1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
import os
from . import errors
from .ssladapter import ssladapter
class TLSConfig(object):
cert = None
verify = None
ssl_version = None
def __init__(self, client_cert=None, ca_cert=None, verify=None,
ssl_version=None):
# Argument compatibility/mapping with
# http://docs.docker.com/examples/https/
# This diverges from the Docker CLI in that users can specify 'tls'
# here, but also disable any public/default CA pool verification by
# leaving tls_verify=False
# urllib3 sets a default ssl_version if ssl_version is None
# http://tinyurl.com/kxga8hb
self.ssl_version = ssl_version
# "tls" and "tls_verify" must have both or neither cert/key files
# In either case, Alert the user when both are expected, but any are
# missing.
if client_cert:
try:
tls_cert, tls_key = client_cert
except ValueError:
raise errors.TLSParameterError(
'client_config must be a tuple of'
' (client certificate, key file)'
)
if not (tls_cert and tls_key) or (not os.path.isfile(tls_cert) or
not os.path.isfile(tls_key)):
raise errors.TLSParameterError(
'Path to a certificate and key files must be provided'
' through the client_config param'
)
self.cert = (tls_cert, tls_key)
# Either set verify to True (public/default CA checks) or to the
# path of a CA Cert file.
if verify is not None:
if not ca_cert:
self.verify = verify
elif os.path.isfile(ca_cert):
if not verify:
raise errors.TLSParameterError(
'verify can not be False when a CA cert is'
' provided.'
)
self.verify = ca_cert
else:
raise errors.TLSParameterError(
'Invalid CA certificate provided for `tls_ca_cert`.'
)
def configure_client(self, client):
client.ssl_version = self.ssl_version
if self.verify is not None:
client.verify = self.verify
if self.cert:
client.cert = self.cert
client.mount('https://', ssladapter.SSLAdapter(self.ssl_version))