From ee58ef4d0084b01a1bbfe193626642bfe57b80c7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Herv=C3=A9=20Beraud?=
Date: Fri, 29 Aug 2025 14:47:40 +0200
Subject: [PATCH] Remove eventlet usage from cms.py
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Remove eventlet compatibility code from keystoneclient/common/cms.py to simplify the subprocess module usage. This change eliminates the late loading mechanism and eventlet detection logic, replacing it with direct import of Python's standard subprocess module.

Changes:
- Remove _ensure_subprocess() function and eventlet detection logic
- Remove unused set_subprocess() function
- Import subprocess module directly at the top of the file
- Add appropriate nosec comments for bandit security compliance
- Simplify module docstring

Generated-By: Claude Code
Change-Id: I5a997493d28a43cd7299b3015d4bfcd3ed619225
Signed-off-by: Hervé Beraud
---
 keystoneclient/common/cms.py | 49 +++---------------------------------
 1 file changed, 4 insertions(+), 45 deletions(-)

diff --git a/keystoneclient/common/cms.py b/keystoneclient/common/cms.py
index 2ee8b52ae..edef46b5b 100644
--- a/keystoneclient/common/cms.py
+++ b/keystoneclient/common/cms.py
@@ -10,19 +10,13 @@
 # License for the specific language governing permissions and limitations
 # under the License.
-"""Certificate signing functions.
-
-Call set_subprocess() with the subprocess module. Either Python's
-subprocess or eventlet.green.subprocess can be used.
-
-If set_subprocess() is not called, this module will pick Python's subprocess
-or eventlet.green.subprocess based on if os module is patched by eventlet.
-"""
+"""Certificate signing functions."""
 import base64
 import errno
 import hashlib
 import logging
+import subprocess # nosec
 import zlib
 from debtcollector import removals
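Review bot: The bare `# nosec` on the new `import subprocess` line silences every bandit check on that line and drops the rationale the removed code carried, namely that the certificate/key files handed to `subprocess.Popen` are assumed to be trustworthy. I would scope the marker and keep the reason next to it, for example `import subprocess  # nosec B404 - cert/key file names are assumed trustworthy`, if the project's bandit version accepts test ids. The same applies to the two `close_fds=True)  # nosec` lines added in the cms_verify and cms_sign_data hunks, where `# nosec B603` would be the narrower marker. The `subprocess.Popen(` lines themselves are outside those hunks, so it is worth confirming with the pinned bandit that a marker on the closing line of the call still covers the finding.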
@@ -31,7 +25,6 @@ from keystoneclient import exceptions
 from keystoneclient.i18n import _
-subprocess = None
 LOG = logging.getLogger(__name__)
 PKI_ASN1_PREFIX = 'MII'
 PKIZ_PREFIX = 'PKIZ_'
@@ -50,38 +43,6 @@ class OpensslCmsExitStatus(object):
 CREATE_CMS_READ_MIME_ERROR = 3
-def _ensure_subprocess():
- # NOTE(vish): late loading subprocess so we can
- # use the green version if we are in
- # eventlet.
- global subprocess
- if not subprocess:
- try:
- from eventlet import patcher
- if patcher.already_patched:
- from eventlet.green import subprocess
- else:
- import subprocess # nosec(cjschaef): we must be careful when
- # using subprocess.Popen with possibly untrusted data,
- # assumption is that the certificate/key files provided are
- # trustworthy
- except ImportError:
- import subprocess # noqa # nosec(cjschaef): we must be careful
- # when using subprocess.Popen with possibly untrusted data,
- # assumption is that the certificate/key files provided are
- # trustworthy
-
-
-def set_subprocess(_subprocess=None):
- """Set subprocess module to use.
-
- The subprocess could be eventlet.green.subprocess if using eventlet,
- or Python's subprocess otherwise.
- """
- global subprocess
- subprocess = _subprocess
-
-
 def _check_files_accessible(files):
 err = None
 retcode = -1
@@ -160,7 +121,6 @@ def cms_verify(formatted, signing_cert_file_name, ca_file_name,
 is not configured properly.
 """
- _ensure_subprocess()
 if isinstance(formatted, str):
 data = bytes(formatted, _encoding_for_form(inform))
 else:
@@ -174,7 +134,7 @@ def cms_verify(formatted, signing_cert_file_name, ca_file_name,
 stdin=subprocess.PIPE,
 stdout=subprocess.PIPE,
 stderr=subprocess.PIPE,
- close_fds=True)
+ close_fds=True) # nosec
 output, err, retcode = _process_communicate_handle_oserror(
 process, data, (signing_cert_file_name, ca_file_name))
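Review bot: In the hunk that deletes `_ensure_subprocess` and `set_subprocess`, the latter has no leading underscore, so removing it outright makes any external `cms.set_subprocess(...)` call fail with AttributeError at runtime. The commit message calls the function unused, but that can only be established for this repository, not for code that imports the module. The file already imports `debtcollector.removals`, so a gentler path is to keep a deprecated no-op for a release, i.e. `@removals.remove(message=...)` on `def set_subprocess(_subprocess=None): pass`, and to mention the removal in a release note. Dropping the module-level `subprocess = None` in the preceding hunk is fine on its own.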
@@ -354,7 +314,6 @@ def cms_sign_data(data_to_sign, signing_cert_file_name, signing_key_file_name,
 :param message_digest: Digest algorithm to use when signing or resigning
 """
- _ensure_subprocess()
 if isinstance(data_to_sign, str):
 data = bytes(data_to_sign, encoding='utf-8')
 else:
@@ -369,7 +328,7 @@ def cms_sign_data(data_to_sign, signing_cert_file_name, signing_key_file_name,
 stdin=subprocess.PIPE,
 stdout=subprocess.PIPE,
 stderr=subprocess.PIPE,
- close_fds=True)
+ close_fds=True) # nosec
 output, err, retcode = _process_communicate_handle_oserror(
 process, data, (signing_cert_file_name, signing_key_file_name))