From 288b029ce71b33e2165bee48635946cf1d55b8d1 Mon Sep 17 00:00:00 2001
From: andugga <64044503+andugga@users.noreply.github.com>
Date: Tue, 9 Nov 2021 12:53:19 -0800
Subject: [PATCH] Allow specifying a keyfile with cert-based authentication (#398)

* Add cert based authentication Add certificate based authentication
* Add certificate based authentication
* Addressed review comments Addressed review comments
* Update messaging.py redundant check on un verified context
---
docs/user-guide/Authentication.md | 10 ++++++++--
docs/user-guide/SettingsFile.md | 5 +++++
restler/engine/transport_layer/messaging.py | 7 +++++--
restler/restler_settings.py | 6 ++++++
4 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/docs/user-guide/Authentication.md b/docs/user-guide/Authentication.md
index 92b8612..827430c 100644
--- a/docs/user-guide/Authentication.md
+++ b/docs/user-guide/Authentication.md
@@ -1,6 +1,8 @@
# Authentication
-RESTler supports token-based authentication.
+RESTler supports token-based and certificate based authentication.
+
+**Token based authentication** The user must provide a separate program to generate tokens, which implements the authentication method required by the API. This will be invoked in a separate process by RESTler to obtain and regularly refresh tokens. When invoked, this program must print metadata about the tokens on the first line, followed by each token and the required token header on a separate line for each application. For example:
@@ -30,4 +32,8 @@ Note: in the above example, there are two different applications. This is only
**Token values in logs**
-RESTler has logic to prevent token values from being written to the network logs. It is recommended to check the RESTler network logs and make sure that the token values are, indeed, successfully omitted from the logs.
\ No newline at end of file
+RESTler has logic to prevent token values from being written to the network logs. It is recommended to check the RESTler network logs and make sure that the token values are, indeed, successfully omitted from the logs.
+
+**Certificate based authentication**
+
+A Certificate and corresponding keys can be used as an authentication mechanism. See the SettingsFile.md for the settings that should be used to specify a certificate. If both the keyfile and certificate path are valid, RESTler will attempt to use it during the SSL handshake.
\ No newline at end of file
diff --git a/docs/user-guide/SettingsFile.md b/docs/user-guide/SettingsFile.md
index c34f5d2..1ef8514 100644
--- a/docs/user-guide/SettingsFile.md
+++ b/docs/user-guide/SettingsFile.md
@@ -32,6 +32,11 @@ Path to your X.509 certificate file in PEM format.
If provided and valid, RESTler will attempt to use it during the SSL handshake.
+### client_certificate_key_path: str (default None)
+Path to your key file in a txt file.
+
+If provided and valid, RESTler will attempt to use it during the SSL handshake.
+
### custom_bug_codes: list(str)
List of status codes that will be flagged as bugs.
diff --git a/restler/engine/transport_layer/messaging.py b/restler/engine/transport_layer/messaging.py
index baff7ec..28aa283 100644
--- a/restler/engine/transport_layer/messaging.py
+++ b/restler/engine/transport_layer/messaging.py
@@ -55,10 +55,13 @@ class HttpSock(object):
context = ssl.create_default_context()
if Settings().client_certificate_path:
context.load_cert_chain(
- certfile=Settings().client_certificate_path
+ certfile = Settings().client_certificate_path,
+ keyfile = Settings().client_certificate_key_path,
)
- with socket.create_connection((target_ip, target_port or 443)) as sock:
+
+ with socket.create_connection((target_ip, target_port or 443)) as sock:
self._sock = context.wrap_socket(sock, server_hostname=host)
+
else:
self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self._sock.connect((target_ip, target_port or 80))
diff --git a/restler/restler_settings.py b/restler/restler_settings.py
index 338e4c3..a1d95fe 100644
--- a/restler/restler_settings.py
+++ b/restler/restler_settings.py
@@ -364,6 +364,8 @@ class RestlerSettings(object):
## Path to Client Cert for Certificate Based Authentication
self._client_certificate_path = SettingsArg('client_certificate_path', str, None, user_args)
+ ## Path to Client Cert Key for Certificate Based Authentication
+ self._client_certificate_key_path = SettingsArg('client_certificate_key_path', str, None, user_args)
## List of endpoints whose resource is to be created only once - Will be set with other per_resource settings
self._create_once_endpoints = SettingsListArg('create_once', str, None, val_convert=str_to_hex_def)
## List of status codes that will be flagged as bugs
@@ -469,6 +471,10 @@ class RestlerSettings(object):
@property
def client_certificate_path(self):
return self._client_certificate_path.val
+
+ @property
+ def client_certificate_key_path(self):
+ return self._client_certificate_key_path.val
@property
def connection_settings(self):
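Review bot: The rewritten `load_cert_chain` call puts spaces around `=` in its keyword arguments (`certfile = ...`, `keyfile = ...`), which PEP 8 (E251) forbids and which the removed line did not do; `certfile=Settings().client_certificate_path, keyfile=Settings().client_certificate_key_path,` keeps the file's style. A comment is also missing on what happens when only one of the two settings is given: with `client_certificate_key_path` unset the call falls back to `keyfile=None`, so the private key must live inside the certificate file, and a key path given without `client_certificate_path` is silently ignored because only the latter is tested on the `if`. No `password` is passed to `load_cert_chain`, so an encrypted key file would make the ssl module prompt interactively on the console instead of failing with a clear error; consider documenting that the key must be an unencrypted PEM file (SettingsFile.md currently says "txt file") or exposing a password setting. The enclosing method starts and ends outside the hunk.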
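Review bot: The comment on the new `_client_certificate_key_path` setting in the `@@ -364` hunk does not say how it relates to `client_certificate_path`, which is the only thing the transport layer checks before using it; suggest `## Path to the private key for client_certificate_path; only consulted when that setting is given, may be omitted when the key is inside the certificate file`. If `SettingsArg` does not verify that the file exists (its definition is not visible here), a mistyped path surfaces only as an ssl error at connection time, so a file-existence check beside the other settings validation would give a clearer message. The `@@ -469` property hunk mirrors `client_certificate_path` and needs no change.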