Remove eventlet usage from cms.py

Remove eventlet compatibility code from keystoneclient/common/cms.py to simplify the subprocess module usage. This change eliminates the late loading mechanism and eventlet detection logic, replacing it with direct import of Python's standard subprocess module. Changes: - Remove _ensure_subprocess() function and eventlet detection logic - Remove unused set_subprocess() function - Import subprocess module directly at the top of the file - Add appropriate nosec comments for bandit security compliance - Simplify module docstring Generated-By: Claude Code Change-Id: I5a997493d28a43cd7299b3015d4bfcd3ed619225 Signed-off-by: Hervé Beraud <hberaud@redhat.com>
2026-01-16 23:10:41 +00:00 · 2025-08-29 14:47:40 +02:00 · 2025-08-29 14:47:40 +02:00 · ee58ef4d00
commit ee58ef4d00
parent be6c506939
1 changed files with 4 additions and 45 deletions
--- a/keystoneclient/common/cms.py
+++ b/keystoneclient/common/cms.py
@ -10,19 +10,13 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.

-"""Certificate signing functions.
-
-Call set_subprocess() with the subprocess module. Either Python's
-subprocess or eventlet.green.subprocess can be used.
-
-If set_subprocess() is not called, this module will pick Python's subprocess
-or eventlet.green.subprocess based on if os module is patched by eventlet.
-"""
+"""Certificate signing functions."""

 import base64
 import errno
 import hashlib
 import logging
+import subprocess  # nosec
 import zlib

 from debtcollector import removals
@ -31,7 +25,6 @@ from keystoneclient import exceptions
 from keystoneclient.i18n import _


-subprocess = None
 LOG = logging.getLogger(__name__)
 PKI_ASN1_PREFIX = 'MII'
 PKIZ_PREFIX = 'PKIZ_'
@ -50,38 +43,6 @@ class OpensslCmsExitStatus(object):
    CREATE_CMS_READ_MIME_ERROR = 3


-def _ensure_subprocess():
-    # NOTE(vish): late loading subprocess so we can
-    #             use the green version if we are in
-    #             eventlet.
-    global subprocess
-    if not subprocess:
-        try:
-            from eventlet import patcher
-            if patcher.already_patched:
-                from eventlet.green import subprocess
-            else:
-                import subprocess  # nosec(cjschaef): we must be careful when
-                # using subprocess.Popen with possibly untrusted data,
-                # assumption is that the certificate/key files provided are
-                # trustworthy
-        except ImportError:
-            import subprocess  # noqa # nosec(cjschaef): we must be careful
-            # when using subprocess.Popen with possibly untrusted data,
-            # assumption is that the certificate/key files provided are
-            # trustworthy
-
-
-def set_subprocess(_subprocess=None):
-    """Set subprocess module to use.
-
-    The subprocess could be eventlet.green.subprocess if using eventlet,
-    or Python's subprocess otherwise.
-    """
-    global subprocess
-    subprocess = _subprocess
-
-
 def _check_files_accessible(files):
    err = None
    retcode = -1
@ -160,7 +121,6 @@ def cms_verify(formatted, signing_cert_file_name, ca_file_name,
                                                              is not configured
                                                              properly.
    """
-    _ensure_subprocess()
    if isinstance(formatted, str):
        data = bytes(formatted, _encoding_for_form(inform))
    else:
@ -174,7 +134,7 @@ def cms_verify(formatted, signing_cert_file_name, ca_file_name,
                               stdin=subprocess.PIPE,
                               stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE,
-                               close_fds=True)
+                               close_fds=True)  # nosec
    output, err, retcode = _process_communicate_handle_oserror(
        process, data, (signing_cert_file_name, ca_file_name))

@ -354,7 +314,6 @@ def cms_sign_data(data_to_sign, signing_cert_file_name, signing_key_file_name,
    :param message_digest: Digest algorithm to use when signing or resigning

    """
-    _ensure_subprocess()
    if isinstance(data_to_sign, str):
        data = bytes(data_to_sign, encoding='utf-8')
    else:
@ -369,7 +328,7 @@ def cms_sign_data(data_to_sign, signing_cert_file_name, signing_key_file_name,
                               stdin=subprocess.PIPE,
                               stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE,
-                               close_fds=True)
+                               close_fds=True)  # nosec

    output, err, retcode = _process_communicate_handle_oserror(
        process, data, (signing_cert_file_name, signing_key_file_name))