New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use non-boolean enums for TLS mode. #816
base: main
Are you sure you want to change the base?
Conversation
This allows us forward compatibility, so that once we introduce more complex TLS usage schemes, such as loading specific credentials, we won't break the API.
@@ -51,6 +51,14 @@ class ProtocolVersion(Enum): | |||
""" | |||
|
|||
|
|||
class TlsMode(Enum): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the name is confusing, it sounds like TlsMode should hold 'Disabled'/'Enabled' options, so the Auto option sounds like it choose automatically if to disable or to enable TLS. Maybe we can add 'Disabled' entry that will be set by default.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How would this enum be used if we would want to allow the user to pass his own certificates?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we'd need to have an object to handle that. The core of this change is to change the value to not be a boolean. As long as we plan on supporting auto & enabled, in TS & Python we could add more object values on top.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
added "disabled" option to enum.
@@ -51,6 +51,14 @@ class ProtocolVersion(Enum): | |||
""" | |||
|
|||
|
|||
class TlsMode(Enum): | |||
""" | |||
Enabled TLS mode, with automatic loading of certificates. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
with automatic loading of certificates. = > with built-in set of CA certificates
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
built-in into what?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To what rustls is using
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We need to think how to create a TLS mode that can be used with passing client auth certificates / CA certificate, so we won't need to break the API again
In Python & TS adding more values / objects on top of existing values isn't an API break, so this isn't an issue for us ATM. |
So what is your suggestion? that we will have an TlsMode enum, and another object that will handle TLS certs? then we will need to handle scenarios where a user passed TlsMode=Disabled together with TLS certs. |
No, just keep using a union of values: tlsMode: "enabled" | "disabled" | {
certPaths: string[]
} class TlsCerts:
cert_paths: List[string]
[...]
tls_mode: Union[TlsMode, TlsCerts] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We talked about it yesterday - we need to think if the enum & objet union is the best way to represent TLS modes (or, for example, classes), and if we do go with the enum - we need to think of a better name for the Auto mode (as it sounds like the client chooses automatically to enable/disable tls based on the server)
@@ -115,8 +128,8 @@ def __init__( | |||
{address:sample-address-0001.use1.cache.amazonaws.com, port:6379}, | |||
{address: sample-address-0002.use2.cache.amazonaws.com, port:6379} | |||
]. | |||
use_tls (bool): True if communication with the cluster should use Transport Level Security. | |||
Should match the TLS configuration of the server/cluster, otherwise the connection attempt will fail | |||
tls_mode (TlsMode): `auto` if communication with the cluster should use Transport Level Security, with automatic loading of certificates. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
'auto' => 'TlsMode.Auto'
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Or 'Auto'
@@ -178,7 +195,8 @@ class RedisClientConfiguration(BaseClientConfiguration): | |||
{address:sample-address-0001.use1.cache.amazonaws.com, port:6379}, | |||
{address: sample-address-0002.use2.cache.amazonaws.com, port:6379} | |||
]. | |||
use_tls (bool): True if communication with the cluster should use Transport Level Security. | |||
tls_mode (TlsMode): `auto` if communication with the cluster should use Transport Level Security, with automatic loading of certificates. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same -'TlsMode.Auto', or 'Auto'
@@ -197,7 +215,7 @@ class RedisClientConfiguration(BaseClientConfiguration): | |||
def __init__( | |||
self, | |||
addresses: List[NodeAddress], | |||
use_tls: bool = False, | |||
tls_mode: Optional[TlsMode] = None, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't be optional, but configured to TlsMode.Disabled by default
@@ -248,7 +266,8 @@ class ClusterClientConfiguration(BaseClientConfiguration): | |||
[ | |||
{address:configuration-endpoint.use1.cache.amazonaws.com, port:6379} | |||
]. | |||
use_tls (bool): True if communication with the cluster should use Transport Level Security. | |||
tls_mode (TlsMode): `auto` if communication with the cluster should use Transport Level Security, with automatic loading of certificates. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same 'auto'
@@ -266,7 +285,7 @@ class ClusterClientConfiguration(BaseClientConfiguration): | |||
def __init__( | |||
self, | |||
addresses: List[NodeAddress], | |||
use_tls: bool = False, | |||
tls_mode: Optional[TlsMode] = None, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same
@@ -111,14 +112,14 @@ async def create_client( | |||
protocol: ProtocolVersion = ProtocolVersion.RESP3, | |||
) -> Union[RedisClient, RedisClusterClient]: | |||
# Create async socket client | |||
use_tls = request.config.getoption("--tls") | |||
tls_mode = TlsMode.Auto if request.config.getoption("--tls") else None |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
else TlsMode.Disabled
|
||
|
||
def test_default_client_config(): | ||
config = BaseClientConfiguration([]) | ||
assert len(config.addresses) == 0 | ||
assert config.read_from.value == ProtobufReadFrom.Primary | ||
assert config.use_tls is False | ||
assert config.tls_mode is None |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should be TlsMode.Disabled
This allows us forward compatibility, so that once we introduce more complex TLS usage schemes, such as loading specific credentials, we won't break the API.
Issue #, if available:
#786
Description of changes:
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.