| 4 | |
| 5 | |
| 6 | class TLSConfig: |
| 7 | """ |
| 8 | TLS configuration. |
| 9 | |
| 10 | Args: |
| 11 | client_cert (tuple of str): Path to client cert, path to client key. |
| 12 | ca_cert (str): Path to CA cert file. |
| 13 | verify (bool or str): This can be a bool or a path to a CA cert |
| 14 | file to verify against. If ``True``, verify using ca_cert; |
| 15 | if ``False`` or not specified, do not verify. |
| 16 | """ |
# Class-level defaults. __init__ always assigns verify and ca_cert, but it
# assigns cert only when a client_cert pair is supplied, so an instance
# built without one reads this None.
cert = ca_cert = verify = None
| 20 | |
def __init__(self, client_cert=None, ca_cert=None, verify=None):
    """Validate and store the TLS parameters.

    Args:
        client_cert: Optional ``(certificate path, key path)`` pair. Both
            entries must be non-empty and name existing files.
        ca_cert: Optional path to a CA certificate file.
        verify: Stored unchanged. The default ``None`` is falsy, and the
            class docstring states that a false or unspecified value
            means no verification is performed.

    Raises:
        errors.TLSParameterError: If ``client_cert`` is an iterable that
            does not unpack into two items, if either path is empty or
            not an existing file, or if ``verify`` is truthy and
            ``ca_cert`` is set but is not an existing file.
    """
    # Parameter names follow the daemon HTTPS options described at
    # https://docs.docker.com/engine/articles/https/
    # Unlike the Docker CLI, a caller can enable TLS here and still skip
    # verification against any public/default CA pool by leaving verify
    # false.

    if client_cert:
        # A client identity needs both halves: certificate and private key.
        try:
            cert_path, key_path = client_cert
        except ValueError:
            raise errors.TLSParameterError(
                'client_cert must be a tuple of'
                ' (client certificate, key file)'
            ) from None

        both_given = cert_path and key_path
        if not both_given or not all(
            os.path.isfile(path) for path in (cert_path, key_path)
        ):
            raise errors.TLSParameterError(
                'Path to a certificate and key files must be provided'
                ' through the client_cert param'
            )
        self.cert = (cert_path, key_path)

    self.verify = verify
    self.ca_cert = ca_cert

    # NOTE: the CA file is checked only when verification was requested.
    # With a falsy verify (including the default None) a ca_cert value is
    # stored without being checked.
    if not (self.verify and self.ca_cert):
        return
    if not os.path.isfile(self.ca_cert):
        raise errors.TLSParameterError(
            'Invalid CA certificate provided for `ca_cert`.'
        )
| 56 | |
| 57 | def configure_client(self, client): |
| 58 | """ |
| 59 | Configure a client with these TLS options. |
| 60 | """ |
| 61 | if self.verify and self.ca_cert: |
| 62 | client.verify = self.ca_cert |
| 63 | else: |