add support for connecting docker api with tls

frankli0324 · May 25, 2021 · a1b5315 · a1b5315
1 parent 5fd0b26
commit a1b5315
Show file tree

Hide file tree

Showing 4 changed files with 77 additions and 9 deletions.
diff --git a/templates/config/docker.config.html b/templates/config/docker.config.html
@@ -12,15 +12,62 @@ <h5>Common</h5>
         <div class="form-group">
             <label for="{{ val[0].replace('_', '-') }}">
                 {{ config }}
-                <small class="form-text text-muted">
-                    {{ val[1] }}
-                </small>
+                <small class="form-text text-muted">{{ val[1] }}</small>
             </label>
             <input type="text" class="form-control"
                    id="{{ val[0].replace('_', '-') }}" name="{{ 'whale:' + val[0] }}"
                    {% if value != None %}value="{{ value }}"{% endif %}>
         </div>
     {% endfor %}
+        {% set use_ssl = get_config('whale:docker_use_ssl') %}
+        <div class="form-check">
+            <input type="checkbox" id="docker-use-ssl" name="whale:docker_use_ssl"
+                   {% if use_ssl == True %}checked{% endif %}>
+            <label for="docker-use-ssl">Use SSL</label>
+        </div>
+        <div class="container" id="docker-ssl-config">
+            <div class="form-group">
+                <label for="docker-ssl-ca-cert">
+                    SSL CA Certificate
+                    <small class="form-text text-muted">
+                        the location of the CA certificate file used in ssl connection
+                    </small>
+                </label>
+                <input type="text" class="form-control"
+                       id="docker-ssl-ca-cert" name="whale:docker_ssl_ca_cert"
+                       value="{{ get_config('whale:docker_ssl_ca_cert') }}">
+            </div>
+            <div class="form-group">
+                <label for="docker-ssl-client-cert">
+                    SSL Client Certificate
+                    <small class="form-text text-muted">
+                        the location of the client certificate file used in ssl connection
+                    </small>
+                </label>
+                <input type="text" class="form-control"
+                       id="docker-ssl-client-cert" name="whale:docker_ssl_client_cert"
+                       value="{{ get_config('whale:docker_ssl_client_cert') }}">
+            </div>
+            <div class="form-group">
+                <label for="docker-ssl-client-key">
+                    SSL Client Key
+                    <small class="form-text text-muted">
+                        the location of the client key file used in ssl connection
+                    </small>
+                </label>
+                <input type="text" class="form-control"
+                       id="docker-ssl-client-key" name="whale:docker_ssl_client_key"
+                       value="{{ get_config('whale:docker_ssl_client_key') }}">
+            </div>
+        </div>
+        <script>
+            (function () {
+                let config = document.getElementById('docker-ssl-config');
+                let option = document.getElementById('docker-use-ssl');
+                config.hidden = !option.checked;
+                option.onclick = () => (config.hidden = !option.checked) || true;
+            }) ()
+        </script>
     <hr>
     <h5>Standalone Containers</h5>
     <small class="form-text text-muted">

diff --git a/utils/cache.py b/utils/cache.py
@@ -1,4 +1,3 @@
-import docker
 import ipaddress
 import warnings
 from CTFd.cache import cache
@@ -32,7 +31,8 @@ def init_port_sets(self):
             if port not in used_port_list:
                 self.add_available_port(port)
 
-        client = docker.DockerClient(base_url=get_config("whale:docker_api_url"))
+        from .docker import get_docker_client
+        client = get_docker_client()
 
         docker_subnet = get_config("whale:docker_subnet", "174.1.0.0/16")
         docker_subnet_new_prefix = int(

diff --git a/utils/checks.py b/utils/checks.py
@@ -1,14 +1,17 @@
-from docker import DockerClient
-from docker.errors import DockerException, APIError, requests
+from docker.errors import DockerException, TLSParameterError, APIError, requests
 
 from CTFd.utils import get_config
 
+from .docker import get_docker_client
+
 
 class WhaleChecks:
     @staticmethod
     def check_docker_api():
         try:
-            client = DockerClient(base_url=get_config("whale:docker_api_url"))
+            client = get_docker_client()
+        except TLSParameterError as e:
+            return f'Docker TLS Parameters incorrect ({e})'
         except DockerException as e:
             return f'Docker API url incorrect ({e})'
         try:

diff --git a/utils/docker.py b/utils/docker.py
@@ -12,11 +12,29 @@
 from .exceptions import WhaleError
 
 
+def get_docker_client():
+    if get_config("whale:docker_use_ssl", False):
+        tls_config = docker.tls.TLSConfig(
+            verify=True,
+            ca_cert=get_config("whale:docker_ssl_ca_cert") or None,
+            client_cert=(
+                get_config("whale:docker_ssl_client_cert"),
+                get_config("whale:docker_ssl_client_key")
+            ),
+        )
+        return docker.DockerClient(
+            base_url=get_config("whale:docker_api_url"),
+            tls=tls_config,
+        )
+    else:
+        return docker.DockerClient(base_url=get_config("whale:docker_api_url"))
+
+
 class DockerUtils:
     @staticmethod
     def init():
         try:
-            DockerUtils.client = docker.DockerClient(base_url=get_config("whale:docker_api_url"))
+            DockerUtils.client = get_docker_client()
             # docker-py is thread safe: https://github.com/docker/docker-py/issues/619
         except Exception:
             raise WhaleError(