Support SSL encrypted connection to Tarantool EE

DifferentialOrange · DifferentialOrange · commit 2dbe12c596ac · 2022-08-22T10:44:34.000+03:00
This patch adds support for using SSL to encrypt the client-server communications [1]. The patch is based on a similar patch in tarantool/tarantool-python connector [2]. To use SSL encrypted connection, use Connection parameters: conn = asynctnt.Connection(host='127.0.0.1', port=3301, transport=asynctnt.Transport.SSL, ssl_key_file='./ssl/host.key', ssl_cert_file='./ssl/host.crt', ssl_ca_file='./ssl/ca.crt', ssl_ciphers='ECDHE-RSA-AES256-GCM-SHA384') If Tarantool server uses "ssl" transport, client connection also need to use asynctnt.Transport.SSL transport. If server side had ssl_ca_file set, ssl_key_file and ssl_cert_file are mandatory from the client side, otherwise optional. CA file and ciphers are optional. See available ciphers in Tarantool EE documentation [3]. 1. https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption 2. tarantool/tarantool-python#220 3. https://www.tarantool.io/en/enterprise_doc/security/#supported-ciphers Closes igorcoding#22
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## Unreleased
+**New features:**
+* Support SSL encrypted connection to Tarantool EE (closes [#22](https://github.com/igorcoding/asynctnt/issues/22))
+
 ## v2.0.1
 * Fixed an issue with encoding datetimes less than 01-01-1970 (fixes [#29](https://github.com/igorcoding/asynctnt/issues/29))
 * Fixed "Edit on Github" links in docs (fixes [#26](https://github.com/igorcoding/asynctnt/issues/26))
diff --git a/asynctnt/__init__.py b/asynctnt/__init__.py
@@ -1,3 +1,4 @@
+from .const import Transport
 from .connection import Connection, connect
 from .iproto.protocol import (
     Iterator, Response, TarantoolTuple, PushIterator,
diff --git a/asynctnt/connection.py b/asynctnt/connection.py
@@ -1,12 +1,14 @@
 import asyncio
 import enum
 import functools
+import ssl
 import os
 from typing import Optional, Union
 
 from .api import Api
+from .const import Transport
 from .exceptions import TarantoolDatabaseError, \
-    ErrorCode, TarantoolError
+    ErrorCode, TarantoolError, SSLError
 from .iproto import protocol
 from .log import logger
 from .stream import Stream
@@ -27,11 +29,13 @@ class ConnectionState(enum.IntEnum):
 
 class Connection(Api):
     __slots__ = (
-        '_host', '_port', '_username', '_password',
-        '_fetch_schema', '_auto_refetch_schema', '_initial_read_buffer_size',
-        '_encoding', '_connect_timeout', '_reconnect_timeout',
-        '_request_timeout', '_ping_timeout', '_loop', '_state', '_state_prev',
-        '_transport', '_protocol',
+        '_host', '_port', '_parameter_transport', '_ssl_key_file',
+        '_ssl_cert_file', '_ssl_ca_file', '_ssl_ciphers',
+        '_username', '_password', '_fetch_schema',
+        '_auto_refetch_schema', '_initial_read_buffer_size',
+        '_encoding', '_connect_timeout', '_ssl_handshake_timeout',
+        '_reconnect_timeout', '_request_timeout', '_ping_timeout',
+        '_loop', '_state', '_state_prev', '_transport', '_protocol',
         '_disconnect_waiter', '_reconnect_task',
         '_connect_lock', '_disconnect_lock',
         '_ping_task', '__create_task'
@@ -40,11 +44,17 @@ class Connection(Api):
     def __init__(self, *,
                  host: str = '127.0.0.1',
                  port: Union[int, str] = 3301,
+                 transport: Optional[Transport] = Transport.DEFAULT,
+                 ssl_key_file: Optional[str] = None,
+                 ssl_cert_file: Optional[str] = None,
+                 ssl_ca_file: Optional[str] = None,
+                 ssl_ciphers: Optional[str] = None,
                  username: Optional[str] = None,
                  password: Optional[str] = None,
                  fetch_schema: bool = True,
                  auto_refetch_schema: bool = True,
                  connect_timeout: float = 3.,
+                 ssl_handshake_timeout: float = 3.,
                  request_timeout: float = -1.,
                  reconnect_timeout: float = 1. / 3.,
                  ping_timeout: float = 5.,
@@ -78,6 +88,22 @@ def __init__(self, *,
             :param port:
                     Tarantool port
                     (pass ``/path/to/sockfile`` to connect ot unix socket)
+            :param transport:
+                    This parameter can be used to configure traffic encryption.
+                    Pass ``asynctnt.Transport.SSL`` value to enable SSL
+                    encryption (by default there is no encryption)
+            :param ssl_key_file:
+                    A path to a private SSL key file.
+                    Optional, mandatory if server uses CA file
+            :param ssl_cert_file:
+                    A path to an SSL certificate file.
+                    Optional, mandatory if server uses CA file
+            :param ssl_ca_file:
+                    A path to a trusted certificate authorities (CA) file.
+                    Optional
+            :param ssl_ciphers:
+                    A colon-separated (:) list of SSL cipher suites
+                    the connection can use. Optional
             :param username:
                     Username to use for auth
                     (if ``None`` you are connected as a guest)
@@ -93,6 +119,10 @@ def __init__(self, *,
                     be checked by Tarantool, so no errors will occur
             :param connect_timeout:
                     Time in seconds how long to wait for connecting to socket
+            :param ssl_handshake_timeout:
+                    Time in seconds to wait for the TLS handshake to complete
+                    before aborting the connection (used only for a TLS
+                    connection)
             :param request_timeout:
                     Request timeout (in seconds) for all requests
                     (by default there is no timeout)
@@ -116,6 +146,13 @@ def __init__(self, *,
         super().__init__()
         self._host = host
         self._port = port
+
+        self._parameter_transport = transport
+        self._ssl_key_file = ssl_key_file
+        self._ssl_cert_file = ssl_cert_file
+        self._ssl_ca_file = ssl_ca_file
+        self._ssl_ciphers = ssl_ciphers
+
         self._username = username
         self._password = password
         self._fetch_schema = False if fetch_schema is None else fetch_schema
@@ -131,6 +168,7 @@ def __init__(self, *,
         self._encoding = encoding or 'utf-8'
 
         self._connect_timeout = connect_timeout
+        self._ssl_handshake_timeout = ssl_handshake_timeout
         self._reconnect_timeout = reconnect_timeout or 0
         self._request_timeout = request_timeout
         self._ping_timeout = ping_timeout or 0
@@ -220,6 +258,54 @@ def protocol_factory(self,
                    on_connection_lost=self.connection_lost,
                    loop=self._loop)
 
+    def _create_ssl_context(self):
+        try:
+            if hasattr(ssl, 'TLSVersion'):
+                # Since python 3.7
+                context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+                # Reset to default OpenSSL values.
+                context.check_hostname = False
+                context.verify_mode = ssl.CERT_NONE
+                # Require TLSv1.2, because other protocol versions don't seem
+                # to support the GOST cipher.
+                context.minimum_version = ssl.TLSVersion.TLSv1_2
+                context.maximum_version = ssl.TLSVersion.TLSv1_2
+            else:
+                # Deprecated, but it works for python < 3.7
+                context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
+
+            if self._ssl_cert_file:
+                # If the password argument is not specified and a password is
+                # required, OpenSSL’s built-in password prompting mechanism
+                # will be used to interactively prompt the user for a password.
+                #
+                # We should disable this behaviour, because a python
+                # application that uses the connector unlikely assumes
+                # interaction with a human + a Tarantool implementation does
+                # not support this at least for now.
+                def password_raise_error():
+                    raise SSLError("a password for decrypting the private " +
+                                   "key is unsupported")
+                context.load_cert_chain(certfile=self._ssl_cert_file,
+                                        keyfile=self._ssl_key_file,
+                                        password=password_raise_error)
+
+            if self._ssl_ca_file:
+                context.load_verify_locations(cafile=self._ssl_ca_file)
+                context.verify_mode = ssl.CERT_REQUIRED
+                # A Tarantool implementation does not check hostname. We don't
+                # do that too. As a result we don't set here:
+                # context.check_hostname = True
+
+            if self._ssl_ciphers:
+                context.set_ciphers(self._ssl_ciphers)
+
+            return context
+        except SSLError as e:
+            raise
+        except Exception as e:
+            raise SSLError(e)
+
     async def _connect(self, return_exceptions: bool = True):
         if self._loop is None:
             self._loop = get_running_loop()
@@ -246,6 +332,12 @@ async def full_connect():
                         while True:
                             connected_fut = _create_future(self._loop)
 
+                            ssl_context = None
+                            ssl_handshake_timeout = None
+                            if self._parameter_transport == Transport.SSL:
+                                ssl_context = self._create_ssl_context()
+                                ssl_handshake_timeout = self._ssl_handshake_timeout
+
                             if self._host.startswith('unix/'):
                                 unix_path = self._port
                                 assert isinstance(unix_path, str), \
@@ -260,13 +352,16 @@ async def full_connect():
                                 conn = self._loop.create_unix_connection(
                                     functools.partial(self.protocol_factory,
                                                       connected_fut),
-                                    unix_path
-                                )
+                                    unix_path,
+                                    ssl=ssl_context,
+                                    ssl_handshake_timeout=ssl_handshake_timeout)
                             else:
                                 conn = self._loop.create_connection(
                                     functools.partial(self.protocol_factory,
                                                       connected_fut),
-                                    self._host, self._port)
+                                    self._host, self._port,
+                                    ssl=ssl_context,
+                                    ssl_handshake_timeout=ssl_handshake_timeout)
 
                             tr, pr = await conn
 
@@ -337,6 +432,8 @@ async def full_connect():
 
                     if return_exceptions:
                         self._reconnect_task = None
+                        if isinstance(e, ssl.SSLError):
+                            e = SSLError(e)
                         raise e
 
                     logger.exception(e)
diff --git a/asynctnt/const.py b/asynctnt/const.py
@@ -0,0 +1,5 @@
+import enum
+
+class Transport(enum.IntEnum):
+    DEFAULT = 1
+    SSL = 2
diff --git a/asynctnt/exceptions.py b/asynctnt/exceptions.py
@@ -42,6 +42,12 @@ class TarantoolNotConnectedError(TarantoolNetworkError):
     """
     pass
 
+class SSLError(TarantoolError):
+    """
+        Raised when something is wrong with encrypted connection
+    """
+    pass
+
 
 class ErrorCode(enum.IntEnum):
     """
diff --git a/docs/examples.md b/docs/examples.md
@@ -65,3 +65,32 @@ async def main():
 
 asyncio.run(main())
 ```
+
+## Connect with SSL encryption
+```python
+import asyncio
+import asynctnt
+
+
+async def main():
+    conn = asynctnt.Connection(host='127.0.0.1',
+                               port=3301,
+                               transport=asynctnt.Transport.SSL,
+                               ssl_key_file='./ssl/host.key',
+                               ssl_cert_file='./ssl/host.crt',
+                               ssl_ca_file='./ssl/ca.crt',
+                               ssl_ciphers='ECDHE-RSA-AES256-GCM-SHA384')
+    await conn.connect()
+
+    resp = await conn.ping()
+    print(resp)
+
+    await conn.disconnect()
+
+asyncio.run(main())
+```
+
+Stdout:
+```
+<Response sync=4 rowcount=0 data=None>
+```

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+from .const import Transport`
`1`	`2`	`from .connection import Connection, connect`
`2`	`3`	`from .iproto.protocol import (`
`3`	`4`	`Iterator, Response, TarantoolTuple, PushIterator,`