mirror of
https://github.com/ansible-collections/community.docker.git
synced 2025-12-15 11:32:05 +00:00
1f2817fa20
* Bump version to 5.0.0-a1. * Drop support for ansible-core 2.15 and 2.16. * Remove Python 2 and early Python 3 compatibility.
102 lines
3.4 KiB
Python
102 lines
3.4 KiB
Python
# -*- coding: utf-8 -*-
|
|
# This code is part of the Ansible collection community.docker, but is an independent component.
|
|
# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
|
|
#
|
|
# Copyright (c) 2016-2022 Docker, Inc.
|
|
#
|
|
# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
|
|
from __future__ import annotations
|
|
|
|
import os
|
|
import ssl
|
|
|
|
from . import errors
|
|
from .transport.ssladapter import SSLHTTPAdapter
|
|
|
|
|
|
class TLSConfig(object):
|
|
"""
|
|
TLS configuration.
|
|
|
|
Args:
|
|
client_cert (tuple of str): Path to client cert, path to client key.
|
|
ca_cert (str): Path to CA cert file.
|
|
verify (bool or str): This can be ``False`` or a path to a CA cert
|
|
file.
|
|
ssl_version (int): A valid `SSL version`_.
|
|
assert_hostname (bool): Verify the hostname of the server.
|
|
|
|
.. _`SSL version`:
|
|
https://docs.python.org/3.5/library/ssl.html#ssl.PROTOCOL_TLSv1
|
|
"""
|
|
cert = None
|
|
ca_cert = None
|
|
verify = None
|
|
ssl_version = None
|
|
|
|
def __init__(self, client_cert=None, ca_cert=None, verify=None,
|
|
ssl_version=None, assert_hostname=None):
|
|
# Argument compatibility/mapping with
|
|
# https://docs.docker.com/engine/articles/https/
|
|
# This diverges from the Docker CLI in that users can specify 'tls'
|
|
# here, but also disable any public/default CA pool verification by
|
|
# leaving verify=False
|
|
|
|
self.assert_hostname = assert_hostname
|
|
|
|
# If the user provides an SSL version, we should use their preference
|
|
if ssl_version:
|
|
self.ssl_version = ssl_version
|
|
else:
|
|
self.ssl_version = ssl.PROTOCOL_TLS_CLIENT
|
|
|
|
# "client_cert" must have both or neither cert/key files. In
|
|
# either case, Alert the user when both are expected, but any are
|
|
# missing.
|
|
|
|
if client_cert:
|
|
try:
|
|
tls_cert, tls_key = client_cert
|
|
except ValueError:
|
|
raise errors.TLSParameterError(
|
|
'client_cert must be a tuple of'
|
|
' (client certificate, key file)'
|
|
)
|
|
|
|
if not (tls_cert and tls_key) or (not os.path.isfile(tls_cert) or
|
|
not os.path.isfile(tls_key)):
|
|
raise errors.TLSParameterError(
|
|
'Path to a certificate and key files must be provided'
|
|
' through the client_cert param'
|
|
)
|
|
self.cert = (tls_cert, tls_key)
|
|
|
|
# If verify is set, make sure the cert exists
|
|
self.verify = verify
|
|
self.ca_cert = ca_cert
|
|
if self.verify and self.ca_cert and not os.path.isfile(self.ca_cert):
|
|
raise errors.TLSParameterError(
|
|
'Invalid CA certificate provided for `ca_cert`.'
|
|
)
|
|
|
|
def configure_client(self, client):
|
|
"""
|
|
Configure a client with these TLS options.
|
|
"""
|
|
client.ssl_version = self.ssl_version
|
|
|
|
if self.verify and self.ca_cert:
|
|
client.verify = self.ca_cert
|
|
else:
|
|
client.verify = self.verify
|
|
|
|
if self.cert:
|
|
client.cert = self.cert
|
|
|
|
client.mount('https://', SSLHTTPAdapter(
|
|
ssl_version=self.ssl_version,
|
|
assert_hostname=self.assert_hostname,
|
|
))
|