Merge pull request #390 from chngtrn/pr/issue_376

Enable SSL support.

Author: royrusso

application.py

@@ -8,6 +8,8 @@
 default_host = '0.0.0.0'
 default_port = 5000
 default_debug = False
+default_enable_ssl = False
+default_ca_certs = None
 default_url = 'http://localhost:9200'
 is_gunicorn = "gunicorn" in os.environ.get("SERVER_SOFTWARE", "")
 
@@ -28,11 +30,19 @@
                       action="store_true", dest="debug", default=default_debug,
                       help=optparse.SUPPRESS_HELP)
     parser.add_option("-u", "--url", default=default_url)
+    parser.add_option("-s", "--enable-ssl",
+                      action="store_true", default=default_enable_ssl)
+    parser.add_option("-c", "--ca-certs", default=default_ca_certs,
+                      help='Required when --use-ssl is set. ' + \
+                           'Path to CA file or directory [default %s]' % default_ca_certs)
+
 
     options, _ = parser.parse_args()
 
     # set default url, override with env for docker
     application.config['DEFAULT_URL'] = os.environ.get('HQ_DEFAULT_URL', options.url)
+    application.config['ENABLE_SSL'] = os.environ.get('HQ_ENABLE_SSL', options.enable_ssl)
+    application.config['CA_CERTS'] = os.environ.get('HQ_CA_CERTS', options.ca_certs)
 
     if is_gunicorn:
         # we set reloader False so gunicorn doesn't call two instances of all the Flask init functions.

elastichq/api/clusters.py

@@ -4,7 +4,7 @@
 .. moduleauthor:: Roy Russo <royrusso@gmail.com>
 """
 
-from flask import request
+from flask import request, current_app
 from flask_restful import Resource
 from requests.exceptions import ConnectionError
 
@@ -111,10 +111,14 @@ def post(self):
             scheme = 'https'
 
         try:
+            enable_ssl = current_app.config.get('ENABLE_SSL', False)
+            ca_certs = current_app.config.get('CA_CERTS', None)
+
             response = ConnectionService().create_connection(ip=params['ip'], port=params.get('port', "9200"),
                                                              scheme=scheme, username=params.get('username', None),
                                                              password=params.get('password', None),
-                                                             fail_on_exception=True)
+                                                             fail_on_exception=True,
+                                                             enable_ssl=enable_ssl, ca_certs=ca_certs)
 
             schema = ClusterDTO(many=False)
             result = schema.dump(response)

elastichq/service/ConnectionService.py

@@ -1,5 +1,6 @@
 __author__ = 'royrusso'
 
+import os
 import json
 
 import requests
@@ -34,7 +35,8 @@ def ping(self, ip, port, scheme='http'):
         except Exception as e:
             return False
 
-    def create_connection(self, ip, port, scheme='http', username=None, password=None, fail_on_exception=False):
+    def create_connection(self, ip, port, scheme='http', username=None, password=None,
+                          fail_on_exception=False, enable_ssl=False, ca_certs=None):
         """
         Creates a connection with a cluster and place the connection inside of a connection pool, using the cluster_name as an alias.
         :param ip: 
@@ -55,10 +57,17 @@ def create_connection(self, ip, port, scheme='http', username=None, password=Non
 
             # determine version first
             if is_basic_auth is True:
-                response = requests.get(scheme + "://" + ip + ":" + port, auth=(username, password),
-                                        timeout=REQUEST_TIMEOUT)
+                if enable_ssl:
+                    response = requests.get(scheme + "://" + ip + ":" + port, auth=(username, password),
+                                            timeout=REQUEST_TIMEOUT, verify=ca_certs)
+                else:
+                    response = requests.get(scheme + "://" + ip + ":" + port, auth=(username, password),
+                                            timeout=REQUEST_TIMEOUT)
             else:
-                response = requests.get(scheme + "://" + ip + ":" + port, timeout=REQUEST_TIMEOUT)
+                if enable_ssl:
+                    response = requests.get(scheme + "://" + ip + ":" + port, timeout=REQUEST_TIMEOUT, verify=ca_certs)
+                else:
+                    response = requests.get(scheme + "://" + ip + ":" + port, timeout=REQUEST_TIMEOUT)
 
             if response.status_code == 401:
                 message = "Unable to create connection! Server returned 401 - UNAUTHORIZED: " + scheme + "://" + ip + ":" + port
@@ -68,11 +77,22 @@ def create_connection(self, ip, port, scheme='http', username=None, password=Non
 
             # SAVE to Connection Pools
             if is_basic_auth is True:
-                conn = Elasticsearch(hosts=[scheme + "://" + ip + ":" + port], maxsize=5,
-                                     version=content.get('version').get('number'), http_auth=(username, password))
+                if enable_ssl:
+                    conn = Elasticsearch(hosts=[scheme + "://" + ip + ":" + port], maxsize=5,
+                                         use_ssl=True, verify_certs=True, ca_certs=ca_certs,
+                                         version=content.get('version').get('number'), http_auth=(username, password))
+                else:
+                    conn = Elasticsearch(hosts=[scheme + "://" + ip + ":" + port], maxsize=5,
+                                         version=content.get('version').get('number'), http_auth=(username, password))
+
             else:
-                conn = Elasticsearch(hosts=[scheme + "://" + ip + ":" + port], maxsize=5,
-                                     version=content.get('version').get('number'))
+                if enable_ssl:
+                    conn = Elasticsearch(hosts=[scheme + "://" + ip + ":" + port], maxsize=5,
+                                         use_ssl=True, verify_certs=True, ca_certs=ca_certs,
+                                         version=content.get('version').get('number'))
+                else:
+                    conn = Elasticsearch(hosts=[scheme + "://" + ip + ":" + port], maxsize=5,
+                                         version=content.get('version').get('number'))
 
             self.add_connection(content.get('cluster_name'), conn=conn)