Merge pull request #208 from permitio/asaf/per-150-opal-207-support-s…

…elf-signed Fix support in self signed certificates
permitio · Jan 31, 2022 · 60e0c09 · 60e0c09
2 parents 2b7933e + 3fc3636
commit 60e0c09
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 20 deletions.
diff --git a/opal_client/data/updater.py b/opal_client/data/updater.py
@@ -2,8 +2,6 @@
 import hashlib
 import itertools
 import json
-from opal_client.callbacks.reporter import CallbacksReporter
-from opal_client.callbacks.register import CallbackConfig, CallbacksRegister
 from typing import List, Optional, Tuple
 import uuid
 import aiohttp
@@ -13,23 +11,24 @@
 from fastapi_websocket_rpc.rpc_channel import RpcChannel
 
 from opal_common.config import opal_common_config
-from opal_client.config import opal_client_config
-from opal_client.data.fetcher import DataFetcher
-from opal_client.data.rpc import TenantAwareRpcEventClientMethods
-from opal_client.logger import logger
-from opal_client.policy_store.base_policy_store_client import \
-    BasePolicyStoreClient
-from opal_client.policy_store.policy_store_client_factory import \
-    DEFAULT_POLICY_STORE_GETTER
 from opal_common.fetcher.events import FetcherConfig
-from opal_common.fetcher.providers.http_fetch_provider import HttpFetcherConfig
 from opal_common.schemas.data import (DataEntryReport, DataSourceConfig,
                                       DataSourceEntry, DataUpdate,
                                       DataUpdateReport)
 from opal_common.schemas.store import TransactionType
 from opal_common.utils import get_authorization_header
 from opal_common.http import is_http_error_response
 from opal_common.security.sslcontext import get_custom_ssl_context
+from opal_client.callbacks.reporter import CallbacksReporter
+from opal_client.callbacks.register import CallbacksRegister
+from opal_client.config import opal_client_config
+from opal_client.data.fetcher import DataFetcher
+from opal_client.data.rpc import TenantAwareRpcEventClientMethods
+from opal_client.logger import logger
+from opal_client.policy_store.base_policy_store_client import \
+    BasePolicyStoreClient
+from opal_client.policy_store.policy_store_client_factory import \
+    DEFAULT_POLICY_STORE_GETTER
 
 
 class DataUpdater:
@@ -85,6 +84,7 @@ def __init__(self, token: str = None,
         else:
             self._extra_headers = [get_authorization_header(self._token)]
         self._stopping = False
+        # custom SSL context (for self-signed certificates)
         self._custom_ssl_context = get_custom_ssl_context()
         self._ssl_context_kwargs = {'ssl': self._custom_ssl_context} if self._custom_ssl_context is not None else {}
 
@@ -198,7 +198,8 @@ async def _subscriber(self):
             on_connect=[self.on_connect],
             extra_headers=self._extra_headers,
             keep_alive=opal_client_config.KEEP_ALIVE_INTERVAL,
-            server_uri=self._server_url
+            server_uri=self._server_url,
+            **self._ssl_context_kwargs
         )
         async with self._client:
             await self._client.wait_until_done()

diff --git a/opal_client/policy/fetcher.py b/opal_client/policy/fetcher.py
@@ -4,9 +4,10 @@
 from pydantic import ValidationError
 from fastapi import status, HTTPException
 from tenacity import retry, wait, stop
-from opal_common.utils import throw_if_bad_status_code, tuple_to_dict
 
+from opal_common.utils import throw_if_bad_status_code, tuple_to_dict
 from opal_common.utils import get_authorization_header
+from opal_common.security.sslcontext import get_custom_ssl_context
 from opal_common.schemas.policy import PolicyBundle
 from opal_client.logger import logger
 from opal_client.config import opal_client_config
@@ -41,6 +42,9 @@ def __init__(self, backend_url=None, token=None, retry_config=None):
         self._auth_headers = tuple_to_dict(get_authorization_header(self._token))
         self._retry_config = retry_config if retry_config is not None else self.DEFAULT_RETRY_CONFIG
         self._policy_endpoint_url = f"{self._backend_url}/policy"
+        # custom SSL context (for self-signed certificates)
+        self._custom_ssl_context = get_custom_ssl_context()
+        self._ssl_context_kwargs = {'ssl': self._custom_ssl_context} if self._custom_ssl_context is not None else {}
 
     @property
     def policy_endpoint_url(self):
@@ -74,7 +78,8 @@ async def _fetch_policy_bundle(
                 async with session.get(
                     self._policy_endpoint_url,
                     headers={'content-type': 'text/plain', **self._auth_headers},
-                    params=params
+                    params=params,
+                    **self._ssl_context_kwargs
                 ) as response:
                     if response.status == status.HTTP_404_NOT_FOUND:
                         logger.warning("requested paths not found: {paths}", paths=directories)

diff --git a/opal_client/policy/updater.py b/opal_client/policy/updater.py
@@ -13,11 +13,8 @@
 from opal_common.config import opal_common_config
 from opal_common.utils import get_authorization_header
 from opal_common.schemas.policy import PolicyBundle, PolicyUpdateMessage
-from opal_common.topics.utils import (
-    pubsub_topics_from_directories,
-    POLICY_PREFIX,
-    remove_prefix
-)
+from opal_common.security.sslcontext import get_custom_ssl_context
+from opal_common.topics.utils import pubsub_topics_from_directories
 from opal_client.logger import logger
 from opal_client.config import opal_client_config
 from opal_client.policy.fetcher import PolicyFetcher
@@ -83,6 +80,9 @@ def __init__(
         self._callbacks_register = callbacks_register or CallbacksRegister()
         self._callbacks_reporter = CallbacksReporter(self._callbacks_register, self._data_fetcher)
         self._should_send_reports = opal_client_config.SHOULD_REPORT_ON_DATA_UPDATES or False
+        # custom SSL context (for self-signed certificates)
+        self._custom_ssl_context = get_custom_ssl_context()
+        self._ssl_context_kwargs = {'ssl': self._custom_ssl_context} if self._custom_ssl_context is not None else {}
 
     async def __aenter__(self):
         await self.start()
@@ -193,7 +193,8 @@ async def _subscriber(self):
             on_disconnect=[self._on_disconnect],
             extra_headers=self._extra_headers,
             keep_alive=opal_client_config.KEEP_ALIVE_INTERVAL,
-            server_uri=self._server_url
+            server_uri=self._server_url,
+            **self._ssl_context_kwargs
         )
         async with self._client:
             await self._client.wait_until_done()