Browse Source

Remove blacklist terminology in the Octavia tree

The configuration option tls_cipher_blacklist has been
deprecated and replaced by tls_cipher_prohibit_list.

Change-Id: I6152838c697e12d19b27343e3a0714e55ca52d88
changes/96/740096/1
Brian Haley 2 years ago
parent
commit
7890f0d999
  1. 2
      etc/octavia.conf
  2. 12
      octavia/api/v2/controllers/listener.py
  3. 12
      octavia/api/v2/controllers/pool.py
  4. 5
      octavia/common/config.py
  5. 16
      octavia/common/validate.py
  6. 9
      octavia/tests/unit/common/test_validations.py
  7. 9
      releasenotes/notes/improve-terminology-8ddacb4458c74d57.yaml

2
etc/octavia.conf

@ -70,7 +70,7 @@
# Colon-separated list of disallowed ciphers. Ciphers specified here will not be
# allowed on listeners, pools, or the default values for either.
# tls_cipher_blacklist =
# tls_cipher_prohibit_list =
# List of default TLS versions to be used on new TLS-terminated
# listeners. Available versions: SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3

12
octavia/api/v2/controllers/listener.py

@ -224,13 +224,13 @@ class ListenersController(base.BaseController):
"A client authentication CA reference is required to "
"specify a client authentication revocation list."))
# Check TLS cipher blacklist
# Check TLS cipher prohibit list
if 'tls_ciphers' in listener_dict and listener_dict['tls_ciphers']:
rejected_ciphers = validate.check_cipher_blacklist(
rejected_ciphers = validate.check_cipher_prohibit_list(
listener_dict['tls_ciphers'])
if rejected_ciphers:
raise exceptions.ValidationException(detail=_(
'The following ciphers have been blacklisted by an '
'The following ciphers have been prohibited by an '
'administrator: ' + ', '.join(rejected_ciphers)))
# Validate the TLS containers
@ -491,13 +491,13 @@ class ListenersController(base.BaseController):
self._validate_cidr_compatible_with_vip(
vip_address, listener.allowed_cidrs)
# Check TLS cipher blacklist
# Check TLS cipher prohibit list
if listener.tls_ciphers:
rejected_ciphers = validate.check_cipher_blacklist(
rejected_ciphers = validate.check_cipher_prohibit_list(
listener.tls_ciphers)
if rejected_ciphers:
raise exceptions.ValidationException(detail=_(
'The following ciphers have been blacklisted by an '
'The following ciphers have been prohibited by an '
'administrator: ' + ', '.join(rejected_ciphers)))
if listener.tls_versions is not wtypes.Unset:

12
octavia/api/v2/controllers/pool.py

@ -122,13 +122,13 @@ class PoolsController(base.BaseController):
pool_dict.get('ca_tls_certificate_id'),
pool_dict.get('crl_container_id', None))
# Check TLS cipher blacklist
# Check TLS cipher prohibit list
if 'tls_ciphers' in pool_dict and pool_dict['tls_ciphers']:
rejected_ciphers = validate.check_cipher_blacklist(
rejected_ciphers = validate.check_cipher_prohibit_list(
pool_dict['tls_ciphers'])
if rejected_ciphers:
raise exceptions.ValidationException(detail=_(
'The following ciphers have been blacklisted by an '
'The following ciphers have been prohibited by an '
'administrator: ' + ', '.join(rejected_ciphers)))
if pool_dict['tls_enabled']:
@ -396,13 +396,13 @@ class PoolsController(base.BaseController):
if ca_ref:
self._validate_client_ca_and_crl_refs(ca_ref, crl_ref)
# Check TLS cipher blacklist
# Check TLS cipher prohibit list
if pool.tls_ciphers:
rejected_ciphers = validate.check_cipher_blacklist(
rejected_ciphers = validate.check_cipher_prohibit_list(
pool.tls_ciphers)
if rejected_ciphers:
raise exceptions.ValidationException(detail=_(
"The following ciphers have been blacklisted by an "
"The following ciphers have been prohibited by an "
"administrator: " + ', '.join(rejected_ciphers)))
if pool.tls_versions is not wtypes.Unset:

5
octavia/common/config.py

@ -113,7 +113,8 @@ api_opts = [
default=constants.CIPHERS_OWASP_SUITE_B,
help=_("Default OpenSSL cipher string (colon-separated) for "
"new TLS-enabled pools.")),
cfg.StrOpt('tls_cipher_blacklist', default='',
cfg.StrOpt('tls_cipher_prohibit_list', default='',
deprecated_name='tls_cipher_blacklist',
help=_("Colon separated list of OpenSSL ciphers. "
"Usage of these ciphers will be blocked.")),
cfg.ListOpt('default_listener_tls_versions',
@ -857,7 +858,7 @@ def init(args, **kwargs):
**kwargs)
validate.check_default_tls_versions_min_conflict()
setup_remote_debugger()
validate.check_default_ciphers_blacklist_conflict()
validate.check_default_ciphers_prohibit_list_conflict()
def setup_logging(conf):

16
octavia/common/validate.py

@ -435,29 +435,29 @@ def is_flavor_spares_compatible(flavor):
return True
def check_cipher_blacklist(cipherstring):
def check_cipher_prohibit_list(cipherstring):
ciphers = cipherstring.split(':')
blacklist = CONF.api_settings.tls_cipher_blacklist.split(':')
prohibit_list = CONF.api_settings.tls_cipher_prohibit_list.split(':')
rejected = []
for cipher in ciphers:
if cipher in blacklist:
if cipher in prohibit_list:
rejected.append(cipher)
return rejected
def check_default_ciphers_blacklist_conflict():
listener_rejected = check_cipher_blacklist(
def check_default_ciphers_prohibit_list_conflict():
listener_rejected = check_cipher_prohibit_list(
CONF.api_settings.default_listener_ciphers)
if listener_rejected:
raise exceptions.ValidationException(
detail=_('Default listener ciphers conflict with blacklist. '
detail=_('Default listener ciphers conflict with prohibit list. '
'Conflicting ciphers: ' + ', '.join(listener_rejected)))
pool_rejected = check_cipher_blacklist(
pool_rejected = check_cipher_prohibit_list(
CONF.api_settings.default_pool_ciphers)
if pool_rejected:
raise exceptions.ValidationException(
detail=_('Default pool ciphers conflict with blacklist. '
detail=_('Default pool ciphers conflict with prohibit list. '
'Conflicting ciphers: ' + ', '.join(pool_rejected)))

9
octavia/tests/unit/common/test_validations.py

@ -461,15 +461,16 @@ class TestValidations(base.TestCase):
self.assertFalse(
validate.is_flavor_spares_compatible(not_compat_flavor))
def test_check_default_ciphers_blacklist_conflict(self):
def test_check_default_ciphers_prohibit_list_conflict(self):
self.conf.config(group='api_settings',
tls_cipher_blacklist='PSK-AES128-CBC-SHA')
tls_cipher_prohibit_list='PSK-AES128-CBC-SHA')
self.conf.config(group='api_settings',
default_listener_ciphers='ECDHE-ECDSA-AES256-SHA:'
'PSK-AES128-CBC-SHA:TLS_AES_256_GCM_SHA384')
self.assertRaises(exceptions.ValidationException,
validate.check_default_ciphers_blacklist_conflict)
self.assertRaises(
exceptions.ValidationException,
validate.check_default_ciphers_prohibit_list_conflict)
def test_check_tls_version_list(self):
# Test valid list

9
releasenotes/notes/improve-terminology-8ddacb4458c74d57.yaml

@ -0,0 +1,9 @@
---
deprecations:
- |
Terminology such as ``blacklist`` has been replaced with more
inclusive words, such as ``prohibit list`` wherever possible.
The configuration option ``tls_cipher_blacklist`` has been deprecated
and replaced with ``tls_cipher_prohibit_list``. It will be removed in a
future release.
Loading…
Cancel
Save