)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"4d54c0e83f45361aac5beb163a96fb9a06d7a4fd","unresolved":false,"context_lines":[{"line_number":13,"context_line":"console proxy to be configured in nova\u0027s config."},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"We utilize websockify underneath our console proxies, which added"},{"line_number":16,"context_line":"support for allowed ciphers to be configurable as of version 0.9.0."},{"line_number":17,"context_line":"This change updates the lower constraint for this dependency."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Change-Id: I23ac1cc79482d0fabb359486a4b934463854cae5"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"7faddb67_98adf7eb","line":16,"range":{"start_line":16,"start_character":61,"end_line":16,"end_character":66},"updated":"2019-08-30 19:42:47.000000000","message":"ack: https://github.com/novnc/websockify/commit/51ad14d16c81a68c804cf094760a3fc3f32131a5","commit_id":"4bad47f585d0dedb51120c1f3a0e97a05e5ac508"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"4d54c0e83f45361aac5beb163a96fb9a06d7a4fd","unresolved":false,"context_lines":[{"line_number":15,"context_line":"We utilize websockify underneath our console proxies, which added"},{"line_number":16,"context_line":"support for allowed ciphers to be configurable as of version 0.9.0."},{"line_number":17,"context_line":"This change updates the lower constraint for this dependency."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Change-Id: I23ac1cc79482d0fabb359486a4b934463854cae5"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"7faddb67_f86f4bc1","line":18,"updated":"2019-08-30 19:42:47.000000000","message":"Is there a bug associated with this?","commit_id":"4bad47f585d0dedb51120c1f3a0e97a05e5ac508"},{"author":{"_account_id":9098,"name":"Nathan Kinder","email":"nkinder@redhat.com","username":"nkinder"},"change_message_id":"ec6dc78d2411a42ee59035849449c4c7af6fcb27","unresolved":false,"context_lines":[{"line_number":15,"context_line":"We utilize websockify underneath our console proxies, which added"},{"line_number":16,"context_line":"support for allowed ciphers to be configurable as of version 0.9.0."},{"line_number":17,"context_line":"This change updates the lower constraint for this dependency."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Change-Id: I23ac1cc79482d0fabb359486a4b934463854cae5"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"7faddb67_cb495432","line":18,"in_reply_to":"7faddb67_d8084f81","updated":"2019-08-30 23:55:32.000000000","message":"Done","commit_id":"4bad47f585d0dedb51120c1f3a0e97a05e5ac508"},{"author":{"_account_id":9098,"name":"Nathan Kinder","email":"nkinder@redhat.com","username":"nkinder"},"change_message_id":"67e6ee5a1ccc538079fffdb4f4d876ca340f2abd","unresolved":false,"context_lines":[{"line_number":15,"context_line":"We utilize websockify underneath our console proxies, which added"},{"line_number":16,"context_line":"support for allowed ciphers to be configurable as of version 0.9.0."},{"line_number":17,"context_line":"This change updates the lower constraint for this dependency."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Change-Id: I23ac1cc79482d0fabb359486a4b934463854cae5"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"7faddb67_d8084f81","line":18,"in_reply_to":"7faddb67_f86f4bc1","updated":"2019-08-30 20:28:50.000000000","message":"Not yet.  I will file one and update the commit message to refer to it.","commit_id":"4bad47f585d0dedb51120c1f3a0e97a05e5ac508"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"e393e0d2e3e677621a3f2a5e86270c06c4f07ed6","unresolved":false,"context_lines":[{"line_number":18,"context_line":"configurable as of version 0.9.0.  This change updates the lower"},{"line_number":19,"context_line":"constraint for this dependency."},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"Closes-Bug: #1842149"},{"line_number":22,"context_line":"Change-Id: I23ac1cc79482d0fabb359486a4b934463854cae5"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":4,"id":"7faddb67_a4941e45","line":21,"updated":"2019-09-04 06:58:26.000000000","message":"Note that https://bugs.launchpad.net/nova/+bug/1771773 is also related.","commit_id":"5e3b8fa294321387f1d6c1525bc404b314941b01"},{"author":{"_account_id":9098,"name":"Nathan Kinder","email":"nkinder@redhat.com","username":"nkinder"},"change_message_id":"3c2d063ea03807c4c5bb6d151aa564220f1c18d2","unresolved":false,"context_lines":[{"line_number":18,"context_line":"configurable as of version 0.9.0.  This change updates the lower"},{"line_number":19,"context_line":"constraint for this dependency."},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"Closes-Bug: #1842149"},{"line_number":22,"context_line":"Change-Id: I23ac1cc79482d0fabb359486a4b934463854cae5"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":4,"id":"7faddb67_218ecad0","line":21,"in_reply_to":"7faddb67_a4941e45","updated":"2019-09-04 23:34:13.000000000","message":"Done","commit_id":"5e3b8fa294321387f1d6c1525bc404b314941b01"}],"doc/source/admin/remote-console-access.rst":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"183d607976be9da8bc3e588b964c3baa34d0b755","unresolved":false,"context_lines":[{"line_number":554,"context_line":""},{"line_number":555,"context_line":"- :oslo.config:option:`daemon`"},{"line_number":556,"context_line":"- :oslo.config:option:`ssl_only`"},{"line_number":557,"context_line":"- :oslo.config:option:`ssl_ciphers`"},{"line_number":558,"context_line":"- :oslo.config:option:`ssl_minimum_version`"},{"line_number":559,"context_line":"- :oslo.config:option:`source_is_ipv6`"},{"line_number":560,"context_line":"- :oslo.config:option:`cert`"},{"line_number":561,"context_line":"- :oslo.config:option:`key`"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_0109ef29","line":558,"range":{"start_line":557,"start_character":0,"end_line":558,"end_character":43},"updated":"2019-12-18 12:05:15.000000000","message":"I\u0027m pretty sure this is incorrect and the rest of these are incorrect also. xvpxnvproxy is its own special thing that doesn\u0027t use most of the tooling used by the websocketproxy-based consoles, and we\u0027re dropping it this cycle. Can you drop this piece?","commit_id":"7472a93df3545fd71aca411bf2dfeae019f7628f"},{"author":{"_account_id":9098,"name":"Nathan Kinder","email":"nkinder@redhat.com","username":"nkinder"},"change_message_id":"fbebe00a76c797c4f558b4d448ee5a3ad2d0e4df","unresolved":false,"context_lines":[{"line_number":554,"context_line":""},{"line_number":555,"context_line":"- :oslo.config:option:`daemon`"},{"line_number":556,"context_line":"- :oslo.config:option:`ssl_only`"},{"line_number":557,"context_line":"- :oslo.config:option:`ssl_ciphers`"},{"line_number":558,"context_line":"- :oslo.config:option:`ssl_minimum_version`"},{"line_number":559,"context_line":"- :oslo.config:option:`source_is_ipv6`"},{"line_number":560,"context_line":"- :oslo.config:option:`cert`"},{"line_number":561,"context_line":"- :oslo.config:option:`key`"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_412b67e9","line":558,"range":{"start_line":557,"start_character":0,"end_line":558,"end_character":43},"in_reply_to":"3fa7e38b_0109ef29","updated":"2019-12-18 13:01:23.000000000","message":"Done.  Thanks for the review!","commit_id":"7472a93df3545fd71aca411bf2dfeae019f7628f"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"1cc184ca365d3da5321b82fa6c2ae42d4461f5aa","unresolved":false,"context_lines":[{"line_number":553,"context_line":"The :program:`nova-xvpvncproxy` service accepts the following options."},{"line_number":554,"context_line":""},{"line_number":555,"context_line":"- :oslo.config:option:`daemon`"},{"line_number":556,"context_line":"- :oslo.config:option:`ssl_only`"},{"line_number":557,"context_line":"- :oslo.config:option:`source_is_ipv6`"},{"line_number":558,"context_line":"- :oslo.config:option:`cert`"},{"line_number":559,"context_line":"- :oslo.config:option:`key`"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_6cb6938c","line":556,"updated":"2019-12-18 18:01:30.000000000","message":"OK I guess this one isn\u0027t updated because Stephen is removing it in Ussuri:\n\nhttps://review.opendev.org/#/c/687909/","commit_id":"8dcc07813b9c833166c93048233772e100fd65df"},{"author":{"_account_id":9098,"name":"Nathan Kinder","email":"nkinder@redhat.com","username":"nkinder"},"change_message_id":"a63046d5e70725af3ed643a5f0c9280304f951d6","unresolved":false,"context_lines":[{"line_number":553,"context_line":"The :program:`nova-xvpvncproxy` service accepts the following options."},{"line_number":554,"context_line":""},{"line_number":555,"context_line":"- :oslo.config:option:`daemon`"},{"line_number":556,"context_line":"- :oslo.config:option:`ssl_only`"},{"line_number":557,"context_line":"- :oslo.config:option:`source_is_ipv6`"},{"line_number":558,"context_line":"- :oslo.config:option:`cert`"},{"line_number":559,"context_line":"- :oslo.config:option:`key`"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_f2f818c2","line":556,"in_reply_to":"3fa7e38b_6cb6938c","updated":"2019-12-18 18:43:30.000000000","message":"Correct.","commit_id":"8dcc07813b9c833166c93048233772e100fd65df"}],"lower-constraints.txt":[{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"4d54c0e83f45361aac5beb163a96fb9a06d7a4fd","unresolved":false,"context_lines":[{"line_number":167,"context_line":"voluptuous\u003d\u003d0.11.1"},{"line_number":168,"context_line":"warlock\u003d\u003d1.2.0"},{"line_number":169,"context_line":"WebOb\u003d\u003d1.8.2"},{"line_number":170,"context_line":"websockify\u003d\u003d0.9.0"},{"line_number":171,"context_line":"wrapt\u003d\u003d1.10.11"},{"line_number":172,"context_line":"wsgi-intercept\u003d\u003d1.7.0"},{"line_number":173,"context_line":"zVMCloudConnector\u003d\u003d1.3.0"}],"source_content_type":"text/plain","patch_set":1,"id":"7faddb67_d86a8fb3","line":170,"updated":"2019-08-30 19:42:47.000000000","message":"You should also update requirements.txt:\n\nhttps://github.com/openstack/nova/blob/master/requirements.txt#L36","commit_id":"4bad47f585d0dedb51120c1f3a0e97a05e5ac508"},{"author":{"_account_id":9098,"name":"Nathan Kinder","email":"nkinder@redhat.com","username":"nkinder"},"change_message_id":"ec6dc78d2411a42ee59035849449c4c7af6fcb27","unresolved":false,"context_lines":[{"line_number":167,"context_line":"voluptuous\u003d\u003d0.11.1"},{"line_number":168,"context_line":"warlock\u003d\u003d1.2.0"},{"line_number":169,"context_line":"WebOb\u003d\u003d1.8.2"},{"line_number":170,"context_line":"websockify\u003d\u003d0.9.0"},{"line_number":171,"context_line":"wrapt\u003d\u003d1.10.11"},{"line_number":172,"context_line":"wsgi-intercept\u003d\u003d1.7.0"},{"line_number":173,"context_line":"zVMCloudConnector\u003d\u003d1.3.0"}],"source_content_type":"text/plain","patch_set":1,"id":"7faddb67_eb469021","line":170,"in_reply_to":"7faddb67_187827f6","updated":"2019-08-30 23:55:32.000000000","message":"Done","commit_id":"4bad47f585d0dedb51120c1f3a0e97a05e5ac508"},{"author":{"_account_id":9098,"name":"Nathan Kinder","email":"nkinder@redhat.com","username":"nkinder"},"change_message_id":"67e6ee5a1ccc538079fffdb4f4d876ca340f2abd","unresolved":false,"context_lines":[{"line_number":167,"context_line":"voluptuous\u003d\u003d0.11.1"},{"line_number":168,"context_line":"warlock\u003d\u003d1.2.0"},{"line_number":169,"context_line":"WebOb\u003d\u003d1.8.2"},{"line_number":170,"context_line":"websockify\u003d\u003d0.9.0"},{"line_number":171,"context_line":"wrapt\u003d\u003d1.10.11"},{"line_number":172,"context_line":"wsgi-intercept\u003d\u003d1.7.0"},{"line_number":173,"context_line":"zVMCloudConnector\u003d\u003d1.3.0"}],"source_content_type":"text/plain","patch_set":1,"id":"7faddb67_187827f6","line":170,"in_reply_to":"7faddb67_d86a8fb3","updated":"2019-08-30 20:28:50.000000000","message":"Ack.  Will update this in the next revision.","commit_id":"4bad47f585d0dedb51120c1f3a0e97a05e5ac508"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"db22e9913a7a7a6b507940732f3e3f7c16e24469","unresolved":false,"context_lines":[{"line_number":166,"context_line":"voluptuous\u003d\u003d0.11.1"},{"line_number":167,"context_line":"warlock\u003d\u003d1.2.0"},{"line_number":168,"context_line":"WebOb\u003d\u003d1.8.2"},{"line_number":169,"context_line":"websockify\u003d\u003d0.9.0"},{"line_number":170,"context_line":"wrapt\u003d\u003d1.10.11"},{"line_number":171,"context_line":"wsgi-intercept\u003d\u003d1.7.0"},{"line_number":172,"context_line":"zVMCloudConnector\u003d\u003d1.3.0"}],"source_content_type":"text/plain","patch_set":12,"id":"3fa7e38b_ca142a9c","line":169,"updated":"2020-02-21 21:59:24.000000000","message":"You don\u0027t need this change anymore since:\n\nhttps://review.opendev.org/705654\n\nmerged earlier today (sorry). You might have to rebase because of it.","commit_id":"08bdcdb5b6866c2b6bf084344cca4dd07b960133"}],"nova/cmd/baseproxy.py":[{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"4d54c0e83f45361aac5beb163a96fb9a06d7a4fd","unresolved":false,"context_lines":[{"line_number":72,"context_line":"        cert\u003dCONF.cert,"},{"line_number":73,"context_line":"        key\u003dCONF.key,"},{"line_number":74,"context_line":"        ssl_only\u003dCONF.ssl_only,"},{"line_number":75,"context_line":"        ssl_ciphers\u003dCONF.ssl_ciphers,"},{"line_number":76,"context_line":"        daemon\u003dCONF.daemon,"},{"line_number":77,"context_line":"        record\u003dCONF.record,"},{"line_number":78,"context_line":"        traffic\u003dnot CONF.daemon,"}],"source_content_type":"text/x-python","patch_set":1,"id":"7faddb67_d8092fdc","line":75,"updated":"2019-08-30 19:42:47.000000000","message":"You don\u0027t have any test coverage for this.","commit_id":"4bad47f585d0dedb51120c1f3a0e97a05e5ac508"},{"author":{"_account_id":9098,"name":"Nathan Kinder","email":"nkinder@redhat.com","username":"nkinder"},"change_message_id":"67e6ee5a1ccc538079fffdb4f4d876ca340f2abd","unresolved":false,"context_lines":[{"line_number":72,"context_line":"        cert\u003dCONF.cert,"},{"line_number":73,"context_line":"        key\u003dCONF.key,"},{"line_number":74,"context_line":"        ssl_only\u003dCONF.ssl_only,"},{"line_number":75,"context_line":"        ssl_ciphers\u003dCONF.ssl_ciphers,"},{"line_number":76,"context_line":"        daemon\u003dCONF.daemon,"},{"line_number":77,"context_line":"        record\u003dCONF.record,"},{"line_number":78,"context_line":"        traffic\u003dnot CONF.daemon,"}],"source_content_type":"text/x-python","patch_set":1,"id":"7faddb67_736e1c2d","line":75,"in_reply_to":"7faddb67_d8092fdc","updated":"2019-08-30 20:28:50.000000000","message":"I am not really familiar with the tests in this area.  Do you have any suggestions or pointers as to what you think would be appropriate to add here as a test?","commit_id":"4bad47f585d0dedb51120c1f3a0e97a05e5ac508"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"1cc184ca365d3da5321b82fa6c2ae42d4461f5aa","unresolved":false,"context_lines":[{"line_number":72,"context_line":"        cert\u003dCONF.cert,"},{"line_number":73,"context_line":"        key\u003dCONF.key,"},{"line_number":74,"context_line":"        ssl_only\u003dCONF.ssl_only,"},{"line_number":75,"context_line":"        ssl_ciphers\u003dCONF.ssl_ciphers,"},{"line_number":76,"context_line":"        ssl_minimum_version\u003dCONF.ssl_minimum_version,"},{"line_number":77,"context_line":"        daemon\u003dCONF.daemon,"},{"line_number":78,"context_line":"        record\u003dCONF.record,"}],"source_content_type":"text/x-python","patch_set":9,"id":"3fa7e38b_ac4a4b7f","line":75,"updated":"2019-12-18 18:01:30.000000000","message":"Why not put these under the [console] group rather than [DEFAULT]?\n\nhttps://docs.openstack.org/nova/latest/configuration/config.html#console\n\nI know that ssl_only and record and other options are in DEFAULT but it really seems like we should group these elsewhere and if [console] is the place to do that, then putting the new options there so we don\u0027t have to move them later would be ideal.","commit_id":"8dcc07813b9c833166c93048233772e100fd65df"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"76985bc9b0dbd09f186d9af08b72d2d36a481e32","unresolved":false,"context_lines":[{"line_number":72,"context_line":"        cert\u003dCONF.cert,"},{"line_number":73,"context_line":"        key\u003dCONF.key,"},{"line_number":74,"context_line":"        ssl_only\u003dCONF.ssl_only,"},{"line_number":75,"context_line":"        ssl_ciphers\u003dCONF.ssl_ciphers,"},{"line_number":76,"context_line":"        ssl_minimum_version\u003dCONF.ssl_minimum_version,"},{"line_number":77,"context_line":"        daemon\u003dCONF.daemon,"},{"line_number":78,"context_line":"        record\u003dCONF.record,"}],"source_content_type":"text/x-python","patch_set":9,"id":"3fa7e38b_f6b53af1","line":75,"in_reply_to":"3fa7e38b_ac4a4b7f","updated":"2020-02-11 17:04:11.000000000","message":"This seems reasonable to me.  I\u0027ve moved the new config options into `[console]`.","commit_id":"8dcc07813b9c833166c93048233772e100fd65df"}],"nova/conf/console.py":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"3da6f8248609c4598c6aee370f6eb2adc546655d","unresolved":false,"context_lines":[{"line_number":42,"context_line":"* A list where each element is an allowed origin hostnames, else an empty list"},{"line_number":43,"context_line":"\"\"\"),"},{"line_number":44,"context_line":"    cfg.StrOpt(\u0027ssl_ciphers\u0027,"},{"line_number":45,"context_line":"               help\u003d\"\"\""},{"line_number":46,"context_line":"OpenSSL cipher preference string that specifies what ciphers to allow for TLS"},{"line_number":47,"context_line":"connections from clients.  For example::"},{"line_number":48,"context_line":""}],"source_content_type":"text/x-python","patch_set":12,"id":"1fa4df85_8c66a651","line":45,"range":{"start_line":45,"start_character":8,"end_line":45,"end_character":15},"updated":"2020-02-24 09:58:12.000000000","message":"nit: can you drop this?","commit_id":"08bdcdb5b6866c2b6bf084344cca4dd07b960133"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"3da6f8248609c4598c6aee370f6eb2adc546655d","unresolved":false,"context_lines":[{"line_number":59,"context_line":"* [DEFAULT] key"},{"line_number":60,"context_line":"\"\"\"),"},{"line_number":61,"context_line":"    cfg.StrOpt(\u0027ssl_minimum_version\u0027,"},{"line_number":62,"context_line":"               default\u003d\u0027default\u0027,"},{"line_number":63,"context_line":"               choices\u003d["},{"line_number":64,"context_line":"               # These values must align with SSL_OPTIONS in"},{"line_number":65,"context_line":"               # websockify/websocketproxy.py"}],"source_content_type":"text/x-python","patch_set":12,"id":"1fa4df85_2c5bf287","line":62,"range":{"start_line":62,"start_character":8,"end_line":62,"end_character":15},"updated":"2020-02-24 09:58:12.000000000","message":"ditto (and below)","commit_id":"08bdcdb5b6866c2b6bf084344cca4dd07b960133"}],"nova/conf/novnc.py":[{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"4d54c0e83f45361aac5beb163a96fb9a06d7a4fd","unresolved":false,"context_lines":[{"line_number":28,"context_line":"    cfg.BoolOpt(\u0027ssl_only\u0027,"},{"line_number":29,"context_line":"                default\u003dFalse,"},{"line_number":30,"context_line":"                help\u003d\"Disallow non-encrypted connections.\"),"},{"line_number":31,"context_line":"    cfg.StrOpt(\u0027ssl_ciphers\u0027,"},{"line_number":32,"context_line":"               help\u003d\"OpenSSL cipher preference list of allowed ciphers.\"),"},{"line_number":33,"context_line":"    cfg.BoolOpt(\u0027source_is_ipv6\u0027,"},{"line_number":34,"context_line":"                default\u003dFalse,"}],"source_content_type":"text/x-python","patch_set":1,"id":"7faddb67_b81d5310","line":31,"range":{"start_line":31,"start_character":16,"end_line":31,"end_character":27},"updated":"2019-08-30 19:42:47.000000000","message":"There should be a release note for this new config option.\n\n\nhttps://docs.openstack.org/nova/latest/contributor/releasenotes.html","commit_id":"4bad47f585d0dedb51120c1f3a0e97a05e5ac508"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"4d54c0e83f45361aac5beb163a96fb9a06d7a4fd","unresolved":false,"context_lines":[{"line_number":28,"context_line":"    cfg.BoolOpt(\u0027ssl_only\u0027,"},{"line_number":29,"context_line":"                default\u003dFalse,"},{"line_number":30,"context_line":"                help\u003d\"Disallow non-encrypted connections.\"),"},{"line_number":31,"context_line":"    cfg.StrOpt(\u0027ssl_ciphers\u0027,"},{"line_number":32,"context_line":"               help\u003d\"OpenSSL cipher preference list of allowed ciphers.\"),"},{"line_number":33,"context_line":"    cfg.BoolOpt(\u0027source_is_ipv6\u0027,"},{"line_number":34,"context_line":"                default\u003dFalse,"}],"source_content_type":"text/x-python","patch_set":1,"id":"7faddb67_98c41794","line":31,"updated":"2019-08-30 19:42:47.000000000","message":"ssl_options was added to websockify at the same time, is there any need to define something for that as well?","commit_id":"4bad47f585d0dedb51120c1f3a0e97a05e5ac508"},{"author":{"_account_id":9098,"name":"Nathan Kinder","email":"nkinder@redhat.com","username":"nkinder"},"change_message_id":"d74ebfb869931d29a475af874852de5e8cc88e67","unresolved":false,"context_lines":[{"line_number":28,"context_line":"    cfg.BoolOpt(\u0027ssl_only\u0027,"},{"line_number":29,"context_line":"                default\u003dFalse,"},{"line_number":30,"context_line":"                help\u003d\"Disallow non-encrypted connections.\"),"},{"line_number":31,"context_line":"    cfg.StrOpt(\u0027ssl_ciphers\u0027,"},{"line_number":32,"context_line":"               help\u003d\"OpenSSL cipher preference list of allowed ciphers.\"),"},{"line_number":33,"context_line":"    cfg.BoolOpt(\u0027source_is_ipv6\u0027,"},{"line_number":34,"context_line":"                default\u003dFalse,"}],"source_content_type":"text/x-python","patch_set":1,"id":"7faddb67_3e506b32","line":31,"range":{"start_line":31,"start_character":16,"end_line":31,"end_character":27},"in_reply_to":"7faddb67_38508332","updated":"2019-08-30 21:51:55.000000000","message":"Adding ssl_options is not as straight-forward as ssl_ciphers.  The ssl_options are really OpenSSL constants that need to be set in code.  In websockify, they exposed a new CLI parameter --ssl-version, which has string parsing logic that translates their own config values into the appropriate constants that are used when creating the OpenSSL context:\n\n https://github.com/novnc/websockify/blob/master/websockify/websocketproxy.py#L494-L496\n\n https://github.com/novnc/websockify/blob/master/websockify/websocketproxy.py#L397-L442\n\nThis is not exposed for us to use, so I unfortunately think that we would need to have our own config parsing for this here in nova.","commit_id":"4bad47f585d0dedb51120c1f3a0e97a05e5ac508"},{"author":{"_account_id":9098,"name":"Nathan Kinder","email":"nkinder@redhat.com","username":"nkinder"},"change_message_id":"571d1b625d0eb3b9ab1d60d1cd494fc5b6e54ae3","unresolved":false,"context_lines":[{"line_number":28,"context_line":"    cfg.BoolOpt(\u0027ssl_only\u0027,"},{"line_number":29,"context_line":"                default\u003dFalse,"},{"line_number":30,"context_line":"                help\u003d\"Disallow non-encrypted connections.\"),"},{"line_number":31,"context_line":"    cfg.StrOpt(\u0027ssl_ciphers\u0027,"},{"line_number":32,"context_line":"               help\u003d\"OpenSSL cipher preference list of allowed ciphers.\"),"},{"line_number":33,"context_line":"    cfg.BoolOpt(\u0027source_is_ipv6\u0027,"},{"line_number":34,"context_line":"                default\u003dFalse,"}],"source_content_type":"text/x-python","patch_set":1,"id":"7faddb67_b95b1552","line":31,"range":{"start_line":31,"start_character":16,"end_line":31,"end_character":27},"in_reply_to":"7faddb67_3e506b32","updated":"2019-08-30 23:00:35.000000000","message":"Actually, the parsing code is exposed to us from websockify.  I\u0027ll update the patch to use that to allow us to set a minimum TLS version.","commit_id":"4bad47f585d0dedb51120c1f3a0e97a05e5ac508"},{"author":{"_account_id":9098,"name":"Nathan Kinder","email":"nkinder@redhat.com","username":"nkinder"},"change_message_id":"67e6ee5a1ccc538079fffdb4f4d876ca340f2abd","unresolved":false,"context_lines":[{"line_number":28,"context_line":"    cfg.BoolOpt(\u0027ssl_only\u0027,"},{"line_number":29,"context_line":"                default\u003dFalse,"},{"line_number":30,"context_line":"                help\u003d\"Disallow non-encrypted connections.\"),"},{"line_number":31,"context_line":"    cfg.StrOpt(\u0027ssl_ciphers\u0027,"},{"line_number":32,"context_line":"               help\u003d\"OpenSSL cipher preference list of allowed ciphers.\"),"},{"line_number":33,"context_line":"    cfg.BoolOpt(\u0027source_is_ipv6\u0027,"},{"line_number":34,"context_line":"                default\u003dFalse,"}],"source_content_type":"text/x-python","patch_set":1,"id":"7faddb67_38508332","line":31,"range":{"start_line":31,"start_character":16,"end_line":31,"end_character":27},"in_reply_to":"7faddb67_b81d5310","updated":"2019-08-30 20:28:50.000000000","message":"Good catch on ssl_options.  It needs to be added to control the TLS protocol versions.  I will add this.\n\nAck on adding the release note.  That will come in the next patch revision.","commit_id":"4bad47f585d0dedb51120c1f3a0e97a05e5ac508"},{"author":{"_account_id":9098,"name":"Nathan Kinder","email":"nkinder@redhat.com","username":"nkinder"},"change_message_id":"ec6dc78d2411a42ee59035849449c4c7af6fcb27","unresolved":false,"context_lines":[{"line_number":28,"context_line":"    cfg.BoolOpt(\u0027ssl_only\u0027,"},{"line_number":29,"context_line":"                default\u003dFalse,"},{"line_number":30,"context_line":"                help\u003d\"Disallow non-encrypted connections.\"),"},{"line_number":31,"context_line":"    cfg.StrOpt(\u0027ssl_ciphers\u0027,"},{"line_number":32,"context_line":"               help\u003d\"OpenSSL cipher preference list of allowed ciphers.\"),"},{"line_number":33,"context_line":"    cfg.BoolOpt(\u0027source_is_ipv6\u0027,"},{"line_number":34,"context_line":"                default\u003dFalse,"}],"source_content_type":"text/x-python","patch_set":1,"id":"7faddb67_ab4c183f","line":31,"range":{"start_line":31,"start_character":16,"end_line":31,"end_character":27},"in_reply_to":"7faddb67_b95b1552","updated":"2019-08-30 23:55:32.000000000","message":"Done","commit_id":"4bad47f585d0dedb51120c1f3a0e97a05e5ac508"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"4d54c0e83f45361aac5beb163a96fb9a06d7a4fd","unresolved":false,"context_lines":[{"line_number":29,"context_line":"                default\u003dFalse,"},{"line_number":30,"context_line":"                help\u003d\"Disallow non-encrypted connections.\"),"},{"line_number":31,"context_line":"    cfg.StrOpt(\u0027ssl_ciphers\u0027,"},{"line_number":32,"context_line":"               help\u003d\"OpenSSL cipher preference list of allowed ciphers.\"),"},{"line_number":33,"context_line":"    cfg.BoolOpt(\u0027source_is_ipv6\u0027,"},{"line_number":34,"context_line":"                default\u003dFalse,"},{"line_number":35,"context_line":"                help\u003d\"Set to True if source host is addressed with IPv6.\"),"}],"source_content_type":"text/x-python","patch_set":1,"id":"7faddb67_d854cfc8","line":32,"updated":"2019-08-30 19:42:47.000000000","message":"Should this only be set if ssl_only\u003dTrue? If so, we should call that out as a related option (and vice-versa, ssl_only would call out ssl_ciphers as a related option).\n\nWhen I say related options in the help, I mean like this:\n\nhttps://docs.openstack.org/nova/latest/configuration/config.html#DEFAULT.vif_plugging_timeout","commit_id":"4bad47f585d0dedb51120c1f3a0e97a05e5ac508"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"4d54c0e83f45361aac5beb163a96fb9a06d7a4fd","unresolved":false,"context_lines":[{"line_number":29,"context_line":"                default\u003dFalse,"},{"line_number":30,"context_line":"                help\u003d\"Disallow non-encrypted connections.\"),"},{"line_number":31,"context_line":"    cfg.StrOpt(\u0027ssl_ciphers\u0027,"},{"line_number":32,"context_line":"               help\u003d\"OpenSSL cipher preference list of allowed ciphers.\"),"},{"line_number":33,"context_line":"    cfg.BoolOpt(\u0027source_is_ipv6\u0027,"},{"line_number":34,"context_line":"                default\u003dFalse,"},{"line_number":35,"context_line":"                help\u003d\"Set to True if source host is addressed with IPv6.\"),"}],"source_content_type":"text/x-python","patch_set":1,"id":"7faddb67_b86f9390","line":32,"range":{"start_line":32,"start_character":47,"end_line":32,"end_character":51},"updated":"2019-08-30 19:42:47.000000000","message":"So, this is a comma-delimited or space delimited list? If it\u0027s an actual list, we should use ListOpt.","commit_id":"4bad47f585d0dedb51120c1f3a0e97a05e5ac508"},{"author":{"_account_id":9098,"name":"Nathan Kinder","email":"nkinder@redhat.com","username":"nkinder"},"change_message_id":"ec6dc78d2411a42ee59035849449c4c7af6fcb27","unresolved":false,"context_lines":[{"line_number":29,"context_line":"                default\u003dFalse,"},{"line_number":30,"context_line":"                help\u003d\"Disallow non-encrypted connections.\"),"},{"line_number":31,"context_line":"    cfg.StrOpt(\u0027ssl_ciphers\u0027,"},{"line_number":32,"context_line":"               help\u003d\"OpenSSL cipher preference list of allowed ciphers.\"),"},{"line_number":33,"context_line":"    cfg.BoolOpt(\u0027source_is_ipv6\u0027,"},{"line_number":34,"context_line":"                default\u003dFalse,"},{"line_number":35,"context_line":"                help\u003d\"Set to True if source host is addressed with IPv6.\"),"}],"source_content_type":"text/x-python","patch_set":1,"id":"7faddb67_4b5fa4e4","line":32,"in_reply_to":"7faddb67_b33a5431","updated":"2019-08-30 23:55:32.000000000","message":"Done","commit_id":"4bad47f585d0dedb51120c1f3a0e97a05e5ac508"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"18adfdce81c5b76c6c5f54f0f1378188e564c1c7","unresolved":false,"context_lines":[{"line_number":29,"context_line":"                default\u003dFalse,"},{"line_number":30,"context_line":"                help\u003d\"Disallow non-encrypted connections.\"),"},{"line_number":31,"context_line":"    cfg.StrOpt(\u0027ssl_ciphers\u0027,"},{"line_number":32,"context_line":"               help\u003d\"OpenSSL cipher preference list of allowed ciphers.\"),"},{"line_number":33,"context_line":"    cfg.BoolOpt(\u0027source_is_ipv6\u0027,"},{"line_number":34,"context_line":"                default\u003dFalse,"},{"line_number":35,"context_line":"                help\u003d\"Set to True if source host is addressed with IPv6.\"),"}],"source_content_type":"text/x-python","patch_set":1,"id":"7faddb67_d8560f5f","line":32,"range":{"start_line":32,"start_character":47,"end_line":32,"end_character":51},"in_reply_to":"7faddb67_b86f9390","updated":"2019-08-30 19:50:57.000000000","message":"\u003e So, this is a comma-delimited or space delimited list? If it\u0027s an\n \u003e actual list, we should use ListOpt.\n\nLooks like websockify calls this:\n\nhttps://docs.python.org/3/library/ssl.html#ssl.SSLContext.set_ciphers\n\nWhich I eventually found my way to:\n\nhttps://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html\n\nAnd then I found the \"CIPHER LIST FORMAT\" section in there. The help text here should definitely point to some documentation on what the format of the string should be, which is maybe just linking to this:\n\nhttps://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html","commit_id":"4bad47f585d0dedb51120c1f3a0e97a05e5ac508"},{"author":{"_account_id":9098,"name":"Nathan Kinder","email":"nkinder@redhat.com","username":"nkinder"},"change_message_id":"67e6ee5a1ccc538079fffdb4f4d876ca340f2abd","unresolved":false,"context_lines":[{"line_number":29,"context_line":"                default\u003dFalse,"},{"line_number":30,"context_line":"                help\u003d\"Disallow non-encrypted connections.\"),"},{"line_number":31,"context_line":"    cfg.StrOpt(\u0027ssl_ciphers\u0027,"},{"line_number":32,"context_line":"               help\u003d\"OpenSSL cipher preference list of allowed ciphers.\"),"},{"line_number":33,"context_line":"    cfg.BoolOpt(\u0027source_is_ipv6\u0027,"},{"line_number":34,"context_line":"                default\u003dFalse,"},{"line_number":35,"context_line":"                help\u003d\"Set to True if source host is addressed with IPv6.\"),"}],"source_content_type":"text/x-python","patch_set":1,"id":"7faddb67_1336c8b5","line":32,"range":{"start_line":32,"start_character":47,"end_line":32,"end_character":51},"in_reply_to":"7faddb67_b86f9390","updated":"2019-08-30 20:28:50.000000000","message":"I should perhaps reword this.  It is technically an \"OpenSSL cipher preference list\" as OpenSSL refers to it, which is a single string as far as python is concerned.  An example value is something like this:\n\n  \u0027kEECDH+aECDSA+AES:kEECDH+AES+aRSA:kEDH+aRSA+AES\u0027\n\nYou can see details here if interested:\n\n  https://www.openssl.org/docs/man1.0.2/man1/ciphers.html","commit_id":"4bad47f585d0dedb51120c1f3a0e97a05e5ac508"},{"author":{"_account_id":9098,"name":"Nathan Kinder","email":"nkinder@redhat.com","username":"nkinder"},"change_message_id":"67e6ee5a1ccc538079fffdb4f4d876ca340f2abd","unresolved":false,"context_lines":[{"line_number":29,"context_line":"                default\u003dFalse,"},{"line_number":30,"context_line":"                help\u003d\"Disallow non-encrypted connections.\"),"},{"line_number":31,"context_line":"    cfg.StrOpt(\u0027ssl_ciphers\u0027,"},{"line_number":32,"context_line":"               help\u003d\"OpenSSL cipher preference list of allowed ciphers.\"),"},{"line_number":33,"context_line":"    cfg.BoolOpt(\u0027source_is_ipv6\u0027,"},{"line_number":34,"context_line":"                default\u003dFalse,"},{"line_number":35,"context_line":"                help\u003d\"Set to True if source host is addressed with IPv6.\"),"}],"source_content_type":"text/x-python","patch_set":1,"id":"7faddb67_b33a5431","line":32,"in_reply_to":"7faddb67_d854cfc8","updated":"2019-08-30 20:28:50.000000000","message":"My understanding of ssl_only\u003dTrue is that it rejects connections that don\u0027t use TLS.  Isn\u0027t it still possible to accept connections that are in clear-text as well as TLS without setting this option if the cert and key are provided via configuration?\n\nPerhaps this would be better mentioned as being related to the \u0027cert\u0027 option since that is the setting that enables TLS.  There are no other related options listed there now, but I can add all of the TLS options there (key, ssl_only, etc.) if you feel it would be best done in this patch.","commit_id":"4bad47f585d0dedb51120c1f3a0e97a05e5ac508"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"e393e0d2e3e677621a3f2a5e86270c06c4f07ed6","unresolved":false,"context_lines":[{"line_number":38,"context_line":"    cfg.StrOpt(\u0027ssl_ciphers\u0027,"},{"line_number":39,"context_line":"               help\u003d\"\"\""},{"line_number":40,"context_line":"OpenSSL cipher preference string. See the man page for the OpenSSL"},{"line_number":41,"context_line":"`ciphers` command for details on the cipher preference sting format"},{"line_number":42,"context_line":"and allowed values."},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"Related options:"}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_846482b4","line":41,"range":{"start_line":41,"start_character":55,"end_line":41,"end_character":60},"updated":"2019-09-04 06:58:26.000000000","message":"string","commit_id":"5e3b8fa294321387f1d6c1525bc404b314941b01"},{"author":{"_account_id":9098,"name":"Nathan Kinder","email":"nkinder@redhat.com","username":"nkinder"},"change_message_id":"3c2d063ea03807c4c5bb6d151aa564220f1c18d2","unresolved":false,"context_lines":[{"line_number":38,"context_line":"    cfg.StrOpt(\u0027ssl_ciphers\u0027,"},{"line_number":39,"context_line":"               help\u003d\"\"\""},{"line_number":40,"context_line":"OpenSSL cipher preference string. See the man page for the OpenSSL"},{"line_number":41,"context_line":"`ciphers` command for details on the cipher preference sting format"},{"line_number":42,"context_line":"and allowed values."},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"Related options:"}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_01c14ee4","line":41,"range":{"start_line":41,"start_character":55,"end_line":41,"end_character":60},"in_reply_to":"7faddb67_846482b4","updated":"2019-09-04 23:34:13.000000000","message":"Done","commit_id":"5e3b8fa294321387f1d6c1525bc404b314941b01"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"e393e0d2e3e677621a3f2a5e86270c06c4f07ed6","unresolved":false,"context_lines":[{"line_number":39,"context_line":"               help\u003d\"\"\""},{"line_number":40,"context_line":"OpenSSL cipher preference string. See the man page for the OpenSSL"},{"line_number":41,"context_line":"`ciphers` command for details on the cipher preference sting format"},{"line_number":42,"context_line":"and allowed values."},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"Related options:"},{"line_number":45,"context_line":""}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_a47dfe1c","line":42,"updated":"2019-09-04 06:58:26.000000000","message":"IMHO, it would be friendly to link to the man page here and also provide an example cipher preference string.","commit_id":"5e3b8fa294321387f1d6c1525bc404b314941b01"},{"author":{"_account_id":9098,"name":"Nathan Kinder","email":"nkinder@redhat.com","username":"nkinder"},"change_message_id":"3c2d063ea03807c4c5bb6d151aa564220f1c18d2","unresolved":false,"context_lines":[{"line_number":39,"context_line":"               help\u003d\"\"\""},{"line_number":40,"context_line":"OpenSSL cipher preference string. See the man page for the OpenSSL"},{"line_number":41,"context_line":"`ciphers` command for details on the cipher preference sting format"},{"line_number":42,"context_line":"and allowed values."},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"Related options:"},{"line_number":45,"context_line":""}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_a1b39a99","line":42,"in_reply_to":"7faddb67_a47dfe1c","updated":"2019-09-04 23:34:13.000000000","message":"Done","commit_id":"5e3b8fa294321387f1d6c1525bc404b314941b01"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"1cc184ca365d3da5321b82fa6c2ae42d4461f5aa","unresolved":false,"context_lines":[{"line_number":54,"context_line":"\"\"\"),"},{"line_number":55,"context_line":"    cfg.StrOpt(\u0027ssl_minimum_version\u0027,"},{"line_number":56,"context_line":"               default\u003d\u0027default\u0027,"},{"line_number":57,"context_line":"               choices\u003d["},{"line_number":58,"context_line":"                   (\u0027default\u0027, \u0027Use the underlying system OpenSSL defaults\u0027),"},{"line_number":59,"context_line":"                   (\u0027tlsv1_1\u0027,"},{"line_number":60,"context_line":"                    \u0027Require TLS v1.1 or greater for TLS connections\u0027),"}],"source_content_type":"text/x-python","patch_set":9,"id":"3fa7e38b_6f5525f9","line":57,"updated":"2019-12-18 18:01:30.000000000","message":"nit: it might be worth a comment that these values must align with the SSL_OPTIONS in websockify/websocketproxy.py","commit_id":"8dcc07813b9c833166c93048233772e100fd65df"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"76985bc9b0dbd09f186d9af08b72d2d36a481e32","unresolved":false,"context_lines":[{"line_number":54,"context_line":"\"\"\"),"},{"line_number":55,"context_line":"    cfg.StrOpt(\u0027ssl_minimum_version\u0027,"},{"line_number":56,"context_line":"               default\u003d\u0027default\u0027,"},{"line_number":57,"context_line":"               choices\u003d["},{"line_number":58,"context_line":"                   (\u0027default\u0027, \u0027Use the underlying system OpenSSL defaults\u0027),"},{"line_number":59,"context_line":"                   (\u0027tlsv1_1\u0027,"},{"line_number":60,"context_line":"                    \u0027Require TLS v1.1 or greater for TLS connections\u0027),"}],"source_content_type":"text/x-python","patch_set":9,"id":"3fa7e38b_76706adc","line":57,"in_reply_to":"3fa7e38b_6f5525f9","updated":"2020-02-11 17:04:11.000000000","message":"Done","commit_id":"8dcc07813b9c833166c93048233772e100fd65df"}],"nova/console/websocketproxy.py":[{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"e393e0d2e3e677621a3f2a5e86270c06c4f07ed6","unresolved":false,"context_lines":[{"line_number":320,"context_line":"        if ssl_min_version and ssl_min_version is not \u0027default\u0027:"},{"line_number":321,"context_line":"            kwargs[\u0027ssl_options\u0027] \u003d websockify.websocketproxy. \\"},{"line_number":322,"context_line":"                                    select_ssl_version(ssl_min_version)"},{"line_number":323,"context_line":""},{"line_number":324,"context_line":"        super(NovaWebSocketProxy, self).__init__(*args, **kwargs)"},{"line_number":325,"context_line":""},{"line_number":326,"context_line":"    @staticmethod"}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_44e0cacc","line":323,"updated":"2019-09-04 06:58:26.000000000","message":"To test this, I suggest adding a mock of select_ssl_version to the test_proxy test and mock_select_ssl_version.assert_not_called(). That will verify that we don\u0027t call select_ssl_version when ssl_min_verison\u003d\u0027default\u0027\n\nThen, in another test, init a proxy with select_ssl_version set to one of the choices and then verify mock_select_ssl_version was called with the expected value. That test can also set ssl_ciphers to a cipher preference string and then verify mock_init was called with the expected value for ssl_ciphers. That will verify that the value set by the user for ssl_ciphers gets passed to init as expected.","commit_id":"5e3b8fa294321387f1d6c1525bc404b314941b01"},{"author":{"_account_id":9098,"name":"Nathan Kinder","email":"nkinder@redhat.com","username":"nkinder"},"change_message_id":"3c2d063ea03807c4c5bb6d151aa564220f1c18d2","unresolved":false,"context_lines":[{"line_number":320,"context_line":"        if ssl_min_version and ssl_min_version is not \u0027default\u0027:"},{"line_number":321,"context_line":"            kwargs[\u0027ssl_options\u0027] \u003d websockify.websocketproxy. \\"},{"line_number":322,"context_line":"                                    select_ssl_version(ssl_min_version)"},{"line_number":323,"context_line":""},{"line_number":324,"context_line":"        super(NovaWebSocketProxy, self).__init__(*args, **kwargs)"},{"line_number":325,"context_line":""},{"line_number":326,"context_line":"    @staticmethod"}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_21a7aa52","line":323,"in_reply_to":"7faddb67_44e0cacc","updated":"2019-09-04 23:34:13.000000000","message":"Thanks for the pointers!  I have added the recommended tests in the next patch revision.","commit_id":"5e3b8fa294321387f1d6c1525bc404b314941b01"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"6831fe749413614fdf1f3ba5ab8ae4b3d95ae751","unresolved":false,"context_lines":[{"line_number":315,"context_line":"        # ssl_options unset to default to the underlying system defaults."},{"line_number":316,"context_line":"        # We do this to avoid using websockify\u0027s behaviour for \u0027default\u0027"},{"line_number":317,"context_line":"        # in select_ssl_version(), which hardcodes the versions to be"},{"line_number":318,"context_line":"        # quite relaxed and prevents us from using sytem crypto policies."},{"line_number":319,"context_line":"        ssl_min_version \u003d kwargs.pop(\u0027ssl_minimum_version\u0027, None)"},{"line_number":320,"context_line":"        if ssl_min_version and ssl_min_version is not \u0027default\u0027:"},{"line_number":321,"context_line":"            kwargs[\u0027ssl_options\u0027] \u003d websockify.websocketproxy. \\"}],"source_content_type":"text/x-python","patch_set":6,"id":"5faad753_f10d8690","line":318,"range":{"start_line":318,"start_character":51,"end_line":318,"end_character":56},"updated":"2019-09-09 17:02:13.000000000","message":"system*","commit_id":"e2f833072284dc05aa5341e7e8fe76c5949fc4ba"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"1cc184ca365d3da5321b82fa6c2ae42d4461f5aa","unresolved":false,"context_lines":[{"line_number":322,"context_line":"        # We do this to avoid using websockify\u0027s behaviour for \u0027default\u0027"},{"line_number":323,"context_line":"        # in select_ssl_version(), which hardcodes the versions to be"},{"line_number":324,"context_line":"        # quite relaxed and prevents us from using sytem crypto policies."},{"line_number":325,"context_line":"        ssl_min_version \u003d kwargs.pop(\u0027ssl_minimum_version\u0027, None)"},{"line_number":326,"context_line":"        if ssl_min_version and ssl_min_version is not \u0027default\u0027:"},{"line_number":327,"context_line":"            kwargs[\u0027ssl_options\u0027] \u003d websockify.websocketproxy. \\"},{"line_number":328,"context_line":"                                    select_ssl_version(ssl_min_version)"}],"source_content_type":"text/x-python","patch_set":9,"id":"3fa7e38b_6f076519","line":325,"range":{"start_line":325,"start_character":58,"end_line":325,"end_character":64},"updated":"2019-12-18 18:01:30.000000000","message":"None is not a valid value for this option so why not default to \u0027default\u0027? I guess it\u0027s valid if the kwarg isn\u0027t specified though, like in some unit tests that don\u0027t care about this.","commit_id":"8dcc07813b9c833166c93048233772e100fd65df"},{"author":{"_account_id":9098,"name":"Nathan Kinder","email":"nkinder@redhat.com","username":"nkinder"},"change_message_id":"a63046d5e70725af3ed643a5f0c9280304f951d6","unresolved":false,"context_lines":[{"line_number":322,"context_line":"        # We do this to avoid using websockify\u0027s behaviour for \u0027default\u0027"},{"line_number":323,"context_line":"        # in select_ssl_version(), which hardcodes the versions to be"},{"line_number":324,"context_line":"        # quite relaxed and prevents us from using sytem crypto policies."},{"line_number":325,"context_line":"        ssl_min_version \u003d kwargs.pop(\u0027ssl_minimum_version\u0027, None)"},{"line_number":326,"context_line":"        if ssl_min_version and ssl_min_version is not \u0027default\u0027:"},{"line_number":327,"context_line":"            kwargs[\u0027ssl_options\u0027] \u003d websockify.websocketproxy. \\"},{"line_number":328,"context_line":"                                    select_ssl_version(ssl_min_version)"}],"source_content_type":"text/x-python","patch_set":9,"id":"3fa7e38b_d2687c89","line":325,"range":{"start_line":325,"start_character":58,"end_line":325,"end_character":64},"in_reply_to":"3fa7e38b_6f076519","updated":"2019-12-18 18:43:30.000000000","message":"This is because \u0027default\u0027 is the least secure option in websockify (ssl.OPT_ALL).  The default behavior should be hardened as much as possible, which is what I tried to explain in the above comment.  None is a valid option, which should trigger websockify\u0027s fallback behavior as seen in this else clause:\n\nhttps://github.com/novnc/websockify/blob/v0.9.0/websockify/websocketproxy.py#L432-L442\n\nNote that this will use the most secure option, which can vary depending on Python version or over time as new TLS protocol versions come into use.","commit_id":"8dcc07813b9c833166c93048233772e100fd65df"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"885a858862eb3bf79bc8b05f47b772cc27b34316","unresolved":false,"context_lines":[{"line_number":322,"context_line":"        # We do this to avoid using websockify\u0027s behaviour for \u0027default\u0027"},{"line_number":323,"context_line":"        # in select_ssl_version(), which hardcodes the versions to be"},{"line_number":324,"context_line":"        # quite relaxed and prevents us from using sytem crypto policies."},{"line_number":325,"context_line":"        ssl_min_version \u003d kwargs.pop(\u0027ssl_minimum_version\u0027, None)"},{"line_number":326,"context_line":"        if ssl_min_version and ssl_min_version is not \u0027default\u0027:"},{"line_number":327,"context_line":"            kwargs[\u0027ssl_options\u0027] \u003d websockify.websocketproxy. \\"},{"line_number":328,"context_line":"                                    select_ssl_version(ssl_min_version)"}],"source_content_type":"text/x-python","patch_set":9,"id":"3fa7e38b_9290c4f5","line":325,"range":{"start_line":325,"start_character":58,"end_line":325,"end_character":64},"in_reply_to":"3fa7e38b_d2687c89","updated":"2019-12-18 18:51:09.000000000","message":"None is not an option for the ssl_minimum_version config option in nova - that\u0027s my point. Since in non-test runtime code NovaWebSocketProxy is always getting passed ssl_minimum_version based on the config option, and the config option choices don\u0027t allow for None, that\u0027s why this wouldn\u0027t be None in runtime, but I said it\u0027s possible if the kwarg isn\u0027t specified for example in test code.\n\nAnyway, there is nothing really to change here.","commit_id":"8dcc07813b9c833166c93048233772e100fd65df"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"788f492ed38186ea56a166f44109b3b5bb3da4c3","unresolved":false,"context_lines":[{"line_number":323,"context_line":"        # in select_ssl_version(), which hardcodes the versions to be"},{"line_number":324,"context_line":"        # quite relaxed and prevents us from using sytem crypto policies."},{"line_number":325,"context_line":"        ssl_min_version \u003d kwargs.pop(\u0027ssl_minimum_version\u0027, None)"},{"line_number":326,"context_line":"        if ssl_min_version and ssl_min_version is not \u0027default\u0027:"},{"line_number":327,"context_line":"            kwargs[\u0027ssl_options\u0027] \u003d websockify.websocketproxy. \\"},{"line_number":328,"context_line":"                                    select_ssl_version(ssl_min_version)"},{"line_number":329,"context_line":""}],"source_content_type":"text/x-python","patch_set":9,"id":"3fa7e38b_2f416d09","line":326,"updated":"2019-12-18 18:03:22.000000000","message":"There is no testing for this logic:\n\nhttps://48a12864234aa2205a2e-b0513d7a5caaf512c62df58e84959553.ssl.cf2.rackcdn.com/679502/9/check/openstack-tox-cover/062df1b/cover/nova_console_websocketproxy_py.html#n327","commit_id":"8dcc07813b9c833166c93048233772e100fd65df"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"76985bc9b0dbd09f186d9af08b72d2d36a481e32","unresolved":false,"context_lines":[{"line_number":323,"context_line":"        # in select_ssl_version(), which hardcodes the versions to be"},{"line_number":324,"context_line":"        # quite relaxed and prevents us from using sytem crypto policies."},{"line_number":325,"context_line":"        ssl_min_version \u003d kwargs.pop(\u0027ssl_minimum_version\u0027, None)"},{"line_number":326,"context_line":"        if ssl_min_version and ssl_min_version is not \u0027default\u0027:"},{"line_number":327,"context_line":"            kwargs[\u0027ssl_options\u0027] \u003d websockify.websocketproxy. \\"},{"line_number":328,"context_line":"                                    select_ssl_version(ssl_min_version)"},{"line_number":329,"context_line":""}],"source_content_type":"text/x-python","patch_set":9,"id":"3fa7e38b_99a639bf","line":326,"in_reply_to":"3fa7e38b_2f416d09","updated":"2020-02-11 17:04:11.000000000","message":"I\u0027ve added unit tests for this logic.","commit_id":"8dcc07813b9c833166c93048233772e100fd65df"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"3da6f8248609c4598c6aee370f6eb2adc546655d","unresolved":false,"context_lines":[{"line_number":324,"context_line":"        # quite relaxed and prevents us from using sytem crypto policies."},{"line_number":325,"context_line":"        ssl_min_version \u003d kwargs.pop(\u0027ssl_minimum_version\u0027, None)"},{"line_number":326,"context_line":"        if ssl_min_version and ssl_min_version is not \u0027default\u0027:"},{"line_number":327,"context_line":"            kwargs[\u0027ssl_options\u0027] \u003d websockify.websocketproxy. \\"},{"line_number":328,"context_line":"                                    select_ssl_version(ssl_min_version)"},{"line_number":329,"context_line":""},{"line_number":330,"context_line":"        super(NovaWebSocketProxy, self).__init__(*args, **kwargs)"}],"source_content_type":"text/x-python","patch_set":10,"id":"3fa7e38b_999f044d","line":327,"range":{"start_line":327,"start_character":62,"end_line":327,"end_character":63},"updated":"2020-02-24 09:58:12.000000000","message":"you need to drop this","commit_id":"ddea95c4d5e3ab3dc64584b3901693b27627e586"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"db22e9913a7a7a6b507940732f3e3f7c16e24469","unresolved":false,"context_lines":[{"line_number":317,"context_line":"        \"\"\""},{"line_number":318,"context_line":"        self.security_proxy \u003d kwargs.pop(\u0027security_proxy\u0027, None)"},{"line_number":319,"context_line":""},{"line_number":320,"context_line":"        # If \u0027default\u0027 was specified as the ssl_minimum_version, we leave"},{"line_number":321,"context_line":"        # ssl_options unset to default to the underlying system defaults."},{"line_number":322,"context_line":"        # We do this to avoid using websockify\u0027s behaviour for \u0027default\u0027"},{"line_number":323,"context_line":"        # in select_ssl_version(), which hardcodes the versions to be"}],"source_content_type":"text/x-python","patch_set":12,"id":"3fa7e38b_6a441677","line":320,"range":{"start_line":320,"start_character":27,"end_line":320,"end_character":36},"updated":"2020-02-21 21:59:24.000000000","message":"or was not set by the user (ssl_minimum_version defaults to \u0027default\u0027)","commit_id":"08bdcdb5b6866c2b6bf084344cca4dd07b960133"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"db22e9913a7a7a6b507940732f3e3f7c16e24469","unresolved":false,"context_lines":[{"line_number":321,"context_line":"        # ssl_options unset to default to the underlying system defaults."},{"line_number":322,"context_line":"        # We do this to avoid using websockify\u0027s behaviour for \u0027default\u0027"},{"line_number":323,"context_line":"        # in select_ssl_version(), which hardcodes the versions to be"},{"line_number":324,"context_line":"        # quite relaxed and prevents us from using sytem crypto policies."},{"line_number":325,"context_line":"        ssl_min_version \u003d kwargs.pop(\u0027ssl_minimum_version\u0027, None)"},{"line_number":326,"context_line":"        if ssl_min_version and ssl_min_version !\u003d \u0027default\u0027:"},{"line_number":327,"context_line":"            kwargs[\u0027ssl_options\u0027] \u003d websockify.websocketproxy. \\"}],"source_content_type":"text/x-python","patch_set":12,"id":"3fa7e38b_aa78cec1","line":324,"range":{"start_line":324,"start_character":51,"end_line":324,"end_character":56},"updated":"2020-02-21 21:59:24.000000000","message":"system","commit_id":"08bdcdb5b6866c2b6bf084344cca4dd07b960133"}],"nova/tests/unit/cmd/test_baseproxy.py":[{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"f236e9a85b9871aeb78629da49a74398b14b383d","unresolved":false,"context_lines":[{"line_number":60,"context_line":"                       return_value\u003dNone)"},{"line_number":61,"context_line":"    @mock.patch(\u0027nova.console.websocketproxy.NovaWebSocketProxy.start_server\u0027)"},{"line_number":62,"context_line":"    @mock.patch(\u0027websockify.websocketproxy.select_ssl_version\u0027,"},{"line_number":63,"context_line":"                       return_value\u003dNone)"},{"line_number":64,"context_line":"    def test_proxy(self, mock_select_ssl_version, mock_start, mock_init,"},{"line_number":65,"context_line":"                   mock_gmr, mock_log, mock_exists):"},{"line_number":66,"context_line":"        baseproxy.proxy(\u00270.0.0.0\u0027, \u00276080\u0027)"}],"source_content_type":"text/x-python","patch_set":6,"id":"5faad753_6e2c8399","line":63,"updated":"2019-09-06 00:45:50.000000000","message":"Just FYI, I usually put new mock decorators on top to avoid having to shuffle things around in the parameter list. Maybe the ordering won\u0027t look as nice but not a big deal IMHO.","commit_id":"e2f833072284dc05aa5341e7e8fe76c5949fc4ba"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"1cc184ca365d3da5321b82fa6c2ae42d4461f5aa","unresolved":false,"context_lines":[{"line_number":60,"context_line":"                       return_value\u003dNone)"},{"line_number":61,"context_line":"    @mock.patch(\u0027nova.console.websocketproxy.NovaWebSocketProxy.start_server\u0027)"},{"line_number":62,"context_line":"    @mock.patch(\u0027websockify.websocketproxy.select_ssl_version\u0027,"},{"line_number":63,"context_line":"                       return_value\u003dNone)"},{"line_number":64,"context_line":"    def test_proxy(self, mock_select_ssl_version, mock_start, mock_init,"},{"line_number":65,"context_line":"                   mock_gmr, mock_log, mock_exists):"},{"line_number":66,"context_line":"        baseproxy.proxy(\u00270.0.0.0\u0027, \u00276080\u0027)"}],"source_content_type":"text/x-python","patch_set":9,"id":"3fa7e38b_cf5e9912","line":63,"range":{"start_line":63,"start_character":16,"end_line":63,"end_character":23},"updated":"2019-12-18 18:01:30.000000000","message":"fix this alignment","commit_id":"8dcc07813b9c833166c93048233772e100fd65df"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"76985bc9b0dbd09f186d9af08b72d2d36a481e32","unresolved":false,"context_lines":[{"line_number":60,"context_line":"                       return_value\u003dNone)"},{"line_number":61,"context_line":"    @mock.patch(\u0027nova.console.websocketproxy.NovaWebSocketProxy.start_server\u0027)"},{"line_number":62,"context_line":"    @mock.patch(\u0027websockify.websocketproxy.select_ssl_version\u0027,"},{"line_number":63,"context_line":"                       return_value\u003dNone)"},{"line_number":64,"context_line":"    def test_proxy(self, mock_select_ssl_version, mock_start, mock_init,"},{"line_number":65,"context_line":"                   mock_gmr, mock_log, mock_exists):"},{"line_number":66,"context_line":"        baseproxy.proxy(\u00270.0.0.0\u0027, \u00276080\u0027)"}],"source_content_type":"text/x-python","patch_set":9,"id":"3fa7e38b_6345fc15","line":63,"range":{"start_line":63,"start_character":16,"end_line":63,"end_character":23},"in_reply_to":"3fa7e38b_cf5e9912","updated":"2020-02-11 17:04:11.000000000","message":"Done","commit_id":"8dcc07813b9c833166c93048233772e100fd65df"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"1cc184ca365d3da5321b82fa6c2ae42d4461f5aa","unresolved":false,"context_lines":[{"line_number":74,"context_line":"            web\u003d\u0027/usr/share/spice-html5\u0027, file_only\u003dTrue,"},{"line_number":75,"context_line":"            RequestHandlerClass\u003dwebsocketproxy.NovaProxyRequestHandler)"},{"line_number":76,"context_line":"        mock_start.assert_called_once_with()"},{"line_number":77,"context_line":"        mock_select_ssl_version.assert_not_called()"},{"line_number":78,"context_line":""},{"line_number":79,"context_line":"    @mock.patch(\u0027os.path.exists\u0027, return_value\u003dFalse)"},{"line_number":80,"context_line":"    @mock.patch(\u0027sys.exit\u0027, side_effect\u003dtest.TestingException)"}],"source_content_type":"text/x-python","patch_set":9,"id":"3fa7e38b_8fe42144","line":77,"updated":"2019-12-18 18:01:30.000000000","message":"This is always going to be true because NovaWebSocketProxy.__init__ is what calls it and you\u0027ve mocked that method.\n\nYou should have a test for NovaWebSocketProxy.__init__ which doesn\u0027t mock __init__ but does mock select_ssl_version to make sure it\u0027s doing what you want with the logic.","commit_id":"8dcc07813b9c833166c93048233772e100fd65df"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"76985bc9b0dbd09f186d9af08b72d2d36a481e32","unresolved":false,"context_lines":[{"line_number":74,"context_line":"            web\u003d\u0027/usr/share/spice-html5\u0027, file_only\u003dTrue,"},{"line_number":75,"context_line":"            RequestHandlerClass\u003dwebsocketproxy.NovaProxyRequestHandler)"},{"line_number":76,"context_line":"        mock_start.assert_called_once_with()"},{"line_number":77,"context_line":"        mock_select_ssl_version.assert_not_called()"},{"line_number":78,"context_line":""},{"line_number":79,"context_line":"    @mock.patch(\u0027os.path.exists\u0027, return_value\u003dFalse)"},{"line_number":80,"context_line":"    @mock.patch(\u0027sys.exit\u0027, side_effect\u003dtest.TestingException)"}],"source_content_type":"text/x-python","patch_set":9,"id":"3fa7e38b_279a905f","line":77,"in_reply_to":"3fa7e38b_8fe42144","updated":"2020-02-11 17:04:11.000000000","message":"I\u0027ve removed this assertion, and added tests for NovaWebSocketProxy.__init__()","commit_id":"8dcc07813b9c833166c93048233772e100fd65df"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"1cc184ca365d3da5321b82fa6c2ae42d4461f5aa","unresolved":false,"context_lines":[{"line_number":91,"context_line":"                       return_value\u003dNone)"},{"line_number":92,"context_line":"    @mock.patch(\u0027nova.console.websocketproxy.NovaWebSocketProxy.start_server\u0027)"},{"line_number":93,"context_line":"    @mock.patch(\u0027websockify.websocketproxy.select_ssl_version\u0027,"},{"line_number":94,"context_line":"                       return_value\u003dNone)"},{"line_number":95,"context_line":"    def test_proxy_ssl_settings(self, mock_select_ssl_version,"},{"line_number":96,"context_line":"                                   mock_start, mock_init, mock_exists):"},{"line_number":97,"context_line":"        self.flags(ssl_minimum_version\u003d\u0027tlsv1_3\u0027)"}],"source_content_type":"text/x-python","patch_set":9,"id":"3fa7e38b_2fa5ed01","line":94,"range":{"start_line":94,"start_character":36,"end_line":94,"end_character":40},"updated":"2019-12-18 18:01:30.000000000","message":"This is a lie, right? If ssl_minimum_version is not \u0027default\u0027 then select_ssl_version is going to return a value, in this case:\n\nhttps://github.com/novnc/websockify/blob/v0.9.0/websockify/websocketproxy.py#L405\n\nI mean it\u0027s fine to mock select_ssl_version and let it return a mock, but it wouldn\u0027t return None.\n\nActually, you don\u0027t even need this mock because you\u0027ve mocked NovaWebSocketProxy.__init__.","commit_id":"8dcc07813b9c833166c93048233772e100fd65df"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"1cc184ca365d3da5321b82fa6c2ae42d4461f5aa","unresolved":false,"context_lines":[{"line_number":91,"context_line":"                       return_value\u003dNone)"},{"line_number":92,"context_line":"    @mock.patch(\u0027nova.console.websocketproxy.NovaWebSocketProxy.start_server\u0027)"},{"line_number":93,"context_line":"    @mock.patch(\u0027websockify.websocketproxy.select_ssl_version\u0027,"},{"line_number":94,"context_line":"                       return_value\u003dNone)"},{"line_number":95,"context_line":"    def test_proxy_ssl_settings(self, mock_select_ssl_version,"},{"line_number":96,"context_line":"                                   mock_start, mock_init, mock_exists):"},{"line_number":97,"context_line":"        self.flags(ssl_minimum_version\u003d\u0027tlsv1_3\u0027)"}],"source_content_type":"text/x-python","patch_set":9,"id":"3fa7e38b_ef591529","line":94,"range":{"start_line":94,"start_character":16,"end_line":94,"end_character":23},"updated":"2019-12-18 18:01:30.000000000","message":"same","commit_id":"8dcc07813b9c833166c93048233772e100fd65df"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"76985bc9b0dbd09f186d9af08b72d2d36a481e32","unresolved":false,"context_lines":[{"line_number":91,"context_line":"                       return_value\u003dNone)"},{"line_number":92,"context_line":"    @mock.patch(\u0027nova.console.websocketproxy.NovaWebSocketProxy.start_server\u0027)"},{"line_number":93,"context_line":"    @mock.patch(\u0027websockify.websocketproxy.select_ssl_version\u0027,"},{"line_number":94,"context_line":"                       return_value\u003dNone)"},{"line_number":95,"context_line":"    def test_proxy_ssl_settings(self, mock_select_ssl_version,"},{"line_number":96,"context_line":"                                   mock_start, mock_init, mock_exists):"},{"line_number":97,"context_line":"        self.flags(ssl_minimum_version\u003d\u0027tlsv1_3\u0027)"}],"source_content_type":"text/x-python","patch_set":9,"id":"3fa7e38b_67e2c8d5","line":94,"range":{"start_line":94,"start_character":36,"end_line":94,"end_character":40},"in_reply_to":"3fa7e38b_2fa5ed01","updated":"2020-02-11 17:04:11.000000000","message":"Yes, it looks like select_ssl_version will always return something.  You\u0027re right that we don\u0027t need to mock it in this test, so I\u0027ve removed this mock.","commit_id":"8dcc07813b9c833166c93048233772e100fd65df"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"76985bc9b0dbd09f186d9af08b72d2d36a481e32","unresolved":false,"context_lines":[{"line_number":91,"context_line":"                       return_value\u003dNone)"},{"line_number":92,"context_line":"    @mock.patch(\u0027nova.console.websocketproxy.NovaWebSocketProxy.start_server\u0027)"},{"line_number":93,"context_line":"    @mock.patch(\u0027websockify.websocketproxy.select_ssl_version\u0027,"},{"line_number":94,"context_line":"                       return_value\u003dNone)"},{"line_number":95,"context_line":"    def test_proxy_ssl_settings(self, mock_select_ssl_version,"},{"line_number":96,"context_line":"                                   mock_start, mock_init, mock_exists):"},{"line_number":97,"context_line":"        self.flags(ssl_minimum_version\u003d\u0027tlsv1_3\u0027)"}],"source_content_type":"text/x-python","patch_set":9,"id":"3fa7e38b_07cbd44a","line":94,"range":{"start_line":94,"start_character":16,"end_line":94,"end_character":23},"in_reply_to":"3fa7e38b_ef591529","updated":"2020-02-11 17:04:11.000000000","message":"Done","commit_id":"8dcc07813b9c833166c93048233772e100fd65df"}],"releasenotes/notes/bug-1842149-5ba20d57872e9996.yaml":[{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"e393e0d2e3e677621a3f2a5e86270c06c4f07ed6","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"other:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    A new pair of ``ssl_ciphers`` and ``ssl_minimum_version`` configuration"},{"line_number":5,"context_line":"    options have been introduced for use by the ``nova-novncproxy``,"}],"source_content_type":"text/x-yaml","patch_set":4,"id":"7faddb67_84e7a20f","line":2,"range":{"start_line":2,"start_character":0,"end_line":2,"end_character":5},"updated":"2019-09-04 06:58:26.000000000","message":"Ordinarily, I\u0027d think this should go in the \u0027features\u0027 section of the release notes since it\u0027s adding new config options for people to use. But earlier discussion on the review is about this being considered as a bug.","commit_id":"5e3b8fa294321387f1d6c1525bc404b314941b01"},{"author":{"_account_id":9098,"name":"Nathan Kinder","email":"nkinder@redhat.com","username":"nkinder"},"change_message_id":"3c2d063ea03807c4c5bb6d151aa564220f1c18d2","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"other:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    A new pair of ``ssl_ciphers`` and ``ssl_minimum_version`` configuration"},{"line_number":5,"context_line":"    options have been introduced for use by the ``nova-novncproxy``,"}],"source_content_type":"text/x-yaml","patch_set":4,"id":"7faddb67_617602db","line":2,"range":{"start_line":2,"start_character":0,"end_line":2,"end_character":5},"in_reply_to":"7faddb67_84e7a20f","updated":"2019-09-04 23:34:13.000000000","message":"I left this as \u0027other\u0027 in the next patch iteration, though I am open to putting it under \u0027features\u0027 if that is the consensus.","commit_id":"5e3b8fa294321387f1d6c1525bc404b314941b01"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"e393e0d2e3e677621a3f2a5e86270c06c4f07ed6","unresolved":false,"context_lines":[{"line_number":10,"context_line":""},{"line_number":11,"context_line":"    This aims to address the issues reported in `bug 1842149`_, where it"},{"line_number":12,"context_line":"    describes that the proxy services can inherit insecure TLS ciphers"},{"line_number":13,"context_line":"    and protocol versions from the compiled in defaults of the OpenSSL"},{"line_number":14,"context_line":"    library on the underlying system.  The proxy services provided no way"},{"line_number":15,"context_line":"    to override such insecure defaults with current day generally accepted"},{"line_number":16,"context_line":"    secure TLS settings. "}],"source_content_type":"text/x-yaml","patch_set":4,"id":"7faddb67_44a44ab9","line":13,"range":{"start_line":13,"start_character":43,"end_line":13,"end_character":44},"updated":"2019-09-04 06:58:26.000000000","message":"hyphen?","commit_id":"5e3b8fa294321387f1d6c1525bc404b314941b01"},{"author":{"_account_id":9098,"name":"Nathan Kinder","email":"nkinder@redhat.com","username":"nkinder"},"change_message_id":"3c2d063ea03807c4c5bb6d151aa564220f1c18d2","unresolved":false,"context_lines":[{"line_number":10,"context_line":""},{"line_number":11,"context_line":"    This aims to address the issues reported in `bug 1842149`_, where it"},{"line_number":12,"context_line":"    describes that the proxy services can inherit insecure TLS ciphers"},{"line_number":13,"context_line":"    and protocol versions from the compiled in defaults of the OpenSSL"},{"line_number":14,"context_line":"    library on the underlying system.  The proxy services provided no way"},{"line_number":15,"context_line":"    to override such insecure defaults with current day generally accepted"},{"line_number":16,"context_line":"    secure TLS settings. "}],"source_content_type":"text/x-yaml","patch_set":4,"id":"7faddb67_01662e2a","line":13,"range":{"start_line":13,"start_character":43,"end_line":13,"end_character":44},"in_reply_to":"7faddb67_44a44ab9","updated":"2019-09-04 23:34:13.000000000","message":"Done","commit_id":"5e3b8fa294321387f1d6c1525bc404b314941b01"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"e393e0d2e3e677621a3f2a5e86270c06c4f07ed6","unresolved":false,"context_lines":[{"line_number":13,"context_line":"    and protocol versions from the compiled in defaults of the OpenSSL"},{"line_number":14,"context_line":"    library on the underlying system.  The proxy services provided no way"},{"line_number":15,"context_line":"    to override such insecure defaults with current day generally accepted"},{"line_number":16,"context_line":"    secure TLS settings. "},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"    .. _bug 1842149: https://bugs.launchpad.net/nova/+bug/1842149"}],"source_content_type":"text/x-yaml","patch_set":4,"id":"7faddb67_c4e11afe","line":16,"range":{"start_line":16,"start_character":24,"end_line":16,"end_character":25},"updated":"2019-09-04 06:58:26.000000000","message":"trailing whitespace","commit_id":"5e3b8fa294321387f1d6c1525bc404b314941b01"},{"author":{"_account_id":9098,"name":"Nathan Kinder","email":"nkinder@redhat.com","username":"nkinder"},"change_message_id":"3c2d063ea03807c4c5bb6d151aa564220f1c18d2","unresolved":false,"context_lines":[{"line_number":13,"context_line":"    and protocol versions from the compiled in defaults of the OpenSSL"},{"line_number":14,"context_line":"    library on the underlying system.  The proxy services provided no way"},{"line_number":15,"context_line":"    to override such insecure defaults with current day generally accepted"},{"line_number":16,"context_line":"    secure TLS settings. "},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"    .. _bug 1842149: https://bugs.launchpad.net/nova/+bug/1842149"}],"source_content_type":"text/x-yaml","patch_set":4,"id":"7faddb67_a1687af3","line":16,"range":{"start_line":16,"start_character":24,"end_line":16,"end_character":25},"in_reply_to":"7faddb67_c4e11afe","updated":"2019-09-04 23:34:13.000000000","message":"Done","commit_id":"5e3b8fa294321387f1d6c1525bc404b314941b01"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"1cc184ca365d3da5321b82fa6c2ae42d4461f5aa","unresolved":false,"context_lines":[{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    A new pair of ``ssl_ciphers`` and ``ssl_minimum_version`` configuration"},{"line_number":5,"context_line":"    options have been introduced for use by the ``nova-novncproxy``,"},{"line_number":6,"context_line":"    ``nova-serialproxy``, ``nova-spicehtml5proxy``, and ``nova-xvpvncproxy``"},{"line_number":7,"context_line":"    services.  These new options allow one to configure the allowed TLS"},{"line_number":8,"context_line":"    ciphers and minimum protocol version to enforce for incoming client"},{"line_number":9,"context_line":"    connections to the proxy services."}],"source_content_type":"text/x-yaml","patch_set":9,"id":"3fa7e38b_4fee2922","line":6,"range":{"start_line":6,"start_character":52,"end_line":6,"end_character":76},"updated":"2019-12-18 18:01:30.000000000","message":"Hmm, so this is listed here, which is going to be removed, and the options are (intentionally?) not in the console admin guide configuration docs. Should this really be listed?","commit_id":"8dcc07813b9c833166c93048233772e100fd65df"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"76985bc9b0dbd09f186d9af08b72d2d36a481e32","unresolved":false,"context_lines":[{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    A new pair of ``ssl_ciphers`` and ``ssl_minimum_version`` configuration"},{"line_number":5,"context_line":"    options have been introduced for use by the ``nova-novncproxy``,"},{"line_number":6,"context_line":"    ``nova-serialproxy``, ``nova-spicehtml5proxy``, and ``nova-xvpvncproxy``"},{"line_number":7,"context_line":"    services.  These new options allow one to configure the allowed TLS"},{"line_number":8,"context_line":"    ciphers and minimum protocol version to enforce for incoming client"},{"line_number":9,"context_line":"    connections to the proxy services."}],"source_content_type":"text/x-yaml","patch_set":9,"id":"3fa7e38b_b1b10c94","line":6,"range":{"start_line":6,"start_character":52,"end_line":6,"end_character":76},"in_reply_to":"3fa7e38b_3218f01d","updated":"2020-02-11 17:04:11.000000000","message":"Done","commit_id":"8dcc07813b9c833166c93048233772e100fd65df"},{"author":{"_account_id":9098,"name":"Nathan Kinder","email":"nkinder@redhat.com","username":"nkinder"},"change_message_id":"a63046d5e70725af3ed643a5f0c9280304f951d6","unresolved":false,"context_lines":[{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    A new pair of ``ssl_ciphers`` and ``ssl_minimum_version`` configuration"},{"line_number":5,"context_line":"    options have been introduced for use by the ``nova-novncproxy``,"},{"line_number":6,"context_line":"    ``nova-serialproxy``, ``nova-spicehtml5proxy``, and ``nova-xvpvncproxy``"},{"line_number":7,"context_line":"    services.  These new options allow one to configure the allowed TLS"},{"line_number":8,"context_line":"    ciphers and minimum protocol version to enforce for incoming client"},{"line_number":9,"context_line":"    connections to the proxy services."}],"source_content_type":"text/x-yaml","patch_set":9,"id":"3fa7e38b_3218f01d","line":6,"range":{"start_line":6,"start_character":52,"end_line":6,"end_character":76},"in_reply_to":"3fa7e38b_4fee2922","updated":"2019-12-18 18:43:30.000000000","message":"Good catch.  I missed removing this one in my previous revision.","commit_id":"8dcc07813b9c833166c93048233772e100fd65df"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"3da6f8248609c4598c6aee370f6eb2adc546655d","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"other:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    A new pair of ``ssl_ciphers`` and ``ssl_minimum_version`` configuration"},{"line_number":5,"context_line":"    options have been introduced for use by the ``nova-novncproxy``,"},{"line_number":6,"context_line":"    ``nova-serialproxy``, and ``nova-spicehtml5proxy`` services.  These new"},{"line_number":7,"context_line":"    options allow one to configure the allowed TLS ciphers and minimum protocol"},{"line_number":8,"context_line":"    version to enforce for incoming client connections to the proxy services."}],"source_content_type":"text/x-yaml","patch_set":12,"id":"1fa4df85_0cd716c2","line":5,"range":{"start_line":4,"start_character":4,"end_line":5,"end_character":32},"updated":"2020-02-24 09:58:12.000000000","message":"A new pair of configuration options, ``ssl_ciphers`` and ``ssl_minimum_version``, have been introduced...","commit_id":"08bdcdb5b6866c2b6bf084344cca4dd07b960133"}],"requirements.txt":[{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"db22e9913a7a7a6b507940732f3e3f7c16e24469","unresolved":false,"context_lines":[{"line_number":32,"context_line":"requests\u003e\u003d2.14.2 # Apache-2.0"},{"line_number":33,"context_line":"six\u003e\u003d1.10.0 # MIT"},{"line_number":34,"context_line":"stevedore\u003e\u003d1.20.0 # Apache-2.0"},{"line_number":35,"context_line":"websockify\u003e\u003d0.9.0 # LGPLv3"},{"line_number":36,"context_line":"oslo.cache\u003e\u003d1.26.0 # Apache-2.0"},{"line_number":37,"context_line":"oslo.concurrency\u003e\u003d3.26.0 # Apache-2.0"},{"line_number":38,"context_line":"oslo.config\u003e\u003d6.1.0 # Apache-2.0"}],"source_content_type":"text/plain","patch_set":12,"id":"3fa7e38b_2a7b7ef3","line":35,"updated":"2020-02-21 21:59:24.000000000","message":"Don\u0027t need this change anymore since:\n\nhttps://review.opendev.org/705654\n\nlanded.","commit_id":"08bdcdb5b6866c2b6bf084344cca4dd07b960133"}]}