From 788f73b7a9f577c725d816f42a29e367fbd785f5 Mon Sep 17 00:00:00 2001
From: dandds <dan-ctr@friends.dds.mil>
Date: Tue, 11 Feb 2020 06:37:32 -0500
Subject: [PATCH] Separate config for Celery BROKER_URL.

I found out the hard way that, despite the Celery docs saying it will
respect settings of "none", "required", etc for the ssl_cert_reqs option
on ths broker connection uri, one it's underlying dependencies does not.
That dependency, Kombu, requires that the option be set as the string
version of one of the constants available on the standard library's ssl
module ("CERT_NONE", etc.). This fixes our code to supply slightly
variant connection URIs for Celery and for the session library. This
change can be reverted when Kombu is updated with the correct behavior.
---
 atst/app.py | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/atst/app.py b/atst/app.py
index db6a09c7..04aed44d 100644
--- a/atst/app.py
+++ b/atst/app.py
@@ -157,7 +157,6 @@ def map_config(config):
         **config["default"],
         "USE_AUDIT_LOG": config["default"].getboolean("USE_AUDIT_LOG"),
         "ENV": config["default"]["ENVIRONMENT"],
-        "BROKER_URL": config["default"]["REDIS_URI"],
         "DEBUG": config["default"].getboolean("DEBUG"),
         "DEBUG_MAILER": config["default"].getboolean("DEBUG_MAILER"),
         "SQLALCHEMY_ECHO": config["default"].getboolean("SQLALCHEMY_ECHO"),
@@ -240,12 +239,27 @@ def make_config(direct_config=None):
         (config.get("default", "REDIS_PASSWORD") or ""),
         config.get("default", "REDIS_HOST"),
     )
+    celery_uri = redis_uri
     if redis_use_tls:
         tls_mode = config.get("default", "REDIS_SSLMODE")
         tls_mode_str = tls_mode.lower() if tls_mode else "none"
         redis_uri = f"{redis_uri}/?ssl_cert_reqs={tls_mode_str}"
 
+        # TODO: Kombu, one of Celery's dependencies, still requires
+        # that ssl_cert_reqs be passed as the string version of an
+        # option on the ssl module. We can clean this up and use
+        # the REDIS_URI for both when this PR to Kombu is released:
+        # https://github.com/celery/kombu/pull/1139
+        kombu_modes = {
+            "none": "CERT_NONE",
+            "required": "CERT_REQUIRED",
+            "optional": "CERT_OPTIONAL",
+        }
+        celery_tls_mode_str = kombu_modes[tls_mode_str]
+        celery_uri = f"{celery_uri}/?ssl_cert_reqs={celery_tls_mode_str}"
+
     config.set("default", "REDIS_URI", redis_uri)
+    config.set("default", "BROKER_URL", celery_uri)
 
     return map_config(config)