author | Alex Shatov <alexs@att.com> | 2018-09-14 16:54:05 -0400 |
committer | Alex Shatov <alexs@att.com> | 2018-09-14 16:54:05 -0400 |
commit | 6556fd79eb177d8ed7c390d56410b42afb4a0c70 (patch) | |
tree | a45f57fbdd4ba1468390868371484d299d23ed8c /policyhandler/policy_receiver.py | |
parent | 1d693376205c66af93283d04e8e9740c947a7d02 (diff) |
4.3.0 policy-handler - tls to policy-engine
- tls to policy-engine
- tls on web-socket to policy-engine
- tls to deployment-handler
- no tls on the web-server side
= that is internal API
= will add TLS in R4
- policy-handler expecting the deployment process
to mount certs at /opt/app/policy_handler/etc/tls/certs/
- blueprint for policy-handler will be updated to contain
cert_directory : /opt/app/policy_handler/etc/tls/certs/
- the matching local etc/config.json has new part tls with:
= cert_directory : etc/tls/certs/
= cacert : cacert.pem
- new optional fields tls_ca_mode in config on consul that
specify where to find the cacert.pem for tls per each https/web-socket
values are:
"cert_directory" - use the cacert.pem stored locally in cert_directory
this is the default if cacert.pem file is found
"os_ca_bundle" - use the public ca_bundle provided by linux system.
this is the default if cacert.pem file not found
"do_not_verify" - special hack that turns off both CA-certificate
and hostname verification (insecure)
- config on consul now has 2 new fields for policy_engine
= "tls_ca_mode" : "cert_directory"
= "tls_wss_ca_mode" : "cert_directory"
- config on consul now has 1 new field for deploy_handler
= "tls_ca_mode" : "cert_directory"
- removed customization for verify -- it is now a built-in feature
Change-Id: Ibe9120504ed6036d1ed4c84ff4cd8ad1d9e80f17
Signed-off-by: Alex Shatov <alexs@att.com>
Issue-ID: DCAEGEN2-611
Diffstat (limited to 'policyhandler/policy_receiver.py')
-rw-r--r-- | policyhandler/policy_receiver.py | 55 |
1 files changed, 44 insertions, 11 deletions
diff --git a/policyhandler/policy_receiver.py b/policyhandler/policy_receiver.py
index 1edb24d..96afd59 100644
--- a/policyhandler/policy_receiver.py
+++ b/policyhandler/policy_receiver.py
@@ -25,8 +25,11 @@ on receiving the policy-notifications, the policy-receiver passes
 the notifications to policy-updater
 """
+import copy
 import json
 import logging
+import os
+import ssl
 import time
 from threading import Lock, Thread
@@ -35,6 +38,7 @@ import websocket
 from .config import Config, Settings
 from .policy_consts import MATCHING_CONDITIONS, POLICY_NAME, POLICY_VERSION
 from .policy_updater import PolicyUpdater
+from .policy_utils import Utils
 LOADED_POLICIES = 'loadedPolicies'
 REMOVED_POLICIES = 'removedPolicies'
@@ -54,6 +58,8 @@ class _PolicyReceiver(Thread):
         self._settings = Settings(Config.FIELD_POLICY_ENGINE)
         self._web_socket_url = None
+        self._web_socket_sslopt = None
+        self._tls_wss_ca_mode = None
         self._web_socket = None
         self.reconfigure()
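Review bot: The first hunk adds `import os`, but none of the hunks in this commit reference `os` (`ssl` and `copy` are both used further down). If the rest of the file does not use it either, it is a dead import that linters will flag; drop it or leave a short comment on what it is reserved for. The `__init__` body in the third hunk continues outside the hunk.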
@@ -71,21 +77,39 @@ class _PolicyReceiver(Thread):
             return False
         prev_web_socket_url = self._web_socket_url
-        resturl = config.get("url", "") + config.get("path_pdp", "")
+        prev_web_socket_sslopt = self._web_socket_sslopt
+        self._web_socket_sslopt = None
+
+        resturl = (config.get("url", "").lower()
+                   + config.get("path_notifications", "/pdp/notifications"))
+
+        self._tls_wss_ca_mode = config.get(Config.TLS_WSS_CA_MODE)
         if resturl.startswith("https:"):
-            self._web_socket_url = resturl.replace("https:", "wss:") + "notifications"
+            self._web_socket_url = resturl.replace("https:", "wss:")
+
+            verify = Config.get_tls_verify(self._tls_wss_ca_mode)
+            if verify is False:
+                self._web_socket_sslopt = {'cert_reqs': ssl.CERT_NONE}
+            elif verify is True:
+                pass
+            else:
+                self._web_socket_sslopt = {'ca_certs': verify}
+
         else:
-            self._web_socket_url = resturl.replace("http:", "ws:") + "notifications"
+            self._web_socket_url = resturl.replace("http:", "ws:")
-        if self._web_socket_url == prev_web_socket_url:
-            _PolicyReceiver._logger.info("not changed web_socket_url(%s): %s",
-                                         self._web_socket_url, self._settings)
+        if (self._web_socket_url == prev_web_socket_url
+                and Utils.are_the_same(prev_web_socket_sslopt, self._web_socket_sslopt)):
+            _PolicyReceiver._logger.info(
+                "not changed web_socket_url(%s) or tls_wss_ca_mode(%s): %s",
+                self._web_socket_url, self._tls_wss_ca_mode, self._settings)
             self._settings.commit_change()
             return False
-        _PolicyReceiver._logger.info("changed web_socket_url(%s): %s",
-                                     self._web_socket_url, self._settings)
+        _PolicyReceiver._logger.info("changed web_socket_url(%s) or tls_wss_ca_mode(%s): %s",
+                                     self._web_socket_url, self._tls_wss_ca_mode,
+                                     self._settings)
         self._settings.commit_change()
         self._stop_notifications()
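Review bot: The `verify is False` branch silently downgrades the policy-engine web socket to `{'cert_reqs': ssl.CERT_NONE}`, which disables certificate-chain (and, for websocket-client, effectively hostname) checking; the only trace is an info-level log of the sslopt dict elsewhere. Disabling TLS verification is the kind of setting that must be loud in production logs, so add a warning right in that branch: `_PolicyReceiver._logger.warning("tls_wss_ca_mode(%s): TLS certificate and hostname verification is DISABLED for %s", self._tls_wss_ca_mode, self._web_socket_url)`. The `elif verify is True: pass` branch deserves a comment too, since it leaves `_web_socket_sslopt` as `None` and thereby delegates the trust store to websocket-client's defaults, e.g. `# os_ca_bundle: rely on websocket-client's default CA bundle and verification`. As a point of style, `resturl.replace("https:", "wss:")` replaces every occurrence rather than the prefix the `startswith` check just validated; `"wss:" + resturl[len("https:"):]` says what is meant. The `reconfigure` method starts and ends outside this hunk.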
@@ -103,18 +127,27 @@ class _PolicyReceiver(Thread):
             if restarting:
                 time.sleep(5)
+            if not self._get_keep_running():
+                break
+
+            with self._lock:
+                web_socket_url = self._web_socket_url
+                sslopt = copy.deepcopy(self._web_socket_sslopt)
+                tls_wss_ca_mode = self._tls_wss_ca_mode
             _PolicyReceiver._logger.info(
-                "connecting to policy-notifications at: %s", self._web_socket_url)
+                "connecting to policy-notifications at %s with sslopt(%s) tls_wss_ca_mode(%s)",
+                web_socket_url, json.dumps(sslopt), tls_wss_ca_mode)
+
             self._web_socket = websocket.WebSocketApp(
-                self._web_socket_url,
+                web_socket_url,
                 on_message=self._on_pdp_message,
                 on_close=self._on_ws_close,
                 on_error=self._on_ws_error
             )
             _PolicyReceiver._logger.info("waiting for policy-notifications...")
-            self._web_socket.run_forever()
+            self._web_socket.run_forever(sslopt=sslopt)
             restarting = True
         _PolicyReceiver._logger.info("exit policy-receiver")
|
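Review bot: The url/sslopt/ca-mode snapshot is taken under `self._lock`, but `self._web_socket` is created and `run_forever(sslopt=sslopt)` started after the lock is released, so a `reconfigure()` that runs in between (its `_stop_notifications()` is outside this hunk, so this is inferred) would close the previous socket while the new one connects with the already-stale `sslopt` and keeps running. If `_stop_notifications()` is what forces a reconnect, the `WebSocketApp` assignment should happen inside the same `with self._lock:` block, or the loop should re-check the snapshot against the current settings after `run_forever` returns. Also, `if not self._get_keep_running(): break` is placed after `time.sleep(5)`, so a stop requested during the back-off still waits the full five seconds; checking before the sleep as well would make shutdown prompt. The `run` method starts outside this hunk.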