[FFM-7006] - Add support for custom TLS CA certs (#89)

* [FFM-7006] - Add support for custom TLS CA certs

What
This change allows caller to programmatically configure a self-signed or custom bundle certs without the need to pre-install them on the system

Why
On-prem deployments may not have a hostname signed with a public CA

Testing
Manual testing with TLS proxy

Author: andybharness

examples/getting_started/getting_started.py

@@ -19,6 +19,7 @@ def main():
     log.info("Harness SDK Getting Started")
     # Create a Feature Flag Client
     client = CfClient(api_key)
+    client.wait_for_initialization()
 
 
     # Create a target (different targets can get different results based on rules)

featureflags/__init__.py

@@ -2,4 +2,4 @@
 
 __author__ = """Enver Bisevac"""
 __email__ = "[email protected]"
-__version__ = '1.5.0'
+__version__ = '1.6.0'

featureflags/analytics.py

@@ -34,7 +34,7 @@
 VARIATION_VALUE_ATTRIBUTE = 'variationValue'
 TARGET_ATTRIBUTE = 'target'
 SDK_VERSION_ATTRIBUTE = 'SDK_VERSION'
-SDK_VERSION = '1.5.0'
+SDK_VERSION = '1.6.0'
 SDK_TYPE_ATTRIBUTE = 'SDK_TYPE'
 SDK_TYPE = 'server'
 SDK_LANGUAGE_ATTRIBUTE = 'SDK_LANGUAGE'

featureflags/api/client.py

@@ -14,6 +14,7 @@ class Client:
     headers: Dict[str, str] = attr.ib(factory=dict, kw_only=True)
     timeout: float = attr.ib(30.0, kw_only=True)
     max_auth_retries: int
+    tls_trusted_cas_file: str
 
     def get_headers(self) -> Dict[str, str]:
         """Get headers to be used in all endpoints"""

featureflags/api/default/authenticate.py

@@ -34,14 +34,19 @@ def _get_kwargs(
 
     json_json_body = json_body.to_dict()
 
-    return {
+    args = {
         "url": url,
         "headers": headers,
         "cookies": cookies,
         "timeout": client.get_timeout(),
-        "json": json_json_body,
+        "json": json_json_body
     }
 
+    if client.tls_trusted_cas_file is not None:
+        args["verify"] = client.tls_trusted_cas_file
+
+    return args
+
 
 def _parse_response(
         *, response: httpx.Response

featureflags/api/default/get_all_segments.py

@@ -33,14 +33,19 @@ def _get_kwargs(
     headers: Dict[str, Any] = client.get_headers()
     cookies: Dict[str, Any] = client.get_cookies()
 
-    return {
+    args = {
         "url": url,
         "params": query_params,
         "headers": headers,
         "cookies": cookies,
         "timeout": client.get_timeout(),
     }
 
+    if client.tls_trusted_cas_file is not None:
+        args["verify"] = client.tls_trusted_cas_file
+
+    return args
+
 
 def _parse_response(*, response: httpx.Response) -> Optional[List[Segment]]:
     if response.status_code == 200:

featureflags/api/default/get_feature_config.py

@@ -34,14 +34,19 @@ def _get_kwargs(
     headers: Dict[str, Any] = client.get_headers()
     cookies: Dict[str, Any] = client.get_cookies()
 
-    return {
+    args = {
         "url": url,
         "params": query_params,
         "headers": headers,
         "cookies": cookies,
         "timeout": client.get_timeout(),
     }
 
+    if client.tls_trusted_cas_file is not None:
+        args["verify"] = client.tls_trusted_cas_file
+
+    return args
+
 
 def _parse_response(
         *,

featureflags/api/default/post_metrics.py

@@ -29,7 +29,7 @@ def _get_kwargs(
 
     json_json_body = json_body.to_dict()
 
-    return {
+    args = {
         "url": url,
         "params": query_params,
         "headers": headers,
@@ -38,6 +38,11 @@ def _get_kwargs(
         "json": json_json_body,
     }
 
+    if client.tls_trusted_cas_file is not None:
+        args["verify"] = client.tls_trusted_cas_file
+
+    return args
+
 
 def _build_response(*, response: httpx.Response) -> Response[None]:
     return Response(

featureflags/client.py

@@ -23,7 +23,7 @@
 import featureflags.sdk_logging_codes as sdk_codes
 from .util import log
 
-VERSION: str = "1.0"
+VERSION: str = "1.6.0"
 
 
 class MissingOrEmptyAPIKeyException(Exception):
@@ -175,7 +175,8 @@ def authenticate(self):
         client = Client(
             base_url=self._config.base_url,
             events_url=self._config.events_url,
-            max_auth_retries=self._config.max_auth_retries
+            max_auth_retries=self._config.max_auth_retries,
+            tls_trusted_cas_file=self._config.tls_trusted_cas_file
         )
         body = AuthenticationRequest(api_key=self._sdk_key)
         response = authenticate(client=client, json_body=body)
@@ -194,7 +195,8 @@ def authenticate(self):
             params={
                 'cluster': self._cluster
             },
-            max_auth_retries=self._config.max_auth_retries
+            max_auth_retries=self._config.max_auth_retries,
+            tls_trusted_cas_file=self._config.tls_trusted_cas_file
         )
         # Additional headers used to track usage
         additional_headers = {

featureflags/config.py

@@ -28,7 +28,8 @@ def __init__(
             store: object = None,
             enable_stream: bool = True,
             enable_analytics: bool = True,
-            max_auth_retries: int = 10
+            max_auth_retries: int = 10,
+            tls_trusted_cas_file: str = None
     ):
         self.base_url = base_url
         self.events_url = events_url
@@ -48,6 +49,7 @@ def __init__(
         self.enable_stream = enable_stream
         self.enable_analytics = enable_analytics
         self.max_auth_retries = max_auth_retries
+        self.tls_trusted_cas_file = tls_trusted_cas_file
 
 
 default_config = Config()
@@ -93,3 +95,15 @@ def func(config: Config) -> None:
         config.max_auth_retries = value
 
     return func
+
+
+def with_tls_trusted_cas_file(value: str) -> Callable:
+    """
+    This config item is for on-prem or proxy customers using custom TLS certs.
+    It takes a filename of a CA bundle. It should include all intermediate CAs
+    and the root CA (concatenated in PEM format).
+    """
+    def func(config: Config) -> None:
+        config.tls_trusted_cas_file = value
+
+    return func