docker/tls.py - external/github.com/docker/docker-py - Git at Google

 import os
 import ssl

 from . import errors
 from .transport import SSLHTTPAdapter


 class TLSConfig:
     """
     TLS configuration.

     Args:
         client_cert (tuple of str): Path to client cert, path to client key.
         ca_cert (str): Path to CA cert file.
         verify (bool or str): This can be ``False`` or a path to a CA cert
             file.
         ssl_version (int): A valid `SSL version`_.
         assert_hostname (bool): Verify the hostname of the server.

     .. _`SSL version`:
         https://docs.python.org/3.5/library/ssl.html#ssl.PROTOCOL_TLSv1
     """
     cert = None
     ca_cert = None
     verify = None
     ssl_version = None

     def __init__(self, client_cert=None, ca_cert=None, verify=None,
                  ssl_version=None, assert_hostname=None,
                  assert_fingerprint=None):
         # Argument compatibility/mapping with
         # https://docs.docker.com/engine/articles/https/
         # This diverges from the Docker CLI in that users can specify 'tls'
         # here, but also disable any public/default CA pool verification by
         # leaving verify=False

         self.assert_hostname = assert_hostname
         self.assert_fingerprint = assert_fingerprint

         # TODO(dperny): according to the python docs, PROTOCOL_TLSvWhatever is
         # depcreated, and it's recommended to use OPT_NO_TLSvWhatever instead
         # to exclude versions. But I think that might require a bigger
         # architectural change, so I've opted not to pursue it at this time

         # If the user provides an SSL version, we should use their preference
         if ssl_version:
             self.ssl_version = ssl_version
         else:
             # If the user provides no ssl version, we should default to
             # TLSv1_2.  This option is the most secure, and will work for the
             # majority of users with reasonably up-to-date software. However,
             # before doing so, detect openssl version to ensure we can support
             # it.
             if ssl.OPENSSL_VERSION_INFO[:3] >= (1, 0, 1) and hasattr(
                     ssl, 'PROTOCOL_TLSv1_2'):
                 # If the OpenSSL version is high enough to support TLSv1_2,
                 # then we should use it.
                 self.ssl_version = getattr(ssl, 'PROTOCOL_TLSv1_2')
             else:
                 # Otherwise, TLS v1.0 seems to be the safest default;
                 # SSLv23 fails in mysterious ways:
                 # https://github.com/docker/docker-py/issues/963
                 self.ssl_version = ssl.PROTOCOL_TLSv1

         # "client_cert" must have both or neither cert/key files. In
         # either case, Alert the user when both are expected, but any are
         # missing.

         if client_cert:
             try:
                 tls_cert, tls_key = client_cert
             except ValueError:
                 raise errors.TLSParameterError(
                     'client_cert must be a tuple of'
                     ' (client certificate, key file)'
                 )

             if not (tls_cert and tls_key) or (not os.path.isfile(tls_cert) or
                                               not os.path.isfile(tls_key)):
                 raise errors.TLSParameterError(
                     'Path to a certificate and key files must be provided'
                     ' through the client_cert param'
                 )
             self.cert = (tls_cert, tls_key)

         # If verify is set, make sure the cert exists
         self.verify = verify
         self.ca_cert = ca_cert
         if self.verify and self.ca_cert and not os.path.isfile(self.ca_cert):
             raise errors.TLSParameterError(
                 'Invalid CA certificate provided for `ca_cert`.'
             )

     def configure_client(self, client):
         """
         Configure a client with these TLS options.
         """
         client.ssl_version = self.ssl_version

         if self.verify and self.ca_cert:
             client.verify = self.ca_cert
         else:
             client.verify = self.verify

         if self.cert:
             client.cert = self.cert

         client.mount('https://', SSLHTTPAdapter(
             ssl_version=self.ssl_version,
             assert_hostname=self.assert_hostname,
             assert_fingerprint=self.assert_fingerprint,
         ))
	import os
	import ssl

	from . import errors
	from .transport import SSLHTTPAdapter


	class TLSConfig:
	"""
	TLS configuration.

	Args:
	client_cert (tuple of str): Path to client cert, path to client key.
	ca_cert (str): Path to CA cert file.
	verify (bool or str): This can be ``False`` or a path to a CA cert
	file.
	ssl_version (int): A valid `SSL version`_.
	assert_hostname (bool): Verify the hostname of the server.

	.. _`SSL version`:
	https://docs.python.org/3.5/library/ssl.html#ssl.PROTOCOL_TLSv1
	"""
	cert = None
	ca_cert = None
	verify = None
	ssl_version = None

	def __init__(self, client_cert=None, ca_cert=None, verify=None,
	ssl_version=None, assert_hostname=None,
	assert_fingerprint=None):
	# Argument compatibility/mapping with
	# https://docs.docker.com/engine/articles/https/
	# This diverges from the Docker CLI in that users can specify 'tls'
	# here, but also disable any public/default CA pool verification by
	# leaving verify=False

	self.assert_hostname = assert_hostname
	self.assert_fingerprint = assert_fingerprint

	# TODO(dperny): according to the python docs, PROTOCOL_TLSvWhatever is
	# depcreated, and it's recommended to use OPT_NO_TLSvWhatever instead
	# to exclude versions. But I think that might require a bigger
	# architectural change, so I've opted not to pursue it at this time

	# If the user provides an SSL version, we should use their preference
	if ssl_version:
	self.ssl_version = ssl_version
	else:
	# If the user provides no ssl version, we should default to
	# TLSv1_2. This option is the most secure, and will work for the
	# majority of users with reasonably up-to-date software. However,
	# before doing so, detect openssl version to ensure we can support
	# it.
	if ssl.OPENSSL_VERSION_INFO[:3] >= (1, 0, 1) and hasattr(
	ssl, 'PROTOCOL_TLSv1_2'):
	# If the OpenSSL version is high enough to support TLSv1_2,
	# then we should use it.
	self.ssl_version = getattr(ssl, 'PROTOCOL_TLSv1_2')
	else:
	# Otherwise, TLS v1.0 seems to be the safest default;
	# SSLv23 fails in mysterious ways:
	# https://github.com/docker/docker-py/issues/963
	self.ssl_version = ssl.PROTOCOL_TLSv1

	# "client_cert" must have both or neither cert/key files. In
	# either case, Alert the user when both are expected, but any are
	# missing.

	if client_cert:
	try:
	tls_cert, tls_key = client_cert
	except ValueError:
	raise errors.TLSParameterError(
	'client_cert must be a tuple of'
	' (client certificate, key file)'
	)

	if not (tls_cert and tls_key) or (not os.path.isfile(tls_cert) or
	not os.path.isfile(tls_key)):
	raise errors.TLSParameterError(
	'Path to a certificate and key files must be provided'
	' through the client_cert param'
	)
	self.cert = (tls_cert, tls_key)

	# If verify is set, make sure the cert exists
	self.verify = verify
	self.ca_cert = ca_cert
	if self.verify and self.ca_cert and not os.path.isfile(self.ca_cert):
	raise errors.TLSParameterError(
	'Invalid CA certificate provided for `ca_cert`.'
	)

	def configure_client(self, client):
	"""
	Configure a client with these TLS options.
	"""
	client.ssl_version = self.ssl_version

	if self.verify and self.ca_cert:
	client.verify = self.ca_cert
	else:
	client.verify = self.verify

	if self.cert:
	client.cert = self.cert

	client.mount('https://', SSLHTTPAdapter(
	ssl_version=self.ssl_version,
	assert_hostname=self.assert_hostname,
	assert_fingerprint=self.assert_fingerprint,
	))