From 8aedd7887959a8bd1cabe5ef6d48c99e1c06b95e Mon Sep 17 00:00:00 2001 From: "Joshua M. Boniface" Date: Sat, 6 Jul 2019 23:28:29 -0400 Subject: [PATCH] Support SSL for the API --- client-api/pvc-api.py | 18 +++++++++++++++--- client-api/pvc-api.sample.yaml | 10 ++++++++++ 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/client-api/pvc-api.py b/client-api/pvc-api.py index e9902408..7bfbe843 100755 --- a/client-api/pvc-api.py +++ b/client-api/pvc-api.py @@ -53,14 +53,21 @@ try: 'coordinators': o_config['pvc']['coordinators'], 'listen_address': o_config['pvc']['api']['listen_address'], 'listen_port': int(o_config['pvc']['api']['listen_port']), - 'authentication_key': o_config['pvc']['api']['authentication']['key'] + 'authentication_key': o_config['pvc']['api']['authentication']['key'], + 'secret_key': o_config['pvc']['api']['secret_key'], + 'ssl_enabled': o_config['pvc']['api']['ssl']['enabled'], + 'ssl_key_file': o_config['pvc']['api']['ssl']['key_file'], + 'ssl_cert_file': o_config['pvc']['api']['ssl']['cert_file'] } + # Set the config object in the pvcapi namespace pvcapi.config = config except Exception as e: print('ERROR: {}.'.format(e)) exit(1) +api.config["SECRET_KEY"] = config['secret_key'] + def authenticator(function): def authenticate(*args, **kwargs): request_values = flask.request.values @@ -914,6 +921,11 @@ def api_ceph_volume_snapshot_remove(pool, volume, snapshot): # # Entrypoint # -http_server = gevent.pywsgi.WSGIServer((config['listen_address'], config['listen_port']), api) +if config['api_ssl_enabled']: + # Run the WSGI server with SSL + http_server = gevent.pywsgi.WSGIServer((config['listen_address'], config['listen_port']), api, + keyfile=config['ssl_key_file'], certfile=config['ssl_cert_file']) +else: + # Run the ?WSGI server without SSL + http_server = gevent.pywsgi.WSGIServer((config['listen_address'], config['listen_port']), api) http_server.serve_forever() - diff --git a/client-api/pvc-api.sample.yaml b/client-api/pvc-api.sample.yaml index 8f23d84f..cd75c8fd 100644 --- a/client-api/pvc-api.sample.yaml +++ b/client-api/pvc-api.sample.yaml @@ -24,3 +24,13 @@ pvc: # key: A secure key to authorize against the API; must be sent in the body # arguments or in the URI of each request; leave blank for no authentication key: "" + # secret_key: Random, per-cluster secret key for the Flask API cookies; generate with uuidgen or pwgen + secret_key: "" + # ssl: SSL configuration + ssl: + # Enabled or disable SSL operation + enabled: False + # cert_file: SSL certificate file + cert_file: "" + # key_file: SSL certificate key file + key_file: ""