From a5ceb2485df10aa4987c64975d7200ff090c5890 Mon Sep 17 00:00:00 2001
From: Brinda Santh <bs2796@att.com>
Date: Tue, 22 Oct 2019 20:47:12 -0400
Subject: Py executor grpc TLS server authentication.

Issue-ID: CCSDK-1854
Signed-off-by: Brinda Santh <bs2796@att.com>
Change-Id: I72b3deb7976e7d3e44478c497a46b9b4ac428623
---
 ms/py-executor/server.py | 44 ++++++++++++++++++++++++++++++++++----------
 1 file changed, 34 insertions(+), 10 deletions(-)

(limited to 'ms/py-executor/server.py')

diff --git a/ms/py-executor/server.py b/ms/py-executor/server.py
index 5c149d96b..f506e9446 100644
--- a/ms/py-executor/server.py
+++ b/ms/py-executor/server.py
@@ -33,21 +33,45 @@ _ONE_DAY_IN_SECONDS = 60 * 60 * 24
 
 def serve(configuration: ScriptExecutorConfiguration):
     port = configuration.script_executor_property('port')
-    basic_auth = configuration.script_executor_property('auth')
+    authType = configuration.script_executor_property('authType')
     maxWorkers = configuration.script_executor_property('maxWorkers')
 
-    header_validator = RequestHeaderValidatorInterceptor(
-        'authorization', basic_auth, grpc.StatusCode.UNAUTHENTICATED,
-        'Access denied!')
+    if authType == 'tls-auth':
+        cert_chain_file = configuration.script_executor_property('certChain')
+        private_key_file = configuration.script_executor_property('privateKey')
+        logger.info("Setting GRPC server TLS authentication, cert file(%s) private key file(%s)", cert_chain_file,
+                    private_key_file)
+        # read in key and certificate
+        with open(cert_chain_file, 'rb') as f:
+            certificate_chain = f.read()
+        with open(private_key_file, 'rb') as f:
+            private_key = f.read()
 
-    server = grpc.server(futures.ThreadPoolExecutor(max_workers=int(maxWorkers)),
-                         interceptors=(header_validator,))
+        # create server credentials
+        server_credentials = grpc.ssl_server_credentials(((private_key, certificate_chain),))
 
-    BluePrintProcessing_pb2_grpc.add_BluePrintProcessingServiceServicer_to_server(
-        BluePrintProcessingServer(configuration), server)
+        # create server
+        server = grpc.server(futures.ThreadPoolExecutor(max_workers=int(maxWorkers)))
+        BluePrintProcessing_pb2_grpc.add_BluePrintProcessingServiceServicer_to_server(
+            BluePrintProcessingServer(configuration), server)
 
-    server.add_insecure_port('[::]:' + port)
-    server.start()
+        # add secure port using credentials
+        server.add_secure_port('[::]:' + port, server_credentials)
+        server.start()
+    else:
+        logger.info("Setting GRPC server base authentication")
+        basic_auth = configuration.script_executor_property('token')
+        header_validator = RequestHeaderValidatorInterceptor(
+            'authorization', basic_auth, grpc.StatusCode.UNAUTHENTICATED,
+            'Access denied!')
+        # create server with token authentication interceptors
+        server = grpc.server(futures.ThreadPoolExecutor(max_workers=int(maxWorkers)),
+                             interceptors=(header_validator,))
+        BluePrintProcessing_pb2_grpc.add_BluePrintProcessingServiceServicer_to_server(
+            BluePrintProcessingServer(configuration), server)
+
+        server.add_insecure_port('[::]:' + port)
+        server.start()
 
     logger.info("Command Executor Server started on %s" % port)
 
-- 
cgit 1.2.3-korg