[HWORKS-1624][APPEND] ca_chain.pem is needed when calling _get_credentials for internal clients (#337)

robzor92 · web-flow · commit c2184311ba63 · 2024-09-20T13:48:14.000+02:00
diff --git a/python/hopsworks_common/client/hopsworks.py b/python/hopsworks_common/client/hopsworks.py
@@ -21,6 +21,12 @@
 from hopsworks_common.client import auth, base
 
 
+try:
+    import jks
+except ImportError:
+    pass
+
+
 class Client(base.Client):
     HOPSWORKS_HOSTNAME_VERIFICATION = "HOPSWORKS_HOSTNAME_VERIFICATION"
     DOMAIN_CA_TRUSTSTORE_PEM = "DOMAIN_CA_TRUSTSTORE_PEM"
@@ -50,7 +56,7 @@ def __init__(self, hostname_verification):
         self._hostname_verification = os.environ.get(
             self.HOPSWORKS_HOSTNAME_VERIFICATION, "{}".format(hostname_verification)
         ).lower() in ("true", "1", "y", "yes")
-        self._hopsworks_ca_trust_store_path = self._get_ca_chain_path()
+        self._hopsworks_ca_trust_store_path = self._materialize_ca_chain()
 
         self._project_id = os.environ[self.PROJECT_ID]
         self._project_name = self._project_name()
@@ -67,10 +73,23 @@ def __init__(self, hostname_verification):
 
         credentials = self._get_credentials(self._project_id)
 
-        self._write_pem_file(credentials["caChain"], self._get_ca_chain_path())
         self._write_pem_file(credentials["clientCert"], self._get_client_cert_path())
         self._write_pem_file(credentials["clientKey"], self._get_client_key_path())
 
+    def _materialize_ca_chain(self):
+        """Convert truststore from jks to pem and return the location"""
+        ca_chain_path = Path(self._get_ca_chain_path())
+        if not ca_chain_path.exists():
+            keystore_pw = self._cert_key
+            ks = jks.KeyStore.load(
+                self._get_jks_key_store_path(), keystore_pw, try_decrypt_keys=True
+            )
+            ts = jks.KeyStore.load(
+                self._get_jks_trust_store_path(), keystore_pw, try_decrypt_keys=True
+            )
+            self._write_ca_chain(ks, ts, ca_chain_path)
+        return str(ca_chain_path)
+
     def _get_hopsworks_rest_endpoint(self):
         """Get the hopsworks REST endpoint for making requests to the REST API."""
         return os.environ[self.REST_ENDPOINT]
diff --git a/python/hopsworks_common/connection.py b/python/hopsworks_common/connection.py
@@ -38,7 +38,7 @@
 
 HOPSWORKS_PORT_DEFAULT = 443
 HOSTNAME_VERIFICATION_DEFAULT = os.environ.get(
-    "HOPSWORKS_HOSTNAME_VERIFICATION", "True"
+    "HOPSWORKS_HOSTNAME_VERIFICATION", "False"
 ).lower() in ("true", "1", "y", "yes")
 # alias for backwards compatibility:
 HOPSWORKS_HOSTNAME_VERIFICATION_DEFAULT = HOSTNAME_VERIFICATION_DEFAULT
diff --git a/python/tests/test_connection.py b/python/tests/test_connection.py
@@ -31,7 +31,7 @@ def test_constants(self):
         # adding / removing / updating tests, if necessary.
         assert HOSTS.APP_HOST == "c.app.hopsworks.ai"
         assert HOPSWORKS_PORT_DEFAULT == 443
-        assert HOSTNAME_VERIFICATION_DEFAULT
+        assert HOSTNAME_VERIFICATION_DEFAULT is False
 
     # constructor
 
