added variable for custom cert path

2025-04-22 14:38:05 +02:00 · 2025-04-22 14:38:05 +02:00 · 6af9cd04c9
commit 6af9cd04c9
parent 29268b1658
3 changed files with 23 additions and 17 deletions
--- a/README.md
+++ b/README.md
@ -418,10 +418,11 @@ After first success you have to replace `--issue` with `--renew`.
 # Configuration

 | Variable               | Default                                | Usage                                                                                                |
-|--------------------------|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------|
+|------------------------|----------------------------------------|------------------------------------------------------------------------------------------------------|
 | `DEBUG`                | `false`                                | Toggles `fastapi` debug mode                                                                         |
 | `DLS_URL`              | `localhost`                            | Used in client-token to tell guest driver where dls instance is reachable                            |
 | `DLS_PORT`             | `443`                                  | Used in client-token to tell guest driver where dls instance is reachable                            |
+| `CERT_PATH`            | `None`                                 | Path to a Directory where generated Certificates are stored. Defaults to `/<app-dir>/cert`.          |
 | `TOKEN_EXPIRE_DAYS`    | `1`                                    | Client auth-token validity (used for authenticate client against api, **not `.tok` file!**)          |
 | `LEASE_EXPIRE_DAYS`    | `90`                                   | Lease time in days                                                                                   |
 | `LEASE_RENEWAL_PERIOD` | `0.15`                                 | The percentage of the lease period that must elapse before a licensed client can renew a license \*1 |
@ -429,7 +430,7 @@ After first success you have to replace `--issue` with `--renew`.
 | `CORS_ORIGINS`         | `https://{DLS_URL}`                    | Sets `Access-Control-Allow-Origin` header (comma separated string) \*2                               |
 | `SITE_KEY_XID`         | `00000000-0000-0000-0000-000000000000` | Site identification uuid                                                                             |
 | `INSTANCE_REF`         | `10000000-0000-0000-0000-000000000001` | Instance identification uuid                                                                         |
-| `ALLOTMENT_REF`          | `20000000-0000-0000-0000-000000000001` | Allotment identification uuid                                                                                                       | |
+| `ALLOTMENT_REF`        | `20000000-0000-0000-0000-000000000001` | Allotment identification uuid                                                                        |

 \*1 For example, if the lease period is one day and the renewal period is 20%, the client attempts to renew its license
 every 4.8 hours. If network connectivity is lost, the loss of connectivity is detected during license renewal and the
--- a/app/main.py
+++ b/app/main.py
@ -40,6 +40,7 @@ db_init(db), migrate(db)
 # Load DLS variables (all prefixed with "INSTANCE_*" is used as "SERVICE_INSTANCE_*" or "SI_*" in official dls service)
 DLS_URL = str(env('DLS_URL', 'localhost'))
 DLS_PORT = int(env('DLS_PORT', '443'))
+CERT_PATH = str(env('CERT_PATH', None))
 SITE_KEY_XID = str(env('SITE_KEY_XID', '00000000-0000-0000-0000-000000000000'))
 INSTANCE_REF = str(env('INSTANCE_REF', '10000000-0000-0000-0000-000000000001'))
 ALLOTMENT_REF = str(env('ALLOTMENT_REF', '20000000-0000-0000-0000-000000000001'))
@ -53,7 +54,7 @@ DT_FORMAT = '%Y-%m-%dT%H:%M:%S.%fZ'
 PRODUCT_MAPPING = ProductMapping(filename=join(dirname(__file__), 'static/product_mapping.json'))

 # Create certificate chain and signing keys
-ca_setup = CASetup(service_instance_ref=INSTANCE_REF)
+ca_setup = CASetup(service_instance_ref=INSTANCE_REF, cert_path=CERT_PATH)
 my_root_private_key = PrivateKey.from_file(ca_setup.root_private_key_filename)
 my_root_public_key = my_root_private_key.public_key()
 my_root_certificate = Cert.from_file(ca_setup.root_certificate_filename)
--- a/app/util.py
+++ b/app/util.py
@ -1,7 +1,7 @@
 import logging
 from datetime import datetime, UTC, timedelta
 from json import loads as json_loads
-from os.path import join, dirname, isfile
+from os.path import join, dirname, isfile, isdir

 from cryptography import x509
 from cryptography.hazmat._oid import NameOID
@ -38,9 +38,13 @@ class CASetup:
    SI_PRIVATE_KEY_FILENAME = 'si_private_key.pem'
    SI_CERTIFICATE_FILENAME = 'si_certificate.pem'

-    def __init__(self, service_instance_ref: str):
+    def __init__(self, service_instance_ref: str, cert_path: str = None):
+        cert_path_prefix = join(dirname(__file__), 'cert')
+        if cert_path is not None and len(cert_path) > 0 and isdir(cert_path):
+            cert_path_prefix = cert_path
+
        self.service_instance_ref = service_instance_ref
-        self.root_private_key_filename = join(dirname(__file__), 'cert', CASetup.ROOT_PRIVATE_KEY_FILENAME)
+        self.root_private_key_filename = join(cert_path_prefix, CASetup.ROOT_PRIVATE_KEY_FILENAME)
        self.root_certificate_filename = join(dirname(__file__), 'cert', CASetup.ROOT_CERTIFICATE_FILENAME)
        self.ca_private_key_filename = join(dirname(__file__), 'cert', CASetup.CA_PRIVATE_KEY_FILENAME)
        self.ca_certificate_filename = join(dirname(__file__), 'cert', CASetup.CA_CERTIFICATE_FILENAME)