Merge branch 'apel:dev' into rpm_and_deb_naming_convention

.github/workflows/build-pkgs.yml

@@ -51,7 +51,7 @@ jobs:
       run: rpmlint ${{ steps.rpm.outputs.rpm_dir_path }}
 
     - name: Upload artifact
-      uses: actions/upload-artifact@v4.3.3
+      uses: actions/upload-artifact@v4.4.3
       with:
         name: Binary and Source RPMs
         path: |

.github/workflows/docker.yml

@@ -48,7 +48,7 @@ jobs:
         # Build and push Docker image
         # https://github.com/docker/build-push-action
         name: Build and push Docker image
-        uses: docker/build-push-action@v5.3.0
+        uses: docker/build-push-action@v6.10.0
         with:
           # Only push containers to the registry on GitHub pushes,
           # not pull requests. GitHub won't let a rogue PR create a container

.github/workflows/unit-test.yml

@@ -4,31 +4,37 @@ on: [push, pull_request]
 
 jobs:
   unit-test:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04  # 20.04 to allow for Py 3.6
     strategy:
       fail-fast: false
       matrix:
-        python-version: ['3.x']
+        # Python versions on Rocky 8, Ubuntu 20.04, Rocky 9
+        python-version: ['3.6', '3.8', '3.9']
     name: Python ${{ matrix.python-version }} test
     steps:
     - uses: actions/checkout@v4
-    - name: Set up Python
+
+    - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v5
       with:
         python-version: ${{ matrix.python-version }}
-    - name: Set up dependencies for python-ldap
-      run: sudo apt-get install libsasl2-dev libldap2-dev libssl-dev
+        cache: 'pip'
+
     - name: Base requirements for SSM
       run: pip install -r requirements.txt
+
     - name: Additional requirements for the unit and coverage tests
       run: pip install -r requirements-test.txt
+
     - name: Pre-test set up
       run: |
         export TMPDIR=$PWD/tmp
         mkdir $TMPDIR
         export PYTHONPATH=$PYTHONPATH:`pwd -P`
         cd test
+
     - name: Run unit tests
       run: coverage run --branch --source=ssm,bin -m unittest discover --buffer
+
     - name: Upload coverage to Codecov
-      uses: codecov/codecov-action@v4.3.1
+      uses: codecov/codecov-action@v5

.pre-commit-config.yaml

@@ -1,7 +1,7 @@
 # See https://pre-commit.com for more information
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v2.5.0
+  rev: v4.1.0  # Python 3.6 compatible
   hooks:
   # Python related checks
   - id: check-ast
@@ -13,9 +13,13 @@ repos:
     files: 'test/.*'
   # Other checks
   - id: check-added-large-files
+  - id: check-case-conflict
   - id: check-merge-conflict
   - id: check-yaml
   - id: debug-statements
+  - id: detect-private-key
+    # This file has a test cert and key
+    exclude: 'test_ssm.py'
   - id: end-of-file-fixer
   - id: mixed-line-ending
     name: Force line endings to LF

CHANGELOG

@@ -1,3 +1,10 @@
+* Fri Aug 30 2024 Adrian Coveney <adrian.coveney@stfc.ac.uk> - 3.4.1-1
+ - Improved error logging to store full traceback on unexpected exceptions.
+ - Changed more code to use pyOpenSSL to improve compatibility with newer OpenSSL versions.
+ - Added a check to prevent a host certificate being to used for target server encryption.
+ - Changed which version of exit function is used to avoid edge case.
+ - Various changes and improvements to build scripts and processes.
+
 * Wed Feb 21 2024 Adrian Coveney <adrian.coveney@stfc.ac.uk> - 3.4.0-1
  - Fixed compatability with newer versions of OpenSSL that only provide comma separated DNs.
  - Fixed Python 3 compatability (indirectly fixing EL8+ compatability) by performing explicit

Dockerfile

@@ -15,17 +15,14 @@ RUN yum -y install epel-release && yum clean all
 # Then get pip
 RUN yum -y install python3-pip && yum clean all
 
-# Install the system requirements of python-ldap
-RUN yum -y install gcc python3-devel openldap-devel && yum clean all
-
 # Install libffi, a requirement of openssl
 RUN yum -y install libffi-devel && yum clean all
 
 # Install the system requirements of ssm
 RUN yum -y install openssl && yum clean all
 
 # Install the python requirements of SSM
-RUN pip install -r requirements-docker.txt
+RUN pip install -r requirements.txt
 # Then install the SSM
 RUN python3 setup.py install
 

README.md

@@ -1,16 +1,15 @@
 # Secure STOMP Messenger
 
-[![Build Status](https://travis-ci.org/apel/ssm.svg?branch=dev)](https://travis-ci.org/apel/ssm)
 [![Coverage Status](https://coveralls.io/repos/github/apel/ssm/badge.svg?branch=dev)](https://coveralls.io/github/apel/ssm?branch=dev)
 [![Codacy Badge](https://app.codacy.com/project/badge/Grade/9d2b1c88ab844f0081e5fafab49b269d)](https://www.codacy.com/gh/apel/ssm/dashboard)
 [![Maintainability](https://api.codeclimate.com/v1/badges/34aa04f3583afce2ceb2/maintainability)](https://codeclimate.com/github/apel/ssm/maintainability)
 
 Secure STOMP Messenger (SSM) is designed to simply send messages
 using the [STOMP protocol](http://stomp.github.io/) or via the ARGO Messaging Service (AMS).
-Messages are signed and may be encrypted during transit.
+Messages are signed and may additionally be encrypted during transit.
 Persistent queues should be used to guarantee delivery.
 
-SSM is written in Python. Packages are available for RHEL 7, and Ubuntu Trusty.
+SSM is written in Python 3. Packages are available for EL 8 and 9, and Ubuntu.
 
 For more information about SSM, see the [EGI wiki](https://wiki.egi.eu/wiki/APEL/SSM).
 
@@ -31,15 +30,11 @@ the RPM for your version of SL, which is available on this page:
 http://fedoraproject.org/wiki/EPEL
 You will also need to have the OpenSSL library installed. Other prerequisites are listed below.
 
-The Python STOMP library (N.B. versions between 3.1.1 (inclusive) and 5.0.0
-(exclusive) are currently supported)
+The Python STOMP library
 * `yum install stomppy`
 
 The Python AMS library. This is only required if you want to use AMS. See here for details on obtaining an RPM: https://github.com/ARGOeu/argo-ams-library/
 
-The Python ldap library (N.B. versions before 3.4.0 (exclusive) are currently supported)
-* `yum install python-ldap`
-
 Optionally, the Python dirq library (N.B. this is only required if your messages
 are stored in a dirq structure)
 * `yum install python-dirq`
@@ -99,7 +94,7 @@ Install any missing system packages needed for the SSM:
 * `apt-get -f install`
 
 Install any missing Python requirements that don't have system packages:
-* `pip install "stomp.py<5.0.0" dirq`
+* `pip install stomp.py dirq`
 
 If you wish to run the SSM as a receiver, you will also need to install the python-daemon system package:
 * `apt-get install python-daemon`
@@ -239,7 +234,6 @@ add your messages using the `add` method.
 
 * `yum remove stomppy`
 * `yum remove python-daemon`
-* `yum remove python-ldap`
 
 * `rm -rf /var/spool/apel`
 * `rm -rf /var/log/apel`

apel-ssm.spec

@@ -1,10 +1,12 @@
+%define __python /usr/bin/python3
+
 # Conditionally define python_sitelib
 %if ! (0%{?fedora} > 12 || 0%{?rhel} > 5)
 %{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")}
 %endif
 
 Name:           apel-ssm
-Version:        3.4.0
+Version:        3.4.1
 %define releasenumber 1
 Release:        %{releasenumber}%{?dist}
 Summary:        Secure stomp messenger
@@ -21,7 +23,7 @@ BuildArch:      noarch
 BuildRequires:  python-devel
 %endif
 
-Requires:       stomppy < 5.0.0, python-ldap < 3.4.0, python-setuptools, openssl
+Requires:       stomppy < 8.1.1, python-setuptools, openssl
 Requires(pre):  shadow-utils
 
 %define ssmconf %_sysconfdir/apel
@@ -100,6 +102,13 @@ rm -rf $RPM_BUILD_ROOT
 %doc %_defaultdocdir/%{name}
 
 %changelog
+* Fri Aug 30 2024 Adrian Coveney <adrian.coveney@stfc.ac.uk> - 3.4.1-1
+ - Improved error logging to store full traceback on unexpected exceptions.
+ - Changed more code to use pyOpenSSL to improve compatibility with newer OpenSSL versions.
+ - Added a check to prevent a host certificate being to used for target server encryption.
+ - Changed which version of exit function is used to avoid edge case.
+ - Various changes and improvements to build scripts and processes.
+
 * Wed Feb 21 2024 Adrian Coveney <adrian.coveney@stfc.ac.uk> - 3.4.0-1
  - Fixed compatability with newer versions of OpenSSL that only provide comma separated DNs.
  - Fixed Python 3 compatability (indirectly fixing EL8+ compatability) by performing explicit

bin/receiver.py

@@ -21,36 +21,38 @@
 import ssm.agents
 from ssm import __version__, LOG_BREAK
 
+from argparse import ArgumentParser
 import logging
 import os
 import sys
-from optparse import OptionParser
 
-try:
-    import ConfigParser
-except ImportError:
-    import configparser as ConfigParser
+import configparser
 
 
 def main():
     """Set up connection, and listen for messages."""
     ver = "SSM %s.%s.%s" % __version__
     default_conf_location = '/etc/apel/receiver.cfg'
     default_dns_location = '/etc/apel/dns'
-    op = OptionParser(description=__doc__, version=ver)
-    op.add_option('-c', '--config',
-                  help=('location of config file, '
-                        'default path: ' + default_conf_location),
-                  default=default_conf_location)
-    op.add_option('-l', '--log_config',
-                  help='DEPRECATED - location of logging config file (optional)',
-                  default=None)
-    op.add_option('-d', '--dn_file',
-                  help=('location of the file containing valid DNs, '
-                        'default path: ' + default_dns_location),
-                  default=default_dns_location)
-
-    options, unused_args = op.parse_args()
+    arg_parser = ArgumentParser(description=__doc__)
+
+    arg_parser.add_argument('-c', '--config',
+                            help='location of config file, default path: '
+                                  '%s' % default_conf_location,
+                            default=default_conf_location)
+    arg_parser.add_argument('-l', '--log_config',
+                            help='DEPRECATED - location of logging config file',
+                            default=None)
+    arg_parser.add_argument('-d', '--dn_file',
+                            help='location of the file containing valid DNs, '
+                                  'default path: %s' % default_dns_location,
+                            default=default_dns_location)
+    arg_parser.add_argument('-v', '--version',
+                            action='version',
+                            version=ver)
+
+    # Parsing arguments into an argparse.Namespace object for structured access.
+    options = arg_parser.parse_args()
 
     # Deprecating functionality.
     old_log_config_default_path = '/etc/apel/logging.cfg'
@@ -62,11 +64,11 @@ def main():
 
     # Check if config file exists using os.path.isfile function.
     if os.path.isfile(options.config):
-        cp = ConfigParser.ConfigParser({'use_ssl': 'true'})
+        cp = configparser.ConfigParser({'use_ssl': 'true'})
         cp.read(options.config)
     else:
         print("Config file not found at", options.config)
-        exit(1)
+        sys.exit(1)
 
     # Check for pidfile
     pidfile = cp.get('daemon', 'pidfile')

bin/sender.py

@@ -21,30 +21,33 @@
 import ssm.agents
 from ssm import __version__, LOG_BREAK
 
+from argparse import ArgumentParser
 import logging
-from optparse import OptionParser
 import os
+import sys
 
-try:
-    import ConfigParser
-except ImportError:
-    import configparser as ConfigParser
+import configparser
 
 
 def main():
     """Set up connection, send all messages and quit."""
     ver = "SSM %s.%s.%s" % __version__
     default_conf_location = '/etc/apel/sender.cfg'
-    op = OptionParser(description=__doc__, version=ver)
-    op.add_option('-c', '--config',
-                  help=('location of config file, '
-                        'default path: ' + default_conf_location),
-                  default=default_conf_location)
-    op.add_option('-l', '--log_config',
-                  help='DEPRECATED - location of logging config file (optional)',
-                  default=None)
-
-    options, unused_args = op.parse_args()
+    arg_parser = ArgumentParser(description=__doc__)
+
+    arg_parser.add_argument('-c', '--config',
+                            help='location of config file, default path: '
+                                  '%s' % default_conf_location,
+                            default=default_conf_location)
+    arg_parser.add_argument('-l', '--log_config',
+                            help='DEPRECATED - location of logging config file',
+                            default=None)
+    arg_parser.add_argument('-v', '--version',
+                            action='version',
+                            version=ver)
+
+    # Parsing arguments into an argparse.Namespace object for structured access.
+    options = arg_parser.parse_args()
 
     # Deprecating functionality.
     old_log_config_default_path = '/etc/apel/logging.cfg'
@@ -53,11 +56,11 @@ def main():
 
     # Check if config file exists using os.path.isfile function.
     if os.path.isfile(options.config):
-        cp = ConfigParser.ConfigParser({'use_ssl': 'true'})
+        cp = configparser.ConfigParser({'use_ssl': 'true'})
         cp.read(options.config)
     else:
         print("Config file not found at", options.config)
-        exit(1)
+        sys.exit(1)
 
     ssm.agents.logging_helper(cp)
 

conf/receiver.cfg

@@ -3,16 +3,10 @@
 protocol: AMS
 
 [broker]
-
-# The SSM will query a BDII to find brokers available.  These details are for the
-# EGI production broker network
-#bdii: ldap://lcg-bdii.cern.ch:2170
-#network: PROD
-# Alternatively, 'host' and 'port' can be set manually (with 'bdii' and
-# 'network' commented out). The 'host' option MUST be used for AMS.
+# 'host' and 'port' must be set manually as LDAP broker search is now removed.
+# 'port' is not used with AMS.
 host: msg-devel.argo.grnet.gr
-#host: msg.argo.grnet.gr
-#port:
+# port: 443
 
 # broker authentication.  If use_ssl is set, the certificates configured
 # in the mandatory [certificates] section will be used.