TLS support

Signed-off-by: Scott R. Shinn <scott@atomicorp.com>

Author: atomicturtle

Makefile

@@ -47,4 +47,4 @@ deps:
 test-local:
 	@echo "Starting Chelon service locally on port 5050..."
 	@echo "Make sure GPG keys are imported first!"
-	cd server && python3 oracle-service.py
+	cd server && python3 chelon-service.py

chelon.spec

@@ -46,7 +46,7 @@ install -d %{buildroot}%{_unitdir}
 install -d %{buildroot}%{_localstatedir}/lib/%{name}
 
 # Install server files
-install -m 755 server/oracle-service.py %{buildroot}%{_datadir}/%{name}/server/
+install -m 755 server/chelon-service.py %{buildroot}%{_datadir}/%{name}/server/
 install -m 644 server/signing_engine.py %{buildroot}%{_datadir}/%{name}/server/
 install -m 644 server/auth.py %{buildroot}%{_datadir}/%{name}/server/
 install -m 644 server/audit.py %{buildroot}%{_datadir}/%{name}/server/

server/auth.py

@@ -121,7 +121,7 @@ def validate_token(self, token: str) -> Dict:
 
         # Verify secret
         secret_hash = hashlib.sha256(secret.encode()).hexdigest()
-        if secret_hash != token_info['secret_hash']:
+        if not secrets.compare_digest(secret_hash, token_info['secret_hash']):
             raise ValueError("Invalid token secret")
 
         # Check rate limit (Fixed Window)

server/chelon-service.py

@@ -20,7 +20,7 @@
 app = Flask(__name__)
 
 # Configuration
-CONFIG_FILE = os.environ.get('ORACLE_CONFIG', '/etc/chelon/chelon.conf')
+CONFIG_FILE = os.environ.get('CHELON_CONFIG', '/etc/chelon/chelon.conf')
 DATA_DIR = '/var/lib/chelon'
 
 def load_config(path):
@@ -184,8 +184,38 @@ def sign_repodata():
 
 if __name__ == '__main__':
     # Run the Flask app
-    host = os.environ.get('ORACLE_HOST', '127.0.0.1')
-    port = int(os.environ.get('ORACLE_PORT', 5050))
+    host = os.environ.get('CHELON_HOST', '127.0.0.1')
+    port = int(os.environ.get('CHELON_PORT', 5050))
 
     logger.info(f"Starting Chelon service on {host}:{port}")
-    app.run(host=host, port=port, debug=False)
+
+    # SSL Configuration
+    ssl_cert = os.environ.get('CHELON_SSL_CERT', config.get('CHELON_SSL_CERT'))
+    ssl_key = os.environ.get('CHELON_SSL_KEY', config.get('CHELON_SSL_KEY'))
+    ssl_ca = os.environ.get('CHELON_SSL_CA', config.get('CHELON_SSL_CA'))
+    verify_client = os.environ.get('CHELON_SSL_VERIFY_CLIENT', config.get('CHELON_SSL_VERIFY_CLIENT', 'false')).lower() == 'true'
+
+    ssl_context = None
+    if ssl_cert and ssl_key:
+        if not os.path.exists(ssl_cert) or not os.path.exists(ssl_key):
+            logger.error(f"SSL cert or key not found: {ssl_cert}, {ssl_key}")
+            sys.exit(1)
+            
+        import ssl
+        ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+        ssl_context.load_cert_chain(ssl_cert, ssl_key)
+        
+        if ssl_ca:
+            if not os.path.exists(ssl_ca):
+                logger.error(f"SSL CA not found: {ssl_ca}")
+                sys.exit(1)
+            ssl_context.load_verify_locations(ssl_ca)
+            
+            if verify_client:
+                ssl_context.verify_mode = ssl.CERT_REQUIRED
+            else:
+                ssl_context.verify_mode = ssl.CERT_OPTIONAL
+        
+        logger.info(f"SSL Enabled. Client Verify: {verify_client}")
+    
+    app.run(host=host, port=port, debug=False, ssl_context=ssl_context)

systemd/chelon.service

@@ -7,10 +7,10 @@ Type=simple
 User=chelon
 Group=chelon
 WorkingDirectory=/usr/share/chelon/server
-Environment="ORACLE_HOST=0.0.0.0"
-Environment="ORACLE_PORT=5050"
-Environment="ORACLE_CONFIG=/etc/chelon/chelon.conf"
-ExecStart=/usr/bin/python3 /usr/share/chelon/server/oracle-service.py
+Environment="CHELON_HOST=0.0.0.0"
+Environment="CHELON_PORT=5050"
+Environment="CHELON_CONFIG=/etc/chelon/chelon.conf"
+ExecStart=/usr/bin/python3 /usr/share/chelon/server/chelon-service.py
 Restart=always
 RestartSec=10