Use non-boolean enums for TLS mode. #816
Conversation
This allows us forward compatibility, so that once we introduce more complex TLS usage schemes, such as loading specific credentials, we won't break the API.
| @@ -51,6 +51,14 @@ class ProtocolVersion(Enum): | |||
| """ | |||
|
|
|||
|
|
|||
| class TlsMode(Enum): | |||
There was a problem hiding this comment.
I think the name is confusing, it sounds like TlsMode should hold 'Disabled'/'Enabled' options, so the Auto option sounds like it choose automatically if to disable or to enable TLS. Maybe we can add 'Disabled' entry that will be set by default.
There was a problem hiding this comment.
How would this enum be used if we would want to allow the user to pass his own certificates?
There was a problem hiding this comment.
we'd need to have an object to handle that. The core of this change is to change the value to not be a boolean. As long as we plan on supporting auto & enabled, in TS & Python we could add more object values on top.
There was a problem hiding this comment.
added "disabled" option to enum.
| @@ -51,6 +51,14 @@ class ProtocolVersion(Enum): | |||
| """ | |||
|
|
|||
|
|
|||
| class TlsMode(Enum): | |||
| """ | |||
| Enabled TLS mode, with automatic loading of certificates. | |||
There was a problem hiding this comment.
with automatic loading of certificates. = > with built-in set of CA certificates
There was a problem hiding this comment.
built-in into what?
In Python & TS adding more values / objects on top of existing values isn't an API break, so this isn't an issue for us ATM. |
So what is your suggestion? that we will have an TlsMode enum, and another object that will handle TLS certs? then we will need to handle scenarios where a user passed TlsMode=Disabled together with TLS certs. |
No, just keep using a union of values: tlsMode: "enabled" | "disabled" | {
certPaths: string[]
}class TlsCerts:
cert_paths: List[string]
[...]
tls_mode: Union[TlsMode, TlsCerts] |
There was a problem hiding this comment.
We talked about it yesterday - we need to think if the enum & objet union is the best way to represent TLS modes (or, for example, classes), and if we do go with the enum - we need to think of a better name for the Auto mode (as it sounds like the client chooses automatically to enable/disable tls based on the server)
| @@ -115,8 +128,8 @@ def __init__( | |||
| {address:sample-address-0001.use1.cache.amazonaws.com, port:6379}, | |||
| {address: sample-address-0002.use2.cache.amazonaws.com, port:6379} | |||
| ]. | |||
| use_tls (bool): True if communication with the cluster should use Transport Level Security. | |||
| Should match the TLS configuration of the server/cluster, otherwise the connection attempt will fail | |||
| tls_mode (TlsMode): `auto` if communication with the cluster should use Transport Level Security, with automatic loading of certificates. | |||
| @@ -178,7 +195,8 @@ class RedisClientConfiguration(BaseClientConfiguration): | |||
| {address:sample-address-0001.use1.cache.amazonaws.com, port:6379}, | |||
| {address: sample-address-0002.use2.cache.amazonaws.com, port:6379} | |||
| ]. | |||
| use_tls (bool): True if communication with the cluster should use Transport Level Security. | |||
| tls_mode (TlsMode): `auto` if communication with the cluster should use Transport Level Security, with automatic loading of certificates. | |||
There was a problem hiding this comment.
Same -'TlsMode.Auto', or 'Auto'
| @@ -197,7 +215,7 @@ class RedisClientConfiguration(BaseClientConfiguration): | |||
| def __init__( | |||
| self, | |||
| addresses: List[NodeAddress], | |||
| use_tls: bool = False, | |||
| tls_mode: Optional[TlsMode] = None, | |||
There was a problem hiding this comment.
Shouldn't be optional, but configured to TlsMode.Disabled by default
| @@ -248,7 +266,8 @@ class ClusterClientConfiguration(BaseClientConfiguration): | |||
| [ | |||
| {address:configuration-endpoint.use1.cache.amazonaws.com, port:6379} | |||
| ]. | |||
| use_tls (bool): True if communication with the cluster should use Transport Level Security. | |||
| tls_mode (TlsMode): `auto` if communication with the cluster should use Transport Level Security, with automatic loading of certificates. | |||
| @@ -266,7 +285,7 @@ class ClusterClientConfiguration(BaseClientConfiguration): | |||
| def __init__( | |||
| self, | |||
| addresses: List[NodeAddress], | |||
| use_tls: bool = False, | |||
| tls_mode: Optional[TlsMode] = None, | |||
| @@ -111,14 +112,14 @@ async def create_client( | |||
| protocol: ProtocolVersion = ProtocolVersion.RESP3, | |||
| ) -> Union[RedisClient, RedisClusterClient]: | |||
| # Create async socket client | |||
| use_tls = request.config.getoption("--tls") | |||
| tls_mode = TlsMode.Auto if request.config.getoption("--tls") else None | |||
|
|
||
|
|
||
| def test_default_client_config(): | ||
| config = BaseClientConfiguration([]) | ||
| assert len(config.addresses) == 0 | ||
| assert config.read_from.value == ProtobufReadFrom.Primary | ||
| assert config.use_tls is False | ||
| assert config.tls_mode is None |
There was a problem hiding this comment.
should be TlsMode.Disabled
This allows us forward compatibility, so that once we introduce more complex TLS usage schemes, such as loading specific credentials, we won't break the API.
Issue #, if available:
#786
Description of changes:
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.