From 64086c30915349b1b6440aa2de36f753bbb0741c Mon Sep 17 00:00:00 2001
From: Cyril Roelandt
Date: Fri, 28 Jun 2024 01:37:09 +0200
Subject: [PATCH] Python 3.12: do not use ssl.wrap_socket

The ssl.wrap_socket method has been removed in 3.12. SSLContext.wrap_socket should now be used.

Change-Id: I6119e054289eac263ff5448d7d118209f98678d9
---
 swift/common/wsgi.py | 9 +++++++--
 test/unit/common/test_wsgi.py | 33 ++++++++++++++++++---------------
 2 files changed, 25 insertions(+), 17 deletions(-)

diff --git a/swift/common/wsgi.py b/swift/common/wsgi.py
index 77b0d25248..a9a22f2260 100644
--- a/swift/common/wsgi.py
+++ b/swift/common/wsgi.py
@@ -198,9 +198,14 @@ def get_socket(conf):
 sock = listen(bind_addr, backlog=int(conf.get('backlog', 4096)),
 family=address_family)
 if 'cert_file' in conf:
+ if six.PY2:
+ context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+ else:
+ context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+ context.verify_mode = ssl.CERT_NONE
+ context.load_cert_chain(conf['cert_file'], conf['key_file'])
 warn_ssl = True
- sock = ssl.wrap_socket(sock, certfile=conf['cert_file'],
- keyfile=conf['key_file'])
+ sock = context.wrap_socket(sock, server_side=True)
 except socket.error as err:
 if err.args[0] != errno.EADDRINUSE:
 raise
diff --git a/test/unit/common/test_wsgi.py b/test/unit/common/test_wsgi.py
index 73f3a22cf8..e5476c98b5 100644
--- a/test/unit/common/test_wsgi.py
+++ b/test/unit/common/test_wsgi.py
@@ -463,8 +463,8 @@ class TestWSGI(unittest.TestCase, ConfigAssertMixin):
 conf = {'bind_port': 54321}
 ssl_conf = conf.copy()
 ssl_conf.update({
- 'cert_file': '',
- 'key_file': '',
+ 'cert_file': 'cert.pem',
+ 'key_file': 'private.key',
 })

 # mocks
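Review bot: The TLS context built in get_socket (swift/common/wsgi.py) never sets a protocol floor, so the oldest version a client can negotiate is left to the interpreter and OpenSSL defaults, most visibly on the `six.PY2` branch that uses `ssl.PROTOCOL_SSLv23`. After construction, `context.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3` on that branch and `context.minimum_version = ssl.TLSVersion.TLSv1_2` on the Python 3 branch (where the interpreter provides it) would make the floor explicit. `context.verify_mode = ssl.CERT_NONE` means client certificates are not requested, and a comment such as `# server-side TLS only: client certificates are not requested` would record that this is intended. Indentation is lost on this page, so which branch the verify_mode line belongs to is inferred; get_socket starts and ends outside the hunk.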
@@ -478,20 +478,25 @@ class TestWSGI(unittest.TestCase, ConfigAssertMixin):
 def mock_listen(*args, **kwargs):
 return MockSocket()

- class MockSsl(object):
- def __init__(self):
- self.wrap_socket_called = []
+ class MockSslContext(object):
+ _instance = None

- def wrap_socket(self, sock, **kwargs):
- self.wrap_socket_called.append(kwargs)
+ def __init__(self, *args, **kwargs):
+ MockSslContext._instance = self
+ self.load_cert_chain_args = []
+
+ def wrap_socket(self, sock, *args, **kwargs):
 return sock

+ def load_cert_chain(self, *args, **kwargs):
+ self.load_cert_chain_args.extend(args)
+
 # patch
 old_listen = wsgi.listen
- old_ssl = wsgi.ssl
+ old_ssl_context = wsgi.ssl.SSLContext
 try:
 wsgi.listen = mock_listen
- wsgi.ssl = MockSsl()
+ wsgi.ssl.SSLContext = MockSslContext
 # test
 sock = wsgi.get_socket(conf)
 # assert
@@ -510,11 +515,9 @@ class TestWSGI(unittest.TestCase, ConfigAssertMixin):
 self.assertEqual(sock.opts, expected_socket_opts)
 # test ssl
 sock = wsgi.get_socket(ssl_conf)
- expected_kwargs = {
- 'certfile': '',
- 'keyfile': '',
- }
- self.assertEqual(wsgi.ssl.wrap_socket_called, [expected_kwargs])
+ expected_args = ['cert.pem', 'private.key']
+ self.assertEqual(MockSslContext._instance.load_cert_chain_args,
+ expected_args)

 # test keep_idle value
 keepIdle_value = 700
@@ -550,7 +553,7 @@ class TestWSGI(unittest.TestCase, ConfigAssertMixin):

 finally:
 wsgi.listen = old_listen
- wsgi.ssl = old_ssl
+ wsgi.ssl.SSLContext = old_ssl_context

 def test_address_in_use(self):
 # stubs
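Review bot: `MockSslContext.wrap_socket` in the `@@ -478,20 +478,25 @@` hunk discards its arguments, so the test no longer checks how the listening socket is wrapped, whereas the mock it replaces recorded the wrap_socket kwargs. Storing them, e.g. `self.wrap_socket_kwargs = kwargs`, and adding `self.assertEqual(MockSslContext._instance.wrap_socket_kwargs, {'server_side': True})` beside the `load_cert_chain_args` assertion in the `@@ -510,11 +515,9 @@` hunk would pin the server-side mode. The protocol constant passed to the constructor is also unrecorded, so a change of `ssl.PROTOCOL_TLS_SERVER` to a different protocol constant would pass unnoticed. The test method starts and ends outside these hunks.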