# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""
Security (SSL) Settings
Usage:
import libcloud.security
libcloud.security.VERIFY_SSL_CERT = True
# Optional.
libcloud.security.CA_CERTS_PATH = '/path/to/certfile'
"""
import os
import ssl
__all__ = ["VERIFY_SSL_CERT", "SSL_VERSION", "CA_CERTS_PATH"]

# Path to a file holding one or more PEM-encoded CA certificates
# concatenated together. Starts unset; statements further down this module
# may assign it from certifi or from the SSL_CERT_FILE environment variable.
CA_CERTS_PATH = None

# Certificate verification switch; on by default. This module's own
# VERIFY_SSL_DISABLED_MSG describes turning it off as a security risk.
VERIFY_SSL_CERT = True

# NOTE(review): ssl.PROTOCOL_TLSv1 selects TLS 1.0 specifically, and the
# version-specific PROTOCOL_* constants are deprecated in the standard
# library. How this value is consumed is not visible in this module -
# confirm whether it still pins connections to TLS 1.0 before relying on it.
SSL_VERSION = ssl.PROTOCOL_TLSv1

# Whether to use the certifi CA bundle path when the certifi library is
# available. Defaults to enabled; the LIBCLOUD_SSL_USE_CERTIFI environment
# variable keeps it enabled only for the values "true" or "1"
# (case-insensitive) - any other value disables it.
USE_CERTIFI = str(
    os.environ.get("LIBCLOUD_SSL_USE_CERTIFI", True)
).lower() in ("true", "1")
# Prefer the certifi CA bundle when the certifi package can be imported and
# the USE_CERTIFI switch (set earlier in this module) is on.
has_certifi = True
try:
    import certifi
except ImportError:
    # certifi is optional; without it CA_CERTS_PATH keeps its earlier value.
    has_certifi = False

if USE_CERTIFI and has_certifi:
    # certifi.where() returns the path of the bundle shipped with certifi.
    CA_CERTS_PATH = certifi_ca_bundle_path = certifi.where()
# An explicit CA bundle may be supplied through the SSL_CERT_FILE environment
# variable. When set, it overrides any CA_CERTS_PATH value assigned before
# this point, so the process environment decides which CAs are trusted.
environment_cert_file = os.environ.get("SSL_CERT_FILE")

if environment_cert_file is not None:
    # Fail at import time rather than continue with an unusable path.
    # Only existence and file type are checked here; the contents are not
    # validated as PEM certificates in this module.
    if not os.path.isfile(environment_cert_file):
        if not os.path.exists(environment_cert_file):
            raise ValueError(
                "Certificate file %s doesn't exist" % environment_cert_file
            )
        raise ValueError("Certificate file can't be a directory")

    # A valid user-supplied file wins outright: other common paths are
    # ignored so we never fall back to a potentially less restrictive bundle.
    CA_CERTS_PATH = environment_cert_file
# Error text for the case where no CA certificates were found in
# CA_CERTS_PATH; points the reader at the certificate-validation docs.
CA_CERTS_UNAVAILABLE_ERROR_MSG = (
    "No CA Certificates were found in CA_CERTS_PATH. "
    "For information on how to get required certificate files, "
    "please visit "
    "https://libcloud.readthedocs.org/en/latest/other/"
    "ssl-certificate-validation.html"
)

# Warning text for running with certificate verification switched off.
VERIFY_SSL_DISABLED_MSG = (
    "SSL certificate verification is disabled, "
    "this can pose a security risk. "
    "For more information how to enable the SSL certificate verification, "
    "please visit the libcloud documentation."
)