pk/atst
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #1412 from dod-ccpo/redis-ssl-verify

Browse Source 
Set Redis verification mode for TLS connections.
This commit is contained in:
dandds 2020-02-10 17:18:24 -05:00 committed by GitHub
commit 9a05d64439
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 26 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.secrets.baseline
View File

@ -3,7 +3,7 @@
"files": "^.secrets.baseline$|^.*pgsslrootcert.yml$", "files": "^.secrets.baseline$|^.*pgsslrootcert.yml$",
"lines": null "lines": null
}, },
"generated_at": "2020-01-27T19:24:43Z", "generated_at": "2020-02-10T21:40:38Z",
"plugins_used": [ "plugins_used": [
{ {
"base64_limit": 4.5, "base64_limit": 4.5,
@ -82,7 +82,7 @@
"hashed_secret": "afc848c316af1a89d49826c5ae9d00ed769415f3", "hashed_secret": "afc848c316af1a89d49826c5ae9d00ed769415f3",
"is_secret": false, "is_secret": false,
"is_verified": false, "is_verified": false,
"line_number": 32, "line_number": 33,
"type": "Secret Keyword" "type": "Secret Keyword"
} }
], ],

8
atst/app.py
View File

@ -233,12 +233,18 @@ def make_config(direct_config=None):
config.set("default", "DATABASE_URI", database_uri) config.set("default", "DATABASE_URI", database_uri)
# Assemble REDIS_URI value # Assemble REDIS_URI value
redis_use_tls = config["default"].getboolean("REDIS_TLS")
redis_uri = "redis{}://{}:{}@{}".format( # pragma: allowlist secret redis_uri = "redis{}://{}:{}@{}".format( # pragma: allowlist secret
("s" if config["default"].getboolean("REDIS_TLS") else ""), ("s" if redis_use_tls else ""),
(config.get("default", "REDIS_USER") or ""), (config.get("default", "REDIS_USER") or ""),
(config.get("default", "REDIS_PASSWORD") or ""), (config.get("default", "REDIS_PASSWORD") or ""),
config.get("default", "REDIS_HOST"), config.get("default", "REDIS_HOST"),
) )
if redis_use_tls:
tls_mode = config.get("default", "REDIS_SSLMODE")
tls_mode_str = tls_mode.lower() if tls_mode else "none"
redis_uri = f"{redis_uri}/?ssl_cert_reqs={tls_mode_str}"
config.set("default", "REDIS_URI", redis_uri) config.set("default", "REDIS_URI", redis_uri)
return map_config(config) return map_config(config)

1
config/base.ini
View File

@ -38,6 +38,7 @@ PGUSER = postgres
PORT=8000 PORT=8000
REDIS_HOST=localhost:6379 REDIS_HOST=localhost:6379
REDIS_PASSWORD REDIS_PASSWORD
REDIS_SSLMODE
REDIS_TLS=False REDIS_TLS=False
REDIS_USER REDIS_USER
SECRET_KEY = change_me_into_something_secret SECRET_KEY = change_me_into_something_secret

16
tests/test_app.py
View File

@ -7,6 +7,7 @@ from atst.app import (
make_crl_validator, make_crl_validator,
apply_config_from_directory, apply_config_from_directory,
apply_config_from_environment, apply_config_from_environment,
make_config,
) )
@ -67,3 +68,18 @@ def test_apply_config_from_environment_skips_unknown_settings(
monkeypatch.setenv("FLARF", "MAYO") monkeypatch.setenv("FLARF", "MAYO")
apply_config_from_environment(config_object) apply_config_from_environment(config_object)
assert "FLARF" not in config_object.options("default") assert "FLARF" not in config_object.options("default")
class TestMakeConfig:
def test_redis_ssl_connection(self):
config = make_config({"REDIS_TLS": True})
uri = config.get("REDIS_URI")
assert "rediss" in uri
assert "ssl_cert_reqs" in uri
def test_non_redis_ssl_connection(self):
config = make_config({"REDIS_TLS": False})
uri = config.get("REDIS_URI")
assert "rediss" not in uri
assert "redis" in uri
assert "ssl_cert_reqs" not in uri