)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"d33b76b4930b5155373a4c16b3cf15e63c0a450a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"a318963a_ad30ae6f","updated":"2021-10-20 09:58:16.000000000","message":"One of the unit tests is still playing with global state. Also, I have some doc nits. Let me know if anything isn\u0027t clear.","commit_id":"03d43f2799d04ff9441f402915aab657022108ae"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"9c5654dfdeb66bef28c93ca1da985223d927cd71","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"58d2c01a_bdc31131","updated":"2021-10-21 15:03:08.000000000","message":"Got a suggestion for tweaking the tests slightly more since I still think they\u0027re a bit confusing. Let me know what you think!","commit_id":"8db17406310e072ed8882dbb2094f4ff20de7522"},{"author":{"_account_id":28522,"name":"Hervé Beraud","email":"herveberaud.pro@gmail.com","username":"hberaud"},"change_message_id":"861a279c32d69845fa1b9232dc791a1cab6571db","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"b866376d_933cdc10","in_reply_to":"58d2c01a_bdc31131","updated":"2021-10-26 14:25:35.000000000","message":"You are right. The latest patch set implement your suggestions.","commit_id":"8db17406310e072ed8882dbb2094f4ff20de7522"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"29216ef35dfbb89ae92b9c0ebcb19940ea75b1dc","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"e58fd19f_c95088b7","updated":"2024-01-23 11:58:43.000000000","message":"LGTM. We should probably update the documentation and remove the if-else check once minimum version is bumped to 3.9 .","commit_id":"f438770767ff5760dcbac011e9aaa0f50fed367c"}],"oslo_cache/_opts.py":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"d33b76b4930b5155373a4c16b3cf15e63c0a450a","unresolved":true,"context_lines":[{"line_number":149,"context_line":"        cfg.BoolOpt(\u0027enforce_fips_mode\u0027,"},{"line_number":150,"context_line":"                    default\u003dFalse,"},{"line_number":151,"context_line":"                    help\u003d\u0027Global toggle for enforcing the OpenSSL FIPS mode\u0027"},{"line_number":152,"context_line":"                    \u0027 if supported by the python version.\u0027),"},{"line_number":153,"context_line":"    ],"},{"line_number":154,"context_line":"}"},{"line_number":155,"context_line":""}],"source_content_type":"text/x-python","patch_set":3,"id":"008e9e3c_c8c284a7","line":152,"range":{"start_line":152,"start_character":21,"end_line":152,"end_character":57},"updated":"2021-10-20 09:58:16.000000000","message":"This isn\u0027t true. It\u0027ll attempt to enforce OpenSSL FIPS mode regardless of Python support, but it will fail if the Python version doesn\u0027t support it. Hence, this should read like:\n\n  This feature requires Python support. This is available in Python 3.9 in all\n  environments and may have been backported to older Python versions on select\n  environments. If the Python executable used does not support OpenSSL FIPS mode,\n  an exception will be raised.","commit_id":"03d43f2799d04ff9441f402915aab657022108ae"}],"oslo_cache/core.py":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"696698306cf8f0b5c648b906fd3e9d77347dab96","unresolved":true,"context_lines":[{"line_number":176,"context_line":"                getattr(ssl, \u0027FIPS_mode\u0027)"},{"line_number":177,"context_line":"            except AttributeError:"},{"line_number":178,"context_line":"                _LOG.warning("},{"line_number":179,"context_line":"                    \"OpenSSL FIPS mode is not supported by your python \""},{"line_number":180,"context_line":"                    \"version. If you see this message that mean \""},{"line_number":181,"context_line":"                    \"your tried to enforce the FIPS mode without success \""},{"line_number":182,"context_line":"                    \"If you want to use it you should consider to patch \""}],"source_content_type":"text/x-python","patch_set":1,"id":"9122bd77_2cc4de5e","line":179,"range":{"start_line":179,"start_character":64,"end_line":179,"end_character":70},"updated":"2021-10-05 10:39:37.000000000","message":"Python","commit_id":"2cdf8c1492cca8dc0e2a7dfb3f203994eaf5aec1"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"696698306cf8f0b5c648b906fd3e9d77347dab96","unresolved":true,"context_lines":[{"line_number":177,"context_line":"            except AttributeError:"},{"line_number":178,"context_line":"                _LOG.warning("},{"line_number":179,"context_line":"                    \"OpenSSL FIPS mode is not supported by your python \""},{"line_number":180,"context_line":"                    \"version. If you see this message that mean \""},{"line_number":181,"context_line":"                    \"your tried to enforce the FIPS mode without success \""},{"line_number":182,"context_line":"                    \"If you want to use it you should consider to patch \""},{"line_number":183,"context_line":"                    \"and compile your python version. That will enabled \""}],"source_content_type":"text/x-python","patch_set":1,"id":"fdcd2a6d_56c2b400","line":180,"range":{"start_line":180,"start_character":30,"end_line":180,"end_character":63},"updated":"2021-10-05 10:39:37.000000000","message":"This is redundant. If they\u0027re seeing this message, they\u0027ve obviously seeing this message 😄","commit_id":"2cdf8c1492cca8dc0e2a7dfb3f203994eaf5aec1"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"696698306cf8f0b5c648b906fd3e9d77347dab96","unresolved":true,"context_lines":[{"line_number":184,"context_line":"                    \"the support. For now The execution will continue \""},{"line_number":185,"context_line":"                    \"without enforcing this mode, however, if you try to \""},{"line_number":186,"context_line":"                    \"use a hash that is not FIPS-compliant Python will \""},{"line_number":187,"context_line":"                    \"crash\")"},{"line_number":188,"context_line":"            else:"},{"line_number":189,"context_line":"                _LOG.info(\"Enforcing the use of the OpenSSL FIPS mode\")"},{"line_number":190,"context_line":"                ssl.FIPS_mode_set(1)"}],"source_content_type":"text/x-python","patch_set":1,"id":"33883832_b894e81e","line":187,"updated":"2021-10-05 10:39:37.000000000","message":"How about:\n\n  OpenSSL FIPS mode is not supported by your Python version.\n  You must either change the Python executable used to a version with\n  FIPS mode support or disable FIPS mode by setting the\n  \u0027[cache] enforce_fips_mode\u0027 configuration option to \u0027False\u0027.\n\nAlso, why _wouldn\u0027t_ we hard fail here? The user has explicitly request FIPS mode and we can\u0027t provide it. We should crash and burn. If there\u0027s a reason we don\u0027t want to do this then we should rename the configuration option to e.g. \u0027attempt_fips_mode\u0027 to be obvious about what we\u0027re actually doing (note: I wouldn\u0027t recommend this)","commit_id":"2cdf8c1492cca8dc0e2a7dfb3f203994eaf5aec1"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"d33b76b4930b5155373a4c16b3cf15e63c0a450a","unresolved":false,"context_lines":[{"line_number":174,"context_line":"        if conf.cache.enforce_fips_mode:"},{"line_number":175,"context_line":"            try:"},{"line_number":176,"context_line":"                getattr(ssl, \u0027FIPS_mode\u0027)"},{"line_number":177,"context_line":"            except AttributeError:"},{"line_number":178,"context_line":"                raise exception.ConfigurationError("},{"line_number":179,"context_line":"                    \"OpenSSL FIPS mode is not supported by your Python \""},{"line_number":180,"context_line":"                    \"version. You must either change the Python executable \""}],"source_content_type":"text/x-python","patch_set":3,"id":"e090ea7d_67df936f","line":177,"updated":"2021-10-20 09:58:16.000000000","message":"nit: bit weird that we don\u0027t use \u0027hasattr\u0027 here, but what you have does work","commit_id":"03d43f2799d04ff9441f402915aab657022108ae"}],"oslo_cache/tests/unit/test_cache_basics.py":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"07eb9b47f089808ba521cfe776d934bb9a2b0274","unresolved":true,"context_lines":[{"line_number":321,"context_line":""},{"line_number":322,"context_line":"    @testtools.skipIf("},{"line_number":323,"context_line":"        getattr(ssl, \u0027FIPS_mode\u0027, False) is False,"},{"line_number":324,"context_line":"        \"FIPS mode is not supported\")"},{"line_number":325,"context_line":"    @mock.patch(\u0027oslo_cache.core._LOG\u0027)"},{"line_number":326,"context_line":"    def test_cache_dictionary_config_builder_fips_mode_supported(self, log):"},{"line_number":327,"context_line":"        \"\"\"Validate the FIPS mode is supported.\"\"\""}],"source_content_type":"text/x-python","patch_set":1,"id":"db958a4a_6a962897","line":324,"updated":"2021-10-05 10:41:44.000000000","message":"Rather than doing this, can we mock the attribute and test that we\u0027re setting it? As this is designed, we\u0027ll actually enable FIPS mode, right (I assume that \u0027ssl.FIPS_mode_set\u0027 is a singleton)","commit_id":"2cdf8c1492cca8dc0e2a7dfb3f203994eaf5aec1"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"d33b76b4930b5155373a4c16b3cf15e63c0a450a","unresolved":true,"context_lines":[{"line_number":343,"context_line":"        # supported. If it exist we need to delete it to emulate an"},{"line_number":344,"context_line":"        # environment where FIPS isn\u0027t supported."},{"line_number":345,"context_line":"        if getattr(ssl, \u0027FIPS_mode\u0027, False):"},{"line_number":346,"context_line":"            delattr(ssl, \u0027FIPS_mode\u0027)"},{"line_number":347,"context_line":"        self.config_fixture.config(group\u003d\u0027cache\u0027,"},{"line_number":348,"context_line":"                                   enabled\u003dTrue,"},{"line_number":349,"context_line":"                                   config_prefix\u003d\u0027test_prefix\u0027,"}],"source_content_type":"text/x-python","patch_set":3,"id":"8725e383_7ecc7d7f","line":346,"updated":"2021-10-20 09:58:16.000000000","message":"As above, let\u0027s not modify global state. Use mock instead.","commit_id":"03d43f2799d04ff9441f402915aab657022108ae"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"9c5654dfdeb66bef28c93ca1da985223d927cd71","unresolved":true,"context_lines":[{"line_number":342,"context_line":"        # Mocking the ssl module without attributes and methods and so without"},{"line_number":343,"context_line":"        # the FIPS_mode to emulate that it\u0027s not supported. If FIPS_mode is"},{"line_number":344,"context_line":"        # really unsupported we will fail to delete the attribute of the mock,"},{"line_number":345,"context_line":"        # so mocking an empty module will work no matter the python version."},{"line_number":346,"context_line":"        ssl \u003d mock.MagicMock(spec\u003d[])  # NOQA (mocking ssl)"},{"line_number":347,"context_line":"        self.config_fixture.config(group\u003d\u0027cache\u0027,"},{"line_number":348,"context_line":"                                   enabled\u003dTrue,"}],"source_content_type":"text/x-python","patch_set":4,"id":"1107e926_1509ba3a","line":345,"updated":"2021-10-21 15:03:08.000000000","message":"Ahh, good point. I was wondering why you\u0027d do it this way. What you\u0027ve proposed works. However, I think we could do it slightly easier. How about simply:\n\n  with mock.patch.object(cache, \u0027ssl\u0027) as ssl_:\n      del ssl_.FIPS_mode\n\n      ...\n\nThis works because \u0027autospec\u0027 is disabled so the returned object (\u0027ssl_\u0027) returns a mock for all object. By calling \u0027del\u0027, we change this.\n\n  \u003e\u003e\u003e import mock\n  \u003e\u003e\u003e x \u003d mock.Mock()\n  \u003e\u003e\u003e x.foo\n  \u003cMock name\u003d\u0027mock.foo\u0027 id\u003d\u0027139929429536928\u0027\u003e\n  \u003e\u003e\u003e del x.foo\n  \u003e\u003e\u003e x.foo\n  Traceback (most recent call last):\n    File \"\u003cstdin\u003e\", line 1, in \u003cmodule\u003e\n    File \"/usr/lib/python3.9/site-packages/mock/mock.py\", line 704, in __getattr__\n      raise AttributeError(name)\n  AttributeError: foo\n\nThoughts?","commit_id":"2c3141a3258b2d091557fa3727b140b40cee6a12"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"9c5654dfdeb66bef28c93ca1da985223d927cd71","unresolved":false,"context_lines":[{"line_number":349,"context_line":"                                   config_prefix\u003d\u0027test_prefix\u0027,"},{"line_number":350,"context_line":"                                   backend\u003d\u0027oslo_cache.dict\u0027,"},{"line_number":351,"context_line":"                                   tls_enabled\u003dTrue,"},{"line_number":352,"context_line":"                                   enforce_fips_mode\u003dTrue)"},{"line_number":353,"context_line":""},{"line_number":354,"context_line":"        # We do this test only if FIPS mode is not supported to"},{"line_number":355,"context_line":"        # ensure that we hard fail."}],"source_content_type":"text/x-python","patch_set":4,"id":"a952a4d8_ab004f24","line":352,"updated":"2021-10-21 15:03:08.000000000","message":"nit: This should probably go at the top of the test since it\u0027s not _entirely_ related. Ditto for the other test","commit_id":"2c3141a3258b2d091557fa3727b140b40cee6a12"}],"releasenotes/notes/enforce_fips_mode-c3296a0cc1fb7ad9.yaml":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"d33b76b4930b5155373a4c16b3cf15e63c0a450a","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"features:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Adding a new option (``enforce_fips_mode``) to the rabbitmq driver to"},{"line_number":5,"context_line":"    to enforce the OpenSSL FIPS mode if supported by the version of python."},{"line_number":6,"context_line":"security:"},{"line_number":7,"context_line":"  - |"}],"source_content_type":"text/x-yaml","patch_set":3,"id":"658376d9_73a42096","line":4,"range":{"start_line":4,"start_character":23,"end_line":4,"end_character":47},"updated":"2021-10-20 09:58:16.000000000","message":"this is in a group, so:\n\n  Added a new config option, ``[cache] enforce_fips_mode``, to","commit_id":"03d43f2799d04ff9441f402915aab657022108ae"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"d33b76b4930b5155373a4c16b3cf15e63c0a450a","unresolved":true,"context_lines":[{"line_number":2,"context_line":"features:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Adding a new option (``enforce_fips_mode``) to the rabbitmq driver to"},{"line_number":5,"context_line":"    to enforce the OpenSSL FIPS mode if supported by the version of python."},{"line_number":6,"context_line":"security:"},{"line_number":7,"context_line":"  - |"},{"line_number":8,"context_line":"    We are now able to enforce the OpenSSL FIPS mode by using"}],"source_content_type":"text/x-yaml","patch_set":3,"id":"e628ae29_e5a79ae6","line":5,"range":{"start_line":5,"start_character":68,"end_line":5,"end_character":74},"updated":"2021-10-20 09:58:16.000000000","message":"Python","commit_id":"03d43f2799d04ff9441f402915aab657022108ae"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"d33b76b4930b5155373a4c16b3cf15e63c0a450a","unresolved":true,"context_lines":[{"line_number":6,"context_line":"security:"},{"line_number":7,"context_line":"  - |"},{"line_number":8,"context_line":"    We are now able to enforce the OpenSSL FIPS mode by using"},{"line_number":9,"context_line":"    ``enforce_fips_mode``."}],"source_content_type":"text/x-yaml","patch_set":3,"id":"65e8ff12_839b4fd2","line":9,"range":{"start_line":9,"start_character":6,"end_line":9,"end_character":23},"updated":"2021-10-20 09:58:16.000000000","message":"nit:\n\n  ``[cache] enforce_fips_mode``","commit_id":"03d43f2799d04ff9441f402915aab657022108ae"}]}