
Update TLS check to use TLS context wrapper #8230

Merged
12 commits merged, Dec 29, 2020

Conversation

yzhan289
Contributor

@yzhan289 yzhan289 commented Dec 21, 2020

What does this PR do?

This PR updates the TLS check to use the new SSL context wrapper rather than creating it from scratch.

Motivation

Additional Notes

Review checklist (to be filled by reviewers)

  • Feature or bugfix MUST have appropriate tests (unit, integration, e2e)
  • PR title must be written as a CHANGELOG entry (see why)
  • Files changes must correspond to the primary purpose of the PR as described in the title (small unrelated changes should have their own PR)
  • PR must have changelog/ and integration/ labels attached

@yzhan289 yzhan289 changed the title Update TLS check to use TLS context wrapper Update TLS check to use SSL context wrapper Dec 22, 2020
@yzhan289 yzhan289 marked this pull request as ready for review December 22, 2020 16:30
@yzhan289 yzhan289 requested review from a team as code owners December 22, 2020 16:30
codecov bot commented Dec 22, 2020

ruthnaebeck previously approved these changes Dec 22, 2020
Contributor

@ruthnaebeck ruthnaebeck left a comment


👍 for docs

Member

@FlorianVeaux FlorianVeaux left a comment


You're breaking backwards compatibility, you have to use TLS_CONFIG_REMAPPER for this.
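As an added example (not code from this PR or from datadog_checks_base), here is the shape of the compatibility fix being asked for: a remapper that rewrites the check's legacy instance keys to the shared tls_* keys before the wrapper sees them, next to a context builder that keeps the semantics of the check's own tls_context() method. The legacy and tls_* key names and the remapper entry shape are assumptions made for illustration.

```python
import ssl

# Assumed mapping of the check's legacy instance keys to the shared tls_*
# keys; the names and the {'name': ...} entry shape are illustrative only.
TLS_CONFIG_REMAPPER = {
    'validate_cert': {'name': 'tls_verify'},
    'validate_hostname': {'name': 'tls_validate_hostname'},
    'ca_cert': {'name': 'tls_ca_cert'},
    'cert': {'name': 'tls_cert'},
    'private_key': {'name': 'tls_private_key'},
}


def remap_tls_config(instance, remapper=TLS_CONFIG_REMAPPER):
    """Copy `instance`, rewriting legacy keys to their tls_* names.

    An explicit tls_* key wins over the legacy spelling, so old and new
    configs both keep the verification settings they asked for.
    """
    config = dict(instance)
    for legacy, spec in remapper.items():
        if legacy in config:
            config.setdefault(spec['name'], config.pop(legacy))
    return config


def build_tls_context(config, allowed_versions=()):
    """Build an SSLContext with the semantics of the check's removed method."""
    ctx = ssl.SSLContext(protocol=ssl.PROTOCOL_TLS_CLIENT)
    # The check validates the hostname itself later, so disable it here.
    # This must happen before verify_mode is assigned (Python 3.7+).
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED if config.get('tls_verify', True) else ssl.CERT_NONE
    if config.get('tls_ca_cert'):
        # A configured CA bundle replaces the system trust store.
        ctx.load_verify_locations(cafile=config['tls_ca_cert'])
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    if config.get('tls_cert'):
        ctx.load_cert_chain(config['tls_cert'], keyfile=config.get('tls_private_key'))
    if 'SSLv3' in allowed_versions:
        # Opt back in to SSLv3 only when the check explicitly allows it.
        ctx.options &= ~ssl.OP_NO_SSLv3
    return ctx
```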

@yzhan289 yzhan289 changed the title Update TLS check to use SSL context wrapper Update TLS check to use TLS context wrapper Dec 23, 2020
@yzhan289 yzhan289 mentioned this pull request Dec 23, 2020
Member

@FlorianVeaux FlorianVeaux left a comment


Almost good! A few extra comments.

@yzhan289 yzhan289 merged commit 1b3056d into master Dec 29, 2020
@yzhan289 yzhan289 deleted the az/tls-wrapper branch December 29, 2020 16:27
Comment on lines -339 to -371
def tls_context(self):
if self._tls_context is None:
# https://docs.python.org/3/library/ssl.html#ssl.SSLContext
# https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLS
self._tls_context = ssl.SSLContext(protocol=PROTOCOL_TLS_CLIENT)

# Run our own validation later on if need be
# https://docs.python.org/3/library/ssl.html#ssl.SSLContext.check_hostname
#
# IMPORTANT: This must be set before verify_mode in Python 3.7+, see:
# https://docs.python.org/3/library/ssl.html#ssl.SSLContext.check_hostname
self._tls_context.check_hostname = False

# https://docs.python.org/3/library/ssl.html#ssl.SSLContext.verify_mode
self._tls_context.verify_mode = ssl.CERT_REQUIRED if self._validate_cert else ssl.CERT_NONE

# https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_verify_locations
if self._cafile or self._capath: # no cov
self._tls_context.load_verify_locations(self._cafile, self._capath, None)

# https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_default_certs
else:
self._tls_context.load_default_certs(ssl.Purpose.SERVER_AUTH)

# https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_cert_chain
if self._cert: # no cov
self._tls_context.load_cert_chain(self._cert, keyfile=self._private_key)

# https://docs.python.org/3/library/ssl.html#ssl.create_default_context
if 'SSLv3' in self._allowed_versions: # no cov
self._tls_context.options &= ~ssl.OP_NO_SSLv3

return self._tls_context
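Review bot: the removed tls_context() carries behaviour the shared wrapper must reproduce, so each branch here should be checked against the replacement rather than assumed: check_hostname is cleared before verify_mode is assigned (the comment notes this ordering is required on Python 3.7+), verify_mode drops to ssl.CERT_NONE when self._validate_cert is false, a configured cafile/capath replaces load_default_certs(ssl.Purpose.SERVER_AUTH) rather than being added to it, and 'SSLv3' in self._allowed_versions clears OP_NO_SSLv3. Because the check's existing instance keys feed these fields, mapping them through TLS_CONFIG_REMAPPER (as requested above) is what keeps a deployed config from silently changing its verification behaviour after the upgrade.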
Contributor Author


Currently seeing how to ensure the logic of creating this context while also using updated SSL context
