Merge branch 'master' into spigotmc

2 files changed, 64 insertions, 3 deletions

diff --git a/python.d/python_modules/bases/FrameworkServices/SocketService.py b/python.d/python_modules/bases/FrameworkServices/SocketService.py
index 8d27ae660e..b1afaa9ce0 100644
--- a/python.d/python_modules/bases/FrameworkServices/SocketService.py
+++ b/python.d/python_modules/bases/FrameworkServices/SocketService.py
@@ -4,6 +4,13 @@
 
 import socket
 
+try:
+    import ssl
+except ImportError:
+    _TLS_SUPPORT = False
+else:
+    _TLS_SUPPORT = True
+
 from bases.FrameworkServices.SimpleService import SimpleService
 
 
@@ -16,6 +23,9 @@ class SocketService(SimpleService):
         self.unix_socket = None
         self.dgram_socket = False
         self.request = ''
+        self.tls = False
+        self.cert = None
+        self.key = None
         self.__socket_config = None
         self.__empty_request = "".encode()
         SimpleService.__init__(self, configuration=configuration, name=name)
@@ -56,10 +66,24 @@ class SocketService(SimpleService):
             self.__socket_config = None
             return False
 
+        if self.tls:
+            try:
+                self.debug('Encapsulating socket with TLS')
+                self._sock = ssl.wrap_socket(self._sock,
+                                             keyfile=self.key,
+                                             certfile=self.cert,
+                                             server_side=False,
+                                             cert_reqs=ssl.CERT_NONE)
+            except (socket.error, ssl.SSLError) as error:
+                self.error('Failed to wrap socket.')
+                self._disconnect()
+                self.__socket_config = None
+                return False
+
         try:
             self.debug('connecting socket to "{address}", port {port}'.format(address=sa[0], port=sa[1]))
             self._sock.connect(sa)
-        except socket.error as error:
+        except (socket.error, ssl.SSLError) as error:
             self.error('Failed to connect to "{address}", port {port}, error: {error}'.format(address=sa[0],
                                                                                               port=sa[1],
                                                                                               error=error))
@@ -249,6 +273,28 @@ class SocketService(SimpleService):
             except (KeyError, TypeError):
                 self.debug('No port specified. Using: "{0}"'.format(self.port))
 
+            self.tls = bool(self.configuration.get('tls', self.tls))
+            if self.tls and not _TLS_SUPPORT:
+                self.warning('TLS requested but no TLS module found, disabling TLS support.')
+                self.tls = False
+            if _TLS_SUPPORT and not self.tls:
+                self.debug('No TLS preference specified, not using TLS.')
+
+            if self.tls and _TLS_SUPPORT:
+                self.key = self.configuration.get('tls_key_file')
+                self.cert = self.configuration.get('tls_cert_file')
+                if not self.cert:
+                    # If there's not a valid certificate, clear the key too.
+                    self.debug('No valid TLS client certificate configuration found.')
+                    self.key = None
+                    self.cert = None
+                elif not self.key:
+                    # If a key isn't listed, the config may still be
+                    # valid, because there may be a key attached to the
+                    # certificate.
+                    self.info('No TLS client key specified, assuming it\'s attached to the certificate.')
+                    self.key = None
+
         try:
             self.request = str(self.configuration['request'])
         except (KeyError, TypeError):
diff --git a/python.d/python_modules/bases/FrameworkServices/UrlService.py b/python.d/python_modules/bases/FrameworkServices/UrlService.py
index 3f4fcf6f7a..74262df16e 100644
--- a/python.d/python_modules/bases/FrameworkServices/UrlService.py
+++ b/python.d/python_modules/bases/FrameworkServices/UrlService.py
@@ -25,6 +25,9 @@ class UrlService(SimpleService):
         self.header = self.configuration.get('header')
         self.request_timeout = self.configuration.get('timeout', 1)
         self.tls_verify = self.configuration.get('tls_verify')
+        self.tls_ca_file = self.configuration.get('tls_ca_file')
+        self.tls_key_file = self.configuration.get('tls_key_file')
+        self.tls_cert_file = self.configuration.get('tls_cert_file')
         self._manager = None
 
     def __make_headers(self, **header_kw):
@@ -61,10 +64,22 @@ class UrlService(SimpleService):
         else:
             manager = urllib3.PoolManager
             params = dict(headers=header)
+        tls_cert_file = self.tls_cert_file
+        if tls_cert_file:
+            params['cert_file'] = tls_cert_file
+            # NOTE: key_file is useless without cert_file, but
+            #       cert_file may include the key as well.
+            tls_key_file = self.tls_key_file
+            if tls_key_file:
+                params['key_file'] = tls_key_file
+        tls_ca_file = self.tls_ca_file
+        if tls_ca_file:
+            params['ca_certs'] = tls_ca_file
         try:
             url = header_kw.get('url') or self.url
-            if url.startswith('https') and not self.tls_verify:
-                return manager(assert_hostname=False, cert_reqs='CERT_NONE', ca_certs=None, **params)
+            if url.startswith('https') and not self.tls_verify and not tls_ca_file:
+                params['ca_certs'] = None
+                return manager(assert_hostname=False, cert_reqs='CERT_NONE', **params)
             return manager(**params)
         except (urllib3.exceptions.ProxySchemeUnknown, TypeError) as error:
             self.error('build_manager() error:', str(error))