tarantool
diff --git a/Diff for: ‎CHANGELOG.md
+1 b/Diff for: ‎CHANGELOG.md
+1
diff --git a/Diff for: ‎Makefile
+2 b/Diff for: ‎Makefile
+2
diff --git a/Diff for: ‎tarantool/connection.py
+78-3 b/Diff for: ‎tarantool/connection.py
+78-3
diff --git a/Diff for: ‎tarantool/connection_pool.py
+40-24 b/Diff for: ‎tarantool/connection_pool.py
+40-24
diff --git a/Diff for: ‎tarantool/const.py
+12 b/Diff for: ‎tarantool/const.py
+12
diff --git a/Diff for: ‎tarantool/error.py
+8 b/Diff for: ‎tarantool/error.py
+8
@@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## Unreleased
 
 ### Added
+- SSL support (PR #220, #217).
 
 ### Changed
 
 
@@ -1,6 +1,8 @@
 .PHONY: test
 test:
 	python setup.py test
+testdata:
+	cd ./test/data/; ./generate.sh
 coverage:
 	python -m coverage run -p --source=. setup.py test
 cov-html:
 
@@ -8,6 +8,11 @@
 import time
 import errno
 import socket
+try:
+    import ssl
+    is_ssl_supported = True
+except ImportError:
+    is_ssl_supported = False
 import abc
 
 import ctypes
@@ -44,6 +49,12 @@
     SOCKET_TIMEOUT,
     RECONNECT_MAX_ATTEMPTS,
     RECONNECT_DELAY,
+    DEFAULT_TRANSPORT,
+    SSL_TRANSPORT,
+    DEFAULT_SSL_KEY_FILE,
+    DEFAULT_SSL_CERT_FILE,
+    DEFAULT_SSL_CA_FILE,
+    DEFAULT_SSL_CIPHERS,
     REQUEST_TYPE_OK,
     REQUEST_TYPE_ERROR,
     IPROTO_GREETING_SIZE,
@@ -196,15 +207,28 @@ def __init__(self, host, port,
                  encoding=ENCODING_DEFAULT,
                  use_list=True,
                  call_16=False,
-                 connection_timeout=CONNECTION_TIMEOUT):
+                 connection_timeout=CONNECTION_TIMEOUT,
+                 transport=DEFAULT_TRANSPORT,
+                 ssl_key_file=DEFAULT_SSL_KEY_FILE,
+                 ssl_cert_file=DEFAULT_SSL_CERT_FILE,
+                 ssl_ca_file=DEFAULT_SSL_CA_FILE,
+                 ssl_ciphers=DEFAULT_SSL_CIPHERS):
         '''
         Initialize a connection to the server.
 
         :param str host: Server hostname or IP-address
         :param int port: Server port
         :param bool connect_now: if True (default) than __init__() actually
-        creates network connection.
-                             if False than you have to call connect() manualy.
+            creates network connection. if False than you have to call connect()
+            manualy.
+        :param str transport: It enables SSL encryption for a connection if set
+            to ssl.
+        :param str ssl_key_file: A path to a private SSL key file.
+        :param str ssl_cert_file: A path to an SSL certificate file.
+        :param str ssl_ca_file: A path to a trusted certificate authorities (CA)
+            file.
+        :param str ssl_ciphers: A colon-separated (:) list of SSL cipher suites
+            the connection can use.
         '''
 
         if msgpack.version >= (1, 0, 0) and encoding not in (None, 'utf-8'):
@@ -237,6 +261,11 @@ def __init__(self, host, port,
         self.use_list = use_list
         self.call_16 = call_16
         self.connection_timeout = connection_timeout
+        self.transport = transport
+        self.ssl_key_file = ssl_key_file
+        self.ssl_cert_file = ssl_cert_file
+        self.ssl_ca_file = ssl_ca_file
+        self.ssl_ciphers = ssl_ciphers
         if connect_now:
             self.connect()
 
@@ -263,6 +292,7 @@ def connect_basic(self):
     def connect_tcp(self):
         '''
         Create connection to the host and port specified in __init__().
+
         :raise: `NetworkError`
         '''
 
@@ -282,6 +312,7 @@ def connect_tcp(self):
     def connect_unix(self):
         '''
         Create connection to the host and port specified in __init__().
+
         :raise: `NetworkError`
         '''
 
@@ -298,6 +329,46 @@ def connect_unix(self):
             self.connected = False
             raise NetworkError(e)
 
+    def wrap_socket_ssl(self):
+        '''
+        Wrap an existing socket with SSL socket.
+
+        :raise: NetworkError
+        :raise: `ssl.SSLError`
+        '''
+        if is_ssl_supported == False:
+            raise NetworkError("SSL is unsupported by the python.")
+
+        if ssl.TLSVersion:
+            # Since python 3.7
+            context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
+            # Reset to default OpenSSL values
+            context.check_hostname = False
+            context.verify_mode = ssl.CERT_NONE
+            # Require TLSv1.2, because other protocol versions don't seem to
+            # support the GOST cipher.
+            context.minimum_version = ssl.TLSVersion.TLSv1_2
+            context.maximum_version = ssl.TLSVersion.TLSv1_2
+        else:
+            # Deprecated, but it works for python < 3.7
+            context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
+
+        if self.ssl_cert_file:
+            context.load_cert_chain(certfile = self.ssl_cert_file,
+                                    keyfile = self.ssl_key_file)
+
+        if self.ssl_ca_file:
+            context.load_verify_locations(cafile=self.ssl_ca_file)
+            context.verify_mode = ssl.CERT_REQUIRED
+            if self.host:
+                context.check_hostname = True
+
+        if self.ssl_ciphers:
+            context.set_ciphers(self.ssl_ciphers)
+
+        self._socket = context.wrap_socket(self._socket,
+                                           server_hostname = self.host)
+
     def handshake(self):
         greeting_buf = self._recv(IPROTO_GREETING_SIZE)
         greeting = greeting_decode(greeting_buf)
@@ -319,6 +390,8 @@ def connect(self):
         '''
         try:
             self.connect_basic()
+            if self.transport == SSL_TRANSPORT:
+                self.wrap_socket_ssl()
             self.handshake()
             self.load_schema()
         except Exception as e:
@@ -447,6 +520,8 @@ def check():  # Check that connection is alive
                 raise NetworkError(
                     socket.error(last_errno, errno.errorcode[last_errno]))
             attempt += 1
+        if self.transport == SSL_TRANSPORT:
+            self.wrap_socket_ssl()
         self.handshake()
 
     def _send_request(self, request):
 
@@ -190,13 +190,13 @@ class ConnectionPool(ConnectionInterface):
     ConnectionPool API is the same as a plain Connection API.
     On each request, a connection is chosen to execute this request.
     Connection is selected based on request mode:
+
     * Mode.ANY chooses any instance.
     * Mode.RW chooses an RW instance.
     * Mode.RO chooses an RO instance.
-    * Mode.PREFER_RW chooses an RW instance, if possible, RO instance
-      otherwise.
-    * Mode.PREFER_RO chooses an RO instance, if possible, RW instance
-      otherwise.
+    * Mode.PREFER_RW chooses an RW instance, if possible, RO instance otherwise.
+    * Mode.PREFER_RO chooses an RO instance, if possible, RW instance otherwise.
+
     All requests that are guaranteed to write (insert, replace, delete,
     upsert, update) use RW mode by default. select uses ANY by default. You
     can set the mode explicitly. call, eval, execute and ping requests
@@ -218,28 +218,39 @@ def __init__(self,
         '''
         Initialize connections to the cluster of servers.
 
-        :param list addrs: List of {host: , port:} dictionaries,
-        describing server addresses.
-        :user str Username used to authenticate. User must be able
-        to call box.info function. For example, to give grants to 
-        'guest' user, evaluate
-          box.schema.func.create('box.info')
-          box.schema.user.grant('guest', 'execute', 'function', 'box.info')
-        on Tarantool instances.
+        :param list addrs: List of
+
+            .. code-block:: python
+
+                { host: "str",
+                  port: int,
+                  transport: "str",
+                  ssl_key_file: "str",
+                  ssl_cert_file: "str",
+                  ssl_ca_file: "str",
+                  ssl_ciphers: "str" }
+
+            dictionaries, describing server addresses.
+        :param str user: Username used to authenticate. User must be able
+            to call box.info function. For example, to give grants to
+            'guest' user, evaluate
+            box.schema.func.create('box.info')
+            box.schema.user.grant('guest', 'execute', 'function', 'box.info')
+            on Tarantool instances.
         :param int reconnect_max_attempts: Max attempts to reconnect
-        for each connection in the pool. Be careful with reconnect
-        parameters in ConnectionPool since every status refresh is
-        also a request with reconnection. Default is 0 (fail after
-        first attempt).
+            for each connection in the pool. Be careful with reconnect
+            parameters in ConnectionPool since every status refresh is
+            also a request with reconnection. Default is 0 (fail after
+            first attempt).
         :param float reconnect_delay: Time between reconnect
-        attempts for each connection in the pool. Be careful with
-        reconnect parameters in ConnectionPool since every status
-        refresh is also a request with reconnection. Default is 0.
+            attempts for each connection in the pool. Be careful with
+            reconnect parameters in ConnectionPool since every status
+            refresh is also a request with reconnection. Default is 0.
         :param StrategyInterface strategy_class: Class for choosing
-        instance based on request mode. By default, round-robin
-        strategy is used.
+            instance based on request mode. By default, round-robin
+            strategy is used.
         :param int refresh_delay: Minimal time between RW/RO status
-        refreshes.
+            refreshes.
         '''
 
         if not isinstance(addrs, list) or len(addrs) == 0:
@@ -272,7 +283,12 @@ def __init__(self,
                     connect_now=False, # Connect in ConnectionPool.connect()
                     encoding=encoding,
                     call_16=call_16,
-                    connection_timeout=connection_timeout)
+                    connection_timeout=connection_timeout,
+                    transport=addr['transport'],
+                    ssl_key_file=addr['ssl_key_file'],
+                    ssl_cert_file=addr['ssl_cert_file'],
+                    ssl_ca_file=addr['ssl_ca_file'],
+                    ssl_ciphers=addr['ssl_ciphers'])
             )
 
         if connect_now:
@@ -464,7 +480,7 @@ def ping(self, *, mode=None, **kwargs):
     def select(self, space_name, key, *, mode=Mode.ANY, **kwargs):
         '''
         :param tarantool.Mode mode: Request mode (default is
-        ANY).
+            ANY).
         '''
 
         return self._send(mode, 'select', space_name, key, **kwargs)
 
@@ -94,6 +94,18 @@
 RECONNECT_MAX_ATTEMPTS = 10
 # Default delay between attempts to reconnect (seconds)
 RECONNECT_DELAY = 0.1
+# Default value for transport
+DEFAULT_TRANSPORT = ""
+# Value for SSL transport
+SSL_TRANSPORT = "ssl"
+# Default value for a path to SSL key file
+DEFAULT_SSL_KEY_FILE = None
+# Default value for a path to SSL certificate file
+DEFAULT_SSL_CERT_FILE = None
+# Default value for a path to SSL certificatea uthorities file
+DEFAULT_SSL_CA_FILE = None
+# Default value for list of SSL ciphers
+DEFAULT_SSL_CIPHERS = None
 # Default cluster nodes list refresh interval (seconds)
 CLUSTER_DISCOVERY_DELAY = 60
 # Default cluster nodes state refresh interval (seconds)
 
@@ -21,6 +21,11 @@
 
 import os
 import socket
+try:
+    import ssl
+    is_ssl_supported = True
+except ImportError:
+    is_ssl_supported = False
 import sys
 import warnings
 
@@ -205,10 +210,13 @@ def __init__(self, orig_exception=None, *args):
             if isinstance(orig_exception, socket.timeout):
                 self.message = "Socket timeout"
                 super(NetworkError, self).__init__(0, self.message)
+            elif is_ssl_supported and isinstance(orig_exception, ssl.SSLError):
+                super(NetworkError, self).__init__(orig_exception, *args)
             elif isinstance(orig_exception, socket.error):
                 self.message = os.strerror(orig_exception.errno)
                 super(NetworkError, self).__init__(
                     orig_exception.errno, self.message)
+
             else:
                 super(NetworkError, self).__init__(orig_exception, *args)