Allow password to be passed to TLS context (#2719)

2023-03-20 12:34:36 +02:00 · 2023-03-20 12:34:36 +02:00 · 53820bc241
commit 53820bc241
parent 009954003c
5 changed files with 89 additions and 2 deletions
--- a/sanic/http/tls/context.py
+++ b/sanic/http/tls/context.py
@ -159,7 +159,7 @@ class CertSimple(SanicSSLContext):
        # try common aliases, rename to cert/key
        certfile = kw["cert"] = kw.pop("certificate", None) or cert
        keyfile = kw["key"] = kw.pop("keyfile", None) or key
-        password = kw.pop("password", None)
+        password = kw.get("password", None)
        if not certfile or not keyfile:
            raise ValueError("SSL dict needs filenames for cert and key.")
        subject = {}
--- a/sanic/mixins/startup.py
+++ b/sanic/mixins/startup.py
@ -811,7 +811,7 @@ class StartupMixin(metaclass=SanicMeta):
            ssl = kwargs.get("ssl")
            if isinstance(ssl, SanicSSLContext):
-                kwargs["ssl"] = kwargs["ssl"].sanic
+                kwargs["ssl"] = ssl.sanic
            manager = WorkerManager(
                primary.state.workers,
--- a/tests/certs/password/fullchain.pem
+++ b/tests/certs/password/fullchain.pem
@ -0,0 +1,19 @@
 -----BEGIN CERTIFICATE-----
 MIIDCTCCAfGgAwIBAgIUa7OOlAGQfXOgUgRENJ9GbUgO7kwwDQYJKoZIhvcNAQEL
 BQAwFDESMBAGA1UEAwwJMTI3LjAuMC4xMB4XDTIzMDMyMDA3MzE1M1oXDTIzMDQx
 OTA3MzE1M1owFDESMBAGA1UEAwwJMTI3LjAuMC4xMIIBIjANBgkqhkiG9w0BAQEF
 AAOCAQ8AMIIBCgKCAQEAn2/RqVpzO7GFrgVGiowR5CzcFzf1tSFti1K/WIGr/jsu
 NP+1R3sim17pgg6SCOFnUMRS0KnDihkzoeP6z+0tFsrbCH4V1+fq0iud8WgYQrgD
 3ttUcHrz04p7wsMoeqndUQoLbyJzP8MpA2XJsoacdIVkuLv2AESGXLhJym/e9HGN
 g8bqdz25X0hVTczZW1FN9AZyWWVf9Go6jqC7LCaOnYXAnOkEy2/JHdkeNXYFZHB3
 71UemfkCjfp0vlRV8pVpkBGMhRNFphBTfxdqeWiGQwVqrhaJO4M7DJlQHCAPY16P
 o9ywnhLDhFHD7KIfTih9XxrdgTowqcwyGX3e3aJpTwIDAQABo1MwUTAdBgNVHQ4E
 FgQU5NogMq6mRBeGl4i6hIuUlcR2bVEwHwYDVR0jBBgwFoAU5NogMq6mRBeGl4i6
 hIuUlcR2bVEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAYW34
 JY1kd0UO5HE41oxJD4PioQboXXX0al4RgKaUUsPykeHQbK0q0TSYAZLwRjooTVUO
 Wvna5bU2mzyULqA2r/Cr/w4zb9xybO3SiHFHcU1RacouauHXROHwRm98i8A73xnH
 vHws5BADr2ggnVcPNh4VOQ9ZvBlC7jhgpvMjqOEu5ZPCovhfZYfSsvBDHcD74ZYm
 Di9DvqsJmrb23Dv3SUykm3W+Ql2q+JyjFj30rhD89CFwJ9iSlFwTYEwZLHA+mV6p
 UKy3I3Fiht1Oc+nIivX5uhRSMbDVvDTVHbjjPujxxFjkiHXMjtwvwfg4Sb6du61q
 AjBRFyXbNu4hZkkHOA==
 -----END CERTIFICATE-----
--- a/tests/certs/password/privkey.pem
+++ b/tests/certs/password/privkey.pem
@ -0,0 +1,30 @@
 -----BEGIN ENCRYPTED PRIVATE KEY-----
 MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQI94UBqjaZlG4CAggA
 MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBCvJhEy+3/+0Ec0gpd5dkP6BIIE
 0E7rLplTe9rxK3sR9V0cx8Xn6V+uFhG3p7dzeMDCCKpGo9MEaacF5m+paGnBkMlH
 Pz3rRoLA5jqzwXl4US/C5E1Or//2YBgF1XXKi3BPF/bVx/g6vR+xeobf9kQGbqQk
 FNPYtP7mpg2dekp5BUsKSosIt8BkknWFvhBeNuGZT/zlMUuq1WpMe4KIh/W9IdNr
 HolcuZJWBhQAwGPciWIZRyq48wKa++W7Jdg/aG8FviJQnjaAUv4CyZJHUJnaNwUx
 iHOETpzIC+bhF2K+s4g5w68VCj6Jtz78sIBEZKzo7LI5QHdRHqYB5SJ/dGiV+h09
 R/rQ/M+24mwHDlRSCxxq0yuDwUuGBlHyATeDCFeE3L5OX8yTLuqYJ6vUa6UbzMYA
 8H4l5zfu9RrAhKYa9tD+4ONxMmHziIgmn5zvSXeBwJKfeUbnN4IKWLsSoSVspBRh
 zLl51DMAnem4NEjLfIW8WYjhsvSYwd9BYqxXaAiv4Wjx9ZV1yLqFICC7tejpVdRT
 afI0qMOfWu4ma6xVBg1ezLgF1wHIPrq6euTvWdnifYQopVICALlltEo5oxQ2i/OM
 NY8RyovWujiGNsa3pId9HmZXiLyLXjKPstGWRK4liMyc2EiP099gTdBvrb+VQp+I
 EyPavmh3WNhgZGOh3qah39X8HrBprc0PPfSPlxpaWdNMIIMSbcIWWdJEA/e4tcy/
 uBaV4H3sNCtBApgrb6B9YUbS9CXNUburJo19T1sk2uCaO12qYfdu2IDEnFf8JiF3
 i7nyftotRuoKq2D+V8d0PeMi/vJSo6+eZIn7VNe6ejYf+w0s7sxlpiKVzkslyOhq
 n0T4M3ZkSwGIETzgkRRuTY1OK7slhglMgXlQ2FuIUUo6CRg9WjRJvI5rujLzLWfB
 hkgP8STirjTV0DUWPFGtUcenvEcZPkYIQcoPHxOJGNW3ZPXNpt4RjbvPLeVzDm0O
 WJiay/qhag/bXGqKraO3b6Y7FOzJa8kG4G0XrcFY1s2oCXRqRqYJAtwaEeVCjCSJ
 Qy0OZkqcJEU7pv98pLMpG9OWz4Gle77g4KoQUJjQGtmg0MUMoPd0iPRmvkxsYg8E
 Q9uZS3m6PpWmmYDY0Ik1w/4avs3skl2mW3dqcZGLEepkjiQSnFABsuvxKd+uIEQy
 lyf9FrynXVcUI87LUkuniLRKwZZzFALVuc+BwtO3SA5mvEK22ZEq9QOysbwlpN54
 G5xXJKJEeexUSjEUIij4J89RLsXldibhp7YYZ7rFviR6chIqC0V7G6VqAM9TOCrV
 PWZXr3ZY5/pCZYs5DYKFJBFMSQ2UT/++VYxdZCeBH75vaxugbS8RdUM+iVDevWpQ
 /AnP1FolNAgkVhi3Rw4L16SibkqpEzIi1svPWKMwXdvewA32UidLElhuTWWjI2Wm
 veXhmEqwk/7ML4JMI7wHcDQdvSKen0mCL2J9tB7A/pewYyDE0ffIUmjxglOtw30f
 ZOlQKhMaKJGXp00U2zsHA2NJRI/hThbJncsnZyvuLei0P42RrF+r64b/0gUH6IZ5
 wPUttT815KSNoy+XXXum9YGDYYFoAL+6WVEkl6dgo+X0hcH7DDf5Nkewiq8UcJGh
 /69vFIfp+JlpicXzZ+R42LO3T3luC907aFBywF3pmi//
 -----END ENCRYPTED PRIVATE KEY-----
--- a/tests/test_tls.py
+++ b/tests/test_tls.py
@ -33,12 +33,19 @@ from sanic.response import text
 current_dir = os.path.dirname(os.path.realpath(__file__))
 localhost_dir = os.path.join(current_dir, "certs/localhost")
 password_dir = os.path.join(current_dir, "certs/password")
 sanic_dir = os.path.join(current_dir, "certs/sanic.example")
 invalid_dir = os.path.join(current_dir, "certs/invalid.nonexist")
 localhost_cert = os.path.join(localhost_dir, "fullchain.pem")
 localhost_key = os.path.join(localhost_dir, "privkey.pem")
 sanic_cert = os.path.join(sanic_dir, "fullchain.pem")
 sanic_key = os.path.join(sanic_dir, "privkey.pem")
 password_dict = {
    "cert": os.path.join(password_dir, "fullchain.pem"),
    "key": os.path.join(password_dir, "privkey.pem"),
    "password": "password",
    "names": ["localhost"],
 }
@pytest.fixture
@ -677,3 +684,34 @@ def test_ssl_in_multiprocess_mode(app: Sanic, caplog):
        logging.INFO,
        "Goin' Fast @ https://127.0.0.1:8000",
    ) in caplog.record_tuples
@pytest.mark.skipif(
    sys.platform not in ("linux", "darwin"),
    reason="This test requires fork context",
 )
 def test_ssl_in_multiprocess_mode_password(
    app: Sanic, caplog: pytest.LogCaptureFixture
 ):
    event = Event()
    @app.main_process_start
    async def main_start(app: Sanic):
        app.shared_ctx.event = event
    @app.after_server_start
    async def shutdown(app):
        app.shared_ctx.event.set()
        app.stop()
    assert not event.is_set()
    with use_context("fork"):
        with caplog.at_level(logging.INFO):
            app.run(ssl=password_dict)
    assert event.is_set()
    assert (
        "sanic.root",
        logging.INFO,
        "Goin' Fast @ https://127.0.0.1:8000",
    ) in caplog.record_tuples