From 794139782ff56ab17fc92f9538b65fbf2d7dc017 Mon Sep 17 00:00:00 2001
From: jiangweidong
Date: Mon, 14 Mar 2022 11:35:14 +0800
Subject: [PATCH] =?UTF-8?q?feat:=20JumpServer=E6=94=AF=E6=8C=81=E9=83=A8?= =?UTF-8?q?=E7=BD=B2=E5=9C=A8=E4=BD=BF=E7=94=A8=E4=BA=86ssl=E7=9A=84redis?= =?UTF-8?q?=E4=B8=8A=EF=BC=8C=E5=8F=AF=E4=BD=BF=E7=94=A8=E8=AF=81=E4=B9=A6?= =?UTF-8?q?=E8=BF=9E=E6=8E=A5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
apps/common/utils/connection.py | 1 +
apps/jumpserver/rewriting/session.py | 1 +
apps/jumpserver/settings/base.py | 9 +++++++++
apps/jumpserver/settings/libs.py | 7 ++++---
utils/start_celery_beat.py | 9 +++++++++
5 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/apps/common/utils/connection.py b/apps/common/utils/connection.py
index 22030c809..291d4516d 100644
--- a/apps/common/utils/connection.py
+++ b/apps/common/utils/connection.py
@@ -19,6 +19,7 @@ def get_redis_client(db=0): 'password': CONFIG.REDIS_PASSWORD, 'db': db, "ssl": is_true(CONFIG.REDIS_USE_SSL), + 'ssl_cert_reqs': CONFIG.REDIS_SSL_REQUIRED, 'ssl_keyfile': getattr(settings, 'REDIS_SSL_KEYFILE'), 'ssl_certfile': getattr(settings, 'REDIS_SSL_CERTFILE'), 'ssl_ca_certs': getattr(settings, 'REDIS_SSL_CA_CERTS'),
diff --git a/apps/jumpserver/rewriting/session.py b/apps/jumpserver/rewriting/session.py
index 7b5ee150e..ff34caded 100644
--- a/apps/jumpserver/rewriting/session.py
+++ b/apps/jumpserver/rewriting/session.py
@@ -18,6 +18,7 @@ class RedisServer(RedisRedisServer): ssl_params = {} if CONFIG.REDIS_USE_SSL: ssl_params = { + 'ssl_cert_reqs': CONFIG.REDIS_SSL_REQUIRED, 'ssl_keyfile': getattr(settings, 'REDIS_SSL_KEYFILE'), 'ssl_certfile': getattr(settings, 'REDIS_SSL_CERTFILE'), 'ssl_ca_certs': getattr(settings, 'REDIS_SSL_CA_CERTS'),
diff --git a/apps/jumpserver/settings/base.py b/apps/jumpserver/settings/base.py
index cb77177ec..e5b382517 100644
--- a/apps/jumpserver/settings/base.py
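Review bot: The added `'ssl_cert_reqs': CONFIG.REDIS_SSL_REQUIRED` hands the setting to redis-py with no default and no validation, and the patch does not show where REDIS_SSL_REQUIRED is declared or what it defaults to. redis-py's SSLConnection maps `ssl_cert_reqs=None` to `ssl.CERT_NONE` and raises on any string other than `'none'`/`'optional'`/`'required'`, so a deployment whose config predates this key would see the hard-coded `'required'` that the libs.py CELERY_BROKER_USE_SSL hunk removes replaced by no server-certificate verification at all, silently. The same pass-through is repeated in the session.py, base.py (CONNECTION_POOL_KWARGS) and start_celery_beat.py hunks. I would normalise the value once in settings, e.g. `REDIS_SSL_REQUIRED = CONFIG.REDIS_SSL_REQUIRED or 'required'  # redis-py spelling: 'none' | 'optional' | 'required'`, and have the five call sites read that name. get_redis_client's body continues outside the hunk.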
+++ b/apps/jumpserver/settings/base.py
@@ -250,8 +250,16 @@ FILE_UPLOAD_DIRECTORY_PERMISSIONS = 0o755 # Cache use redis REDIS_SSL_KEYFILE = os.path.join(PROJECT_DIR, 'data', 'certs', 'redis_client.key') +if not os.path.exists(REDIS_SSL_KEYFILE): + REDIS_SSL_KEYFILE = None + REDIS_SSL_CERTFILE = os.path.join(PROJECT_DIR, 'data', 'certs', 'redis_client.crt') +if not os.path.exists(REDIS_SSL_CERTFILE): + REDIS_SSL_CERTFILE = None + REDIS_SSL_CA_CERTS = os.path.join(PROJECT_DIR, 'data', 'certs', 'redis_ca.crt') +if not os.path.exists(REDIS_SSL_CA_CERTS): + REDIS_SSL_CA_CERTS = os.path.join(PROJECT_DIR, 'data', 'certs', 'redis_ca.pem') CACHES = { 'default': {
@@ -267,6 +275,7 @@ CACHES = { 'OPTIONS': { "REDIS_CLIENT_KWARGS": {"health_check_interval": 30}, "CONNECTION_POOL_KWARGS": { + 'ssl_cert_reqs': CONFIG.REDIS_SSL_REQUIRED, "ssl_keyfile": REDIS_SSL_KEYFILE, "ssl_certfile": REDIS_SSL_CERTFILE, "ssl_ca_certs": REDIS_SSL_CA_CERTS
diff --git a/apps/jumpserver/settings/libs.py b/apps/jumpserver/settings/libs.py
index 9bd56122b..11aa0ba16 100644
--- a/apps/jumpserver/settings/libs.py
+++ b/apps/jumpserver/settings/libs.py
@@ -89,9 +89,10 @@ if not CONFIG.REDIS_USE_SSL: context = None else: context = ssl.SSLContext() - context.check_hostname = False + context.check_hostname = bool(CONFIG.REDIS_SSL_REQUIRED) context.load_verify_locations(REDIS_SSL_CA_CERTS) - context.load_cert_chain(REDIS_SSL_CERTFILE, REDIS_SSL_KEYFILE) + if REDIS_SSL_CERTFILE and REDIS_SSL_KEYFILE: + context.load_cert_chain(REDIS_SSL_CERTFILE, REDIS_SSL_KEYFILE) CHANNEL_LAYERS = { 'default': {
@@ -139,7 +140,7 @@ CELERY_WORKER_REDIRECT_STDOUTS_LEVEL = "INFO" CELERY_TASK_SOFT_TIME_LIMIT = 3600 if CONFIG.REDIS_USE_SSL: CELERY_BROKER_USE_SSL = CELERY_REDIS_BACKEND_USE_SSL = { - 'ssl_cert_reqs': 'required', + 'ssl_cert_reqs': CONFIG.REDIS_SSL_REQUIRED, 'ssl_ca_certs': REDIS_SSL_CA_CERTS, 'ssl_certfile': REDIS_SSL_CERTFILE, 'ssl_keyfile': REDIS_SSL_KEYFILE
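Review bot: The new `if not os.path.exists(REDIS_SSL_KEYFILE)` / `REDIS_SSL_CERTFILE` fallbacks downgrade a missing client key or certificate to `None` without any log line, so a deployment that mistypes a filename quietly loses client-certificate authentication to Redis and nothing reports it; I would emit a warning (stdlib `warnings` or the project logger) whenever one of the two files is skipped. The CA path is treated differently — it falls through to `redis_ca.pem` whether or not that file exists — which looks deliberate so that a missing CA fails at connect time instead of disabling verification, and deserves a comment such as `# no None fallback for the CA: a missing CA must fail loudly, not turn off verification`. The identical block is repeated in the start_celery_beat.py hunk and would be better shared than duplicated.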
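Review bot: `context.check_hostname = bool(CONFIG.REDIS_SSL_REQUIRED)` and this context's `verify_mode` are not derived consistently from the setting. `ssl.SSLContext()` starts with `verify_mode = ssl.CERT_NONE`; when the setting is falsy it stays there, so the CA loaded on the next line is never used to authenticate the server, and when the setting is truthy Python raises verify_mode to CERT_REQUIRED only as a side effect of enabling hostname checking. Elsewhere in this patch the same value is passed to redis-py as `ssl_cert_reqs`, which accepts `'none'`/`'optional'`/`'required'` or an `ssl.CERT_*` constant; if it is configured as a string, `bool('none')` is True and the two consumers disagree on what the setting means (its declaration is outside the patch, so this is inferred). I would map the value to an `ssl.CERT_*` constant once and set both attributes from it, as below. The `if/else` closes inside the hunk, but CHANNEL_LAYERS continues outside it.
```python
else:
    context = ssl.SSLContext()
    cert_reqs = CONFIG.REDIS_SSL_REQUIRED
    if isinstance(cert_reqs, str):
        # same spellings redis-py accepts for ssl_cert_reqs
        cert_reqs = {'none': ssl.CERT_NONE, 'optional': ssl.CERT_OPTIONAL,
                     'required': ssl.CERT_REQUIRED}[cert_reqs.lower()]
    # unset -> verify, matching the 'required' this patch removes elsewhere
    context.verify_mode = ssl.CERT_REQUIRED if cert_reqs is None else cert_reqs
    context.check_hostname = context.verify_mode == ssl.CERT_REQUIRED
    # … unchanged: load_verify_locations and the load_cert_chain guard …
```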
diff --git a/utils/start_celery_beat.py b/utils/start_celery_beat.py
index 714dbd826..946fe9172 100644
--- a/utils/start_celery_beat.py
+++ b/utils/start_celery_beat.py
@@ -19,14 +19,23 @@ if os.getuid() == 0: os.environ.setdefault('C_FORCE_ROOT', '1') REDIS_SSL_KEYFILE = os.path.join(BASE_DIR, 'data', 'certs', 'redis_client.key') +if not os.path.exists(REDIS_SSL_KEYFILE): + REDIS_SSL_KEYFILE = None + REDIS_SSL_CERTFILE = os.path.join(BASE_DIR, 'data', 'certs', 'redis_client.crt') +if not os.path.exists(REDIS_SSL_CERTFILE): + REDIS_SSL_CERTFILE = None + REDIS_SSL_CA_CERTS = os.path.join(BASE_DIR, 'data', 'certs', 'redis_ca.crt') +if not os.path.exists(REDIS_SSL_CA_CERTS): + REDIS_SSL_CA_CERTS = os.path.join(BASE_DIR, 'data', 'certs', 'redis_ca.pem') params = { 'host': CONFIG.REDIS_HOST, 'port': CONFIG.REDIS_PORT, 'password': CONFIG.REDIS_PASSWORD, "ssl": CONFIG.REDIS_USE_SSL, + 'ssl_cert_reqs': CONFIG.REDIS_SSL_REQUIRED, "ssl_keyfile": REDIS_SSL_KEYFILE, "ssl_certfile": REDIS_SSL_CERTFILE, "ssl_ca_certs": REDIS_SSL_CA_CERTS