Refactor SslConfigurationContext into platform specific classes

Author: Dos Moonen

examples/getting_started/getting_started.py

@@ -1,7 +1,9 @@
 # type: ignore
 
 
-from rabbitmq_amqp_python_client import (  # SSlConfigurationContext,; SslConfigurationContext,; ClientCert,
+from rabbitmq_amqp_python_client import (
+    # PosixSSlConfigurationContext,
+    # PosixClientCert,
     AddressHelper,
     AMQPMessagingHandler,
     Connection,
@@ -68,7 +70,7 @@ def create_connection(environment: Environment) -> Connection:
     # client_key = ".ci/certs/client_key.pem"
     # connection = Connection(
     #    "amqps://guest:guest@localhost:5671/",
-    #    ssl_context=SslConfigurationContext(
+    #    ssl_context=PosixSslConfigurationContext(
     #        ca_cert=ca_cert_file,
     #        client_cert=ClientCert(client_cert=client_cert, client_key=client_key),
     #    ),

examples/streams/example_with_streams.py

@@ -1,6 +1,8 @@
 # type: ignore
 
-from rabbitmq_amqp_python_client import (  # SSlConfigurationContext,; SslConfigurationContext,; ClientCert,
+from rabbitmq_amqp_python_client import (
+    # PosixSSlConfigurationContext,
+    # PosixClientCert,
     AddressHelper,
     AMQPMessagingHandler,
     Connection,
@@ -72,9 +74,9 @@ def create_connection(environment: Environment) -> Connection:
     # client_key = ".ci/certs/client_key.pem"
     # connection = Connection(
     #    "amqps://guest:guest@localhost:5671/",
-    #    ssl_context=SslConfigurationContext(
+    #    ssl_context=PosixSslConfigurationContext(
     #        ca_cert=ca_cert_file,
-    #        client_cert=ClientCert(client_cert=client_cert, client_key=client_key),
+    #        client_cert=PosixClientCert(client_cert=client_cert, client_key=client_key),
     #    ),
     # )
     connection.dial()

examples/tls/tls_example.py

@@ -1,18 +1,18 @@
 # type: ignore
 
 
-from rabbitmq_amqp_python_client import (  # SSlConfigurationContext,; SslConfigurationContext,; ClientCert,
+from rabbitmq_amqp_python_client import (
     AddressHelper,
     AMQPMessagingHandler,
-    ClientCert,
+    PosixClientCert,
     Connection,
     Environment,
     Event,
     ExchangeSpecification,
     ExchangeToQueueBindingSpecification,
     Message,
     QuorumQueueSpecification,
-    SslConfigurationContext,
+    PosixSslConfigurationContext,
 )
 
 messages_to_publish = 100
@@ -80,9 +80,9 @@ def main() -> None:
 
     environment = Environment(
         "amqps://guest:guest@localhost:5671/",
-        ssl_context=SslConfigurationContext(
+        ssl_context=PosixSslConfigurationContext(
             ca_cert=ca_cert_file,
-            client_cert=ClientCert(client_cert=client_cert, client_key=client_key),
+            client_cert=PosixClientCert(client_cert=client_cert, client_key=client_key),
         ),
     )
 

rabbitmq_amqp_python_client/__init__.py

@@ -32,8 +32,13 @@
     StreamSpecification,
 )
 from .ssl_configuration import (
-    ClientCert,
-    SslConfigurationContext,
+    PosixClientCert,
+    PosixSslConfigurationContext,
+    WinClientCert,
+    WinSslConfigurationContext,
+    LocalMachineStore,
+    CurrentUserStore,
+    PKCS12Store,
 )
 
 try:
@@ -69,8 +74,13 @@
     "AMQPMessagingHandler",
     "ArgumentOutOfRangeException",
     "ValidationCodeException",
-    "SslConfigurationContext",
-    "ClientCert",
+    "PosixSslConfigurationContext",
+    "WinSslConfigurationContext",
+    "PosixClientCert",
+    "WinClientCert",
+    "LocalMachineStore",
+    "CurrentUserStore",
+    "PKCS12Store",
     "ConnectionClosed",
     "StreamOptions",
     "OffsetSpecification",

rabbitmq_amqp_python_client/connection.py

@@ -1,5 +1,6 @@
 import logging
-from typing import Annotated, Callable, Optional, TypeVar
+import typing_extensions
+from typing import Annotated, Callable, Optional, TypeVar, Union
 
 from .address_helper import validate_address
 from .consumer import Consumer
@@ -10,7 +11,8 @@
 from .qpid.proton._handlers import MessagingHandler
 from .qpid.proton._transport import SSLDomain
 from .qpid.proton.utils import BlockingConnection
-from .ssl_configuration import SslConfigurationContext
+from .ssl_configuration import PosixSslConfigurationContext, WinSslConfigurationContext, LocalMachineStore, \
+    CurrentUserStore, PKCS12Store, Unambiguous, FriendlyName
 
 logger = logging.getLogger(__name__)
 
@@ -34,7 +36,7 @@ def __init__(
         uri: Optional[str] = None,
         # multi-node mode
         uris: Optional[list[str]] = None,
-        ssl_context: Optional[SslConfigurationContext] = None,
+        ssl_context: Union[PosixSslConfigurationContext, WinSslConfigurationContext, None] = None,
         on_disconnection_handler: Optional[CB] = None,  # type: ignore
     ):
         """
@@ -60,7 +62,7 @@ def __init__(
         self._conn: BlockingConnection
         self._management: Management
         self._on_disconnection_handler = on_disconnection_handler
-        self._conf_ssl_context: Optional[SslConfigurationContext] = ssl_context
+        self._conf_ssl_context: Union[PosixSslConfigurationContext, WinSslConfigurationContext, None] = ssl_context
         self._ssl_domain = None
         self._connections = []  # type: ignore
         self._index: int = -1
@@ -80,17 +82,41 @@ def dial(self) -> None:
             logger.debug("Enabling SSL")
 
             self._ssl_domain = SSLDomain(SSLDomain.MODE_CLIENT)
-            if self._ssl_domain is not None:
-                self._ssl_domain.set_trusted_ca_db(self._conf_ssl_context.ca_cert)
+
+            if isinstance(self._conf_ssl_context, PosixSslConfigurationContext):
+                ca_cert = self._conf_ssl_context.ca_cert
+            elif isinstance(self._conf_ssl_context, WinSslConfigurationContext):
+                ca_cert = self._win_store_to_cert(self._conf_ssl_context.ca_store)
+            else:
+                typing_extensions.assert_never(self._conf_ssl_context)
+            self._ssl_domain.set_trusted_ca_db(ca_cert)
+
             # for mutual authentication
             if self._conf_ssl_context.client_cert is not None:
                 logger.debug("Enabling mutual authentication as well")
-                if self._ssl_domain is not None:
-                    self._ssl_domain.set_credentials(
-                        self._conf_ssl_context.client_cert.client_cert,
-                        self._conf_ssl_context.client_cert.client_key,
-                        self._conf_ssl_context.client_cert.password,
-                    )
+
+                if isinstance(self._conf_ssl_context, PosixSslConfigurationContext):
+                    client_cert = self._conf_ssl_context.client_cert
+                    client_key = self._conf_ssl_context.client_cert.client_key
+                    password = self._conf_ssl_context.client_cert.password
+                elif isinstance(self._conf_ssl_context, WinSslConfigurationContext):
+                    client_cert = self._win_store_to_cert(self._conf_ssl_context.client_cert.store)
+                    disambiguation_method = self._conf_ssl_context.client_cert.disambiguation_method
+                    if isinstance(disambiguation_method, Unambiguous):
+                        client_key = None
+                    elif isinstance(disambiguation_method, FriendlyName):
+                        client_key = disambiguation_method.name
+                    else:
+                        typing_extensions.assert_never(disambiguation_method)
+                    password = self._conf_ssl_context.client_cert.password
+                else:
+                    typing_extensions.assert_never(self._conf_ssl_context)
+
+                self._ssl_domain.set_credentials(
+                    client_cert,
+                    client_key,
+                    password,
+                )
         self._conn = BlockingConnection(
             url=self._addr,
             urls=self._addrs,
@@ -100,6 +126,17 @@ def dial(self) -> None:
         self._open()
         logger.debug("Connection to the server established")
 
+    def _win_store_to_cert(self, store: Union[LocalMachineStore, CurrentUserStore, PKCS12Store]) -> str:
+        if isinstance(store, LocalMachineStore):
+            ca_cert = f"lmss:{store.name}"
+        elif isinstance(store, CurrentUserStore):
+            ca_cert = f"ss:{store.name}"
+        elif isinstance(store, PKCS12Store):
+            ca_cert = store.path
+        else:
+            typing_extensions.assert_never(store)
+        return ca_cert
+
     def _open(self) -> None:
         self._management = Management(self._conn)
         self._management.open()

rabbitmq_amqp_python_client/environment.py

@@ -1,9 +1,9 @@
 # For the moment this is just a Connection pooler to keep compatibility with other clients
 import logging
-from typing import Annotated, Callable, Optional, TypeVar
+from typing import Annotated, Callable, Optional, TypeVar, Union
 
 from .connection import Connection
-from .ssl_configuration import SslConfigurationContext
+from .ssl_configuration import PosixSslConfigurationContext, WinSslConfigurationContext
 
 logger = logging.getLogger(__name__)
 
@@ -28,7 +28,7 @@ def __init__(
         uri: Optional[str] = None,
         # multi-node mode
         uris: Optional[list[str]] = None,
-        ssl_context: Optional[SslConfigurationContext] = None,
+        ssl_context: Union[PosixSslConfigurationContext, WinSslConfigurationContext, None] = None,
         on_disconnection_handler: Optional[CB] = None,  # type: ignore
     ):
         """

rabbitmq_amqp_python_client/qpid/proton/_transport.py

@@ -826,7 +826,7 @@ def __init__(self, mode: int) -> None:
     def _check(self, err: int) -> int:
         if err < 0:
             exc = EXCEPTIONS.get(err, SSLException)
-            raise exc("SSL failure.")
+            raise exc("SSL failure.", err)
         else:
             return err
 

rabbitmq_amqp_python_client/ssl_configuration.py

@@ -1,15 +1,53 @@
 from dataclasses import dataclass
-from typing import Optional
+from typing import Optional, Union
 
 
 @dataclass
-class ClientCert:
+class PosixClientCert:
     client_cert: str
     client_key: str
     password: Optional[str] = None
 
+@dataclass
+class Unambiguous:
+    """Use the only certificate in the store."""
+    ...
+
+@dataclass
+class FriendlyName:
+    """Use the first certificate with a matching friendly name."""
+    name: str
+
+
+@dataclass
+class LocalMachineStore:
+    name: str
+
+
+@dataclass
+class CurrentUserStore:
+    name: str
+
 
 @dataclass
-class SslConfigurationContext:
+class PKCS12Store:
+    path: str
+
+
+@dataclass
+class WinClientCert:
+    store: Union[LocalMachineStore, CurrentUserStore, PKCS12Store]
+    disambiguation_method: Union[Unambiguous, FriendlyName]
+    password: Optional[str] = None
+
+
+@dataclass
+class PosixSslConfigurationContext:
     ca_cert: str
-    client_cert: Optional[ClientCert] = None
+    client_cert: Union[PosixClientCert, WinClientCert, None] = None
+
+
+@dataclass
+class WinSslConfigurationContext:
+    ca_store: Union[LocalMachineStore, CurrentUserStore, PKCS12Store]
+    client_cert: Union[PosixClientCert, WinClientCert, None] = None

tests/conftest.py

@@ -1,17 +1,24 @@
+import os
+import sys
 from typing import Optional
 
 import pytest
 
 from rabbitmq_amqp_python_client import (
     AddressHelper,
     AMQPMessagingHandler,
-    ClientCert,
+    PosixClientCert,
+    WinClientCert,
     Environment,
     Event,
-    SslConfigurationContext,
+    PosixSslConfigurationContext,
+    WinSslConfigurationContext,
     symbol,
+    PKCS12Store,
 )
+from rabbitmq_amqp_python_client.ssl_configuration import FriendlyName
 
+os.chdir(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
 
 @pytest.fixture()
 def environment(pytestconfig):
@@ -34,19 +41,31 @@ def connection(pytestconfig):
     finally:
         environment.close()
 
+@pytest.fixture()
+def ssl_context(pytestconfig):
+    if sys.platform == "win32":
+        return WinSslConfigurationContext(
+            ca_store=PKCS12Store(path=".ci/certs/ca.p12"),
+            client_cert=WinClientCert(
+                store=PKCS12Store(path=".ci/certs/client.p12"),
+                disambiguation_method=FriendlyName(name="gsantomagg6LVDM.vmware.com"),
+            ),
+        )
+    else:
+        return PosixSslConfigurationContext(
+            ca_cert=".ci/certs/ca_certificate.pem",
+            client_cert=PosixClientCert(
+                client_cert=".ci/certs/client_certificate.pem",
+                client_key=".ci/certs/client_key.pem",
+            ),
+        )
 
 @pytest.fixture()
-def connection_ssl(pytestconfig):
-    ca_cert_file = ".ci/certs/ca_certificate.pem"
-    client_cert = ".ci/certs/client_certificate.pem"
-    client_key = ".ci/certs/client_key.pem"
+def connection_ssl(pytestconfig, ssl_context):
 
     environment = Environment(
         "amqps://guest:guest@localhost:5671/",
-        ssl_context=SslConfigurationContext(
-            ca_cert=ca_cert_file,
-            client_cert=ClientCert(client_cert=client_cert, client_key=client_key),
-        ),
+        ssl_context=ssl_context,
     )
     connection = environment.connection()
     connection.dial()

tests/test_connection.py

@@ -1,10 +1,8 @@
 import time
 
 from rabbitmq_amqp_python_client import (
-    ClientCert,
     ConnectionClosed,
     Environment,
-    SslConfigurationContext,
     StreamSpecification,
 )
 
@@ -31,17 +29,10 @@ def test_environment_context_manager() -> None:
         connection.dial()
 
 
-def test_connection_ssl() -> None:
-    ca_cert_file = ".ci/certs/ca_certificate.pem"
-    client_cert = ".ci/certs/client_certificate.pem"
-    client_key = ".ci/certs/client_key.pem"
-
+def test_connection_ssl(ssl_context) -> None:
     environment = Environment(
         "amqps://guest:guest@localhost:5671/",
-        ssl_context=SslConfigurationContext(
-            ca_cert=ca_cert_file,
-            client_cert=ClientCert(client_cert=client_cert, client_key=client_key),
-        ),
+        ssl_context=ssl_context,
     )
 
     connection = environment.connection()