
Deprecate old SSL config options instead of removing them #656


Merged
merged 1 commit into from
Feb 8, 2022
2 changes: 1 addition & 1 deletion CHANGELOG.md
Expand Up @@ -12,7 +12,7 @@
Use `ResultSummary.server.agent`, `ResultSummary.server.protocol_version`,
or call the `dbms.components` procedure instead.
- SSL configuration options have been changed:
- `trust` has been removed.
- `trust` has been deprecated and will be removed in a future release.
Use `trusted_certificates` instead which expects `None` or a `list`. See the
API documentation for more details.
- `neo4j.time` module:
35 changes: 35 additions & 0 deletions docs/source/api.rst
Expand Up @@ -164,6 +164,7 @@ Additional configuration can be provided via the :class:`neo4j.Driver` construct
+ :ref:`max-connection-pool-size-ref`
+ :ref:`max-transaction-retry-time-ref`
+ :ref:`resolver-ref`
+ :ref:`trust-ref`
+ :ref:`ssl-context-ref`
+ :ref:`trusted-certificates-ref`
+ :ref:`user-agent-ref`
Expand Down Expand Up @@ -276,6 +277,36 @@ For example:
:Default: :const:`None`


.. _trust-ref:

``trust``
---------
Specify how to determine the authenticity of encryption certificates provided by the Neo4j instance on connection.

This setting does not have any effect if ``encrypted`` is set to ``False``.

:Type: ``neo4j.TRUST_SYSTEM_CA_SIGNED_CERTIFICATES``, ``neo4j.TRUST_ALL_CERTIFICATES``

.. py:attribute:: neo4j.TRUST_ALL_CERTIFICATES

Trust any server certificate (default). This ensures that communication
is encrypted but does not verify the server certificate against a
certificate authority. This option is primarily intended for use with
the default auto-generated server certificate.

.. py:attribute:: neo4j.TRUST_SYSTEM_CA_SIGNED_CERTIFICATES

Trust server certificates that can be verified against the system
certificate authority. This option is primarily intended for use with
full certificates.

:Default: ``neo4j.TRUST_SYSTEM_CA_SIGNED_CERTIFICATES``.

.. deprecated:: 5.0
This configuration option is deprecated and will be removed in a future
release. Please use :ref:`trusted-certificates-ref` instead.


.. _ssl-context-ref:

``ssl_context``
Expand All @@ -287,6 +318,8 @@ If give, ``encrypted`` and ``trusted_certificates`` have no effect.
:Type: :class:`ssl.SSLContext` or :const:`None`
:Default: :const:`None`

.. versionadded:: 5.0


.. _trusted-certificates-ref:

Expand Down Expand Up @@ -317,6 +350,8 @@ custom ``ssl_context`` is configured.

:Default: :const:`None`

.. versionadded:: 5.0


.. _user-agent-ref:

4 changes: 4 additions & 0 deletions neo4j/__init__.py
Expand Up @@ -54,6 +54,8 @@
"SessionConfig",
"SummaryCounters",
"Transaction",
"TRUST_ALL_CERTIFICATES",
"TRUST_SYSTEM_CA_SIGNED_CERTIFICATES",
"unit_of_work",
"Version",
"WorkspaceConfig",
Expand Down Expand Up @@ -105,6 +107,8 @@
READ_ACCESS,
ServerInfo,
SYSTEM_DATABASE,
TRUST_ALL_CERTIFICATES,
TRUST_SYSTEM_CA_SIGNED_CERTIFICATES,
Version,
WRITE_ACCESS,
)
59 changes: 45 additions & 14 deletions neo4j/_async/driver.py
Expand Up @@ -20,7 +20,11 @@

from .._async_compat.util import AsyncUtil
from ..addressing import Address
from ..api import READ_ACCESS
from ..api import (
READ_ACCESS,
TRUST_ALL_CERTIFICATES,
TRUST_SYSTEM_CA_SIGNED_CERTIFICATES,
)
from ..conf import (
Config,
PoolConfig,
Expand Down Expand Up @@ -71,20 +75,47 @@ def driver(cls, uri, *, auth=None, **config):

driver_type, security_type, parsed = parse_neo4j_uri(uri)

if security_type in [SECURITY_TYPE_SELF_SIGNED_CERTIFICATE, SECURITY_TYPE_SECURE] and ("encrypted" in config.keys() or "trusted_certificates" in config.keys()):
# TODO: 6.0 remove "trust" config option
if "trust" in config.keys():
if config["trust"] not in (TRUST_ALL_CERTIFICATES,
TRUST_SYSTEM_CA_SIGNED_CERTIFICATES):
from neo4j.exceptions import ConfigurationError
raise ConfigurationError(
"The config setting `trust` values are {!r}"
.format(
[
TRUST_ALL_CERTIFICATES,
TRUST_SYSTEM_CA_SIGNED_CERTIFICATES,
]
)
)

if (security_type in [SECURITY_TYPE_SELF_SIGNED_CERTIFICATE, SECURITY_TYPE_SECURE]
and ("encrypted" in config.keys()
or "trust" in config.keys()
or "trusted_certificates" in config.keys()
or "ssl_context" in config.keys())):
from neo4j.exceptions import ConfigurationError
raise ConfigurationError("The config settings 'encrypted' and 'trust' can only be used with the URI schemes {!r}. Use the other URI schemes {!r} for setting encryption settings.".format(
[
URI_SCHEME_BOLT,
URI_SCHEME_NEO4J,
],
[
URI_SCHEME_BOLT_SELF_SIGNED_CERTIFICATE,
URI_SCHEME_BOLT_SECURE,
URI_SCHEME_NEO4J_SELF_SIGNED_CERTIFICATE,
URI_SCHEME_NEO4J_SECURE,
]
))

# TODO: 6.0 remove "trust" from error message
raise ConfigurationError(
'The config settings "encrypted", "trust", '
'"trusted_certificates", and "ssl_context" can only be used '
"with the URI schemes {!r}. Use the other URI schemes {!r} "
"for setting encryption settings."
.format(
[
URI_SCHEME_BOLT,
URI_SCHEME_NEO4J,
],
[
URI_SCHEME_BOLT_SELF_SIGNED_CERTIFICATE,
URI_SCHEME_BOLT_SECURE,
URI_SCHEME_NEO4J_SELF_SIGNED_CERTIFICATE,
URI_SCHEME_NEO4J_SECURE,
]
)
)

if security_type == SECURITY_TYPE_SECURE:
config["encrypted"] = True
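Review bot: The new `trust` block at the top of the hunk only checks that the value is one of the two constants; it does not reject `trust` being passed together with `trusted_certificates` or `ssl_context`, so which setting wins is left undecided in the visible code, and `TRUST_ALL_CERTIFICATES` is documented in this same PR as skipping CA verification, which makes a silent precedence security relevant unless it is resolved further down in `driver()` (the function starts before this hunk and continues past it). Rejecting the combination explicitly would pin the contract: `if "trust" in config and ("trusted_certificates" in config or "ssl_context" in config):` followed by `raise ConfigurationError('"trust" cannot be combined with "trusted_certificates" or "ssl_context"')`. The hunk also emits no `DeprecationWarning` when `trust` is present, although docs/source/api.rst marks the option `.. deprecated:: 5.0`; if no warning is raised elsewhere, one belongs next to the value check. Minor style: `"trust" in config` reads better than `"trust" in config.keys()`, and the message `"The config setting `trust` values are {!r}"` would be clearer as `"The config setting `trust` must be one of {!r}"`. The identical block in neo4j/_sync/driver.py has the same gaps.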
59 changes: 45 additions & 14 deletions neo4j/_sync/driver.py
Expand Up @@ -20,7 +20,11 @@

from .._async_compat.util import Util
from ..addressing import Address
from ..api import READ_ACCESS
from ..api import (
READ_ACCESS,
TRUST_ALL_CERTIFICATES,
TRUST_SYSTEM_CA_SIGNED_CERTIFICATES,
)
from ..conf import (
Config,
PoolConfig,
Expand Down Expand Up @@ -71,20 +75,47 @@ def driver(cls, uri, *, auth=None, **config):

driver_type, security_type, parsed = parse_neo4j_uri(uri)

if security_type in [SECURITY_TYPE_SELF_SIGNED_CERTIFICATE, SECURITY_TYPE_SECURE] and ("encrypted" in config.keys() or "trusted_certificates" in config.keys()):
# TODO: 6.0 remove "trust" config option
if "trust" in config.keys():
if config["trust"] not in (TRUST_ALL_CERTIFICATES,
TRUST_SYSTEM_CA_SIGNED_CERTIFICATES):
from neo4j.exceptions import ConfigurationError
raise ConfigurationError(
"The config setting `trust` values are {!r}"
.format(
[
TRUST_ALL_CERTIFICATES,
TRUST_SYSTEM_CA_SIGNED_CERTIFICATES,
]
)
)

if (security_type in [SECURITY_TYPE_SELF_SIGNED_CERTIFICATE, SECURITY_TYPE_SECURE]
and ("encrypted" in config.keys()
or "trust" in config.keys()
or "trusted_certificates" in config.keys()
or "ssl_context" in config.keys())):
from neo4j.exceptions import ConfigurationError
raise ConfigurationError("The config settings 'encrypted' and 'trust' can only be used with the URI schemes {!r}. Use the other URI schemes {!r} for setting encryption settings.".format(
[
URI_SCHEME_BOLT,
URI_SCHEME_NEO4J,
],
[
URI_SCHEME_BOLT_SELF_SIGNED_CERTIFICATE,
URI_SCHEME_BOLT_SECURE,
URI_SCHEME_NEO4J_SELF_SIGNED_CERTIFICATE,
URI_SCHEME_NEO4J_SECURE,
]
))

# TODO: 6.0 remove "trust" from error message
raise ConfigurationError(
'The config settings "encrypted", "trust", '
'"trusted_certificates", and "ssl_context" can only be used '
"with the URI schemes {!r}. Use the other URI schemes {!r} "
"for setting encryption settings."
.format(
[
URI_SCHEME_BOLT,
URI_SCHEME_NEO4J,
],
[
URI_SCHEME_BOLT_SELF_SIGNED_CERTIFICATE,
URI_SCHEME_BOLT_SECURE,
URI_SCHEME_NEO4J_SELF_SIGNED_CERTIFICATE,
URI_SCHEME_NEO4J_SECURE,
]
)
)

if security_type == SECURITY_TYPE_SECURE:
config["encrypted"] = True
4 changes: 4 additions & 0 deletions neo4j/api.py
Expand Up @@ -48,6 +48,10 @@

URI_SCHEME_BOLT_ROUTING = "bolt+routing"

# TODO: 6.0 - remove TRUST constants
TRUST_SYSTEM_CA_SIGNED_CERTIFICATES = "TRUST_SYSTEM_CA_SIGNED_CERTIFICATES" # Default
TRUST_ALL_CERTIFICATES = "TRUST_ALL_CERTIFICATES"

SYSTEM_DATABASE = "system"
DEFAULT_DATABASE = None # Must be a non string hashable value
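Review bot: The bare `# Default` tag on `TRUST_SYSTEM_CA_SIGNED_CERTIFICATES` disagrees with docs/source/api.rst added in this same PR, where the `TRUST_ALL_CERTIFICATES` entry reads "Trust any server certificate (default)" while the `:Default:` field below it names `TRUST_SYSTEM_CA_SIGNED_CERTIFICATES`. Which one is the effective default matters, since the doc text itself says the all-certificates mode does not verify the server certificate against a certificate authority. I would state the intent in code and fix the one doc line that contradicts it, e.g. `# Default for the deprecated "trust" option (see docs/source/api.rst); TRUST_ALL_CERTIFICATES skips CA verification`. Whether the runtime default is actually applied with this constant is not visible in this diff.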
