4oK9dfvDK07hq3w==
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIEBTCCAu0CCQDvTawLdBCCFDANBgkqhkiG9w0BAQsFADCBvzELMAkGA1UEBhMC
+VVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCVdha2VmaWVsZDEa
+MBgGA1UEAwwRaWduaXRlLmFwYWNoZS5vcmcxJzAlBgNVBAoMHlRoZSBBcGFjaGUg
+U29mdHdhcmUgRm91bmRhdGlvbjEZMBcGA1UECwwQQXBhY2hlIElnbml0ZSBDQTEk
+MCIGCSqGSIb3DQEJARYVZGV2QGlnbml0ZS5hcGFjaGUub3JnMB4XDTIwMDgzMTA5
+MjgyNVoXDTMwMDgyOTA5MjgyNVowgcgxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1N
+YXNzYWNodXNldHRzMRIwEAYDVQQHDAlXYWtlZmllbGQxGjAYBgNVBAMMEWlnbml0
+ZS5hcGFjaGUub3JnMScwJQYDVQQKDB5UaGUgQXBhY2hlIFNvZnR3YXJlIEZvdW5k
+YXRpb24xIjAgBgNVBAsMGUFwYWNoZSBJZ25pdGUgQ2xpZW50IFRlc3QxJDAiBgkq
+hkiG9w0BCQEWFWRldkBpZ25pdGUuYXBhY2hlLm9yZzCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAKdbwD/BVwhAvs5PX3t/phKXnvYfJdluEAxdT0IhPkSv
+VMNQRM8cTZyyW+RdK+kyRojrV+096UR+iKshXK6glvhzquc8u2e34t9SY3wxLwL6
++xk/DqBplbokgoYwuxSj+ebP3zoL0B+5Jyhq5UVAL7jykePNdRD6wa+cBCNJrP9T
+n7SkowkEzHGZzAtKfq+inPvzn1fTyh1Z1XbmyrqKslb7D/3e+5h0FeqUW2GMxJXM
+4GEVN5NjDp1v4KY2h8b4QyOo/2UHms8Ysdups4nHeO/x29PEQK2hzabICZCtQH37
+Fdfr/3SPYdG427YFq4+yal+ruU2+NX8F5r+GeEWX5qcCAwEAATANBgkqhkiG9w0B
+AQsFAAOCAQEAiE2xX2uNRmsPMfVA//nbc6Djj+a/FEqJ2OvqVTaJPw5M2Jw8F+XG
+sd09qXXCKpBtihBrbnoHQIQNUTOAkuxrCkRCubQ0w7PQTomOX/cXQdMPdgWa27Oi
+Li7Pq2FwAEwhnSfOPwrj+2XU1bzwwIMdT85XD9KQFirIzGaAnGMN08pNxRROlOyV
+bOqIptP9DGuM51lKNd+rNoBY1C29pnYoitFjarRkNfOwJqBabPacDvjZLuo/CP8Z
+KmhjH3W1AtcRNGNrlaqsaS02Ny6SgvXWKNKtp5xRpwmOZ6YT8Q2pHXPfE8mjCvl0
+Cu6HiNMP8LUdxriKDtdHZbhBCAfnjzBzUw==
+-----END CERTIFICATE-----
diff --git a/tests/config/ssl/client_with_pass_full.pem b/tests/config/ssl/client_with_pass_full.pem
new file mode 100644
index 0000000..a53bc51
--- /dev/null
+++ b/tests/config/ssl/client_with_pass_full.pem
@@ -0,0 +1,54 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,42A0C0A0F7D8E31ABF5BE4EC262E2881
+
+j6XDTAvm5OI12CmE/UlK9NTTWbvwuoKcuqaYlPxPtPdO9tZ7RxdPLX0aasi4ALPm
+WF1oe1SmPAneXQrHejxb/mw1rliqwVwEblSdXUEtq4ZFSGwy+YmYXP62XNKwColM
+BppNX87MxS5hu6wsV2cuML7e/Y5wUro04Tk2kXoraVXyxLChKffY68rzih1pv5d1
+cA4lFqvMNBbIOGIUIRX60eZSlZ6XS5oZY9pc7O+KOUH7e8Pa3dFEbdXgbSX+dGLt
+DhV7bb1sciuJDBC7F9HjZem5YkKt44AkwfL3v/m7kGTaESNN2/NYemNGsth+HmF6
+nWB5ver1dQ3iGG1gLLmLbDyXcmOHSxWIcagqN0/bX08gBdBIWiTTHx7k3ke8z5QO
+8T+Yx6O6O0ccLWYZUnA3Dw4vNEV8Xn1V2+e0Z0uhTt0kf2bu4xCwkmrlREjcqtMD
+8OAzzhiyQjJGmbQQpTrVKdIT5e3Ux+PKzaUo5U1ZP8s7b76VxjsmljXrFV9I4qLC
+/NP22GH71F+p68qaawldw/ljtx9KuVYGD3cbvN5bF3VDUSf4HoI56U/WrfM1/P+/
+27yLYGEb8g4kzIp0GjC50CkFZRTAG/C5kh5mo+L8A5kQ77z8Utn75FnnUDuL22Pa
+qnJE7IWFWITA0f3KE62oiIxx//+rxy4KneYKv9HLRjqd7p0Yzv9XhyBlXtFRX9g0
+ji8M0lvJGwDxarH6BTFozLYfjFo92FG5la0GJS/uPOXaly2DFElg71pA24xGlgr0
+u6Cprge5T95VVFKOEJ6z5M0tTtfKPXnD+vb9FfIotKWr03+palUANGuXAIf3C++a
+NfUm6R7dZ3nUGk4+L+U+NsyIGEMYnBLD5jgSVGg8q3MiUb6Zwy3lV0maoNV3pizt
+QrWWlSuo6fUAkFEADyEhy305FhjWBTsJ5ZP+D75Joh5tR7gzDhl0Xg4nyTQ+QUM+
+6E/yBsEIjunITQeDOf7Il8Jg/07T0StH9RllWnz7/UTAD4SYrrPs5Fvn1heIP/aO
+s/ER7Ip2YVhr0U4aCFzzuxSuWRRJCEE7Rb0AYT7pU4/iTu2tQYQV/VAMaK+PM0O6
+j5YwnV7fVZBjs3BgZodu+qm/8bK7fSjG8qQQ50jEcQZmkqEuBbJRIi4RNvBpm1Eo
+q79CuxhAPBM69jmJao5cxKOj3zRzI3ZamT6cMcssz/HkgEKO4H9rr2ZKB4xCeR7n
+QUo9bQbnq5W4xbei23Zk5/Tg8g0lUdfhiNTa+0mQap7Vnl7SQaaH4MfKEpdzm7eW
+73eIvl4HVOtp76SIV82wMMW+IVzcikpFwQpP8EEq+XGZFk/zY1tptsRy2USadM4Y
+Hjpyx4ZOYFg0HKI0vc2TuMo2AvmgyL1/zBB4DC44OUEW8TuUoX20rYhtq3alqlpl
+ieHAyqIDeZV+//FSMSDiHR4TAWQu4LnH/3G0MIZYnp9jyqjc7fF+uXfdSiCqGFn3
+DP9nU/PyL0fYFXnNlL8Lazyhi7ETvn694ni/HdElXnqugAIBdaRcwjqfaZ0XA0ho
+QGOSiPEYkJL19x93C96EXmBxW+Y72uxlEeEYuFafSegIypOkf4swgzlfdsaVq2uo
+-----END RSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIEBTCCAu0CCQDvTawLdBCCFTANBgkqhkiG9w0BAQsFADCBvzELMAkGA1UEBhMC
+VVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCVdha2VmaWVsZDEa
+MBgGA1UEAwwRaWduaXRlLmFwYWNoZS5vcmcxJzAlBgNVBAoMHlRoZSBBcGFjaGUg
+U29mdHdhcmUgRm91bmRhdGlvbjEZMBcGA1UECwwQQXBhY2hlIElnbml0ZSBDQTEk
+MCIGCSqGSIb3DQEJARYVZGV2QGlnbml0ZS5hcGFjaGUub3JnMB4XDTIwMDgzMTA5
+MjgyNVoXDTMwMDgyOTA5MjgyNVowgcgxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1N
+YXNzYWNodXNldHRzMRIwEAYDVQQHDAlXYWtlZmllbGQxGjAYBgNVBAMMEWlnbml0
+ZS5hcGFjaGUub3JnMScwJQYDVQQKDB5UaGUgQXBhY2hlIFNvZnR3YXJlIEZvdW5k
+YXRpb24xIjAgBgNVBAsMGUFwYWNoZSBJZ25pdGUgQ2xpZW50IFRlc3QxJDAiBgkq
+hkiG9w0BCQEWFWRldkBpZ25pdGUuYXBhY2hlLm9yZzCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAPXi2AbcfKK/BdGWIZZvXyICOfLXXXNezAo1fiVs5LfG
+C5v0lBSmxeu1NYRF05Wf4/mEmVZnhzoVxViQWlUbL6M6A/VrrZPOF421tloiz/1J
+hBfVI91JBji2cP78HvdPAGIHg5zLlgGUxaKxgvRfm3v43hc3YvzXo8Adg6QBMNdQ
+m3co5L887lhixCHZh/FcncbaXSwRSZJtS9B1DiCUVIlfcAIkn80xL2bJ5giS5vwH
+pKZagoykaVbwrd3ObHGQtCZ/TtLM5gseDfppEWRtZv5wmJEejcHot5nSfUIrDuuY
+7MO6flSy6yshSXbk2eAQ8YCLywwSm87uA3PrOeX77PsCAwEAATANBgkqhkiG9w0B
+AQsFAAOCAQEAI+2iiMcS1ks7YZZb9H/Oa1Il4wOOC+OEkFsVBLBKtUiEYkBJHykg
+BPguDjd/wXfCRb8FgG28JUfhzcvEIZB18tb1updKvEsLZUfPGXI89vUTshi51hy7
+VoOAJMyzJRWDP37MAtnTAu0uS205Q+8VE/adDrdjDQKBGF98OkXQVsxyfckzY2Za
+mmCmOWdJWTZH/5eh+2ogvsGDy9VXYyQlhNNl5oLVldPL4AjanKfIwaYIwYZXyKV9
+2+2lkkM7ikY6WxCHct41IuyBx5Nty2zu5tdLoQd1lII4u1c0t5AfrJYyWjeNMMnF
++e9wWnM1ivfHESAHFzhdzSbXuEFHlq3F1w==
+-----END CERTIFICATE-----
diff --git a/tests/config/ssl/server.jks b/tests/config/ssl/server.jks
new file mode 100644
index 0000000..e6a9c1a
--- /dev/null
+++ b/tests/config/ssl/server.jks
Binary files differ
diff --git a/tests/config/ssl/trust.jks b/tests/config/ssl/trust.jks
new file mode 100644
index 0000000..0bc7210
--- /dev/null
+++ b/tests/config/ssl/trust.jks
Binary files differ
diff --git a/tests/conftest.py b/tests/conftest.py
index be6d029..f7e2e1f 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -66,7 +66,7 @@
@pytest.fixture(scope='module')
def client(
- ignite_host, ignite_port, timeout, use_ssl, ssl_keyfile, ssl_certfile,
+ ignite_host, ignite_port, timeout, use_ssl, ssl_keyfile, ssl_keyfile_password, ssl_certfile,
ssl_ca_certfile, ssl_cert_reqs, ssl_ciphers, ssl_version,
username, password,
):
@@ -74,6 +74,7 @@
timeout=timeout,
use_ssl=use_ssl,
ssl_keyfile=ssl_keyfile,
+ ssl_keyfile_password=ssl_keyfile_password,
ssl_certfile=ssl_certfile,
ssl_ca_certfile=ssl_ca_certfile,
ssl_cert_reqs=ssl_cert_reqs,
@@ -136,6 +137,13 @@
help='a path to SSL key file to identify local party'
)
parser.addoption(
+ '--ssl-keyfile-password',
+ action='store',
+ default=None,
+ type=str,
+ help='password for SSL key file'
+ )
+ parser.addoption(
'--ssl-certfile',
action='store',
default=None,
@@ -199,6 +207,7 @@
'timeout': None,
'use_ssl': False,
'ssl_keyfile': None,
+ 'ssl_keyfile_password': None,
'ssl_certfile': None,
'ssl_ca_certfile': None,
'ssl_cert_reqs': ssl.CERT_NONE,
diff --git a/tests/test_handshake.py b/tests/test_handshake.py
index 54315f0..d655d94 100644
--- a/tests/test_handshake.py
+++ b/tests/test_handshake.py
@@ -21,13 +21,14 @@
def test_handshake(
monkeypatch,
- ignite_host, ignite_port, use_ssl, ssl_keyfile, ssl_certfile,
+ ignite_host, ignite_port, use_ssl, ssl_keyfile, ssl_keyfile_password, ssl_certfile,
ssl_ca_certfile, ssl_cert_reqs, ssl_ciphers, ssl_version,
username, password,
):
client = Client(
use_ssl=use_ssl,
ssl_keyfile=ssl_keyfile,
+ ssl_keyfile_password=ssl_keyfile_password,
ssl_certfile=ssl_certfile,
ssl_ca_certfile=ssl_ca_certfile,
ssl_cert_reqs=ssl_cert_reqs,
