Remove blacklist terminology in the Octavia tree

The configuration option tls_cipher_blacklist has been
deprecated and replaced by tls_cipher_prohibit_list.

Change-Id: I6152838c697e12d19b27343e3a0714e55ca52d88

etc/octavia.conf

@@ -70,7 +70,7 @@
 
 # Colon-separated list of disallowed ciphers. Ciphers specified here will not be
 # allowed on listeners, pools, or the default values for either.
-# tls_cipher_blacklist =
+# tls_cipher_prohibit_list =
 
 # List of default TLS versions to be used on new TLS-terminated
 # listeners.  Available versions: SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3

octavia/api/v2/controllers/listener.py

@@ -224,13 +224,13 @@ class ListenersController(base.BaseController):
                 "A client authentication CA reference is required to "
                 "specify a client authentication revocation list."))
 
-        # Check TLS cipher blacklist
+        # Check TLS cipher prohibit list
         if 'tls_ciphers' in listener_dict and listener_dict['tls_ciphers']:
-            rejected_ciphers = validate.check_cipher_blacklist(
+            rejected_ciphers = validate.check_cipher_prohibit_list(
                 listener_dict['tls_ciphers'])
             if rejected_ciphers:
                 raise exceptions.ValidationException(detail=_(
-                    'The following ciphers have been blacklisted by an '
+                    'The following ciphers have been prohibited by an '
                     'administrator: ' + ', '.join(rejected_ciphers)))
 
         # Validate the TLS containers
@@ -491,13 +491,13 @@ class ListenersController(base.BaseController):
             self._validate_cidr_compatible_with_vip(
                 vip_address, listener.allowed_cidrs)
 
-        # Check TLS cipher blacklist
+        # Check TLS cipher prohibit list
         if listener.tls_ciphers:
-            rejected_ciphers = validate.check_cipher_blacklist(
+            rejected_ciphers = validate.check_cipher_prohibit_list(
                 listener.tls_ciphers)
             if rejected_ciphers:
                 raise exceptions.ValidationException(detail=_(
-                    'The following ciphers have been blacklisted by an '
+                    'The following ciphers have been prohibited by an '
                     'administrator: ' + ', '.join(rejected_ciphers)))
 
         if listener.tls_versions is not wtypes.Unset:

octavia/api/v2/controllers/pool.py

@@ -122,13 +122,13 @@ class PoolsController(base.BaseController):
                 pool_dict.get('ca_tls_certificate_id'),
                 pool_dict.get('crl_container_id', None))
 
-        # Check TLS cipher blacklist
+        # Check TLS cipher prohibit list
         if 'tls_ciphers' in pool_dict and pool_dict['tls_ciphers']:
-            rejected_ciphers = validate.check_cipher_blacklist(
+            rejected_ciphers = validate.check_cipher_prohibit_list(
                 pool_dict['tls_ciphers'])
             if rejected_ciphers:
                 raise exceptions.ValidationException(detail=_(
-                    'The following ciphers have been blacklisted by an '
+                    'The following ciphers have been prohibited by an '
                     'administrator: ' + ', '.join(rejected_ciphers)))
 
         if pool_dict['tls_enabled']:
@@ -396,13 +396,13 @@ class PoolsController(base.BaseController):
         if ca_ref:
             self._validate_client_ca_and_crl_refs(ca_ref, crl_ref)
 
-        # Check TLS cipher blacklist
+        # Check TLS cipher prohibit list
         if pool.tls_ciphers:
-            rejected_ciphers = validate.check_cipher_blacklist(
+            rejected_ciphers = validate.check_cipher_prohibit_list(
                 pool.tls_ciphers)
             if rejected_ciphers:
                 raise exceptions.ValidationException(detail=_(
-                    "The following ciphers have been blacklisted by an "
+                    "The following ciphers have been prohibited by an "
                     "administrator: " + ', '.join(rejected_ciphers)))
 
         if pool.tls_versions is not wtypes.Unset:

octavia/common/config.py

@@ -113,7 +113,8 @@ api_opts = [
                default=constants.CIPHERS_OWASP_SUITE_B,
                help=_("Default OpenSSL cipher string (colon-separated) for "
                       "new TLS-enabled pools.")),
-    cfg.StrOpt('tls_cipher_blacklist', default='',
+    cfg.StrOpt('tls_cipher_prohibit_list', default='',
+               deprecated_name='tls_cipher_blacklist',
                help=_("Colon separated list of OpenSSL ciphers. "
                       "Usage of these ciphers will be blocked.")),
     cfg.ListOpt('default_listener_tls_versions',
@@ -857,7 +858,7 @@ def init(args, **kwargs):
              **kwargs)
     validate.check_default_tls_versions_min_conflict()
     setup_remote_debugger()
-    validate.check_default_ciphers_blacklist_conflict()
+    validate.check_default_ciphers_prohibit_list_conflict()
 
 
 def setup_logging(conf):

octavia/common/validate.py

@@ -435,29 +435,29 @@ def is_flavor_spares_compatible(flavor):
     return True
 
 
-def check_cipher_blacklist(cipherstring):
+def check_cipher_prohibit_list(cipherstring):
     ciphers = cipherstring.split(':')
-    blacklist = CONF.api_settings.tls_cipher_blacklist.split(':')
+    prohibit_list = CONF.api_settings.tls_cipher_prohibit_list.split(':')
     rejected = []
     for cipher in ciphers:
-        if cipher in blacklist:
+        if cipher in prohibit_list:
             rejected.append(cipher)
     return rejected
 
 
-def check_default_ciphers_blacklist_conflict():
-    listener_rejected = check_cipher_blacklist(
+def check_default_ciphers_prohibit_list_conflict():
+    listener_rejected = check_cipher_prohibit_list(
         CONF.api_settings.default_listener_ciphers)
     if listener_rejected:
         raise exceptions.ValidationException(
-            detail=_('Default listener ciphers conflict with blacklist. '
+            detail=_('Default listener ciphers conflict with prohibit list. '
                      'Conflicting ciphers: ' + ', '.join(listener_rejected)))
 
-    pool_rejected = check_cipher_blacklist(
+    pool_rejected = check_cipher_prohibit_list(
         CONF.api_settings.default_pool_ciphers)
     if pool_rejected:
         raise exceptions.ValidationException(
-            detail=_('Default pool ciphers conflict with blacklist. '
+            detail=_('Default pool ciphers conflict with prohibit list. '
                      'Conflicting ciphers: ' + ', '.join(pool_rejected)))
 
 

octavia/tests/unit/common/test_validations.py

@@ -461,15 +461,16 @@ class TestValidations(base.TestCase):
         self.assertFalse(
             validate.is_flavor_spares_compatible(not_compat_flavor))
 
-    def test_check_default_ciphers_blacklist_conflict(self):
+    def test_check_default_ciphers_prohibit_list_conflict(self):
         self.conf.config(group='api_settings',
-                         tls_cipher_blacklist='PSK-AES128-CBC-SHA')
+                         tls_cipher_prohibit_list='PSK-AES128-CBC-SHA')
         self.conf.config(group='api_settings',
                          default_listener_ciphers='ECDHE-ECDSA-AES256-SHA:'
                          'PSK-AES128-CBC-SHA:TLS_AES_256_GCM_SHA384')
 
-        self.assertRaises(exceptions.ValidationException,
-                          validate.check_default_ciphers_blacklist_conflict)
+        self.assertRaises(
+            exceptions.ValidationException,
+            validate.check_default_ciphers_prohibit_list_conflict)
 
     def test_check_tls_version_list(self):
         # Test valid list

releasenotes/notes/improve-terminology-8ddacb4458c74d57.yaml

@@ -0,0 +1,9 @@
+---
+deprecations:
+  - |
+    Terminology such as ``blacklist`` has been replaced with more
+    inclusive words, such as ``prohibit list`` wherever possible.
+
+    The configuration option ``tls_cipher_blacklist`` has been deprecated
+    and replaced with ``tls_cipher_prohibit_list``. It will be removed in a
+    future release.