# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""
Security (SSL) Settings

Usage:
    import libcloud.security
    libcloud.security.VERIFY_SSL_CERT = True

    # Optional: file with the PEM-encoded CA certificates to trust.
    libcloud.security.CA_CERTS_PATH = '/path/to/certfile'
"""
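import os
import ssl

__all__ = [
    'VERIFY_SSL_CERT',
    'SSL_VERSION',
    'CA_CERTS_PATH'
]

# Certificate verification is enabled by default. Setting this to False
# removes the check that the peer's certificate chains to a trusted CA, which
# is why this module carries a warning message for that case.
# NOTE(review): how consumers read this flag is not visible in this file.
VERIFY_SSL_CERT = True

# Protocol constant for TLS connections. PROTOCOL_TLS lets both peers
# negotiate the highest version they share; the previous value,
# PROTOCOL_TLSv1, pinned connections to TLS 1.0, which RFC 8996 deprecates.
# Runtimes whose ssl module lacks PROTOCOL_TLS keep the old constant.
# NOTE(review): the consumer of SSL_VERSION is not visible in this file;
# confirm it also enforces a minimum protocol version where that matters.
SSL_VERSION = getattr(ssl, 'PROTOCOL_TLS', None)
if SSL_VERSION is None:
    SSL_VERSION = ssl.PROTOCOL_TLSv1

# True to use certifi CA bundle path when certifi library is available.
# Only 'true' and '1' (any case, surrounding whitespace ignored) enable it;
# every other value of LIBCLOUD_SSL_USE_CERTIFI disables it. Unset means on.
USE_CERTIFI = os.environ.get('LIBCLOUD_SSL_USE_CERTIFI', 'true')
USE_CERTIFI = USE_CERTIFI.strip().lower() in ('true', '1')

# File containing one or more PEM-encoded CA certificates
# concatenated together.
CA_CERTS_PATH = None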
# Use the CA bundle shipped with certifi as the default trust store when the
# library can be imported and USE_CERTIFI has not switched it off. The set of
# trusted roots then follows whichever certifi release is installed.
try:
    import certifi
    has_certifi = True
except ImportError:
    has_certifi = False

if USE_CERTIFI and has_certifi:
    certifi_ca_bundle_path = certifi.where()
    CA_CERTS_PATH = certifi_ca_bundle_path
# SSL_CERT_FILE lets the operator name the CA bundle explicitly. When it is
# set, it becomes the only trust store: an earlier CA_CERTS_PATH value is
# overwritten so that verification never falls back to a potentially less
# restrictive bundle. Only the path's existence and file type are checked
# here, not its contents, so whoever controls the process environment
# controls the trust anchors.
environment_cert_file = os.environ.get('SSL_CERT_FILE')
if environment_cert_file is not None:
    if os.path.isfile(environment_cert_file):
        CA_CERTS_PATH = environment_cert_file
    elif os.path.exists(environment_cert_file):
        # Present on disk but not a regular file.
        raise ValueError('Certificate file can\'t be a directory')
    else:
        # Fail at import time rather than run with an unintended bundle.
        raise ValueError('Certificate file %s doesn\'t exist' %
                         (environment_cert_file))
# Message for the case where CA_CERTS_PATH yields no usable CA certificates.
CA_CERTS_UNAVAILABLE_ERROR_MSG = (
    'No CA Certificates were found in CA_CERTS_PATH. '
    'For information on how to get required certificate files, '
    'please visit '
    'https://libcloud.readthedocs.org/'
    'en/latest/other/ssl-certificate-validation.html'
)

# Warning text for running with certificate verification turned off.
VERIFY_SSL_DISABLED_MSG = (
    'SSL certificate verification is disabled, '
    'this can pose a security risk. '
    'For more information how to enable the SSL certificate '
    'verification, please visit the libcloud documentation.'
)