refs #2054 send client cert to ogcore, optionally verify ogcore's cert

src/opengnsys/RESTApi.py

@@ -109,21 +109,22 @@ class REST(object):
             logger.debug ('TLS not available: python requests library is old')
 
         self.use_tls = url.startswith ('https')
-        #if self.use_tls:
-        #    if not ca_file or not crt_file or not key_file:
-        #        raise Exception ('missing TLS parameters in REST constructor')
-        #
-        #    errs = 0
-        #    for f in [ca_file, crt_file, key_file]:
-        #        if not os.path.exists (f):
-        #            logger.error (f'{f}: No such file or directory')
-        #            errs += 1
-        #    if errs:
-        #        raise Exception ('TLS files not found')
-        #
-        #self.ca_file  = ca_file
-        #self.crt_file = crt_file
-        #self.key_file = key_file
+        if self.use_tls:
+            if not ca_file or not crt_file or not key_file:
+                raise Exception ('missing TLS parameters in REST constructor')
+
+            errs = 0
+            for f in [ca_file, crt_file, key_file]:
+                if not os.path.exists (f):
+                    logger.error (f'{f}: No such file or directory')
+                    errs += 1
+            if errs:
+                raise Exception ('TLS files not found')
+
+        self.ca_file  = ca_file
+        self.crt_file = crt_file
+        self.key_file = key_file
+        self.verify_tls = False
 
         # Disable logging requests messages except for errors, ...
         logging.getLogger("requests").setLevel(logging.CRITICAL)
@@ -156,7 +157,13 @@ class REST(object):
                 # Old requests version does not support verify, but it do not checks ssl certificate by default
                 if self.newerRequestLib:
                     if self.use_tls:
-                        r = requests.get(url, verify=False, timeout=TIMEOUT)
+                        if self.verify_tls:
+                            logger.debug ('nati: using TLS for GET')
+                            v = self.ca_file
+                        else:
+                            logger.warning ('using insecure TLS for GET')
+                            v = False
+                        r = requests.get(url, cert=(self.crt_file, self.key_file), verify=v, timeout=TIMEOUT)
                     else:
                         r = requests.get(url, timeout=TIMEOUT)
                 else:
@@ -165,7 +172,13 @@ class REST(object):
                 logger.debug('Requesting using POST {}, data: {}'.format(url, data))
                 if self.newerRequestLib:
                     if self.use_tls:
-                        r = requests.post(url, data=data, headers={'content-type': 'application/json'}, verify=False, timeout=TIMEOUT)
+                        if self.verify_tls:
+                            logger.debug ('nati: using TLS for POST')
+                            v = self.ca_file
+                        else:
+                            logger.warning ('using insecure TLS for POST')
+                            v = False
+                        r = requests.post(url, data=data, headers={'content-type': 'application/json'}, cert=(self.crt_file, self.key_file), verify=v, timeout=TIMEOUT)
                     else:
                         r = requests.post(url, data=data, headers={'content-type': 'application/json'}, timeout=TIMEOUT)
                 else: