Skip to content

Commit af73137

Browse files
committed
Add a warning when curve is disabled and using tcp transport
1 parent 2f29d52 commit af73137

2 files changed

Lines changed: 32 additions & 0 deletions

File tree

ipykernel/kernelapp.py

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -359,6 +359,14 @@ def init_sockets(self):
359359
if self.enable_curve:
360360
self._curve_publickey, self._curve_secretkey = zmq.curve_keypair()
361361
self.log.debug("CurveZMQ enabled; generated server keypair")
362+
elif self.transport == "tcp":
363+
self.log.warning(
364+
"Kernel is running over TCP without encryption."
365+
" All communication (including code and outputs) is sent in plain text"
366+
" and is susceptible to eavesdropping."
367+
" Use IPC transport or set IPKernelApp.enable_curve=True to enable"
368+
" CurveZMQ encryption."
369+
)
362370

363371
self.shell_socket = context.socket(zmq.ROUTER)
364372
self.shell_socket.linger = 1000

tests/test_kernelapp.py

Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -129,3 +129,27 @@ def test_trio_loop():
129129
app.io_loop.add_callback(app.io_loop.stop)
130130
app.kernel.destroy()
131131
app.close()
132+
133+
134+
def test_init_sockets_curve_enabled_logs_debug():
135+
app = IPKernelApp(enable_curve=True)
136+
with patch.object(app.log, "debug") as mock_debug:
137+
app.init_sockets()
138+
app.cleanup_connection_file()
139+
app.close()
140+
messages = [str(call) for call in mock_debug.call_args_list]
141+
assert any("CurveZMQ enabled" in m for m in messages), (
142+
"Expected a debug log mentioning CurveZMQ when enable_curve=True"
143+
)
144+
145+
146+
def test_init_sockets_tcp_without_curve_logs_warning():
147+
app = IPKernelApp(transport="tcp", enable_curve=False)
148+
with patch.object(app.log, "warning") as mock_warning:
149+
app.init_sockets()
150+
app.cleanup_connection_file()
151+
app.close()
152+
messages = [str(call) for call in mock_warning.call_args_list]
153+
assert any("Kernel is running over TCP without encryption" in m for m in messages), (
154+
"Expected a warning about missing encryption when transport=tcp and enable_curve=False"
155+
)

0 commit comments

Comments
 (0)