Fixes SSL params

Signed-off-by: Elena Kolevska <elena@kolevska.com>

Author: elena-kolevska

.env.example

@@ -6,10 +6,17 @@ REDIS_DB=0
 REDIS_CLUSTER=false
 REDIS_CLUSTER_NODES=
 REDIS_SSL=false
+REDIS_SSL_KEYFILE=
+REDIS_SSL_CERTFILE=
 REDIS_SSL_CERT_REQS=required
 REDIS_SSL_CA_CERTS=
-REDIS_SSL_CERTFILE=
-REDIS_SSL_KEYFILE=
+REDIS_SSL_CA_PATH=
+REDIS_SSL_CA_DATA=
+REDIS_SSL_CHECK_HOSTNAME=true
+REDIS_SSL_PASSWORD=
+REDIS_SSL_VALIDATE_OCSP=false
+REDIS_SSL_VALIDATE_OCSP_STAPLED=false
+REDIS_SSL_CIPHERS=
 REDIS_RELAXED_TIMEOUT=
 REDIS_SOCKET_TIMEOUT=5.0
 REDIS_SOCKET_CONNECT_TIMEOUT=5.0

cli.py

@@ -119,10 +119,17 @@ def describe_profile(profile_name):
 @click.option('--cluster', is_flag=True, default=lambda: get_env_or_default('REDIS_CLUSTER', False, bool), help='Use Redis Cluster mode')
 @click.option('--cluster-nodes', default=lambda: get_env_or_default('REDIS_CLUSTER_NODES', None), help='Comma-separated list of cluster nodes (host:port)')
 @click.option('--ssl', is_flag=True, default=lambda: get_env_or_default('REDIS_SSL', False, bool), help='Use SSL/TLS connection')
+@click.option('--ssl-keyfile', default=lambda: get_env_or_default('REDIS_SSL_KEYFILE', None), help='Path to client private key file')
+@click.option('--ssl-certfile', default=lambda: get_env_or_default('REDIS_SSL_CERTFILE', None), help='Path to client certificate file')
 @click.option('--ssl-cert-reqs', default=lambda: get_env_or_default('REDIS_SSL_CERT_REQS', 'required'), type=click.Choice(['none', 'optional', 'required']), help='SSL certificate requirements')
 @click.option('--ssl-ca-certs', default=lambda: get_env_or_default('REDIS_SSL_CA_CERTS', None), help='Path to CA certificates file')
-@click.option('--ssl-certfile', default=lambda: get_env_or_default('REDIS_SSL_CERTFILE', None), help='Path to client certificate file')
-@click.option('--ssl-keyfile', default=lambda: get_env_or_default('REDIS_SSL_KEYFILE', None), help='Path to client private key file')
+@click.option('--ssl-ca-path', default=lambda: get_env_or_default('REDIS_SSL_CA_PATH', None), help='Path to directory containing CA certificates')
+@click.option('--ssl-ca-data', default=lambda: get_env_or_default('REDIS_SSL_CA_DATA', None), help='CA certificate data as string')
+@click.option('--ssl-check-hostname', is_flag=True, default=lambda: get_env_or_default('REDIS_SSL_CHECK_HOSTNAME', True, bool), help='Check SSL hostname')
+@click.option('--ssl-password', default=lambda: get_env_or_default('REDIS_SSL_PASSWORD', None), help='Password for SSL private key')
+@click.option('--ssl-validate-ocsp', is_flag=True, default=lambda: get_env_or_default('REDIS_SSL_VALIDATE_OCSP', False, bool), help='Validate OCSP')
+@click.option('--ssl-validate-ocsp-stapled', is_flag=True, default=lambda: get_env_or_default('REDIS_SSL_VALIDATE_OCSP_STAPLED', False, bool), help='Validate OCSP stapled')
+@click.option('--ssl-ciphers', default=lambda: get_env_or_default('REDIS_SSL_CIPHERS', None), help='SSL cipher suite')
 @click.option('--socket-timeout', type=float, default=lambda: get_env_or_default('REDIS_SOCKET_TIMEOUT', None), help='Socket timeout in seconds')
 @click.option('--socket-connect-timeout', type=float, default=lambda: get_env_or_default('REDIS_SOCKET_CONNECT_TIMEOUT', None), help='Socket connect timeout in seconds')
 @click.option('--max-connections', type=int, default=lambda: get_env_or_default('REDIS_MAX_CONNECTIONS', 50, int), help='Maximum connections per client')
@@ -286,10 +293,17 @@ def _build_config_from_args(kwargs) -> RunnerConfig:
         cluster_mode=kwargs['cluster'],
         cluster_nodes=cluster_nodes,
         ssl=kwargs['ssl'],
+        ssl_keyfile=kwargs['ssl_keyfile'],
+        ssl_certfile=kwargs['ssl_certfile'],
         ssl_cert_reqs=kwargs['ssl_cert_reqs'],
         ssl_ca_certs=kwargs['ssl_ca_certs'],
-        ssl_certfile=kwargs['ssl_certfile'],
-        ssl_keyfile=kwargs['ssl_keyfile'],
+        ssl_ca_path=kwargs['ssl_ca_path'],
+        ssl_ca_data=kwargs['ssl_ca_data'],
+        ssl_check_hostname=kwargs['ssl_check_hostname'],
+        ssl_password=kwargs['ssl_password'],
+        ssl_validate_ocsp=kwargs['ssl_validate_ocsp'],
+        ssl_validate_ocsp_stapled=kwargs['ssl_validate_ocsp_stapled'],
+        ssl_ciphers=kwargs['ssl_ciphers'],
         socket_timeout=kwargs['socket_timeout'],
         socket_connect_timeout=kwargs['socket_connect_timeout'],
         max_connections=kwargs['max_connections'],

config.py

@@ -2,7 +2,7 @@
 Configuration management for Redis test application.
 """
 from dataclasses import dataclass, field
-from typing import Dict, List, Optional, Any
+from typing import Dict, List, Optional, Any, Union
 import yaml
 import json
 import importlib.metadata
@@ -90,10 +90,20 @@ class RedisConnectionConfig:
 
     # TLS configuration
     ssl: bool = False
-    ssl_cert_reqs: str = "required"
-    ssl_ca_certs: Optional[str] = None
-    ssl_certfile: Optional[str] = None
     ssl_keyfile: Optional[str] = None
+    ssl_certfile: Optional[str] = None
+    ssl_cert_reqs: Union[str, int] = "required"  # Can be "required", "optional", "none" or ssl.VerifyMode
+    ssl_ca_certs: Optional[str] = None
+    ssl_ca_path: Optional[str] = None
+    ssl_ca_data: Optional[str] = None
+    ssl_check_hostname: bool = True
+    ssl_password: Optional[str] = None
+    ssl_validate_ocsp: bool = False
+    ssl_validate_ocsp_stapled: bool = False
+    ssl_ocsp_context: Optional[Any] = None  # OpenSSL.SSL.Context
+    ssl_ocsp_expected_cert: Optional[str] = None
+    ssl_min_version: Optional[Any] = None  # ssl.TLSVersion
+    ssl_ciphers: Optional[str] = None
 
     # Connection settings
     socket_timeout: Optional[float] = None

redis_client.py

@@ -11,7 +11,7 @@
 from redis.exceptions import (
     ConnectionError, TimeoutError, ClusterDownError
 )
-import ssl
+
 
 from config import RedisConnectionConfig
 from logger import get_logger
@@ -58,26 +58,39 @@ def _build_pool_kwargs(self) -> Dict[str, Any]:
 
         # Add SSL configuration if enabled
         if self.config.ssl:
-            ssl_context = ssl.create_default_context()
-            
-            if self.config.ssl_cert_reqs == "none":
-                ssl_context.check_hostname = False
-                ssl_context.verify_mode = ssl.CERT_NONE
-            elif self.config.ssl_cert_reqs == "optional":
-                ssl_context.verify_mode = ssl.CERT_OPTIONAL
-            else:
-                ssl_context.verify_mode = ssl.CERT_REQUIRED
-            
-            if self.config.ssl_ca_certs:
-                ssl_context.load_verify_locations(self.config.ssl_ca_certs)
-            
-            if self.config.ssl_certfile and self.config.ssl_keyfile:
-                ssl_context.load_cert_chain(self.config.ssl_certfile, self.config.ssl_keyfile)
-            
-            kwargs.update({
-                'ssl': True,
-                'ssl_context': ssl_context
-            })
+            ssl_kwargs = {'ssl': True}
+
+            # Add SSL parameters directly as redis-py expects them
+            if self.config.ssl_keyfile is not None:
+                ssl_kwargs['ssl_keyfile'] = self.config.ssl_keyfile
+            if self.config.ssl_certfile is not None:
+                ssl_kwargs['ssl_certfile'] = self.config.ssl_certfile
+            if self.config.ssl_cert_reqs is not None:
+                ssl_kwargs['ssl_cert_reqs'] = self.config.ssl_cert_reqs
+            if self.config.ssl_ca_certs is not None:
+                ssl_kwargs['ssl_ca_certs'] = self.config.ssl_ca_certs
+            if self.config.ssl_ca_path is not None:
+                ssl_kwargs['ssl_ca_path'] = self.config.ssl_ca_path
+            if self.config.ssl_ca_data is not None:
+                ssl_kwargs['ssl_ca_data'] = self.config.ssl_ca_data
+            if self.config.ssl_check_hostname is not None:
+                ssl_kwargs['ssl_check_hostname'] = self.config.ssl_check_hostname
+            if self.config.ssl_password is not None:
+                ssl_kwargs['ssl_password'] = self.config.ssl_password
+            if self.config.ssl_validate_ocsp is not None:
+                ssl_kwargs['ssl_validate_ocsp'] = self.config.ssl_validate_ocsp
+            if self.config.ssl_validate_ocsp_stapled is not None:
+                ssl_kwargs['ssl_validate_ocsp_stapled'] = self.config.ssl_validate_ocsp_stapled
+            if self.config.ssl_ocsp_context is not None:
+                ssl_kwargs['ssl_ocsp_context'] = self.config.ssl_ocsp_context
+            if self.config.ssl_ocsp_expected_cert is not None:
+                ssl_kwargs['ssl_ocsp_expected_cert'] = self.config.ssl_ocsp_expected_cert
+            if self.config.ssl_min_version is not None:
+                ssl_kwargs['ssl_min_version'] = self.config.ssl_min_version
+            if self.config.ssl_ciphers is not None:
+                ssl_kwargs['ssl_ciphers'] = self.config.ssl_ciphers
+
+            kwargs.update(ssl_kwargs)
 
         return kwargs
 
@@ -110,6 +123,8 @@ def _connect_standalone(self):
         """Connect to standalone Redis instance."""
         start_time = time.time()
 
+        print("\n\n\n ------- Pool kwargs:", {**self._pool_kwargs})
+
         if self.config.maintenance_notifications_enabled:
             # Build maintenance events config, only passing relaxed_timeouts if not None
             maintenance_config_kwargs = {"enabled": self.config.maintenance_notifications_enabled}
@@ -126,7 +141,6 @@ def _connect_standalone(self):
                 **self._pool_kwargs
             )
         else:
-            print("\n\n\n self._pool_kwargs", self._pool_kwargs)
             self._client = redis.Redis(
                 host=self.config.host,
                 port=self.config.port,