From a1b5315296388a3f18a52b2b31dbb1913e18d671 Mon Sep 17 00:00:00 2001
From: Frank
Date: Tue, 25 May 2021 21:21:37 +0800
Subject: [PATCH] add support for connecting docker api with tls
---
 templates/config/docker.config.html | 53 +++++++++++++++++++++++++++--
 utils/cache.py | 4 +--
 utils/checks.py | 9 +++--
 utils/docker.py | 20 ++++++++++-
 4 files changed, 77 insertions(+), 9 deletions(-)
diff --git a/templates/config/docker.config.html b/templates/config/docker.config.html
index 9c6c2a5..a46bf1b 100644
--- a/templates/config/docker.config.html
+++ b/templates/config/docker.config.html
@@ -12,15 +12,62 @@
Common
{% endfor %} + {% set use_ssl = get_config('whale:docker_use_ssl') %} +
+ + +
+
+
+ + +
+
+ + +
+
+ + +
+
+
Standalone Containers
diff --git a/utils/cache.py b/utils/cache.py
index 3b3f164..cd24700 100644
--- a/utils/cache.py
+++ b/utils/cache.py
@@ -1,4 +1,3 @@
-import docker
 import ipaddress
 import warnings
 from CTFd.cache import cache
@@ -32,7 +31,8 @@ def init_port_sets(self):
 if port not in used_port_list:
 self.add_available_port(port)
- client = docker.DockerClient(base_url=get_config("whale:docker_api_url"))
+ from .docker import get_docker_client
+ client = get_docker_client()
 docker_subnet = get_config("whale:docker_subnet", "174.1.0.0/16")
 docker_subnet_new_prefix = int(
diff --git a/utils/checks.py b/utils/checks.py
index 1922cd6..6e46376 100644
--- a/utils/checks.py
+++ b/utils/checks.py
@@ -1,14 +1,17 @@
-from docker import DockerClient
-from docker.errors import DockerException, APIError, requests
+from docker.errors import DockerException, TLSParameterError, APIError, requests
 from CTFd.utils import get_config
+from .docker import get_docker_client
+
 class WhaleChecks:
 @staticmethod
 def check_docker_api():
 try:
- client = DockerClient(base_url=get_config("whale:docker_api_url"))
+ client = get_docker_client()
+ except TLSParameterError as e:
+ return f'Docker TLS Parameters incorrect ({e})'
 except DockerException as e:
 return f'Docker API url incorrect ({e})'
 try:
diff --git a/utils/docker.py b/utils/docker.py
index 736179d..2fe1b42 100644
--- a/utils/docker.py
+++ b/utils/docker.py
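Review bot: In `utils/cache.py`, the import added inside `init_port_sets` (`from .docker import get_docker_client`) has no comment saying why it is function-scoped, while `utils/checks.py` imports the same name at module top. If it is there to avoid an import cycle with `utils/docker.py` (not visible in this hunk), a comment such as `# imported here because utils.docker imports this module` would keep a later cleanup from hoisting it. `init_port_sets` starts and ends outside the hunk.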
@@ -12,11 +12,29 @@
 from .exceptions import WhaleError
+def get_docker_client():
+ if get_config("whale:docker_use_ssl", False):
+ tls_config = docker.tls.TLSConfig(
+ verify=True,
+ ca_cert=get_config("whale:docker_ssl_ca_cert") or None,
+ client_cert=(
+ get_config("whale:docker_ssl_client_cert"),
+ get_config("whale:docker_ssl_client_key")
+ ),
+ )
+ return docker.DockerClient(
+ base_url=get_config("whale:docker_api_url"),
+ tls=tls_config,
+ )
+ else:
+ return docker.DockerClient(base_url=get_config("whale:docker_api_url"))
+
+
 class DockerUtils:
 @staticmethod
 def init():
 try:
- DockerUtils.client = docker.DockerClient(base_url=get_config("whale:docker_api_url"))
+ DockerUtils.client = get_docker_client()
 # docker-py is thread safe: https://github.com/docker/docker-py/issues/619
 except Exception:
 raise WhaleError(
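Review bot: `get_docker_client()` never checks that `whale:docker_api_url` uses a scheme the `TLSConfig` can apply to, so with `whale:docker_use_ssl` on and a URL such as `http://…` or `unix://…` the client may be built without error and still talk to the daemon unencrypted (as far as I know docker-py only upgrades `tcp://` to HTTPS when `tls` is passed; worth confirming against the pinned version). Reading the URL once and rejecting the mismatch, e.g. `if not base_url.startswith(("tcp://", "https://")): raise docker.errors.TLSParameterError("TLS is enabled but whale:docker_api_url is not tcp:// or https://")`, keeps the failure visible in `check_docker_api`, which already catches that exception. Separately, `client_cert` is always a 2-tuple even when both settings are empty, unlike `ca_cert`, which gets `or None`. If server-only TLS is meant to work, pass `client_cert=None` when the pair is unset; otherwise a docstring should state that a client certificate and key are required and that docker-py expects file paths for them. `DockerUtils.init` continues past the end of the hunk.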