Add client certificate support

snoonetIRC · Sep 22, 2019 · 7ebf59f · 7ebf59f
1 parent 0a5fa18
commit 7ebf59f
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 17 deletions.
diff --git a/cloudbot/clients/irc.py b/cloudbot/clients/irc.py
@@ -6,6 +6,7 @@
 import ssl
 import traceback
 from functools import partial
+from pathlib import Path
 
 from irclib.parser import Message
 
@@ -67,34 +68,48 @@ def __init__(self, bot, _type, name, nick, *, channels=None, config=None):
         super().__init__(bot, _type, name, nick, channels=channels, config=config)
 
         self.target_nick = nick
-        self.use_ssl = config['connection'].get('ssl', False)
-        self._ignore_cert_errors = config['connection'].get('ignore_cert', False)
-        self._timeout = config['connection'].get('timeout', 300)
-        self.server = config['connection']['server']
-        self.port = config['connection'].get('port', 6667)
-
-        local_bind = (config['connection'].get('bind_addr', False), config['connection'].get('bind_port', 0))
+        conn_config = config['connection']
+        self.use_ssl = conn_config.get('ssl', False)
+        self._ignore_cert_errors = conn_config.get('ignore_cert', False)
+        self._timeout = conn_config.get('timeout', 300)
+        self.server = conn_config['server']
+        self.port = conn_config.get('port', 6667)
+
+        local_bind = (conn_config.get('bind_addr', False), conn_config.get('bind_port', 0))
         if local_bind[0] is False:
             local_bind = False
 
         self.local_bind = local_bind
         # create SSL context
-        if self.use_ssl:
-            self.ssl_context = ssl.create_default_context()
-            if self._ignore_cert_errors:
-                self.ssl_context.check_hostname = False
-                self.ssl_context.verify_mode = ssl.CERT_NONE
-            else:
-                self.ssl_context.verify_mode = ssl.CERT_REQUIRED
-        else:
-            self.ssl_context = None
+        self.ssl_context = self.make_ssl_context(conn_config)
 
         # transport and protocol
         self._transport = None
         self._protocol = None
 
         self._connecting = False
 
+    def make_ssl_context(self, conn_config):
+        if self.use_ssl:
+            ssl_context = ssl.create_default_context()
+            client_cert = conn_config.get('client_cert')
+            if client_cert:
+                path = Path(client_cert).resolve()
+                if path.exists():
+                    ssl_context.load_cert_chain(str(path))
+                else:
+                    logger.warning("[%s] Unable to load client cert", self.name)
+
+            if self._ignore_cert_errors:
+                ssl_context.check_hostname = False
+                ssl_context.verify_mode = ssl.CERT_NONE
+            else:
+                ssl_context.verify_mode = ssl.CERT_REQUIRED
+        else:
+            ssl_context = None
+
+        return ssl_context
+
     def describe_server(self):
         if self.use_ssl:
             return "+{}:{}".format(self.server, self.port)

diff --git a/config.default.json b/config.default.json
@@ -9,7 +9,8 @@
                 "ssl": false,
                 "ignore_cert": true,
                 "password": "",
-                "timeout": 300
+                "timeout": 300,
+                "client_cert": "cloudbot.pem"
             },
             "ping_settings": {
                 "interval": 60,