author | Alex Shatov <alexs@att.com> | 2018-09-14 16:54:05 -0400 |
committer | Alex Shatov <alexs@att.com> | 2018-09-14 16:54:05 -0400 |
commit | 6556fd79eb177d8ed7c390d56410b42afb4a0c70 (patch) | |
tree | a45f57fbdd4ba1468390868371484d299d23ed8c /policyhandler/config.py | |
parent | 1d693376205c66af93283d04e8e9740c947a7d02 (diff) |
4.3.0 policy-handler - tls to policy-engine
- tls to policy-engine
- tls on web-socket to policy-engine
- tls to deployment-handler
- no tls on the web-server side
= that is internal API
= will add TLS in R4
- policy-handler expecting the deployment process
to mount certs at /opt/app/policy_handler/etc/tls/certs/
- blueprint for policy-handler will be updated to contain
cert_directory : /opt/app/policy_handler/etc/tls/certs/
- the matching local etc/config.json has new part tls with:
= cert_directory : etc/tls/certs/
= cacert : cacert.pem
- new optional fields tls_ca_mode in config on consul that
specify where to find the cacert.pem for tls per each https/web-socket
values are:
"cert_directory" - use the cacert.pem stored locally in cert_directory
this is the default if cacert.pem file is found
"os_ca_bundle" - use the public ca_bundle provided by the linux system.
this is the default if the cacert.pem file is not found
"do_not_verify" - special hack to turn off the verification by cacert
and hostname
- config on consul now has 2 new fields for policy_engine
= "tls_ca_mode" : "cert_directory"
= "tls_wss_ca_mode" : "cert_directory"
- config on consul now has 1 new field for deploy_handler
= "tls_ca_mode" : "cert_directory"
- removed customization for verify -- it is now a built-in feature
Change-Id: Ibe9120504ed6036d1ed4c84ff4cd8ad1d9e80f17
Signed-off-by: Alex Shatov <alexs@att.com>
Issue-ID: DCAEGEN2-611
Diffstat (limited to 'policyhandler/config.py')
-rw-r--r-- | policyhandler/config.py | 101 |
1 files changed, 100 insertions, 1 deletions
diff --git a/policyhandler/config.py b/policyhandler/config.py
index 3d68235..a69954f 100644
--- a/policyhandler/config.py
+++ b/policyhandler/config.py
@@ -56,6 +56,12 @@ class Settings(object):
 def __str__(self):
 """get str of the config"""
+ if not self._changed:
+ return Audit.json_dumps({
+ "config_keys": self._config_keys,
+ "config": self._config
+ })
+
 return Audit.json_dumps({
 "config_keys": self._config_keys,
 "changed": self._changed,
@@ -129,6 +135,7 @@ class Config(object):
 FIELD_SYSTEM = "system"
 FIELD_WSERVICE_PORT = "wservice_port"
+ FIELD_TLS = "tls"
 FIELD_POLICY_ENGINE = "policy_engine"
 POOL_CONNECTIONS = "pool_connections"
 DEPLOY_HANDLER = "deploy_handler"
@@ -137,13 +144,74 @@ class Config(object):
 POLICY_RETRY_SLEEP = "policy_retry_sleep"
 RECONFIGURE = "reconfigure"
 TIMER_INTERVAL = "interval"
+ REQUESTS_VERIFY = "verify"
+ TLS_CA_MODE = "tls_ca_mode"
+ TLS_WSS_CA_MODE = "tls_wss_ca_mode"
+ TLS_CA_MODE_DO_NOT_VERIFY = "do_not_verify"
 system_name = SERVICE_NAME_POLICY_HANDLER
 wservice_port = 25577
+ tls_cacert_file = None
+ tls_server_cert_file = None
+ tls_private_key_file = None
+
 _local_config = Settings()
 discovered_config = Settings()
 @staticmethod
+ def _set_tls_config(tls_config):
+ """verify and set tls certs in config"""
+ try:
+ Config.tls_cacert_file = None
+ Config.tls_server_cert_file = None
+ Config.tls_private_key_file = None
+
+ if not (tls_config and isinstance(tls_config, dict)):
+ Config._logger.info("no tls in config: %s", json.dumps(tls_config))
+ return
+
+ cert_directory = tls_config.get("cert_directory")
+
+ if not (cert_directory and isinstance(cert_directory, str)):
+ Config._logger.info("unexpected tls.cert_directory: %r", cert_directory)
+ return
+
+ cert_directory = os.path.join(
+ os.path.dirname(os.path.dirname(os.path.realpath(__file__))), cert_directory)
+ if not (cert_directory and os.path.isdir(cert_directory)):
+ Config._logger.info("ignoring invalid cert_directory: %s", cert_directory)
+ return
+
+ cacert = tls_config.get("cacert")
+ if cacert:
+ tls_cacert_file = os.path.join(cert_directory, cacert)
+ if not os.path.isfile(tls_cacert_file):
+ Config._logger.error("invalid tls_cacert_file: %s", tls_cacert_file)
+ else:
+ Config.tls_cacert_file = tls_cacert_file
+
+ server_cert = tls_config.get("server_cert")
+ if server_cert:
+ tls_server_cert_file = os.path.join(cert_directory, server_cert)
+ if not os.path.isfile(tls_server_cert_file):
+ Config._logger.error("invalid tls_server_cert_file: %s", tls_server_cert_file)
+ else:
+ Config.tls_server_cert_file = tls_server_cert_file
+
+ private_key = tls_config.get("private_key")
+ if private_key:
+ tls_private_key_file = os.path.join(cert_directory, private_key)
+ if not os.path.isfile(tls_private_key_file):
+ Config._logger.error("invalid tls_private_key_file: %s", tls_private_key_file)
+ else:
+ Config.tls_private_key_file = tls_private_key_file
+
+ finally:
+ Config._logger.info("tls_cacert_file = %s", Config.tls_cacert_file)
+ Config._logger.info("tls_server_cert_file = %s", Config.tls_server_cert_file)
+ Config._logger.info("tls_private_key_file = %s", Config.tls_private_key_file)
+
+ @staticmethod
 def init_config(file_path=None):
 """read and store the config from config file"""
 if Config._local_config.is_loaded():
@@ -169,9 +237,11 @@ class Config(object):
 Config.wservice_port = loaded_config.get(Config.FIELD_WSERVICE_PORT, Config.wservice_port)
- local_config = loaded_config.get(Config.SERVICE_NAME_POLICY_HANDLER)
+ local_config = loaded_config.get(Config.SERVICE_NAME_POLICY_HANDLER, {})
 Config.system_name = local_config.get(Config.FIELD_SYSTEM, Config.system_name)
+ Config._set_tls_config(local_config.get(Config.FIELD_TLS))
+
 Config._local_config.set_config(local_config, auto_commit=True)
 Config._logger.info("config loaded from file(%s): %s", file_path, Config._local_config)
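Review bot: The `cacert`, `server_cert` and `private_key` names in `_set_tls_config` are joined onto `cert_directory` with `os.path.join` and checked only with `os.path.isfile`, so an absolute path or a `..` component in any of them silently resolves to a file outside the mounted certificate directory; these values come from the local etc/config.json per the commit message, so this is hardening rather than an exposure, but an `os.path.basename(name) != name` check keeps the trust anchors pinned to the directory the deployment mounts. When a configured file is missing the code logs an error and leaves the attribute `None`, which `get_tls_verify` later turns into `verify=True` (the OS CA bundle) — a quietly weaker trust anchor than the operator asked for, so the error message should say that the fallback will happen. The three seven-line lookups are identical apart from the field name and are better expressed as one helper, as below. The `os.path.join` on `cert_directory` also discards the package base when the value is absolute, which is the blueprint case (`/opt/app/policy_handler/etc/tls/certs/`); that deserves a comment such as `# an absolute cert_directory (blueprint) makes os.path.join drop the package base`.
```python
    @staticmethod
    def _tls_file(cert_directory, tls_config, field):
        """resolve tls_config[field] as a bare file name inside cert_directory; None when absent or invalid"""
        name = tls_config.get(field)
        if not name:
            return None
        if not isinstance(name, str) or os.path.basename(name) != name:
            Config._logger.error("tls.%s must be a bare file name inside cert_directory: %r", field, name)
            return None
        path = os.path.join(cert_directory, name)
        if not os.path.isfile(path):
            Config._logger.error("tls.%s file not found: %s - tls will fall back to the os ca bundle",
                                 field, path)
            return None
        return path

    @staticmethod
    def _set_tls_config(tls_config):
        """verify and set tls certs in config"""
        try:
            # … unchanged: reset of the three attributes, tls_config and cert_directory checks …
            Config.tls_cacert_file = Config._tls_file(cert_directory, tls_config, "cacert")
            Config.tls_server_cert_file = Config._tls_file(cert_directory, tls_config, "server_cert")
            Config.tls_private_key_file = Config._tls_file(cert_directory, tls_config, "private_key")
        finally:
            # … unchanged: the three info log lines …
```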
@@ -190,3 +260,32 @@ class Config(object):
 Config.discovered_config.set_config(new_config.get(Config.SERVICE_NAME_POLICY_HANDLER))
 Config._logger.info("config from discovery: %s", Config.discovered_config)
+
+
+ @staticmethod
+ def get_tls_verify(tls_ca_mode=None):
+ """
+ generate verify value based on tls_ca_mode
+
+ tls_ca_mode can be one of:
+
+ "cert_directory" - use the cacert.pem stored locally in cert_directory.
+ this is the default if cacert.pem file is found
+
+ "os_ca_bundle" - use the public ca_bundle provided by linux system.
+ this is the default if cacert.pem file not found
+
+ "do_not_verify" - special hack to turn off the verification by cacert and hostname
+ """
+ if tls_ca_mode == Config.TLS_CA_MODE_DO_NOT_VERIFY:
+ return False
+
+ if tls_ca_mode == "os_ca_bundle" or not Config.tls_cacert_file:
+ return True
+
+ return Config.tls_cacert_file
+
+ @staticmethod
+ def get_requests_kwargs(tls_ca_mode=None):
+ """generate kwargs with verify for requests based on the tls_ca_mode"""
+ return {Config.REQUESTS_VERIFY: Config.get_tls_verify(tls_ca_mode)}
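Review bot: `get_tls_verify` hands `requests` a `verify=False` for `do_not_verify` and falls back to `True` (the OS CA bundle) whenever no local cacert was loaded, and neither branch leaves a trace in the log, so a deployment that asked for `cert_directory` but lost its cacert.pem — or one where `tls_ca_mode` came from consul as `do_not_verify` — verifies against a different trust store, or none, without anyone noticing; both branches should log at warning level. The `"os_ca_bundle"` literal is compared inline while `do_not_verify` has the `TLS_CA_MODE_DO_NOT_VERIFY` constant; a `TLS_CA_MODE_OS_CA_BUNDLE = "os_ca_bundle"` next to it keeps the two consistent. The warning is emitted per call since `get_requests_kwargs` presumably runs for each request; if that proves noisy, a "warned once" class flag keeps it to one line per process.
```python
    @staticmethod
    def get_tls_verify(tls_ca_mode=None):
        # … unchanged: docstring …
        if tls_ca_mode == Config.TLS_CA_MODE_DO_NOT_VERIFY:
            Config._logger.warning(
                "tls_ca_mode=%s: server certificate and hostname verification is OFF", tls_ca_mode)
            return False

        if tls_ca_mode == "os_ca_bundle":
            return True

        if not Config.tls_cacert_file:
            Config._logger.warning(
                "tls_ca_mode=%s but no local cacert loaded: falling back to the os ca bundle",
                tls_ca_mode)
            return True

        return Config.tls_cacert_file
```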