authorAlex Shatov <alexs@att.com>2018-09-14 16:54:05 -0400
committerAlex Shatov <alexs@att.com>2018-09-14 16:54:05 -0400
commit6556fd79eb177d8ed7c390d56410b42afb4a0c70 (patch)
treea45f57fbdd4ba1468390868371484d299d23ed8c /policyhandler/config.py
parent1d693376205c66af93283d04e8e9740c947a7d02 (diff)
4.3.0 policy-handler - tls to policy-engine
- tls to policy-engine - tls on web-socket to policy-engine - tls to deployment-handler - no tls on the web-server side = that is internal API = will add TLS in R4 - policy-handler expecting the deployment process to mount certs at /opt/app/policy_handler/etc/tls/certs/ - blueprint for policy-handler will be updated to contain cert_directory : /opt/app/policy_handler/etc/tls/certs/ - the matching local etc/config.json has new part tls with: = cert_directory : etc/tls/certs/ = cacert : cacert.pem - new optional fields tls_ca_mode in config on consul that specify where to find the cacert.pem for tls per each https/web-socket values are: "cert_directory" - use the cacert.pem stored locally in cert_directory this is the default if cacert.pem file is found "os_ca_bundle" - use the public ca_bundle provided by linux system. this is the default if cacert.pem file not found "do_not_verify" - special hack to turn off the verification by cacert and hostname - config on consul now has 2 new fields for policy_engine = "tls_ca_mode" : "cert_directory" = "tls_wss_ca_mode" : "cert_directory" - config on consul now has 1 new field for deploy_handler = "tls_ca_mode" : "cert_directory" - removed customization for verify -- it is now a built-in feature Change-Id: Ibe9120504ed6036d1ed4c84ff4cd8ad1d9e80f17 Signed-off-by: Alex Shatov <alexs@att.com> Issue-ID: DCAEGEN2-611
Diffstat (limited to 'policyhandler/config.py')
-rw-r--r--policyhandler/config.py101
1 files changed, 100 insertions, 1 deletions
diff --git a/policyhandler/config.py b/policyhandler/config.py
index 3d68235..a69954f 100644
--- a/policyhandler/config.py
+++ b/policyhandler/config.py
@@ -56,6 +56,12 @@ class Settings(object):
def __str__(self):
"""get str of the config"""
+ if not self._changed:
+ return Audit.json_dumps({
+ "config_keys": self._config_keys,
+ "config": self._config
+ })
+
return Audit.json_dumps({
"config_keys": self._config_keys,
"changed": self._changed,
@@ -129,6 +135,7 @@ class Config(object):
FIELD_SYSTEM = "system"
FIELD_WSERVICE_PORT = "wservice_port"
+ FIELD_TLS = "tls"
FIELD_POLICY_ENGINE = "policy_engine"
POOL_CONNECTIONS = "pool_connections"
DEPLOY_HANDLER = "deploy_handler"
@@ -137,13 +144,74 @@ class Config(object):
POLICY_RETRY_SLEEP = "policy_retry_sleep"
RECONFIGURE = "reconfigure"
TIMER_INTERVAL = "interval"
+ REQUESTS_VERIFY = "verify"
+ TLS_CA_MODE = "tls_ca_mode"
+ TLS_WSS_CA_MODE = "tls_wss_ca_mode"
+ TLS_CA_MODE_DO_NOT_VERIFY = "do_not_verify"
system_name = SERVICE_NAME_POLICY_HANDLER
wservice_port = 25577
+ tls_cacert_file = None
+ tls_server_cert_file = None
+ tls_private_key_file = None
+
_local_config = Settings()
discovered_config = Settings()
@staticmethod
+ def _set_tls_config(tls_config):
+ """verify and set tls certs in config"""
+ try:
+ Config.tls_cacert_file = None
+ Config.tls_server_cert_file = None
+ Config.tls_private_key_file = None
+
+ if not (tls_config and isinstance(tls_config, dict)):
+ Config._logger.info("no tls in config: %s", json.dumps(tls_config))
+ return
+
+ cert_directory = tls_config.get("cert_directory")
+
+ if not (cert_directory and isinstance(cert_directory, str)):
+ Config._logger.info("unexpected tls.cert_directory: %r", cert_directory)
+ return
+
+ cert_directory = os.path.join(
+ os.path.dirname(os.path.dirname(os.path.realpath(__file__))), cert_directory)
+ if not (cert_directory and os.path.isdir(cert_directory)):
+ Config._logger.info("ignoring invalid cert_directory: %s", cert_directory)
+ return
+
+ cacert = tls_config.get("cacert")
+ if cacert:
+ tls_cacert_file = os.path.join(cert_directory, cacert)
+ if not os.path.isfile(tls_cacert_file):
+ Config._logger.error("invalid tls_cacert_file: %s", tls_cacert_file)
+ else:
+ Config.tls_cacert_file = tls_cacert_file
+
+ server_cert = tls_config.get("server_cert")
+ if server_cert:
+ tls_server_cert_file = os.path.join(cert_directory, server_cert)
+ if not os.path.isfile(tls_server_cert_file):
+ Config._logger.error("invalid tls_server_cert_file: %s", tls_server_cert_file)
+ else:
+ Config.tls_server_cert_file = tls_server_cert_file
+
+ private_key = tls_config.get("private_key")
+ if private_key:
+ tls_private_key_file = os.path.join(cert_directory, private_key)
+ if not os.path.isfile(tls_private_key_file):
+ Config._logger.error("invalid tls_private_key_file: %s", tls_private_key_file)
+ else:
+ Config.tls_private_key_file = tls_private_key_file
+
+ finally:
+ Config._logger.info("tls_cacert_file = %s", Config.tls_cacert_file)
+ Config._logger.info("tls_server_cert_file = %s", Config.tls_server_cert_file)
+ Config._logger.info("tls_private_key_file = %s", Config.tls_private_key_file)
+
+ @staticmethod
def init_config(file_path=None):
"""read and store the config from config file"""
if Config._local_config.is_loaded():
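Review bot: A configured `cacert` whose file is missing is only reported via `Config._logger.error("invalid tls_cacert_file: %s", ...)` and `Config.tls_cacert_file` stays `None`, which `get_tls_verify` later maps to `True`, so a deployment that pinned a private CA silently degrades to the OS bundle instead of failing at startup; consider raising here, or recording the failure in a class attribute that `get_tls_verify` can check, rather than continuing (the same applies to the `server_cert` and `private_key` branches). Separately, `os.path.join(os.path.dirname(...), cert_directory)` returns `cert_directory` unchanged when it is absolute, which is what the blueprint's `/opt/app/policy_handler/etc/tls/certs/` from the commit message relies on, and the docstring should say so: `"""verify and set tls certs in config - a relative cert_directory is resolved against the project root, an absolute one is used as-is"""`. `json.dumps(tls_config)` in the "no tls in config" log will raise for a non-serializable value, which the `finally` does not catch; probably acceptable for config loaded from JSON, but worth knowing. `Config` continues outside the hunk and `json`/`os` are assumed to be imported at the top of the file.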
@@ -169,9 +237,11 @@ class Config(object):
Config.wservice_port = loaded_config.get(Config.FIELD_WSERVICE_PORT, Config.wservice_port)
- local_config = loaded_config.get(Config.SERVICE_NAME_POLICY_HANDLER)
+ local_config = loaded_config.get(Config.SERVICE_NAME_POLICY_HANDLER, {})
Config.system_name = local_config.get(Config.FIELD_SYSTEM, Config.system_name)
+ Config._set_tls_config(local_config.get(Config.FIELD_TLS))
+
Config._local_config.set_config(local_config, auto_commit=True)
Config._logger.info("config loaded from file(%s): %s", file_path, Config._local_config)
@@ -190,3 +260,32 @@ class Config(object):
Config.discovered_config.set_config(new_config.get(Config.SERVICE_NAME_POLICY_HANDLER))
Config._logger.info("config from discovery: %s", Config.discovered_config)
+
+
+ @staticmethod
+ def get_tls_verify(tls_ca_mode=None):
+ """
+ generate verify value based on tls_ca_mode
+
+ tls_ca_mode can be one of:
+
+ "cert_directory" - use the cacert.pem stored locally in cert_directory.
+ this is the default if cacert.pem file is found
+
+ "os_ca_bundle" - use the public ca_bundle provided by linux system.
+ this is the default if cacert.pem file not found
+
+ "do_not_verify" - special hack to turn off the verification by cacert and hostname
+ """
+ if tls_ca_mode == Config.TLS_CA_MODE_DO_NOT_VERIFY:
+ return False
+
+ if tls_ca_mode == "os_ca_bundle" or not Config.tls_cacert_file:
+ return True
+
+ return Config.tls_cacert_file
+
+ @staticmethod
+ def get_requests_kwargs(tls_ca_mode=None):
+ """generate kwargs with verify for requests based on the tls_ca_mode"""
+ return {Config.REQUESTS_VERIFY: Config.get_tls_verify(tls_ca_mode)}
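Review bot: In `get_tls_verify`, an explicit `tls_ca_mode == "cert_directory"` with `Config.tls_cacert_file` unset falls into `return True`, so the caller silently gets the OS bundle although the docstring presents `cert_directory` as the mode that uses the local cacert; that fallback should at least be logged, and the `do_not_verify` branch should emit a warning each time it turns off certificate and hostname verification so the condition shows up in the audit trail. `"os_ca_bundle"` is also a bare literal while `do_not_verify` has `TLS_CA_MODE_DO_NOT_VERIFY`; a matching constant for it (and for `cert_directory`) next to the existing one would keep the three modes in one place. Rewritten decision chain below; `get_requests_kwargs` is unchanged.
```python
    def get_tls_verify(tls_ca_mode=None):
        # … unchanged: docstring …
        if tls_ca_mode == Config.TLS_CA_MODE_DO_NOT_VERIFY:
            Config._logger.warning("tls_ca_mode=%s: certificate and hostname verification is OFF", tls_ca_mode)
            return False

        if tls_ca_mode == "os_ca_bundle":
            return True

        if not Config.tls_cacert_file:
            Config._logger.warning("tls_ca_mode=%s but no cacert file was found - falling back to the os ca_bundle", tls_ca_mode)
            return True

        return Config.tls_cacert_file
```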