From 18fb6c6c60abc306d482794459d0d647c257a5ae Mon Sep 17 00:00:00 2001
From: Bobbins228
Date: Fri, 22 Mar 2024 15:46:59 +0000
Subject: [PATCH 1/3] Made ODH cert default cert for Token Auth
---
src/codeflare_sdk/cluster/auth.py | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/codeflare_sdk/cluster/auth.py b/src/codeflare_sdk/cluster/auth.py
index 36233a0ed..70d9ca68b 100644
--- a/src/codeflare_sdk/cluster/auth.py
+++ b/src/codeflare_sdk/cluster/auth.py
@@ -101,12 +101,16 @@ def login(self) -> str:
"""
global config_path
global api_client
+ odh_ca_path = "/etc/pki/tls/custom-certs/ca-bundle.crt"
try:
configuration = client.Configuration()
configuration.api_key_prefix["authorization"] = "Bearer"
configuration.host = self.server
configuration.api_key["authorization"] = self.token
if self.skip_tls == False and self.ca_cert_path == None:
+ if os.path.isfile(odh_ca_path):
+ print(f"Authenticated with certificate located at {odh_ca_path}")
+ configuration.ssl_ca_cert = odh_ca_path
configuration.verify_ssl = True
elif self.skip_tls == False:
configuration.ssl_ca_cert = self.ca_cert_path
From fb25d702089e8d6df342390a7ddb833f13b78496 Mon Sep 17 00:00:00 2001
From: Bobbins228
Date: Mon, 13 May 2024 12:25:16 +0100
Subject: [PATCH 2/3] Added env variable option for setting ca-cert path
---
src/codeflare_sdk/cluster/auth.py | 26 ++++++++++++++++++--------
tests/auth-test.crt | 20 ++++++++++++++++++++
tests/unit_test.py | 23 +++++++++++++++++------
3 files changed, 55 insertions(+), 14 deletions(-)
create mode 100644 tests/auth-test.crt
diff --git a/src/codeflare_sdk/cluster/auth.py b/src/codeflare_sdk/cluster/auth.py
index 70d9ca68b..91dadb058 100644
--- a/src/codeflare_sdk/cluster/auth.py
+++ b/src/codeflare_sdk/cluster/auth.py
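Review bot: In the `login()` hunk of [PATCH 1/3], the added `print(f"Authenticated with certificate located at {odh_ca_path}")` sits among the configuration assignments, so as far as the hunk shows it reports an authentication before any request has been made. It is also printed only when the ODH bundle exists; when the file is absent nothing tells the user which CA bundle verification falls back to. A wording such as `print(f"Using CA bundle at {odh_ca_path} for TLS verification")` describes what the code does at that point. The same message is carried into the rewritten branch in [PATCH 2/3]. The body of `login()` starts and ends outside the hunk.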
@@ -81,7 +81,7 @@ def __init__(
token: str,
server: str,
skip_tls: bool = False,
- ca_cert_path: str = None,
+ ca_cert_path: str = "/etc/pki/tls/custom-certs/ca-bundle.crt",
):
"""
Initialize a TokenAuthentication object that requires a value for `token`, the API Token
@@ -101,19 +101,29 @@ def login(self) -> str:
"""
global config_path
global api_client
- odh_ca_path = "/etc/pki/tls/custom-certs/ca-bundle.crt"
try:
configuration = client.Configuration()
configuration.api_key_prefix["authorization"] = "Bearer"
configuration.host = self.server
configuration.api_key["authorization"] = self.token
- if self.skip_tls == False and self.ca_cert_path == None:
- if os.path.isfile(odh_ca_path):
- print(f"Authenticated with certificate located at {odh_ca_path}")
- configuration.ssl_ca_cert = odh_ca_path
+ ca_path_env = os.environ.get("CA_CERT_PATH")
+
+ if self.skip_tls == False:
+ if ca_path_env != None:
+ self.ca_cert_path = ca_path_env
+
+ if self.ca_cert_path == None:
+ configuration.ssl_ca_cert = None
+ elif os.path.isfile(self.ca_cert_path):
+ print(
+ f"Authenticated with certificate located at {self.ca_cert_path}"
+ )
+ configuration.ssl_ca_cert = self.ca_cert_path
+ else:
+ raise FileNotFoundError(
+ f"Certificate file not found at {self.ca_cert_path}"
+ )
configuration.verify_ssl = True
- elif self.skip_tls == False:
- configuration.ssl_ca_cert = self.ca_cert_path
else:
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
print("Insecure request warnings have been disabled")
diff --git a/tests/auth-test.crt b/tests/auth-test.crt
new file mode 100644
index 000000000..f470c6326
--- /dev/null
+++ b/tests/auth-test.crt
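Review bot: With the default of `ca_cert_path` changed to the ODH bundle path in the `__init__` hunk, a caller who passes no certificate on a host where that file is absent reaches the `raise FileNotFoundError(...)` added to `login()` in the following hunk, where [PATCH 1/3] simply skipped the bundle and left verification on. The `self.ca_cert_path == None` branch is now reachable only when a caller passes `None` explicitly. Keeping `ca_cert_path: str = None,` in the signature and applying the ODH path inside `login()` only when `os.path.isfile(...)` succeeds would keep `TokenAuthentication(token=..., server=...)` usable outside ODH images. The tests in this patch call `login()` only with a file that exists, so the missing-file default is not exercised. The `__init__` body lies outside the hunk.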
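Review bot: In the `login()` hunk, `if ca_path_env != None:` followed by `self.ca_cert_path = ca_path_env` lets the `CA_CERT_PATH` environment variable replace a `ca_cert_path` the caller passed explicitly, and it overwrites the attribute on the object. The CA bundle determines which server certificates are accepted on the connection that carries the bearer token set in `configuration.api_key`, so a value the caller pinned should win over ambient process state; the docs added in [PATCH 3/3] also describe the variable as an alternative rather than an override. [PATCH 3/3] renames the variable but keeps the same precedence in its `auth.py` hunk. Resolving the path into a local, with the environment consulted only when no argument was given, avoids both problems; this needs the constructor default to remain `None` so that "not given" is detectable. `login()` starts and ends outside the hunk.

```python
# … unchanged: configuration host / api_key setup …
if self.skip_tls == False:
    # Explicit argument first; the environment is only a fallback.
    ca_path = self.ca_cert_path
    if ca_path is None:
        ca_path = os.environ.get("CA_CERT_PATH")
    if ca_path is not None and not os.path.isfile(ca_path):
        raise FileNotFoundError(f"Certificate file not found at {ca_path}")
    # … unchanged: print of the certificate path when one is set …
    configuration.ssl_ca_cert = ca_path
    configuration.verify_ssl = True
# … unchanged: else branch for skip_tls …
```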
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDOTCCAiGgAwIBAgIUENjaZDrvhc5uV3j7GI8deZJwc+YwDQYJKoZIhvcNAQEL +BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM +GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA1MTMxMTE1NDZaFw0yNTA1 +MTMxMTE1NDZaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw +HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDEYYk81jvPijZXXeI9cByf5EIbOVaBTH7I51J9EKG5 +Y/KRXI43WgvVEiZ3jP8LJnSD79WhBiL6TgadQZje5ndroRYDM9vyqz1OUZapnOO+ +yzl01y/qSsH8Kn88eLAzkE9HSu4QN9PuJtySyksjDFQJ6kjyE8ZHUSorur0FlLLf +IToFgTuaIPDYjvFRchOCfZ7sV/MF7LxqFfFnaWOYvH41ZdvqJiRcVsMi+mYs9/I/ +I72IMXwVnQDVnK8H84ntEmHNN6NoVuMKla0So4/wKcHJSCgS3axLI2Ka2aaaJo9K +l2cn21NOyodF+DaSFy7qaGRXxoTQ2k9tUrSvxkBJvRmBAgMBAAGjITAfMB0GA1Ud +DgQWBBRTK8mO5XMcmR+Xg/PVNFnvz4eubDANBgkqhkiG9w0BAQsFAAOCAQEAlZva +6ws3zRff7u0tWT2JJaE1uPqsuAdHtVvEyAMp2QvYfyrgADTroUTaSU4p6ppX/t7v +ynHhuzR6UOVkuY0/CH1P3UUGrEPNOXT8i2BDwL+j4y2K2aRN8zU0Nu/IVePBhu+4 +Jdt+3P7/MuwiCON5JukgxUYlQKhVhzFj7GOd2+Ca+fh8Siq3tkWDSN54+90fgylQ ++74Yfya1NVabpzLqP3Isqu2XQhEVaBFvj8Yu0h83e3D8LeQToC3mVMF4yy5BZ9Ty +K66YGlGQgszWEUFPEdsB8Dj/iJMhkWXuyc3u/w0s3t7rXeMYYgr+xrEeK+g0oyB5 +xeZuMjd567Znmu5oMw== +-----END CERTIFICATE----- diff --git a/tests/unit_test.py b/tests/unit_test.py index 53c888889..c35f99f41 100644 --- a/tests/unit_test.py +++ b/tests/unit_test.py 
@@ -123,27 +123,30 @@ def test_token_auth_creation():
assert token_auth.token == "token"
assert token_auth.server == "server"
assert token_auth.skip_tls == False
- assert token_auth.ca_cert_path == None
+ assert token_auth.ca_cert_path == "/etc/pki/tls/custom-certs/ca-bundle.crt"
token_auth = TokenAuthentication(token="token", server="server", skip_tls=True)
assert token_auth.token == "token"
assert token_auth.server == "server"
assert token_auth.skip_tls == True
- assert token_auth.ca_cert_path == None
+ assert token_auth.ca_cert_path == "/etc/pki/tls/custom-certs/ca-bundle.crt"
token_auth = TokenAuthentication(token="token", server="server", skip_tls=False)
assert token_auth.token == "token"
assert token_auth.server == "server"
assert token_auth.skip_tls == False
- assert token_auth.ca_cert_path == None
+ assert token_auth.ca_cert_path == "/etc/pki/tls/custom-certs/ca-bundle.crt"
token_auth = TokenAuthentication(
- token="token", server="server", skip_tls=False, ca_cert_path="path/to/cert"
+ token="token",
+ server="server",
+ skip_tls=False,
+ ca_cert_path=f"{parent}/tests/auth-test.crt",
)
assert token_auth.token == "token"
assert token_auth.server == "server"
assert token_auth.skip_tls == False
- assert token_auth.ca_cert_path == "path/to/cert"
+ assert token_auth.ca_cert_path == f"{parent}/tests/auth-test.crt"
except Exception:
assert 0 == 1
@@ -174,7 +177,15 @@ def test_token_auth_login_tls(mocker):
token="testtoken",
server="testserver:6443",
skip_tls=False,
- ca_cert_path="path/to/cert",
+ ca_cert_path=f"{parent}/tests/auth-test.crt",
+ )
+ assert token_auth.login() == ("Logged into testserver:6443")
+
+ os.environ["CA_CERT_PATH"] = f"{parent}/tests/auth-test.crt"
+ token_auth = TokenAuthentication(
+ token="testtoken",
+ server="testserver:6443",
+ skip_tls=False,
)
assert token_auth.login() == ("Logged into testserver:6443")
From 14e732c8c4d316f8aa149f84d1102265252f0ee2 Mon Sep 17 00:00:00 2001
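Review bot: In the `test_token_auth_login_tls` hunk, `os.environ["CA_CERT_PATH"] = f"{parent}/tests/auth-test.crt"` is never undone, so the variable stays set for every test that runs afterwards in the same process. Because `login()` in this patch gives the variable precedence over the `ca_cert_path` argument, later `TokenAuthentication` tests would verify against `auth-test.crt` whatever they pass, which can hide regressions in certificate handling. Scoping it with the fixture the test already receives, `mocker.patch.dict(os.environ, {"CA_CERT_PATH": f"{parent}/tests/auth-test.crt"})`, restores the environment on teardown. The same assignment appears under the new variable name in the `tests/unit_test.py` hunk of [PATCH 3/3]. The test function starts and ends outside the hunk.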
From: Bobbins228
Date: Wed, 15 May 2024 14:24:24 +0100
Subject: [PATCH 3/3] Updated env var
---
docs/authentication.md | 2 +-
src/codeflare_sdk/cluster/auth.py | 4 ++--
tests/unit_test.py | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/docs/authentication.md b/docs/authentication.md
index 8812a6fc0..bb27f1716 100644
--- a/docs/authentication.md
+++ b/docs/authentication.md
@@ -17,7 +17,7 @@ auth.login()
# log out with auth.logout()
```
Setting `skip_tls=True` allows interaction with an HTTPS server bypassing the server certificate checks although this is not secure.
-You can pass a custom certificate to `TokenAuthentication` by using `ca_cert_path="/path/to/cert"` when authenticating provided `skip_tls=False`.
+You can pass a custom certificate to `TokenAuthentication` by using `ca_cert_path="/path/to/cert"` when authenticating provided `skip_tls=False`. Alternatively you can set the environment variable `CF_SDK_CA_CERT_PATH` to the path of your custom certificate.
## Method 2 Kubernetes Config File Authentication (Default location)
If a user has authenticated to their cluster by alternate means e.g. run a login command like `oc login --token= --server=` their kubernetes config file should have updated.
diff --git a/src/codeflare_sdk/cluster/auth.py b/src/codeflare_sdk/cluster/auth.py
index 91dadb058..e22cd8283 100644
--- a/src/codeflare_sdk/cluster/auth.py
+++ b/src/codeflare_sdk/cluster/auth.py
@@ -106,10 +106,10 @@ def login(self) -> str:
configuration.api_key_prefix["authorization"] = "Bearer"
configuration.host = self.server
configuration.api_key["authorization"] = self.token
- ca_path_env = os.environ.get("CA_CERT_PATH")
+ ca_path_env = os.environ.get("CF_SDK_CA_CERT_PATH", self.ca_cert_path)
if self.skip_tls == False:
- if ca_path_env != None:
+ if ca_path_env != self.ca_cert_path:
self.ca_cert_path = ca_path_env
if self.ca_cert_path == None:
diff --git a/tests/unit_test.py b/tests/unit_test.py
index c35f99f41..4aa04d148 100644
--- a/tests/unit_test.py
+++ b/tests/unit_test.py
@@ -181,7 +181,7 @@ def test_token_auth_login_tls(mocker):
)
assert token_auth.login() == ("Logged into testserver:6443")
- os.environ["CA_CERT_PATH"] = f"{parent}/tests/auth-test.crt"
+ os.environ["CF_SDK_CA_CERT_PATH"] = f"{parent}/tests/auth-test.crt"
token_auth = TokenAuthentication(
token="testtoken",
server="testserver:6443",