From 7890f0d99929f0c2630486c7956448b1ae3d1843 Mon Sep 17 00:00:00 2001
From: Brian Haley
Date: Wed, 8 Jul 2020 15:19:52 -0400
Subject: [PATCH] Remove blacklist terminology in the Octavia tree

The configuration option tls_cipher_blacklist has been deprecated and replaced by tls_cipher_prohibit_list.

Change-Id: I6152838c697e12d19b27343e3a0714e55ca52d88
---
 etc/octavia.conf | 2 +-
 octavia/api/v2/controllers/listener.py | 12 ++++++------
 octavia/api/v2/controllers/pool.py | 12 ++++++------
 octavia/common/config.py | 5 +++--
 octavia/common/validate.py | 16 ++++++++--------
 octavia/tests/unit/common/test_validations.py | 9 +++++----
 .../improve-terminology-8ddacb4458c74d57.yaml | 9 +++++++++
 7 files changed, 38 insertions(+), 27 deletions(-)
 create mode 100644 releasenotes/notes/improve-terminology-8ddacb4458c74d57.yaml
diff --git a/etc/octavia.conf b/etc/octavia.conf
index 10229e02a8..ed49fbd0b0 100644
--- a/etc/octavia.conf
+++ b/etc/octavia.conf
@@ -70,7 +70,7 @@
 
 # Colon-separated list of disallowed ciphers. Ciphers specified here will not be
 # allowed on listeners, pools, or the default values for either.
-# tls_cipher_blacklist =
+# tls_cipher_prohibit_list =
 
 # List of default TLS versions to be used on new TLS-terminated
 # listeners. Available versions: SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
diff --git a/octavia/api/v2/controllers/listener.py b/octavia/api/v2/controllers/listener.py
index 66d186701b..bcfee80e79 100644
--- a/octavia/api/v2/controllers/listener.py
+++ b/octavia/api/v2/controllers/listener.py
@@ -224,13 +224,13 @@ class ListenersController(base.BaseController):
 "A client authentication CA reference is required to "
 "specify a client authentication revocation list."))
 
- # Check TLS cipher blacklist
+ # Check TLS cipher prohibit list
 if 'tls_ciphers' in listener_dict and listener_dict['tls_ciphers']:
- rejected_ciphers = validate.check_cipher_blacklist(
+ rejected_ciphers = validate.check_cipher_prohibit_list(
 listener_dict['tls_ciphers'])
 if rejected_ciphers:
 raise exceptions.ValidationException(detail=_(
- 'The following ciphers have been blacklisted by an '
+ 'The following ciphers have been prohibited by an '
 'administrator: ' + ', '.join(rejected_ciphers)))
 
 # Validate the TLS containers
@@ -491,13 +491,13 @@ class ListenersController(base.BaseController):
 self._validate_cidr_compatible_with_vip(
 vip_address, listener.allowed_cidrs)
 
- # Check TLS cipher blacklist
+ # Check TLS cipher prohibit list
 if listener.tls_ciphers:
- rejected_ciphers = validate.check_cipher_blacklist(
+ rejected_ciphers = validate.check_cipher_prohibit_list(
 listener.tls_ciphers)
 if rejected_ciphers:
 raise exceptions.ValidationException(detail=_(
- 'The following ciphers have been blacklisted by an '
+ 'The following ciphers have been prohibited by an '
 'administrator: ' + ', '.join(rejected_ciphers)))
 
 if listener.tls_versions is not wtypes.Unset:
diff --git a/octavia/api/v2/controllers/pool.py b/octavia/api/v2/controllers/pool.py
index f1544b6a97..102a0d1f0d 100644
--- a/octavia/api/v2/controllers/pool.py
+++ b/octavia/api/v2/controllers/pool.py
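Review bot: The block under `# Check TLS cipher prohibit list` is now the same five lines in four places — this hunk, the `@@ -491` hunk in the same file, and the two pool.py hunks (`@@ -122`, `@@ -396`) — each carrying its own copy of the `'The following ciphers have been prohibited by an administrator: '` message (the second pool.py copy even uses different quoting). Since the patch already edits all four, a single helper in validate that performs the check and raises the ValidationException, e.g. `validate.check_cipher_prohibit_list_or_raise(listener_dict['tls_ciphers'])`, would keep the message text and any future rename in one place. The enclosing controller methods start and end outside these hunks.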
@@ -122,13 +122,13 @@ class PoolsController(base.BaseController):
 pool_dict.get('ca_tls_certificate_id'),
 pool_dict.get('crl_container_id', None))
 
- # Check TLS cipher blacklist
+ # Check TLS cipher prohibit list
 if 'tls_ciphers' in pool_dict and pool_dict['tls_ciphers']:
- rejected_ciphers = validate.check_cipher_blacklist(
+ rejected_ciphers = validate.check_cipher_prohibit_list(
 pool_dict['tls_ciphers'])
 if rejected_ciphers:
 raise exceptions.ValidationException(detail=_(
- 'The following ciphers have been blacklisted by an '
+ 'The following ciphers have been prohibited by an '
 'administrator: ' + ', '.join(rejected_ciphers)))
 
 if pool_dict['tls_enabled']:
@@ -396,13 +396,13 @@ class PoolsController(base.BaseController):
 if ca_ref:
 self._validate_client_ca_and_crl_refs(ca_ref, crl_ref)
 
- # Check TLS cipher blacklist
+ # Check TLS cipher prohibit list
 if pool.tls_ciphers:
- rejected_ciphers = validate.check_cipher_blacklist(
+ rejected_ciphers = validate.check_cipher_prohibit_list(
 pool.tls_ciphers)
 if rejected_ciphers:
 raise exceptions.ValidationException(detail=_(
- "The following ciphers have been blacklisted by an "
+ "The following ciphers have been prohibited by an "
 "administrator: " + ', '.join(rejected_ciphers)))
 
 if pool.tls_versions is not wtypes.Unset:
diff --git a/octavia/common/config.py b/octavia/common/config.py
index 0f99b1ed30..7312f87e3e 100644
--- a/octavia/common/config.py
+++ b/octavia/common/config.py
@@ -113,7 +113,8 @@ api_opts = [
 default=constants.CIPHERS_OWASP_SUITE_B,
 help=_("Default OpenSSL cipher string (colon-separated) for "
 "new TLS-enabled pools.")),
- cfg.StrOpt('tls_cipher_blacklist', default='',
+ cfg.StrOpt('tls_cipher_prohibit_list', default='',
+ deprecated_name='tls_cipher_blacklist',
 help=_("Colon separated list of OpenSSL ciphers. "
 "Usage of these ciphers will be blocked.")),
 cfg.ListOpt('default_listener_tls_versions',
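Review bot: The new `cfg.StrOpt('tls_cipher_prohibit_list', ...)` in the config.py hunk records only the old name via `deprecated_name`; oslo.config also accepts `deprecated_reason` and `deprecated_since`, which feed the startup deprecation warning and the generated sample config so operators see why the key changed, e.g. `deprecated_reason=_('Renamed to use inclusive terminology.')`. The help text `"Usage of these ciphers will be blocked."` still does not say that the match is by exact cipher name against the listener and pool cipher strings, which is what `validate.check_cipher_prohibit_list` does elsewhere in this patch; one clause there would set the right expectation. The `api_opts` list starts and ends outside the hunk.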
@@ -857,7 +858,7 @@ def init(args, **kwargs):
 **kwargs)
 validate.check_default_tls_versions_min_conflict()
 setup_remote_debugger()
- validate.check_default_ciphers_blacklist_conflict()
+ validate.check_default_ciphers_prohibit_list_conflict()
 
 
 def setup_logging(conf):
diff --git a/octavia/common/validate.py b/octavia/common/validate.py
index 75fa1f1be9..c8361f4a67 100644
--- a/octavia/common/validate.py
+++ b/octavia/common/validate.py
@@ -435,29 +435,29 @@ def is_flavor_spares_compatible(flavor):
 return True
 
 
-def check_cipher_blacklist(cipherstring):
+def check_cipher_prohibit_list(cipherstring):
 ciphers = cipherstring.split(':')
- blacklist = CONF.api_settings.tls_cipher_blacklist.split(':')
+ prohibit_list = CONF.api_settings.tls_cipher_prohibit_list.split(':')
 rejected = []
 for cipher in ciphers:
- if cipher in blacklist:
+ if cipher in prohibit_list:
 rejected.append(cipher)
 return rejected
 
 
-def check_default_ciphers_blacklist_conflict():
- listener_rejected = check_cipher_blacklist(
+def check_default_ciphers_prohibit_list_conflict():
+ listener_rejected = check_cipher_prohibit_list(
 CONF.api_settings.default_listener_ciphers)
 if listener_rejected:
 raise exceptions.ValidationException(
- detail=_('Default listener ciphers conflict with blacklist. '
+ detail=_('Default listener ciphers conflict with prohibit list. '
 'Conflicting ciphers: ' + ', '.join(listener_rejected)))
 
- pool_rejected = check_cipher_blacklist(
+ pool_rejected = check_cipher_prohibit_list(
 CONF.api_settings.default_pool_ciphers)
 if pool_rejected:
 raise exceptions.ValidationException(
- detail=_('Default pool ciphers conflict with blacklist. '
+ detail=_('Default pool ciphers conflict with prohibit list. '
 'Conflicting ciphers: ' + ', '.join(pool_rejected)))
 
 
diff --git a/octavia/tests/unit/common/test_validations.py b/octavia/tests/unit/common/test_validations.py
index 7196b6d689..8063810622 100644
--- a/octavia/tests/unit/common/test_validations.py
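Review bot: `check_cipher_prohibit_list` in the validate.py hunk compares raw colon-split tokens, so with the option at its default `''` the prohibit list is `['']`, and any cipher string containing an empty element (a trailing or doubled colon) is reported as rejected with an empty cipher name. Dropping empty tokens and using a set fixes this and keeps the membership test cheap: `prohibit_list = {c for c in CONF.api_settings.tls_cipher_prohibit_list.split(':') if c}` and `return [c for c in ciphers if c in prohibit_list]`. The comparison is also literal-name only, so if a listener or pool cipher string relies on OpenSSL aliases or modifiers rather than naming each cipher, a prohibited cipher admitted that way is not caught here; a docstring stating that the check is an exact-name comparison against the configured list would keep operators from expecting more. Neither function in the hunk has a docstring, and `check_default_ciphers_prohibit_list_conflict` would benefit from one noting that it raises ValidationException at startup.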
+++ b/octavia/tests/unit/common/test_validations.py
@@ -461,15 +461,16 @@ class TestValidations(base.TestCase):
 self.assertFalse(
 validate.is_flavor_spares_compatible(not_compat_flavor))
 
- def test_check_default_ciphers_blacklist_conflict(self):
+ def test_check_default_ciphers_prohibit_list_conflict(self):
 self.conf.config(group='api_settings',
- tls_cipher_blacklist='PSK-AES128-CBC-SHA')
+ tls_cipher_prohibit_list='PSK-AES128-CBC-SHA')
 self.conf.config(group='api_settings',
 default_listener_ciphers='ECDHE-ECDSA-AES256-SHA:'
 'PSK-AES128-CBC-SHA:TLS_AES_256_GCM_SHA384')
 
- self.assertRaises(exceptions.ValidationException,
- validate.check_default_ciphers_blacklist_conflict)
+ self.assertRaises(
+ exceptions.ValidationException,
+ validate.check_default_ciphers_prohibit_list_conflict)
 
 def test_check_tls_version_list(self):
 # Test valid list
diff --git a/releasenotes/notes/improve-terminology-8ddacb4458c74d57.yaml b/releasenotes/notes/improve-terminology-8ddacb4458c74d57.yaml
new file mode 100644
index 0000000000..1a8b5e774c
--- /dev/null
+++ b/releasenotes/notes/improve-terminology-8ddacb4458c74d57.yaml
@@ -0,0 +1,9 @@
+---
+deprecations:
+ - |
+ Terminology such as ``blacklist`` has been replaced with more
+ inclusive words, such as ``prohibit list`` wherever possible.
+
+ The configuration option ``tls_cipher_blacklist`` has been deprecated
+ and replaced with ``tls_cipher_prohibit_list``. It will be removed in a
+ future release.
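Review bot: `test_check_default_ciphers_prohibit_list_conflict` only sets the new key `tls_cipher_prohibit_list`; nothing in the patch verifies that the `deprecated_name='tls_cipher_blacklist'` alias added in config.py still populates the new option, which is the path every operator with an existing octavia.conf will take after upgrading. A test that loads the old key (likely via a temporary config file rather than `self.conf.config`, which appears to take canonical option names) and asserts `validate.check_default_ciphers_prohibit_list_conflict` still raises would cover that compatibility path. A companion case with the option left at its default and a normal cipher string asserting no exception is raised would also pin the expected default. `TestValidations` continues outside the hunk.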