Implement support of scylla cloud config bundle

```python
path_to_bundle_yaml='/file/download/from/cloud/config.yaml'
cluster= Cluster(scylla_cloud=path_to_bundle_yaml)
```

Author: fruch

cassandra/cluster.py

@@ -91,6 +91,7 @@
                                       GraphSON3Serializer)
 from cassandra.datastax.graph.query import _request_timeout_key, _GraphSONContextRowFactory
 from cassandra.datastax import cloud as dscloud
+from cassandra.scylla.cloud import CloudConfiguration
 
 try:
     from cassandra.io.twistedreactor import TwistedConnection
@@ -1137,6 +1138,7 @@ def __init__(self,
                  monitor_reporting_interval=30,
                  client_id=None,
                  cloud=None,
+                 scylla_cloud=None,
                  shard_aware_options=None):
         """
         ``executor_threads`` defines the number of threads in a pool for handling asynchronous tasks such as
@@ -1157,6 +1159,21 @@ def __init__(self,
         if connection_class is not None:
             self.connection_class = connection_class
 
+        if scylla_cloud is not None:
+            if contact_points is not _NOT_SET or endpoint_factory or ssl_context or ssl_options:
+                raise ValueError("contact_points, endpoint_factory, ssl_context, and ssl_options "
+                                 "cannot be specified with a scylla cloud configuration")
+
+            uses_twisted = TwistedConnection and issubclass(self.connection_class, TwistedConnection)
+            uses_eventlet = EventletConnection and issubclass(self.connection_class, EventletConnection)
+
+            scylla_cloud_config = CloudConfiguration.create(scylla_cloud, pyopenssl=uses_twisted or uses_eventlet)
+            ssl_context = scylla_cloud_config.ssl_context
+            endpoint_factory = scylla_cloud_config.endpoint_factory
+            contact_points = scylla_cloud_config.contact_points
+            ssl_options = scylla_cloud_config.ssl_options
+            auth_provider = scylla_cloud_config.auth_provider
+
         if cloud is not None:
             self.cloud = cloud
             if contact_points is not _NOT_SET or endpoint_factory or ssl_context or ssl_options:

cassandra/connection.py

@@ -309,16 +309,17 @@ def __repr__(self):
 
 class SniEndPointFactory(EndPointFactory):
 
-    def __init__(self, proxy_address, port):
+    def __init__(self, proxy_address, port, node_domain=None):
         self._proxy_address = proxy_address
         self._port = port
+        self._node_domain = node_domain
 
     def create(self, row):
         host_id = row.get("host_id")
         if host_id is None:
             raise ValueError("No host_id to create the SniEndPoint")
-
-        return SniEndPoint(self._proxy_address, str(host_id), self._port)
+        address = "{}.{}".format(host_id, self._node_domain) if self._node_domain else str(host_id)
+        return SniEndPoint(self._proxy_address, str(address), self._port)
 
     def create_from_sni(self, sni):
         return SniEndPoint(self._proxy_address, sni, self._port)

cassandra/scylla/cloud.py

@@ -0,0 +1,142 @@
+# Copyright ScyllaDB, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import sys
+import ssl
+import tempfile
+import base64
+from ssl import SSLContext
+from contextlib import contextmanager
+from itertools import islice
+
+import six
+import yaml
+
+from cassandra.connection import SniEndPointFactory
+from cassandra.auth import AuthProvider, PlainTextAuthProvider
+
+
+@contextmanager
+def file_or_memory(path=None, data=None):
+    # since we can't read keys/cert from memory yet
+    # see https://github.com/python/cpython/pull/2449 which isn't accepted and PEP-543 that was withdrawn
+    # so we use temporary file to load the key
+    if data:
+        with tempfile.NamedTemporaryFile(mode="wb") as f:
+            d = base64.decodebytes(bytes(data, encoding='utf-8'))
+            f.write(d)
+            if not d.endswith(b"\n"):
+                f.write(b"\n")
+
+            f.flush()
+            yield f.name
+
+    if path:
+        yield path
+
+
+def nth(iterable, n, default=None):
+    "Returns the nth item or a default value"
+    return next(islice(iterable, n, None), default)
+
+
+class CloudConfiguration:
+    endpoint_factory: SniEndPointFactory
+    contact_points: list
+    auth_provider: AuthProvider = None
+    ssl_options: dict
+    ssl_context: SSLContext
+    skip_tls_verify: bool
+
+    def __init__(self, configuration_file, pyopenssl=False):
+        cloud_config = yaml.safe_load(open(configuration_file))
+
+        self.current_context = cloud_config['contexts'][cloud_config['currentContext']]
+        self.data_centers = cloud_config['datacenters']
+        self.auth_info = cloud_config['authInfos'][self.current_context['authInfoName']]
+        self.ssl_options = {}
+        self.skip_tls_verify = self.auth_info.get('insecureSkipTLSVerify', False)
+        self.ssl_context = self.create_pyopenssl_context() if pyopenssl else self.create_ssl_context()
+
+        proxy_address, port, node_domain = self.get_server(self.data_centers[self.current_context['datacenterName']],
+                                                           keys_order=['testServer', 'server'])
+        self.endpoint_factory = SniEndPointFactory(proxy_address, port=int(port), node_domain=node_domain)
+
+        username, password = self.auth_info.get('username'), self.auth_info.get('password')
+        if username and password:
+            self.auth_provider = PlainTextAuthProvider(username, password)
+
+
+    @property
+    def contact_points(self):
+        _contact_points = []
+        for data_center in self.data_centers.values():
+            address, _, _ = self.get_server(data_center)
+            _contact_points.append(self.endpoint_factory.create_from_sni(address))
+        return _contact_points
+
+    def get_server(self, data_center, keys_order=None):
+        keys_order = keys_order or ['server']
+        for key in keys_order:
+            address = data_center.get(key, '')
+            if not address:
+                continue
+            address = address.split(":")
+            port = nth(address, 1, default=443)
+            address = nth(address, 0)
+            node_domain = data_center.get('nodeDomain')
+            return address, port, node_domain
+
+    def create_ssl_context(self):
+        ssl_context = ssl.SSLContext(protocol=ssl.PROTOCOL_SSLv23)
+        ssl_context.verify_mode = ssl.VerifyMode.CERT_NONE if self.skip_tls_verify else ssl.VerifyMode.CERT_REQUIRED
+        for data_center in self.data_centers.values():
+            with file_or_memory(path=data_center.get('certificateAuthorityPath'),
+                                data=data_center.get('certificateAuthorityData')) as cafile:
+                ssl_context.load_verify_locations(cadata=open(cafile).read())
+        with file_or_memory(path=self.auth_info.get('clientCertificatePath'),
+                            data=self.auth_info.get('clientCertificateData')) as certfile, \
+                file_or_memory(path=self.auth_info.get('clientKeyPath'), data=self.auth_info.get('clientKeyData')) as keyfile:
+            ssl_context.load_cert_chain(keyfile=keyfile,
+                                        certfile=certfile)
+
+        return ssl_context
+
+    def create_pyopenssl_context(self):
+        try:
+            from OpenSSL import SSL
+        except ImportError as e:
+            six.reraise(
+                ImportError,
+                ImportError(
+                    "PyOpenSSL must be installed to connect to scylla-cloud with the Eventlet or Twisted event loops"),
+                sys.exc_info()[2]
+            )
+        ssl_context = SSL.Context(SSL.TLS_METHOD)
+        ssl_context.set_verify(SSL.VERIFY_PEER, callback=lambda _1, _2, _3, _4, ok: True if self.skip_tls_verify else ok)
+        for data_center in self.data_centers.values():
+            with file_or_memory(path=data_center.get('certificateAuthorityPath'),
+                                data=data_center.get('certificateAuthorityData')) as cafile:
+                ssl_context.load_verify_locations(cafile)
+        with file_or_memory(path=self.auth_info.get('clientCertificatePath'),
+                            data=self.auth_info.get('clientCertificateData')) as certfile, \
+                file_or_memory(path=self.auth_info.get('clientKeyPath'), data=self.auth_info.get('clientKeyData')) as keyfile:
+            ssl_context.use_privatekey_file(keyfile)
+            ssl_context.use_certificate_file(certfile)
+
+        return ssl_context
+
+    @classmethod
+    def create(cls, configuration_file, pyopenssl=False):
+        return cls(configuration_file, pyopenssl)

setup.py

@@ -404,7 +404,8 @@ def run_setup(extensions):
             sys.stderr.write("Bypassing Cython setup requirement\n")
 
     dependencies = ['six >=1.9',
-                    'geomet>=0.1,<0.3']
+                    'geomet>=0.1,<0.3',
+                    'pyyaml > 5.0']
 
     if not PY3:
         dependencies.append('futures')
@@ -429,7 +430,7 @@ def run_setup(extensions):
         packages=[
             'cassandra', 'cassandra.io', 'cassandra.cqlengine', 'cassandra.graph',
             'cassandra.datastax', 'cassandra.datastax.insights', 'cassandra.datastax.graph',
-            'cassandra.datastax.graph.fluent', 'cassandra.datastax.cloud'
+            'cassandra.datastax.graph.fluent', 'cassandra.datastax.cloud', 'cassandra.scylla'
         ],
         keywords='cassandra,cql,orm,dse,graph',
         include_package_data=True,