@jatalahd jatalahd commented Jul 16, 2025

What kind of change does this PR introduce?

  • 🐞 bug fix
  • 🐣 feature
  • 📋 docs update
  • 📋 tests/coverage improvement
  • 📋 refactoring
  • 💥 other

📋 What is the related issue number (starting with #)

cherrypy/cherrypy#1583

What is the current behavior? (You can also link to an open issue here)
With the current functionality it is only possible to use ssl adapters with private keys without password protection.

What is the new behavior (if this is a feature change)?
With this change, there is a new option to give the ssl adapter a "private_key_password" argument, which can be in either string or bytestring format.

📋 Other information:
Added also unit tests to test the new functionality

📋 Contribution checklist:

  • I wrote descriptive pull request text above
  • I think the code is well written
  • I wrote good commit messages
  • I have squashed related commits together after
    the changes have been approved
  • Unit tests for the changes exist
  • Integration tests for the changes exist (if applicable)
  • I used the same coding conventions as the rest of the project
  • The new code doesn't generate linter offenses
  • Documentation reflects the changes
  • The PR relates to only one subject with a clear title
    and description in grammatically correct, complete sentences


@codecov

codecov bot commented Jul 16, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 79.55%. Comparing base (4a8dc43) to head (5072e24).
⚠️ Report is 2 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #752      +/-   ##
==========================================
+ Coverage   79.30%   79.55%   +0.25%     
==========================================
  Files          29       29              
  Lines        4203     4261      +58     
  Branches      539      542       +3     
==========================================
+ Hits         3333     3390      +57     
+ Misses        728      727       -1     
- Partials      142      144       +2     

@jatalahd
Contributor Author

Fixed linter issues with second commit, but now it seems that I need to do the git squash... Anyway, it would be important for us to get this improvement into some upcoming cheroot release, which we can then reference in our pipfile so that we can take these changes into use.

@jatalahd
Contributor Author

@webknjaz; I understand that you are busy, but I am pinging you because you seem to be the only administrator actively working on this repository. I am hoping that we could proceed with this pull request before I forget what I have done. I assume at least the review is required, but maybe some other tasks still need to be done before this can be merged?

@webknjaz
Member

@jatalahd thanks for the contrib! You don't have to squash commits unconditionally. Only if the commits are non-atomic. If they aren't, it's usually a good idea to combine them to keep Git history clean.

One thing that's definitely missing is a change note. Read https://cheroot.cherrypy.dev/en/latest/contributing/guidelines/#adding-change-notes-with-your-prs and follow the guidelines. Do your best and if it needs editing, I'll tell you.

I can't give you a timeline right now. I'm a bit unhappy about the state of the TLS adapters in general and wanted to redesign them eventually. And so I'm a bit hesitant on what changes would be acceptable in the public API. I'll need to think about it first.

I'll leave a few notes in the diff but that'll be an incomplete review.

@jatalahd
Contributor Author

@webknjaz; Thanks for reviewing the code. I fixed all problems you mentioned (as well as I could). Also added a change note and had to do the git squash to clean up the git history. Due to that, I had to force push and therefore your review comments disappeared from the "files changed" tab. However, I answered all those comments in this conversation tab. Please let me know if there is something that still needs fixing.

@jatalahd jatalahd force-pushed the add_private_key_password branch 3 times, most recently from 95bc21c to 6d4f3d2 Compare July 31, 2025 07:36
@jatalahd
Contributor Author

With the latest two pushes, I fixed one linter issue and one test failure that was occurring on the Ubuntu arm platform. To me the CI pipeline results look fine; the remaining test failures are not due to my commit. I consider this now ready for a hopefully final review.

@jatalahd
Contributor Author

jatalahd commented Oct 8, 2025

@webknjaz; I am still hoping that this improvement will be included in some upcoming cheroot release. We are currently using a workaround of creating a local wheel of cheroot with this change included and that cannot be a sustainable solution in the long term.

@webknjaz
Member

@jatalahd I've added a few comments + you need to rebase to pick up the recent main. But overall seems good.

@jatalahd jatalahd force-pushed the add_private_key_password branch from 6d4f3d2 to ae8e1bc Compare October 16, 2025 10:13
@webknjaz
Member

webknjaz commented Nov 1, 2025

@jatalahd looks like this is almost ready. Only cosmetic changes left mostly.

@webknjaz webknjaz added the enhancement Improvement label Nov 1, 2025
@jatalahd jatalahd force-pushed the add_private_key_password branch from 88e187a to 2a16422 Compare November 1, 2025 14:21
@jatalahd
Contributor Author

jatalahd commented Nov 1, 2025

@webknjaz Provided improvements as you suggested. I hope this is OK now.

@webknjaz
Member

webknjaz commented Nov 1, 2025

@jatalahd it's probably a good idea to paste a full link to the CherryPy issue in the commit message. Only using the number makes GH link issues in this repository instead.

@jatalahd jatalahd force-pushed the add_private_key_password branch from 2a16422 to cf27c3e Compare November 2, 2025 07:58
@jatalahd
Contributor Author

jatalahd commented Nov 2, 2025

@webknjaz Yet another improved push provided.

@webknjaz
Member

webknjaz commented Nov 2, 2025

@jatalahd looks like the docstring adjustments are the last thing left before I can merge.

- It is now possible to use password protected private keys
  in both builtin and openssl ssl-adapters

- Added also positive and negative unit test cases

- With reference to cherrypy/cherrypy#1583
@jatalahd
Contributor Author

jatalahd commented Nov 2, 2025

@webknjaz Docstrings changed as suggested in latest push.

@jatalahd jatalahd force-pushed the add_private_key_password branch from cf27c3e to 5072e24 Compare November 2, 2025 12:58
Member

@webknjaz webknjaz left a comment

Perfect, thanks!

@webknjaz webknjaz merged commit 5f8e279 into cherrypy:main Nov 3, 2025
132 of 144 checks passed

with expected_warn, pytest.raises(
OpenSSL.SSL.Error,
match=r'.+bad decrypt.+',
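
Review bot: `match=r'.+bad decrypt.+'` in the `pytest.raises(...)` call pins the assertion to a single human-readable reason string taken from the OpenSSL error queue, so any run where the library reports the failure with different wording fails the test even though `OpenSSL.SSL.Error` was raised as intended. `pytest.raises` applies `match` with `re.search`, so the surrounding `.+` contributes nothing except a demand for extra characters on both sides; `match=r'bad decrypt'` states the same condition more plainly. Consider passing the accepted reason pattern in through the test's parametrization so each case lists the reasons it tolerates instead of sharing one hard-coded pattern.
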
Member

@jatalahd this test turned out to be flaky. See https://github.com/cherrypy/cheroot/actions/runs/19020536310/job/54314981390#step:15:272 where the error string was "[('DECODER routines', '', 'unsupported'), ('asn1 encoding routines', '', 'too long'), ('asn1 encoding routines', '', 'bad object header'), ('asn1 encoding routines', '', 'nested asn1 error'), ('PKCS12 routines', '', 'decode error'), ('SSL routines', '', 'PEM lib')]" which your regex doesn't match.

Could you send a follow-up PR fixing cheroot/test/test_ssl.py::test_openssl_adapter_with_false_key_password[too-long-password] — looks like the error is sometimes happening with passwords that are too long. Perhaps, encode the regex in parametrize() too, making the too-long-password param expect both error variations?
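
The per-case error patterns suggested in the review comment above, sketched as an added example (not code from the PR or from cheroot's test suite). The `wrong-password` case id, the constructed `bad decrypt` sample and the choice of `decode error` as the second accepted reason are assumptions; the long error text is the one quoted in the comment.

```python
import ast
import re

# Pattern from the test under review.
ORIGINAL_PATTERN = r'.+bad decrypt.+'

# Error text quoted in the review comment (flaky CI run).
FLAKY_RUN_ERROR = (
    "[('DECODER routines', '', 'unsupported'), "
    "('asn1 encoding routines', '', 'too long'), "
    "('asn1 encoding routines', '', 'bad object header'), "
    "('asn1 encoding routines', '', 'nested asn1 error'), "
    "('PKCS12 routines', '', 'decode error'), "
    "('SSL routines', '', 'PEM lib')]"
)
# Constructed sample of the variation the original pattern expects.
BAD_DECRYPT_ERROR = "[('constructed lib', '', 'bad decrypt')]"

# Case id -> reason strings accepted for that case. Only
# 'too-long-password' is named in the thread; the other id and the
# choice of 'decode error' are assumptions made for this example.
ACCEPTED_REASONS = {
    'wrong-password': ('bad decrypt',),
    'too-long-password': ('bad decrypt', 'decode error'),
}


def original_matches(error_text):
    """Apply the original pattern the way pytest.raises(match=...) does."""
    return re.search(ORIGINAL_PATTERN, error_text) is not None


def pattern_for(case_id):
    """Build the regex to pass as pytest.raises(match=...) for one case.

    Each reason is escaped and matched as the closing quoted field of a
    (lib, func, reason) tuple, not as a loose substring.
    """
    reasons = '|'.join(re.escape(r) for r in ACCEPTED_REASONS[case_id])
    return "'(?:" + reasons + ")'\\)"


def is_expected(case_id, error_text):
    """Mirror pytest.raises(match=...): re.search over str(exception)."""
    return re.search(pattern_for(case_id), error_text) is not None


def reasons_in(error_text):
    """Parse the error-queue text and return only the reason fields."""
    return [reason for _lib, _func, reason in ast.literal_eval(error_text)]
```

In a parametrized test, `pattern_for(case_id)` would be the value carried by each parameter and handed to `match=`.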

@webknjaz
Member

webknjaz commented Nov 3, 2025

@jatalahd I've released this under v11.1.0:


Though, one test got flaky and needs a follow-up: https://github.com/cherrypy/cheroot/pull/752/files#r2485127496.
Could you handle that, please?


Now, this allows sending a PR in the CherryPy repo per cherrypy/cherrypy#1583 (comment).
