Merge "Fail if tls_enabled is True but backend does not support it"

oslo_cache/core.py

@@ -169,37 +169,49 @@ def _build_cache_config(conf):
         conf_dict['%s.arguments.%s' % (prefix, arg)] = value
 
     if conf.cache.tls_enabled:
-        _LOG.debug('Oslo Cache TLS - CA: %s', conf.cache.tls_cafile)
-        tls_context = ssl.create_default_context(cafile=conf.cache.tls_cafile)
+        if conf.cache.backend in ('dogpile.cache.bmemcache',
+                                  'dogpile.cache.pymemcache',
+                                  'oslo_cache.memcache_pool'):
+            _LOG.debug('Oslo Cache TLS - CA: %s', conf.cache.tls_cafile)
+            tls_context = ssl.create_default_context(
+                cafile=conf.cache.tls_cafile)
 
-        if conf.cache.enforce_fips_mode:
-            if hasattr(ssl, 'FIPS_mode'):
-                _LOG.info("Enforcing the use of the OpenSSL FIPS mode")
-                ssl.FIPS_mode_set(1)
-            else:
-                raise exception.ConfigurationError(
-                    "OpenSSL FIPS mode is not supported by your Python "
-                    "version. You must either change the Python executable "
-                    "used to a version with FIPS mode support or disable "
-                    "FIPS mode by setting the '[cache] enforce_fips_mode' "
-                    "configuration option to 'False'.")
+            if conf.cache.enforce_fips_mode:
+                if hasattr(ssl, 'FIPS_mode'):
+                    _LOG.info("Enforcing the use of the OpenSSL FIPS mode")
+                    ssl.FIPS_mode_set(1)
+                else:
+                    raise exception.ConfigurationError(
+                        "OpenSSL FIPS mode is not supported by your Python "
+                        "version. You must either change the Python "
+                        "executable used to a version with FIPS mode support "
+                        "or disable FIPS mode by setting "
+                        "the '[cache] enforce_fips_mode' configuration option "
+                        "to 'False'.")
 
-        if conf.cache.tls_certfile is not None:
-            _LOG.debug('Oslo Cache TLS - cert: %s', conf.cache.tls_certfile)
-            _LOG.debug('Oslo Cache TLS - key: %s', conf.cache.tls_keyfile)
-            tls_context.load_cert_chain(
-                conf.cache.tls_certfile,
-                conf.cache.tls_keyfile,
+            if conf.cache.tls_certfile is not None:
+                _LOG.debug('Oslo Cache TLS - cert: %s',
+                           conf.cache.tls_certfile)
+                _LOG.debug('Oslo Cache TLS - key: %s', conf.cache.tls_keyfile)
+                tls_context.load_cert_chain(
+                    conf.cache.tls_certfile,
+                    conf.cache.tls_keyfile,
+                )
+
+            if conf.cache.tls_allowed_ciphers is not None:
+                _LOG.debug(
+                    'Oslo Cache TLS - ciphers: %s',
+                    conf.cache.tls_allowed_ciphers,
+                )
+                tls_context.set_ciphers(conf.cache.tls_allowed_ciphers)
+
+            conf_dict['%s.arguments.tls_context' % prefix] = tls_context
+        else:
+            msg = _(
+                "TLS setting via [cache] tls_enabled is not supported by this "
+                "backend."
             )
-
-        if conf.cache.tls_allowed_ciphers is not None:
-            _LOG.debug(
-                'Oslo Cache TLS - ciphers: %s',
-                conf.cache.tls_allowed_ciphers,
-            )
-            tls_context.set_ciphers(conf.cache.tls_allowed_ciphers)
-
-        conf_dict['%s.arguments.tls_context' % prefix] = tls_context
+            raise exception.ConfigurationError(msg)
 
     # NOTE(hberaud): Pymemcache support socket keepalive, If it is enable in
     # our config then configure it to enable this feature.

oslo_cache/tests/unit/test_cache_basics.py

@@ -324,7 +324,7 @@ class CacheRegionTest(test_cache.BaseTestCase):
         self.config_fixture.config(group='cache',
                                    enabled=True,
                                    config_prefix='test_prefix',
-                                   backend='oslo_cache.dict',
+                                   backend='dogpile.cache.pymemcache',
                                    tls_enabled=True,
                                    enforce_fips_mode=True)
 
@@ -344,7 +344,7 @@ class CacheRegionTest(test_cache.BaseTestCase):
         self.config_fixture.config(group='cache',
                                    enabled=True,
                                    config_prefix='test_prefix',
-                                   backend='oslo_cache.dict',
+                                   backend='dogpile.cache.pymemcache',
                                    tls_enabled=True,
                                    enforce_fips_mode=True)
 
@@ -355,7 +355,21 @@ class CacheRegionTest(test_cache.BaseTestCase):
             # ensure that we hard fail.
             self.assertRaises(exception.ConfigurationError,
                               cache._build_cache_config,
-                              self.config_fixture.conf,)
+                              self.config_fixture.conf)
+
+    def test_cache_dictionary_config_builder_tls_enabled_unsupported(self):
+        """Validate the tls_enabled opiton is not supported.."""
+        self.config_fixture.config(group='cache',
+                                   enabled=True,
+                                   config_prefix='test_prefix',
+                                   backend='oslo_cache.dict',
+                                   tls_enabled=True)
+
+        with mock.patch.object(ssl, 'create_default_context'):
+            self.assertRaises(exception.ConfigurationError,
+                              cache._build_cache_config,
+                              self.config_fixture.conf)
+            ssl.create_default_context.assert_not_called()
 
     def test_cache_dictionary_config_builder_tls_enabled_with_config(self):
         """Validate the backend is reset to default if caching is disabled."""