From 6af9cd04c9c35404c056f326c1702f0594e44f11 Mon Sep 17 00:00:00 2001
From: Oscar Krause
Date: Tue, 22 Apr 2025 14:38:05 +0200
Subject: [PATCH] added variable for custom cert path

---
 README.md | 27 ++++++++++++++-------------
 app/main.py | 3 ++-
 app/util.py | 10 +++++++---
 3 files changed, 23 insertions(+), 17 deletions(-)

diff --git a/README.md b/README.md
index 43a5490..fe20827 100644
--- a/README.md
+++ b/README.md
@@ -417,19 +417,20 @@ After first success you have to replace `--issue` with `--renew`.
 # Configuration
-| Variable | Default | Usage |
-|--------------------------|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------|
-| `DEBUG` | `false` | Toggles `fastapi` debug mode |
-| `DLS_URL` | `localhost` | Used in client-token to tell guest driver where dls instance is reachable |
-| `DLS_PORT` | `443` | Used in client-token to tell guest driver where dls instance is reachable |
-| `TOKEN_EXPIRE_DAYS` | `1` | Client auth-token validity (used for authenticate client against api, **not `.tok` file!**) |
-| `LEASE_EXPIRE_DAYS` | `90` | Lease time in days |
-| `LEASE_RENEWAL_PERIOD` | `0.15` | The percentage of the lease period that must elapse before a licensed client can renew a license \*1 |
-| `DATABASE` | `sqlite:///db.sqlite` | See [official SQLAlchemy docs](https://docs.sqlalchemy.org/en/14/core/engines.html) |
-| `CORS_ORIGINS` | `https://{DLS_URL}` | Sets `Access-Control-Allow-Origin` header (comma separated string) \*2 |
-| `SITE_KEY_XID` | `00000000-0000-0000-0000-000000000000` | Site identification uuid |
-| `INSTANCE_REF` | `10000000-0000-0000-0000-000000000001` | Instance identification uuid |
-| `ALLOTMENT_REF` | `20000000-0000-0000-0000-000000000001` | Allotment identification uuid | |
+| Variable | Default | Usage |
+|------------------------|----------------------------------------|------------------------------------------------------------------------------------------------------|
+| `DEBUG` | `false` | Toggles `fastapi` debug mode |
+| `DLS_URL` | `localhost` | Used in client-token to tell guest driver where dls instance is reachable |
+| `DLS_PORT` | `443` | Used in client-token to tell guest driver where dls instance is reachable |
+| `CERT_PATH` | `None` | Path to a Directory where generated Certificates are stored. Defaults to `//cert`. |
+| `TOKEN_EXPIRE_DAYS` | `1` | Client auth-token validity (used for authenticate client against api, **not `.tok` file!**) |
+| `LEASE_EXPIRE_DAYS` | `90` | Lease time in days |
+| `LEASE_RENEWAL_PERIOD` | `0.15` | The percentage of the lease period that must elapse before a licensed client can renew a license \*1 |
+| `DATABASE` | `sqlite:///db.sqlite` | See [official SQLAlchemy docs](https://docs.sqlalchemy.org/en/14/core/engines.html) |
+| `CORS_ORIGINS` | `https://{DLS_URL}` | Sets `Access-Control-Allow-Origin` header (comma separated string) \*2 |
+| `SITE_KEY_XID` | `00000000-0000-0000-0000-000000000000` | Site identification uuid |
+| `INSTANCE_REF` | `10000000-0000-0000-0000-000000000001` | Instance identification uuid |
+| `ALLOTMENT_REF` | `20000000-0000-0000-0000-000000000001` | Allotment identification uuid |
 \*1 For example, if the lease period is one day and the renewal period is 20%, the client attempts to renew its license every 4.8 hours. If network connectivity is lost, the loss of connectivity is detected during license renewal and the
diff --git a/app/main.py b/app/main.py
index dcdcba8..9278936 100644
--- a/app/main.py
+++ b/app/main.py
@@ -40,6 +40,7 @@ db_init(db), migrate(db)
 # Load DLS variables (all prefixed with "INSTANCE_*" is used as "SERVICE_INSTANCE_*" or "SI_*" in official dls service)
 DLS_URL = str(env('DLS_URL', 'localhost'))
 DLS_PORT = int(env('DLS_PORT', '443'))
+CERT_PATH = str(env('CERT_PATH', None))
 SITE_KEY_XID = str(env('SITE_KEY_XID', '00000000-0000-0000-0000-000000000000'))
 INSTANCE_REF = str(env('INSTANCE_REF', '10000000-0000-0000-0000-000000000001'))
 ALLOTMENT_REF = str(env('ALLOTMENT_REF', '20000000-0000-0000-0000-000000000001'))
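Review bot: `CERT_PATH = str(env('CERT_PATH', None))` turns an unset variable into the literal string `'None'`, so `CASetup` never receives the documented default of `None` and only lands on the bundled `cert` directory because `isdir('None')` happens to be false — a directory literally named `None` in the working directory would be picked up as the certificate store. Drop the `str()` wrapper so the real default reaches the constructor, `CERT_PATH = env('CERT_PATH', None)`, assuming `env` returns the raw value or the default as the neighbouring lines suggest. That also makes the `cert_path is not None` guard in `CASetup.__init__` meaningful instead of dead.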
@@ -53,7 +54,7 @@ DT_FORMAT = '%Y-%m-%dT%H:%M:%S.%fZ'
 PRODUCT_MAPPING = ProductMapping(filename=join(dirname(__file__), 'static/product_mapping.json'))
 # Create certificate chain and signing keys
-ca_setup = CASetup(service_instance_ref=INSTANCE_REF)
+ca_setup = CASetup(service_instance_ref=INSTANCE_REF, cert_path=CERT_PATH)
 my_root_private_key = PrivateKey.from_file(ca_setup.root_private_key_filename)
 my_root_public_key = my_root_private_key.public_key()
 my_root_certificate = Cert.from_file(ca_setup.root_certificate_filename)
diff --git a/app/util.py b/app/util.py
index f112000..ac58f74 100644
--- a/app/util.py
+++ b/app/util.py
@@ -1,7 +1,7 @@
 import logging
 from datetime import datetime, UTC, timedelta
 from json import loads as json_loads
-from os.path import join, dirname, isfile
+from os.path import join, dirname, isfile, isdir
 from cryptography import x509
 from cryptography.hazmat._oid import NameOID
@@ -38,9 +38,13 @@ class CASetup:
 SI_PRIVATE_KEY_FILENAME = 'si_private_key.pem'
 SI_CERTIFICATE_FILENAME = 'si_certificate.pem'
- def __init__(self, service_instance_ref: str):
+ def __init__(self, service_instance_ref: str, cert_path: str = None):
+ cert_path_prefix = join(dirname(__file__), 'cert')
+ if cert_path is not None and len(cert_path) > 0 and isdir(cert_path):
+ cert_path_prefix = cert_path
+
 self.service_instance_ref = service_instance_ref
- self.root_private_key_filename = join(dirname(__file__), 'cert', CASetup.ROOT_PRIVATE_KEY_FILENAME)
+ self.root_private_key_filename = join(cert_path_prefix, CASetup.ROOT_PRIVATE_KEY_FILENAME)
 self.root_certificate_filename = join(dirname(__file__), 'cert', CASetup.ROOT_CERTIFICATE_FILENAME)
 self.ca_private_key_filename = join(dirname(__file__), 'cert', CASetup.CA_PRIVATE_KEY_FILENAME)
 self.ca_certificate_filename = join(dirname(__file__), 'cert', CASetup.CA_CERTIFICATE_FILENAME)
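Review bot: Only `root_private_key_filename` honours `cert_path_prefix`; the `root_certificate_filename`, `ca_private_key_filename` and `ca_certificate_filename` assignments in the same hunk still use `join(dirname(__file__), 'cert', …)`, so a custom `CERT_PATH` splits the chain — the root private key is read from or generated into the custom directory while the certificates and the CA key stay in the package's `cert` folder, and a persisted `CERT_PATH` volume will not hold a certificate matching the key it does contain. Every filename assignment should use `cert_path_prefix`, including the `si_*` assignments that continue past the end of the hunk. The silent fallback when `cert_path` is set but not a directory is also worth making loud: a typo in `CERT_PATH` means CA key material is quietly written to the default location instead of the volume the operator intended, so raising at startup (or at least logging a warning) makes the misconfiguration visible. `cert_path: str = None` should be annotated `str | None`; the file already relies on 3.11+ (`datetime.UTC` in the first hunk).
```python
    def __init__(self, service_instance_ref: str, cert_path: str | None = None):
        cert_path_prefix = join(dirname(__file__), 'cert')
        if cert_path:
            if not isdir(cert_path):
                raise NotADirectoryError(f'CERT_PATH "{cert_path}" does not exist or is not a directory')
            cert_path_prefix = cert_path

        self.service_instance_ref = service_instance_ref
        self.root_private_key_filename = join(cert_path_prefix, CASetup.ROOT_PRIVATE_KEY_FILENAME)
        self.root_certificate_filename = join(cert_path_prefix, CASetup.ROOT_CERTIFICATE_FILENAME)
        self.ca_private_key_filename = join(cert_path_prefix, CASetup.CA_PRIVATE_KEY_FILENAME)
        self.ca_certificate_filename = join(cert_path_prefix, CASetup.CA_CERTIFICATE_FILENAME)
        # … unchanged: si_* filename assignments (continue past the hunk, same prefix applies) …
```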