From 274faf3307c9e68fda2ba5c9fe1dcd82591c1262 Mon Sep 17 00:00:00 2001 From: Adam Hopkins Date: Mon, 20 Mar 2023 09:45:33 +0200 Subject: [PATCH 1/3] Allow password to be passed to TLS context --- sanic/http/tls/context.py | 2 +- tests/test_tls.py | 38 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 39 insertions(+), 1 deletion(-) diff --git a/sanic/http/tls/context.py b/sanic/http/tls/context.py index 98c090bb34..b210530f3c 100644 --- a/sanic/http/tls/context.py +++ b/sanic/http/tls/context.py @@ -159,7 +159,7 @@ def __new__(cls, cert, key, **kw): # try common aliases, rename to cert/key certfile = kw["cert"] = kw.pop("certificate", None) or cert keyfile = kw["key"] = kw.pop("keyfile", None) or key - password = kw.pop("password", None) + password = kw.get("password", None) if not certfile or not keyfile: raise ValueError("SSL dict needs filenames for cert and key.") subject = {} diff --git a/tests/test_tls.py b/tests/test_tls.py index db584a766b..d41784f097 100644 --- a/tests/test_tls.py +++ b/tests/test_tls.py @@ -33,12 +33,19 @@ current_dir = os.path.dirname(os.path.realpath(__file__)) localhost_dir = os.path.join(current_dir, "certs/localhost") +password_dir = os.path.join(current_dir, "certs/password") sanic_dir = os.path.join(current_dir, "certs/sanic.example") invalid_dir = os.path.join(current_dir, "certs/invalid.nonexist") localhost_cert = os.path.join(localhost_dir, "fullchain.pem") localhost_key = os.path.join(localhost_dir, "privkey.pem") sanic_cert = os.path.join(sanic_dir, "fullchain.pem") sanic_key = os.path.join(sanic_dir, "privkey.pem") +password_dict = { + "cert": os.path.join(password_dir, "fullchain.pem"), + "key": os.path.join(password_dir, "privkey.pem"), + "password": "password", + "names": ["localhost"], +} @pytest.fixture @@ -677,3 +684,34 @@ async def shutdown(app): logging.INFO, "Goin' Fast @ https://127.0.0.1:8000", ) in caplog.record_tuples + + +@pytest.mark.skipif( + sys.platform not in ("linux", "darwin"), + reason="This test requires fork context", +) +def test_ssl_in_multiprocess_mode_password( + app: Sanic, caplog: pytest.LogCaptureFixture +): + event = Event() + + @app.main_process_start + async def main_start(app: Sanic): + app.shared_ctx.event = event + + @app.after_server_start + async def shutdown(app): + app.shared_ctx.event.set() + app.stop() + + assert not event.is_set() + with use_context("fork"): + with caplog.at_level(logging.INFO): + app.run(ssl=password_dict) + assert event.is_set() + + assert ( + "sanic.root", + logging.INFO, + "Goin' Fast @ https://127.0.0.1:8000", + ) in caplog.record_tuples From 17cbeb9a27bf159304e0807e8fa77a8cd1bf1a14 Mon Sep 17 00:00:00 2001 From: Adam Hopkins Date: Mon, 20 Mar 2023 09:47:21 +0200 Subject: [PATCH 2/3] Cleanup code --- sanic/mixins/startup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sanic/mixins/startup.py b/sanic/mixins/startup.py index 4390196d05..b5fc1f30af 100644 --- a/sanic/mixins/startup.py +++ b/sanic/mixins/startup.py @@ -811,7 +811,7 @@ def serve( ssl = kwargs.get("ssl") if isinstance(ssl, SanicSSLContext): - kwargs["ssl"] = kwargs["ssl"].sanic + kwargs["ssl"] = ssl.sanic manager = WorkerManager( primary.state.workers, From a27f066c81462d39fa324aab66e28a2afed393ff Mon Sep 17 00:00:00 2001 From: Adam Hopkins Date: Mon, 20 Mar 2023 10:04:19 +0200 Subject: [PATCH 3/3] Add password protected certs --- tests/certs/password/fullchain.pem | 19 +++++++++++++++++++ tests/certs/password/privkey.pem | 30 ++++++++++++++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 tests/certs/password/fullchain.pem create mode 100644 tests/certs/password/privkey.pem diff --git a/tests/certs/password/fullchain.pem b/tests/certs/password/fullchain.pem new file mode 100644 index 0000000000..992320207c --- /dev/null +++ b/tests/certs/password/fullchain.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDCTCCAfGgAwIBAgIUa7OOlAGQfXOgUgRENJ9GbUgO7kwwDQYJKoZIhvcNAQEL +BQAwFDESMBAGA1UEAwwJMTI3LjAuMC4xMB4XDTIzMDMyMDA3MzE1M1oXDTIzMDQx +OTA3MzE1M1owFDESMBAGA1UEAwwJMTI3LjAuMC4xMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAn2/RqVpzO7GFrgVGiowR5CzcFzf1tSFti1K/WIGr/jsu +NP+1R3sim17pgg6SCOFnUMRS0KnDihkzoeP6z+0tFsrbCH4V1+fq0iud8WgYQrgD +3ttUcHrz04p7wsMoeqndUQoLbyJzP8MpA2XJsoacdIVkuLv2AESGXLhJym/e9HGN +g8bqdz25X0hVTczZW1FN9AZyWWVf9Go6jqC7LCaOnYXAnOkEy2/JHdkeNXYFZHB3 +71UemfkCjfp0vlRV8pVpkBGMhRNFphBTfxdqeWiGQwVqrhaJO4M7DJlQHCAPY16P +o9ywnhLDhFHD7KIfTih9XxrdgTowqcwyGX3e3aJpTwIDAQABo1MwUTAdBgNVHQ4E +FgQU5NogMq6mRBeGl4i6hIuUlcR2bVEwHwYDVR0jBBgwFoAU5NogMq6mRBeGl4i6 +hIuUlcR2bVEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAYW34 +JY1kd0UO5HE41oxJD4PioQboXXX0al4RgKaUUsPykeHQbK0q0TSYAZLwRjooTVUO +Wvna5bU2mzyULqA2r/Cr/w4zb9xybO3SiHFHcU1RacouauHXROHwRm98i8A73xnH +vHws5BADr2ggnVcPNh4VOQ9ZvBlC7jhgpvMjqOEu5ZPCovhfZYfSsvBDHcD74ZYm +Di9DvqsJmrb23Dv3SUykm3W+Ql2q+JyjFj30rhD89CFwJ9iSlFwTYEwZLHA+mV6p +UKy3I3Fiht1Oc+nIivX5uhRSMbDVvDTVHbjjPujxxFjkiHXMjtwvwfg4Sb6du61q +AjBRFyXbNu4hZkkHOA== +-----END CERTIFICATE----- diff --git a/tests/certs/password/privkey.pem b/tests/certs/password/privkey.pem new file mode 100644 index 0000000000..b6b828b9f5 --- /dev/null +++ b/tests/certs/password/privkey.pem @@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQI94UBqjaZlG4CAggA +MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBCvJhEy+3/+0Ec0gpd5dkP6BIIE +0E7rLplTe9rxK3sR9V0cx8Xn6V+uFhG3p7dzeMDCCKpGo9MEaacF5m+paGnBkMlH +Pz3rRoLA5jqzwXl4US/C5E1Or//2YBgF1XXKi3BPF/bVx/g6vR+xeobf9kQGbqQk +FNPYtP7mpg2dekp5BUsKSosIt8BkknWFvhBeNuGZT/zlMUuq1WpMe4KIh/W9IdNr +HolcuZJWBhQAwGPciWIZRyq48wKa++W7Jdg/aG8FviJQnjaAUv4CyZJHUJnaNwUx +iHOETpzIC+bhF2K+s4g5w68VCj6Jtz78sIBEZKzo7LI5QHdRHqYB5SJ/dGiV+h09 +R/rQ/M+24mwHDlRSCxxq0yuDwUuGBlHyATeDCFeE3L5OX8yTLuqYJ6vUa6UbzMYA +8H4l5zfu9RrAhKYa9tD+4ONxMmHziIgmn5zvSXeBwJKfeUbnN4IKWLsSoSVspBRh +zLl51DMAnem4NEjLfIW8WYjhsvSYwd9BYqxXaAiv4Wjx9ZV1yLqFICC7tejpVdRT +afI0qMOfWu4ma6xVBg1ezLgF1wHIPrq6euTvWdnifYQopVICALlltEo5oxQ2i/OM +NY8RyovWujiGNsa3pId9HmZXiLyLXjKPstGWRK4liMyc2EiP099gTdBvrb+VQp+I +EyPavmh3WNhgZGOh3qah39X8HrBprc0PPfSPlxpaWdNMIIMSbcIWWdJEA/e4tcy/ +uBaV4H3sNCtBApgrb6B9YUbS9CXNUburJo19T1sk2uCaO12qYfdu2IDEnFf8JiF3 +i7nyftotRuoKq2D+V8d0PeMi/vJSo6+eZIn7VNe6ejYf+w0s7sxlpiKVzkslyOhq +n0T4M3ZkSwGIETzgkRRuTY1OK7slhglMgXlQ2FuIUUo6CRg9WjRJvI5rujLzLWfB +hkgP8STirjTV0DUWPFGtUcenvEcZPkYIQcoPHxOJGNW3ZPXNpt4RjbvPLeVzDm0O +WJiay/qhag/bXGqKraO3b6Y7FOzJa8kG4G0XrcFY1s2oCXRqRqYJAtwaEeVCjCSJ +Qy0OZkqcJEU7pv98pLMpG9OWz4Gle77g4KoQUJjQGtmg0MUMoPd0iPRmvkxsYg8E +Q9uZS3m6PpWmmYDY0Ik1w/4avs3skl2mW3dqcZGLEepkjiQSnFABsuvxKd+uIEQy +lyf9FrynXVcUI87LUkuniLRKwZZzFALVuc+BwtO3SA5mvEK22ZEq9QOysbwlpN54 +G5xXJKJEeexUSjEUIij4J89RLsXldibhp7YYZ7rFviR6chIqC0V7G6VqAM9TOCrV +PWZXr3ZY5/pCZYs5DYKFJBFMSQ2UT/++VYxdZCeBH75vaxugbS8RdUM+iVDevWpQ +/AnP1FolNAgkVhi3Rw4L16SibkqpEzIi1svPWKMwXdvewA32UidLElhuTWWjI2Wm +veXhmEqwk/7ML4JMI7wHcDQdvSKen0mCL2J9tB7A/pewYyDE0ffIUmjxglOtw30f +ZOlQKhMaKJGXp00U2zsHA2NJRI/hThbJncsnZyvuLei0P42RrF+r64b/0gUH6IZ5 +wPUttT815KSNoy+XXXum9YGDYYFoAL+6WVEkl6dgo+X0hcH7DDf5Nkewiq8UcJGh +/69vFIfp+JlpicXzZ+R42LO3T3luC907aFBywF3pmi// +-----END ENCRYPTED PRIVATE KEY-----