From e5e7c61fa5834c9812aacaf56c23c55fcb3e0321 Mon Sep 17 00:00:00 2001
From: Hans Trompert <hans.trompert@surf.nl>
Date: Thu, 4 Nov 2021 12:55:39 +0100
Subject: [PATCH] simplified setupTLSContext()

In config.py _load_certificates() already makes sure that CERTIFICATE_DIR is
set and if TLS is enabled that KEY and CERTIFICATE are supplied, here we only
need to decide between a full 2 Way TLS context, either to start the server in
TLS mode and/or be able to do TLS client authentication, or a simple TLS
context that will only be able to verify the remote certificate in client
requests.
---
 opennsa/setup.py | 25 ++++++-------------------
 1 file changed, 6 insertions(+), 19 deletions(-)

diff --git a/opennsa/setup.py b/opennsa/setup.py
index 103311d9..e1624fa9 100644
--- a/opennsa/setup.py
+++ b/opennsa/setup.py
@@ -99,29 +99,16 @@ def setupBackend(backend_cfg, network_name, nrm_ports, parent_requester):
 
 def setupTLSContext(vc):
     # ssl/tls contxt
-    if vc[config.TLS]:
-        log.msg('setup for full client/server TLS mode')
+    if vc[config.KEY] and vc[config.CERTIFICATE]:
+        log.msg('setup full 2Way TLS context')
         from opennsa.opennsaTlsContext import opennsa2WayTlsContext
         ctx_factory = opennsa2WayTlsContext(
             vc[config.KEY], vc[config.CERTIFICATE], vc[config.CERTIFICATE_DIR], vc[config.VERIFY_CERT])
-    elif vc[config.CERTIFICATE_DIR]:
-        # create a context so we can verify https urls
-        if not os.path.isdir(vc[config.CERTIFICATE_DIR]):
-            raise config.ConfigurationError(
-                'certdir value {} is not a directory'.format(vc[config.CERTIFICATE_DIR]))
-        if vc[config.KEY] and vc[config.CERTIFICATE]:
-            # enable client authentication even when not in TLS mode
-            log.msg('setup for client TLS mode with client authentication')
-            from opennsa.opennsaTlsContext import opennsa2WayTlsContext
-            ctx_factory = opennsa2WayTlsContext(
-                vc[config.KEY], vc[config.CERTIFICATE], vc[config.CERTIFICATE_DIR], vc[config.VERIFY_CERT])
-        else:
-            from opennsa.opennsaTlsContext import opennsaTlsContext
-            log.msg('setup for client TLS mode without client authentication')
-            ctx_factory = opennsaTlsContext(
-                vc[config.CERTIFICATE_DIR], vc[config.VERIFY_CERT])
     else:
-        ctx_factory = None
+        from opennsa.opennsaTlsContext import opennsaTlsContext
+        log.msg('setup client TLS context without client authentication')
+        ctx_factory = opennsaTlsContext(
+            vc[config.CERTIFICATE_DIR], vc[config.VERIFY_CERT])
 
     return ctx_factory
 
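Review bot: The new else branch drops the `os.path.isdir(vc[config.CERTIFICATE_DIR])` guard together with the `ctx_factory = None` fallback, so a context is now always built from CERTIFICATE_DIR even when that path does not exist on disk. The description says `_load_certificates()` in config.py guarantees the value is set, but "set" and "an existing directory" are different checks; unless that function also validates the path (not visible in this patch), a mistyped certdir would surface only as a failure inside the context factory — or, depending on how opennsaTlsContext loads its CA certificates, as a silently empty trust store — instead of the explicit ConfigurationError the old code raised. Consider keeping the guard at the top of the function, e.g. `if not os.path.isdir(vc[config.CERTIFICATE_DIR]):` / `raise config.ConfigurationError('certdir value {} is not a directory'.format(vc[config.CERTIFICATE_DIR]))`, or confirming the same check lives in config.py. If this was the only use of `os` in the module, the module-level import is now unused.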
-- 
GitLab