- TLS Refactoring

2025-09-04 15:22:45 +02:00
parent af8b5f54cd
commit 54a9641440
5 changed files with 80 additions and 67 deletions
--- a/config/config.py
+++ b/config/config.py
@@ -2,6 +2,9 @@ import os
 from os import environ, path
 from datetime import timedelta
 import redis
+import ssl
+import tempfile
+from ipaddress import ip_address

 from common.utils.prompt_loader import load_prompt_templates

@@ -30,11 +33,38 @@ class Config(object):
    REDIS_PASS = environ.get('REDIS_PASS')
    REDIS_CERT_DATA = environ.get('REDIS_CERT')

+    # Determine if REDIS_URL is an IP; use it to control hostname checking
+    REDIS_IS_IP = False
+    try:
+        ip_address(REDIS_URL)
+        REDIS_IS_IP = True
+    except Exception:
+        REDIS_IS_IP = False
+    REDIS_SSL_CHECK_HOSTNAME = not REDIS_IS_IP
+
+    # Write CA once to a file, expose path
+    REDIS_CA_CERT_PATH = None
+    if REDIS_CERT_DATA:
+        _tmp = tempfile.NamedTemporaryFile(mode='w', delete=False, suffix='.pem')
+        _tmp.write(REDIS_CERT_DATA)
+        _tmp.flush()
+        _tmp.close()
+        REDIS_CA_CERT_PATH = _tmp.name
+
    if not REDIS_CERT_DATA:   # We are in a simple dev/test environment
        REDIS_BASE_URI = f'redis://{REDIS_URL}:{REDIS_PORT}'
    else:   # We are in a scaleway environment, providing name, user and certificate
        REDIS_BASE_URI = f'rediss://{REDIS_USER}:{REDIS_PASS}@{REDIS_URL}:{REDIS_PORT}'

+    # Central SSL options dict for reuse (Celery/Dogpile/etc.)
+    REDIS_SSL_OPTIONS = None
+    if REDIS_CERT_DATA and REDIS_CA_CERT_PATH:
+        REDIS_SSL_OPTIONS = {
+            'ssl_cert_reqs': ssl.CERT_REQUIRED,
+            'ssl_ca_certs': REDIS_CA_CERT_PATH,
+            'ssl_check_hostname': REDIS_SSL_CHECK_HOSTNAME,
+        }
+
    REDIS_PREFIXES = {
        'celery_app': 'celery:app:',
        'celery_chat': 'celery:chat:',
@@ -62,7 +92,20 @@ class Config(object):
    SESSION_USE_SIGNER = True
    PERMANENT_SESSION_LIFETIME = timedelta(minutes=60)
    SESSION_REFRESH_EACH_REQUEST = True
-    SESSION_REDIS = redis.from_url(f'{REDIS_BASE_URI}/0')
+    # Configure SESSION_REDIS with SSL when cert is provided
+    if REDIS_CERT_DATA and REDIS_CA_CERT_PATH:
+        SESSION_REDIS = redis.Redis(
+            host=REDIS_URL,
+            port=int(REDIS_PORT or 6379),
+            username=REDIS_USER,
+            password=REDIS_PASS,
+            ssl=True,
+            ssl_cert_reqs=ssl.CERT_REQUIRED,
+            ssl_ca_certs=REDIS_CA_CERT_PATH,
+            ssl_check_hostname=REDIS_SSL_CHECK_HOSTNAME,
+        )
+    else:
+        SESSION_REDIS = redis.from_url(f'{REDIS_BASE_URI}/0')
    SESSION_KEY_PREFIX = f'session_{COMPONENT_NAME}:'
    SESSION_COOKIE_NAME = f'{COMPONENT_NAME}_session'
    SESSION_COOKIE_DOMAIN = None  # Laat Flask dit automatisch bepalen