From ecb4fbc04322492c48ec574ecf3675c24027acf5 Mon Sep 17 00:00:00 2001
From: Kent Bull
Date: Wed, 6 Sep 2023 19:50:30 -0600
Subject: [PATCH] Add TLS support
---
 src/keria/app/agenting.py | 37 +++++++++++++++++++++++++----
 src/keria/app/cli/commands/start.py | 20 ++++++++++++----
 2 files changed, 48 insertions(+), 9 deletions(-)
diff --git a/src/keria/app/agenting.py b/src/keria/app/agenting.py
index 588aeebe..a4219c12 100644
--- a/src/keria/app/agenting.py
+++ b/src/keria/app/agenting.py
@@ -17,7 +17,7 @@
 import falcon
 from falcon import media
 from hio.base import doing
-from hio.core import http
+from hio.core import http, tcp
 from hio.help import decking
 from keri.app import configing, keeping, habbing, storing, signaling, oobiing, agenting, delegating, \
 forwarding, querying, connecting
@@ -46,7 +46,8 @@
 logger = ogler.getLogger()
-def setup(name, bran, adminPort, bootPort, base='', httpPort=None, configFile=None, configDir=None):
+def setup(name, bran, adminPort, bootPort, base='', httpPort=None, configFile=None, configDir=None,
+ keypath=None, certpath=None, cafilepath=None):
 """ Set up an ahab in Signify mode """
 agency = Agency(name=name, base=base, bran=bran, configFile=configFile, configDir=configDir)
@@ -54,7 +55,8 @@ def setup(name, bran, adminPort, bootPort, base='', httpPort=None, configFile=No
 allow_origins='*', allow_credentials='*',
 expose_headers=['cesr-attachment', 'cesr-date', 'content-type', 'signature', 'signature-input', 'signify-resource', 'signify-timestamp']))
- bootServer = http.Server(port=bootPort, app=bootApp)
+
+ bootServer = createHttpServer(bootPort, bootApp, keypath, certpath, cafilepath)
 bootServerDoer = http.ServerDoer(server=bootServer)
 bootEnd = BootEnd(agency)
 bootApp.add_route("/boot", bootEnd)
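Review bot: The one-line docstring `""" Set up an ahab in Signify mode """` in the @@ -46 hunk is left as is although setup's signature gains keypath, certpath and cafilepath, so a caller has to read createHttpServer to learn that the three are only honoured together. Extend it along the lines of `""" Set up an ahab in Signify mode; when keypath, certpath and cafilepath are all given, the boot, admin and agent HTTP servers are created with TLS """`. setup's body continues past the end of this hunk into the next section of the patch.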
@@ -72,7 +74,7 @@ def setup(name, bran, adminPort, bootPort, base='', httpPort=None, configFile=No
 app.req_options.media_handlers.update(media.Handlers())
 app.resp_options.media_handlers.update(media.Handlers())
- adminServer = http.Server(port=adminPort, app=app)
+ adminServer = createHttpServer(adminPort, app, keypath, certpath, cafilepath)
 adminServerDoer = http.ServerDoer(server=adminServer)
 doers = [agency, bootServerDoer, adminServerDoer]
@@ -93,7 +95,7 @@ def setup(name, bran, adminPort, bootPort, base='', httpPort=None, configFile=No
 ending.loadEnds(agency=agency, app=happ)
 indirecting.loadEnds(agency=agency, app=happ)
- server = http.Server(port=httpPort, app=happ)
+ server = createHttpServer(httpPort, happ, keypath, certpath, cafilepath)
 httpServerDoer = http.ServerDoer(server=server)
 doers.append(httpServerDoer)
@@ -108,6 +110,31 @@ def setup(name, bran, adminPort, bootPort, base='', httpPort=None, configFile=No
 return doers
+def createHttpServer(port, app, keypath, certpath, cafilepath):
+ """
+ Create an HTTP or HTTPS server depending on whether TLS key material is present
+
+ Parameters:
+ port (int) : port to listen on for all HTTP(s) server instances
+ app (falcon.App) : application instance to pass to the http.Server instance
+ keypath (string) : the file path to the TLS private key
+ certpath (string) : the file path to the TLS signed certificate (public key)
+ cafilepath (string): the file path to the TLS CA certificate chain file
+ Returns:
+ hio.core.http.Server
+ """
+ if keypath is not None and certpath is not None and cafilepath is not None:
+ servant = tcp.ServerTls(certify=False,
+ keypath=keypath,
+ certpath=certpath,
+ cafilepath=cafilepath,
+ port=port)
+ server = http.Server(port=port, app=app, servant=servant)
+ else:
+ server = http.Server(port=port, app=app)
+ return server
+
+
 class Agency(doing.DoDoer):
 """
 Agency
diff --git a/src/keria/app/cli/commands/start.py b/src/keria/app/cli/commands/start.py
index 92fd3e30..7381e024 100644
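Review bot: createHttpServer silently falls back to plaintext HTTP whenever only some of keypath, certpath and cafilepath are set, so a start with --keypath and --certpath but no --cafilepath serves the admin, boot and agent ports unencrypted with no error or log line to show it. Partial TLS material should fail closed rather than degrade: before the `if` add `paths = (keypath, certpath, cafilepath)` and `if any(p is not None for p in paths) and not all(p is not None for p in paths): raise ValueError("TLS requires keypath, certpath and cafilepath together")`. The same gap reaches the start.py hunks in the next section, whose parser accepts any subset of the three options. Separately, `certify=False` on tcp.ServerTls presumably disables client-certificate verification, so cafilepath is not authenticating clients here; the docstring should say that the server presents but does not require certificates, and the line `port to listen on for all HTTP(s) server instances` should read `port to listen on for this server instance`, since each call builds exactly one server.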
--- a/src/keria/app/cli/commands/start.py
+++ b/src/keria/app/cli/commands/start.py
@@ -54,6 +54,12 @@
 action="store", default=None,
 help="directory override for configuration data")
+parser.add_argument("--keypath", action="store", required=False, default=None,
+ help="TLS server private key file")
+parser.add_argument("--certpath", action="store", required=False, default=None,
+ help="TLS server signed certificate (public key) file")
+parser.add_argument("--cafilepath", action="store", required=False, default=None,
+ help="TLS server CA certificate chain")
 def launch(args):
@@ -72,16 +78,19 @@ def launch(args):
 http=int(args.http),
 boot=int(args.boot),
 configFile=args.configFile,
- configDir=args.configDir)
+ configDir=args.configDir,
+ keypath=args.keypath,
+ certpath=args.certpath,
+ cafilepath=args.cafilepath)
 logger.info("******* Ended Agent for %s listening: admin/%s, http/%s"
 ".******", args.name, args.admin, args.http)
 def runAgent(name="ahab", base="", bran="", admin=3901, http=3902, boot=3903, configFile=None,
- configDir=None, expire=0.0):
+ configDir=None, keypath=None, certpath=None, cafilepath=None, expire=0.0):
 """
- Setup and run one witness
+ Setup and run a KERIA Agency
 """
 doers = []
@@ -90,6 +99,9 @@ def runAgent(name="ahab", base="", bran="", admin=3901, http=3902, boot=3903, co
 httpPort=http,
 bootPort=boot,
 configFile=configFile,
- configDir=configDir))
+ configDir=configDir,
+ keypath=keypath,
+ certpath=certpath,
+ cafilepath=cafilepath))
 directing.runController(doers=doers, expire=expire)
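Review bot: The help strings for `--keypath`, `--certpath` and `--cafilepath` in the @@ -54 hunk present them as three independent options, but TLS is only enabled when all three are given, so an operator who passes two of them gets plaintext listeners without any hint from the CLI. Make the dependency visible in the help text, e.g. `help="TLS server private key file (TLS is enabled only when --keypath, --certpath and --cafilepath are all given)"`, and the matching phrase on the other two; a `parser.error(...)` in launch for a partial set would make the CLI fail early, but the all-or-nothing check itself belongs in createHttpServer in agenting.py. The new runAgent docstring in the @@ -72 hunk could also list keypath, certpath and cafilepath; runAgent's body continues into the @@ -90 hunk.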