Add TLS support

WebOfTrust · Sep 7, 2023 · ecb4fbc · ecb4fbc
1 parent 46b774b
commit ecb4fbc
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 9 deletions.
diff --git a/src/keria/app/agenting.py b/src/keria/app/agenting.py
@@ -17,7 +17,7 @@
 import falcon
 from falcon import media
 from hio.base import doing
-from hio.core import http
+from hio.core import http, tcp
 from hio.help import decking
 from keri.app import configing, keeping, habbing, storing, signaling, oobiing, agenting, delegating, \
     forwarding, querying, connecting
@@ -46,15 +46,17 @@
 logger = ogler.getLogger()
 
 
-def setup(name, bran, adminPort, bootPort, base='', httpPort=None, configFile=None, configDir=None):
+def setup(name, bran, adminPort, bootPort, base='', httpPort=None, configFile=None, configDir=None,
+          keypath=None, certpath=None, cafilepath=None):
     """ Set up an ahab in Signify mode """
 
     agency = Agency(name=name, base=base, bran=bran, configFile=configFile, configDir=configDir)
     bootApp = falcon.App(middleware=falcon.CORSMiddleware(
         allow_origins='*', allow_credentials='*',
         expose_headers=['cesr-attachment', 'cesr-date', 'content-type', 'signature', 'signature-input',
                         'signify-resource', 'signify-timestamp']))
-    bootServer = http.Server(port=bootPort, app=bootApp)
+
+    bootServer = createHttpServer(bootPort, bootApp, keypath, certpath, cafilepath)
     bootServerDoer = http.ServerDoer(server=bootServer)
     bootEnd = BootEnd(agency)
     bootApp.add_route("/boot", bootEnd)
@@ -72,7 +74,7 @@ def setup(name, bran, adminPort, bootPort, base='', httpPort=None, configFile=No
     app.req_options.media_handlers.update(media.Handlers())
     app.resp_options.media_handlers.update(media.Handlers())
 
-    adminServer = http.Server(port=adminPort, app=app)
+    adminServer = createHttpServer(adminPort, app, keypath, certpath, cafilepath)
     adminServerDoer = http.ServerDoer(server=adminServer)
 
     doers = [agency, bootServerDoer, adminServerDoer]
@@ -93,7 +95,7 @@ def setup(name, bran, adminPort, bootPort, base='', httpPort=None, configFile=No
         ending.loadEnds(agency=agency, app=happ)
         indirecting.loadEnds(agency=agency, app=happ)
 
-        server = http.Server(port=httpPort, app=happ)
+        server = createHttpServer(httpPort, happ, keypath, certpath, cafilepath)
         httpServerDoer = http.ServerDoer(server=server)
         doers.append(httpServerDoer)
 
@@ -108,6 +110,31 @@ def setup(name, bran, adminPort, bootPort, base='', httpPort=None, configFile=No
     return doers
 
 
+def createHttpServer(port, app, keypath, certpath, cafilepath):
+    """
+    Create an HTTP or HTTPS server depending on whether TLS key material is present
+
+    Parameters:
+        port (int)         : port to listen on for all HTTP(s) server instances
+        app (falcon.App)   : application instance to pass to the http.Server instance
+        keypath (string)   : the file path to the TLS private key
+        certpath (string)  : the file path to the TLS signed certificate (public key)
+        cafilepath (string): the file path to the TLS CA certificate chain file
+    Returns:
+        hio.core.http.Server
+    """
+    if keypath is not None and certpath is not None and cafilepath is not None:
+        servant = tcp.ServerTls(certify=False,
+                                keypath=keypath,
+                                certpath=certpath,
+                                cafilepath=cafilepath,
+                                port=port)
+        server = http.Server(port=port, app=app, servant=servant)
+    else:
+        server = http.Server(port=port, app=app)
+    return server
+
+
 class Agency(doing.DoDoer):
     """
     Agency

diff --git a/src/keria/app/cli/commands/start.py b/src/keria/app/cli/commands/start.py
@@ -54,6 +54,12 @@
                     action="store",
                     default=None,
                     help="directory override for configuration data")
+parser.add_argument("--keypath", action="store", required=False, default=None,
+                    help="TLS server private key file")
+parser.add_argument("--certpath", action="store", required=False, default=None,
+                    help="TLS server signed certificate (public key) file")
+parser.add_argument("--cafilepath", action="store", required=False, default=None,
+                    help="TLS server CA certificate chain")
 
 
 def launch(args):
@@ -72,16 +78,19 @@ def launch(args):
              http=int(args.http),
              boot=int(args.boot),
              configFile=args.configFile,
-             configDir=args.configDir)
+             configDir=args.configDir,
+             keypath=args.keypath,
+             certpath=args.certpath,
+             cafilepath=args.cafilepath)
 
     logger.info("******* Ended Agent for %s listening: admin/%s, http/%s"
                 ".******", args.name, args.admin, args.http)
 
 
 def runAgent(name="ahab", base="", bran="", admin=3901, http=3902, boot=3903, configFile=None,
-             configDir=None, expire=0.0):
+             configDir=None, keypath=None, certpath=None, cafilepath=None, expire=0.0):
     """
-    Setup and run one witness
+    Setup and run a KERIA Agency
     """
 
     doers = []
@@ -90,6 +99,9 @@ def runAgent(name="ahab", base="", bran="", admin=3901, http=3902, boot=3903, co
                                 httpPort=http,
                                 bootPort=boot,
                                 configFile=configFile,
-                                configDir=configDir))
+                                configDir=configDir,
+                                keypath=keypath,
+                                certpath=certpath,
+                                cafilepath=cafilepath))
 
     directing.runController(doers=doers, expire=expire)