fix: interpret the ssl_check_hostname as a boolean (#2229)

* fix: interpret the ssl_check_hostname as a boolean * fix: interpret the ssl_check_hostname as a boolean, add an unittest * fix: interpret the ssl_check_hostname as a boolean, add an unittest, add a pre-commit pass. * ci: add an integration test, as required * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * ci: remove unused imported packages --------- Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> Co-authored-by: Asif Saif Uddin <auvipy@gmail.com>
celery · Feb 12, 2025 · 5d95b64 · 5d95b64
1 parent def208a
commit 5d95b64
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 1 deletion.
diff --git a/kombu/utils/url.py b/kombu/utils/url.py
@@ -39,7 +39,9 @@ def parse_url(url):
     if query:
         keys = [key for key in query.keys() if key.startswith('ssl_')]
         for key in keys:
-            if key == 'ssl_cert_reqs':
+            if key == "ssl_check_hostname":
+                query[key] = query[key].lower() != 'false'
+            elif key == 'ssl_cert_reqs':
                 query[key] = parse_ssl_cert_reqs(query[key])
                 if query[key] is None:
                     logger.warning('Defaulting to insecure SSL behaviour.')

diff --git a/t/integration/test_redis.py b/t/integration/test_redis.py
@@ -222,3 +222,24 @@ def connect_timeout(self):
         # note the host/port here is irrelevant because
         # connect will raise a socket.timeout
         kombu.Connection('redis://localhost:12345').connect()
+
+
+@pytest.mark.env('redis')
+def test_RedisConnection_check_hostname(monkeypatch):
+    # simulate a connection timeout for a new connection
+    def connect_check_certificate(self):
+        if self.check_hostname:
+            raise OSError("check_hostname=True")
+        raise socket.timeout("check_hostname=False")
+    monkeypatch.setattr(
+        redis.connection.SSLConnection, "_connect", connect_check_certificate)
+
+    # ensure the timeout raises a TimeoutError
+    with pytest.raises(redis.exceptions.TimeoutError):
+        # note the host/port here is irrelevant because
+        # connect will raise a socket.timeout, not a CertificateError
+        kombu.Connection('rediss://localhost:12345?ssl_check_hostname=false').connect()
+    with pytest.raises(redis.exceptions.ConnectionError):
+        # note the host/port here is irrelevant because
+        # connect will raise a CertificateError due to hostname mismatch
+        kombu.Connection('rediss://localhost:12345?ssl_check_hostname=true').connect()
diff --git a/t/unit/utils/test_url.py b/t/unit/utils/test_url.py
@@ -50,18 +50,27 @@ def test_maybe_sanitize_url(url, expected):
 
 def test_ssl_parameters():
     url = 'rediss://user:password@host:6379/0?'
+    querystring = urlencode({
+        "ssl_check_hostname": "on",
+    })
+    kwargs = parse_url(url + querystring)
+    assert kwargs['transport'] == 'rediss'
+    assert kwargs['ssl']['ssl_check_hostname'] is True
+
     querystring = urlencode({
         'ssl_cert_reqs': 'required',
         'ssl_ca_certs': '/var/ssl/myca.pem',
         'ssl_certfile': '/var/ssl/server-cert.pem',
         'ssl_keyfile': '/var/ssl/priv/worker-key.pem',
+        "ssl_check_hostname": "false",
     })
     kwargs = parse_url(url + querystring)
     assert kwargs['transport'] == 'rediss'
     assert kwargs['ssl']['ssl_cert_reqs'] == ssl.CERT_REQUIRED
     assert kwargs['ssl']['ssl_ca_certs'] == '/var/ssl/myca.pem'
     assert kwargs['ssl']['ssl_certfile'] == '/var/ssl/server-cert.pem'
     assert kwargs['ssl']['ssl_keyfile'] == '/var/ssl/priv/worker-key.pem'
+    assert kwargs['ssl']['ssl_check_hostname'] is False
 
     kombu.utils.url.ssl_available = False