plugin/builder: TLS/SSL support (client side certs)

Add support for client side certificates via a new configuration option: "ssl_cert", which should be a path to the certificate or a comma separated list of paths to certificates. Additionally, the "ssl_verify" option controls how the server certificate is validated. This can either be a boolean ("True", "False") or a path to a CA file. NB: The url for the composer host must contain "https" for the ssl/tls engine to kick in. When used as a stand-alone koji API client, two new command line options are provided, --cert and --ca. See their help text for a description.
2020-09-16 12:46:35 +02:00 · 2020-09-16 12:46:35 +02:00 · db82105eb0
commit db82105eb0
parent 790462e967
1 changed files with 27 additions and 0 deletions
--- a/plugins/builder/osbuild.py
+++ b/plugins/builder/osbuild.py
@ -220,6 +220,21 @@ class OSBuildImage(BaseTaskHandler):
        self.koji_url = cfg["koji"]["url"]
        self.client = Client(self.composer_url)

+        composer = cfg["composer"]
+
+        if "ssl_cert" in composer:
+            data = cfg["composer"]["ssl_cert"]
+            cert = [s.strip() for s in data.split(',')]
+            self.client.http.cert = cert
+
+        if "ssl_verify" in composer:
+            try:
+                val = composer.getboolean("ssl_verify")
+            except ValueError:
+                val = composer["ssl_verify"]
+
+            self.client.http.verify = val
+
    @staticmethod
    def arches_for_config(buildconfig: Dict):
        archstr = buildconfig["arches"]
@ -379,6 +394,10 @@ def main():
                        action="append", type=str, default=[])
    subpar.add_argument("--koji", metavar="URL", help='The koji url',
                        default=DEFAULT_KOJIHUB_URL)
+    subpar.add_argument("--cert", metavar="cert", help='The client SSL certificates to use',
+                        type=str, action="append", default=[])
+    subpar.add_argument("--ca", metavar="ca", help='The SSL certificate authority',
+                        type=str)
    subpar.set_defaults(cmd='compose')

    subpar = sp.add_parser("status", help='status of a compose')
@ -398,6 +417,14 @@ def main():

    client = Client(args.url)

+    if args.cert:
+        print("Using client certificates")
+        client.http.cert = args.cert
+        client.http.verify = True
+
+    if args.ca:
+        client.http.verify = args.ca
+
    if args.cmd == "compose":
        return compose_cmd(client, args)
    if args.cmd == "status":