Refactor SslConfigurationContext into platform specific classes

Author: Dos Moonen

examples/getting_started/getting_started.py

@@ -1,7 +1,7 @@
 # type: ignore
 
 
-from rabbitmq_amqp_python_client import (  # SSlConfigurationContext,; SslConfigurationContext,; ClientCert,
+from rabbitmq_amqp_python_client import (  # PosixSSlConfigurationContext,; PosixClientCert,
     AddressHelper,
     AMQPMessagingHandler,
     Connection,
@@ -68,7 +68,7 @@ def create_connection(environment: Environment) -> Connection:
     # client_key = ".ci/certs/client_key.pem"
     # connection = Connection(
     #    "amqps://guest:guest@localhost:5671/",
-    #    ssl_context=SslConfigurationContext(
+    #    ssl_context=PosixSslConfigurationContext(
     #        ca_cert=ca_cert_file,
     #        client_cert=ClientCert(client_cert=client_cert, client_key=client_key),
     #    ),

examples/streams/example_with_streams.py

@@ -1,6 +1,6 @@
 # type: ignore
 
-from rabbitmq_amqp_python_client import (  # SSlConfigurationContext,; SslConfigurationContext,; ClientCert,
+from rabbitmq_amqp_python_client import (  # PosixSSlConfigurationContext,; PosixClientCert,
     AddressHelper,
     AMQPMessagingHandler,
     Connection,
@@ -72,9 +72,9 @@ def create_connection(environment: Environment) -> Connection:
     # client_key = ".ci/certs/client_key.pem"
     # connection = Connection(
     #    "amqps://guest:guest@localhost:5671/",
-    #    ssl_context=SslConfigurationContext(
+    #    ssl_context=PosixSslConfigurationContext(
     #        ca_cert=ca_cert_file,
-    #        client_cert=ClientCert(client_cert=client_cert, client_key=client_key),
+    #        client_cert=PosixClientCert(client_cert=client_cert, client_key=client_key),
     #    ),
     # )
     connection.dial()

examples/tls/tls_example.py

@@ -1,18 +1,18 @@
 # type: ignore
 
 
-from rabbitmq_amqp_python_client import (  # SSlConfigurationContext,; SslConfigurationContext,; ClientCert,
+from rabbitmq_amqp_python_client import (
     AddressHelper,
     AMQPMessagingHandler,
-    ClientCert,
     Connection,
     Environment,
     Event,
     ExchangeSpecification,
     ExchangeToQueueBindingSpecification,
     Message,
+    PosixClientCert,
+    PosixSslConfigurationContext,
     QuorumQueueSpecification,
-    SslConfigurationContext,
 )
 
 messages_to_publish = 100
@@ -80,9 +80,9 @@ def main() -> None:
 
     environment = Environment(
         "amqps://guest:guest@localhost:5671/",
-        ssl_context=SslConfigurationContext(
+        ssl_context=PosixSslConfigurationContext(
             ca_cert=ca_cert_file,
-            client_cert=ClientCert(client_cert=client_cert, client_key=client_key),
+            client_cert=PosixClientCert(client_cert=client_cert, client_key=client_key),
         ),
     )
 

rabbitmq_amqp_python_client/__init__.py

@@ -32,8 +32,13 @@
     StreamSpecification,
 )
 from .ssl_configuration import (
-    ClientCert,
-    SslConfigurationContext,
+    CurrentUserStore,
+    LocalMachineStore,
+    PKCS12Store,
+    PosixClientCert,
+    PosixSslConfigurationContext,
+    WinClientCert,
+    WinSslConfigurationContext,
 )
 
 try:
@@ -69,8 +74,13 @@
     "AMQPMessagingHandler",
     "ArgumentOutOfRangeException",
     "ValidationCodeException",
-    "SslConfigurationContext",
-    "ClientCert",
+    "PosixSslConfigurationContext",
+    "WinSslConfigurationContext",
+    "PosixClientCert",
+    "WinClientCert",
+    "LocalMachineStore",
+    "CurrentUserStore",
+    "PKCS12Store",
     "ConnectionClosed",
     "StreamOptions",
     "OffsetSpecification",

rabbitmq_amqp_python_client/connection.py

@@ -1,5 +1,13 @@
 import logging
-from typing import Annotated, Callable, Optional, TypeVar
+from typing import (
+    Annotated,
+    Callable,
+    Optional,
+    TypeVar,
+    Union,
+)
+
+import typing_extensions
 
 from .address_helper import validate_address
 from .consumer import Consumer
@@ -10,7 +18,15 @@
 from .qpid.proton._handlers import MessagingHandler
 from .qpid.proton._transport import SSLDomain
 from .qpid.proton.utils import BlockingConnection
-from .ssl_configuration import SslConfigurationContext
+from .ssl_configuration import (
+    CurrentUserStore,
+    FriendlyName,
+    LocalMachineStore,
+    PKCS12Store,
+    PosixSslConfigurationContext,
+    Unambiguous,
+    WinSslConfigurationContext,
+)
 
 logger = logging.getLogger(__name__)
 
@@ -34,7 +50,9 @@ def __init__(
         uri: Optional[str] = None,
         # multi-node mode
         uris: Optional[list[str]] = None,
-        ssl_context: Optional[SslConfigurationContext] = None,
+        ssl_context: Union[
+            PosixSslConfigurationContext, WinSslConfigurationContext, None
+        ] = None,
         on_disconnection_handler: Optional[CB] = None,  # type: ignore
     ):
         """
@@ -60,7 +78,9 @@ def __init__(
         self._conn: BlockingConnection
         self._management: Management
         self._on_disconnection_handler = on_disconnection_handler
-        self._conf_ssl_context: Optional[SslConfigurationContext] = ssl_context
+        self._conf_ssl_context: Union[
+            PosixSslConfigurationContext, WinSslConfigurationContext, None
+        ] = ssl_context
         self._ssl_domain = None
         self._connections = []  # type: ignore
         self._index: int = -1
@@ -80,17 +100,45 @@ def dial(self) -> None:
             logger.debug("Enabling SSL")
 
             self._ssl_domain = SSLDomain(SSLDomain.MODE_CLIENT)
-            if self._ssl_domain is not None:
-                self._ssl_domain.set_trusted_ca_db(self._conf_ssl_context.ca_cert)
+
+            if isinstance(self._conf_ssl_context, PosixSslConfigurationContext):
+                ca_cert = self._conf_ssl_context.ca_cert
+            elif isinstance(self._conf_ssl_context, WinSslConfigurationContext):
+                ca_cert = self._win_store_to_cert(self._conf_ssl_context.ca_store)
+            else:
+                typing_extensions.assert_never(self._conf_ssl_context)
+            self._ssl_domain.set_trusted_ca_db(ca_cert)
+
             # for mutual authentication
             if self._conf_ssl_context.client_cert is not None:
                 logger.debug("Enabling mutual authentication as well")
-                if self._ssl_domain is not None:
-                    self._ssl_domain.set_credentials(
-                        self._conf_ssl_context.client_cert.client_cert,
-                        self._conf_ssl_context.client_cert.client_key,
-                        self._conf_ssl_context.client_cert.password,
+
+                if isinstance(self._conf_ssl_context, PosixSslConfigurationContext):
+                    client_cert = self._conf_ssl_context.client_cert
+                    client_key = self._conf_ssl_context.client_cert.client_key
+                    password = self._conf_ssl_context.client_cert.password
+                elif isinstance(self._conf_ssl_context, WinSslConfigurationContext):
+                    client_cert = self._win_store_to_cert(
+                        self._conf_ssl_context.client_cert.store
                     )
+                    disambiguation_method = (
+                        self._conf_ssl_context.client_cert.disambiguation_method
+                    )
+                    if isinstance(disambiguation_method, Unambiguous):
+                        client_key = None
+                    elif isinstance(disambiguation_method, FriendlyName):
+                        client_key = disambiguation_method.name
+                    else:
+                        typing_extensions.assert_never(disambiguation_method)
+                    password = self._conf_ssl_context.client_cert.password
+                else:
+                    typing_extensions.assert_never(self._conf_ssl_context)
+
+                self._ssl_domain.set_credentials(
+                    client_cert,
+                    client_key,
+                    password,
+                )
         self._conn = BlockingConnection(
             url=self._addr,
             urls=self._addrs,
@@ -100,6 +148,19 @@ def dial(self) -> None:
         self._open()
         logger.debug("Connection to the server established")
 
+    def _win_store_to_cert(
+        self, store: Union[LocalMachineStore, CurrentUserStore, PKCS12Store]
+    ) -> str:
+        if isinstance(store, LocalMachineStore):
+            ca_cert = f"lmss:{store.name}"
+        elif isinstance(store, CurrentUserStore):
+            ca_cert = f"ss:{store.name}"
+        elif isinstance(store, PKCS12Store):
+            ca_cert = store.path
+        else:
+            typing_extensions.assert_never(store)
+        return ca_cert
+
     def _open(self) -> None:
         self._management = Management(self._conn)
         self._management.open()

rabbitmq_amqp_python_client/environment.py

@@ -1,9 +1,18 @@
 # For the moment this is just a Connection pooler to keep compatibility with other clients
 import logging
-from typing import Annotated, Callable, Optional, TypeVar
+from typing import (
+    Annotated,
+    Callable,
+    Optional,
+    TypeVar,
+    Union,
+)
 
 from .connection import Connection
-from .ssl_configuration import SslConfigurationContext
+from .ssl_configuration import (
+    PosixSslConfigurationContext,
+    WinSslConfigurationContext,
+)
 
 logger = logging.getLogger(__name__)
 
@@ -28,7 +37,9 @@ def __init__(
         uri: Optional[str] = None,
         # multi-node mode
         uris: Optional[list[str]] = None,
-        ssl_context: Optional[SslConfigurationContext] = None,
+        ssl_context: Union[
+            PosixSslConfigurationContext, WinSslConfigurationContext, None
+        ] = None,
         on_disconnection_handler: Optional[CB] = None,  # type: ignore
     ):
         """

rabbitmq_amqp_python_client/qpid/proton/_transport.py

@@ -826,7 +826,7 @@ def __init__(self, mode: int) -> None:
     def _check(self, err: int) -> int:
         if err < 0:
             exc = EXCEPTIONS.get(err, SSLException)
-            raise exc("SSL failure.")
+            raise exc("SSL failure.", err)
         else:
             return err
 

rabbitmq_amqp_python_client/ssl_configuration.py

@@ -1,15 +1,57 @@
 from dataclasses import dataclass
-from typing import Optional
+from typing import Optional, Union
 
 
 @dataclass
-class ClientCert:
+class PosixClientCert:
     client_cert: str
     client_key: str
     password: Optional[str] = None
 
 
 @dataclass
-class SslConfigurationContext:
+class Unambiguous:
+    """Use the only certificate in the store."""
+
+    ...
+
+
+@dataclass
+class FriendlyName:
+    """Use the first certificate with a matching friendly name."""
+
+    name: str
+
+
+@dataclass
+class LocalMachineStore:
+    name: str
+
+
+@dataclass
+class CurrentUserStore:
+    name: str
+
+
+@dataclass
+class PKCS12Store:
+    path: str
+
+
+@dataclass
+class WinClientCert:
+    store: Union[LocalMachineStore, CurrentUserStore, PKCS12Store]
+    disambiguation_method: Union[Unambiguous, FriendlyName]
+    password: Optional[str] = None
+
+
+@dataclass
+class PosixSslConfigurationContext:
     ca_cert: str
-    client_cert: Optional[ClientCert] = None
+    client_cert: Union[PosixClientCert, WinClientCert, None] = None
+
+
+@dataclass
+class WinSslConfigurationContext:
+    ca_store: Union[LocalMachineStore, CurrentUserStore, PKCS12Store]
+    client_cert: Union[PosixClientCert, WinClientCert, None] = None