mathworks
diff --git a/‎Advanced-Usage.md‎
Lines changed: 1 addition & 0 deletions b/‎Advanced-Usage.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎README.md‎
Lines changed: 1 addition & 1 deletion b/‎README.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎SECURITY.md‎
Lines changed: 29 additions & 25 deletions b/‎SECURITY.md‎
Lines changed: 29 additions & 25 deletions
diff --git a/‎matlab_proxy/app_state.py‎
Lines changed: 1 addition & 1 deletion b/‎matlab_proxy/app_state.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎matlab_proxy/settings.py‎
Lines changed: 126 additions & 30 deletions b/‎matlab_proxy/settings.py‎
Lines changed: 126 additions & 30 deletions
@@ -23,6 +23,7 @@ The following table describes all the environment variables that you can set to
 | **MWI_ENABLE_WEB_LOGGING** | string | `"True"` | Set this value to `"True"` to see additional web server logs. |
 | **MWI_CUSTOM_HTTP_HEADERS** | string  |`'{"Content-Security-Policy": "frame-ancestors *.example.com:*"}'`<br /> OR <br />`"/path/to/your/custom/http-headers.json"` |Specify valid HTTP headers as JSON data in a string format. <br /> Alternatively, specify the full path to the JSON file containing valid HTTP headers instead. These headers are injected into the HTTP response sent to the browser. </br> For  more information, see the [Custom HTTP Headers](#custom-http-headers) section.|
 | **TMPDIR** or **TMP** | string | `"/path/for/MATLAB/to/use/as/tmp"` | Set either one of these variables to control the temporary folder used by MATLAB. `TMPDIR` takes precedence over `TMP` and if neither variable is set, `/tmp` is the default value used by MATLAB. |
+| **MWI_ENABLE_SSL** | string | `"False"` | When set to `True`, the values in `MWI_SSL_CERT_FILE & MWI_SSL_KEY_FILE` are used to configure matlab-proxy to use SSL. If you do not provide a CERT and KEY file using these variables, the software generates a self-signed certificate. Defaults to `False`.|
 | **MWI_SSL_CERT_FILE** | string | `"/path/to/certificate.pem"` | The certfile string must be the path to a single file in PEM format containing the certificate as well as any number of CA certificates needed to establish the certificate’s authenticity. See [SSL Support](./SECURITY.md#ssl-support) for more information.|
 | **MWI_SSL_KEY_FILE** | string | `"/path/to/keyfile.key"` | The keyfile string, if present, must point to a file containing the private key. Otherwise the private key will be taken from certfile as well. |
 | **MWI_ENABLE_TOKEN_AUTH** | string | `"True"` | When you set the variable to `True`, matlab-proxy requires users to provide the security token to access the proxy. Optionally, set the token using the environment variable `MWI_AUTH_TOKEN`. If you do not specify `MWI_AUTH_TOKEN`, the software generates a token for you. <br />For more information, see [Token-Based Authentication](./SECURITY.md#token-based-authentication) for more information.
 
@@ -93,7 +93,7 @@ Once the `matlab-proxy` package is installed.
 
   Running the above command will print text out on your terminal, which will contain the URL to access MATLAB. For example:
   ```
-  MATLAB can be accessed on 
+  Access MATLAB at 
   http://localhost:44549/matlab/index.html
   ```
 
 
@@ -30,36 +30,40 @@ The following features are available in `matlab-proxy` to provide secure access
 ----
 
 ## **SSL Support**
-Configure `matlab-proxy` to use SSL by providing the desired SSL certificates using the following environment variables at server launch:
-The following environment variables must be set to enable `matlab-proxy` to run on SSL:
-1. *MWI_SSL_CERT_FILE*
+
+1. *MWI_ENABLE_SSL*
+
+    Use the environment variable `MWI_ENABLE_SSL` to configure SSL/TLS support for `matlab-proxy`. To enable SSL/TLS, set `MWI_ENABLE_SSL` to `True`. By default, this uses a self-signed certificate. To use custom SSL certificates instead, specify these files using the following environment variables when you start `matlab-proxy`.
+
+2. *MWI_SSL_CERT_FILE*
 
     A string with the full path to a single file in PEM format containing the certificate as well as any number of CA certificates needed to establish the certificate’s authenticity.
 
 2. *MWI_SSL_KEY_FILE*
 
-   A string with the full path to a file containing the private key. If absent, the private key must be present in the certfile provided with *MWI_SSL_CERT_FILE*.
+   A string with the full path to a file containing the private key. If absent, the private key must be present in the cert file provided using `MWI_SSL_CERT_FILE`.
 
 Example:
 ```bash
-# Launch matlab-proxy with SSL enabled
-$ env MWI_SSL_CERT_FILE="/path/to/certificate.pem" MWI_SSL_KEY_FILE="/path/to/keyfile.key" matlab-proxy-app
+# Start matlab-proxy with SSL enabled
+$ env MWI_ENABLE_SSL=True MWI_SSL_CERT_FILE="/path/to/certificate.pem" MWI_SSL_KEY_FILE="/path/to/keyfile.key" matlab-proxy-app
 
-# The access link is presented in the terminal upon startup like follows:
+# The access link appears in the terminal at startup:
 ==================================================================================================
-                                  MATLAB can be accessed at:                              
+                                       Access MATLAB at:                              
                                     https://127.0.0.1:37109   
 ==================================================================================================
 
 # NOTE: The server is running HTTP(S) ! 
 
 ```
 
+
 ----
 
 ## **Token-Based Authentication**
 
-`matlab-proxy` is a web server and that allows one to launch and access MATLAB on the machine the server is running on. Anyone with access to the server can access MATLAB and thereby the machine on which its running.
+`matlab-proxy` is a web server and that allows one to start and access MATLAB on the machine the server is running on. Anyone with access to the server can access MATLAB and thereby the machine on which its running.
 
 `Token-Based Authentication` is enabled by default and the server will require a token to authenticate access. This token can be provided to the server in a few ways:
 
@@ -89,12 +93,12 @@ Example:
 
 ```bash
 
-# Launch matlab-proxy with Token-Based Authentication enabled by default
+# Start matlab-proxy with Token-Based Authentication enabled by default
 $ matlab-proxy-app
 
 # The access link is presented in the terminal upon startup like follows:
 ==================================================================================================
-                                  MATLAB can be accessed at:                              
+                                  Access MATLAB at:                              
     http://127.0.0.1:37109?mwi_auth_token=SY78vUw5qyf0JTJzGK4mKJlk_exkzL_SMFJyilbGtNI   
 ==================================================================================================
 ```
@@ -114,12 +118,12 @@ See [URI Specification RFC3986](https://www.ietf.org/rfc/rfc3986.txt) for more i
 Example:
 ```bash
 
-# Launch matlab-proxy with Token-Based Authentication enabled, and with custom token with a value of "MyCustomSecretToken"
+# Start matlab-proxy with Token-Based Authentication enabled, and with custom token with a value of "MyCustomSecretToken"
 $ env MWI_ENABLE_TOKEN_AUTH=True MWI_AUTH_TOKEN=MyCustomSecretToken matlab-proxy-app
 
 # The access link is presented in the terminal upon startup like follows:
 ==================================================================================================
-                                  MATLAB can be accessed at:                              
+                                  Access MATLAB at:                              
                 http://127.0.0.1:37109?mwi_auth_token=MyCustomSecretToken   
 ==================================================================================================
 ```
@@ -128,14 +132,14 @@ $ env MWI_ENABLE_TOKEN_AUTH=True MWI_AUTH_TOKEN=MyCustomSecretToken matlab-proxy
 
 It is recommended to enable both `Token-Based Authentication` and `SSL` to secure your access to MATLAB via matlab-proxy. As an example, the following command enables access to MATLAB using HTTPS and token-based authentication
 
-For example, the following command launches the server to deliver content on `HTTPS` along with Token-Based Authentication enabled:
+For example, the following command starts the server to deliver content on `HTTPS` along with Token-Based Authentication enabled:
 ```bash
-# Launch matlab-proxy with Token-Based Authentication & SSL enabled with custom token with a value of "asdf"
+# Start matlab-proxy with Token-Based Authentication & SSL enabled with custom token with a value of "asdf"
 $ env MWI_SSL_CERT_FILE="/path/to/certificate.pem" MWI_SSL_KEY_FILE="/path/to/keyfile.key" MWI_ENABLE_TOKEN_AUTH=True MWI_AUTH_TOKEN=asdf matlab-proxy-app
 
 # The access link is presented in the terminal upon startup like follows:
 ==================================================================================================
-                                  MATLAB can be accessed at:                              
+                                  Access MATLAB at:                              
                         https://127.0.0.1:37109?mwi_auth_token=asdf   
 ==================================================================================================
 
@@ -145,16 +149,16 @@ $ env MWI_SSL_CERT_FILE="/path/to/certificate.pem" MWI_SSL_KEY_FILE="/path/to/ke
 
 ### **Token Recovery**
 
-To recover tokens for a previously launched server, you will need access to either:
+To recover tokens for a previously started server, you will need access to either:
 
-1. The machine on which the server was launched, while being logged in as the user that launched the server.
-2. An authenticated browser session launched for the same user.
+1. The machine on which the server was started, while being logged in as the user that started the server.
+2. An authenticated browser session started for the same user.
 
 #### **Recover tokens from the machine**
 
-1. Login to the machine on which the servers are running, as the user that launched matlab-proxy.
-1. Activate the python environment from which the server was launched.
-    * This should be the same environment from which the server was launched.
+1. Login to the machine on which the servers are running, as the user that started matlab-proxy.
+1. Activate the python environment from which the server was started.
+    * This should be the same environment from which the server was started.
     * Run the executable `matlab-proxy-app-list-servers`
 
 Example:
@@ -202,12 +206,12 @@ Example:
 
 ```bash
 
-# Launch matlab-proxy with Token-Based Authentication disabled
+# Start matlab-proxy with Token-Based Authentication disabled
 $ env MWI_ENABLE_TOKEN_AUTH="False" matlab-proxy-app
 
 # The access link is presented in the terminal upon startup like follows:
 ==================================================================================================
-                                  MATLAB can be accessed at:                              
+                                       Access MATLAB at:                              
                                     http://127.0.0.1:37110  
 ==================================================================================================
 ```
@@ -217,7 +221,7 @@ $ env MWI_ENABLE_TOKEN_AUTH="False" matlab-proxy-app
 * Never share access to your server
   Never share URLs from `matlab-proxy` with others. Doing so is equivalent to sharing your user account.
 
-* System administrators who launch `matlab-proxy` for other users, must launch the proxy as the user for whom the server is intended.
+* System administrators who start `matlab-proxy` for other users, must start the proxy as the user for whom the server is intended.
 
 ----
 
 
@@ -606,7 +606,7 @@ def create_server_info_file(self):
             util.prettify(
                 boundary_filler="=",
                 text_arr=[
-                    f"MATLAB can be accessed at:",
+                    f"Access MATLAB at:",
                     self.settings["mwi_server_url"].replace("0.0.0.0", "localhost")
                     + mwi_auth_token_str,
                 ],
 
@@ -1,5 +1,6 @@
 # Copyright 2020-2024 The MathWorks, Inc.
 
+import datetime
 import os
 import shutil
 import socket
@@ -9,6 +10,11 @@
 import xml.etree.ElementTree as ET
 from pathlib import Path
 
+from cryptography import x509
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.x509.oid import NameOID
+
 import matlab_proxy
 from matlab_proxy import constants
 from matlab_proxy.util import mwi, system
@@ -289,10 +295,6 @@ def get_server_settings(config_name):
         mwi_auth_token_hash,
     ) = token_auth.generate_mwi_auth_token_and_hash().values()
     mwi_config_folder = get_mwi_config_folder()
-    ssl_key_file, ssl_cert_file = mwi.validators.validate_ssl_key_and_cert_file(
-        os.getenv(mwi_env.get_env_name_ssl_key_file(), None),
-        os.getenv(mwi_env.get_env_name_ssl_cert_file(), None),
-    )
 
     # log file validation check is already done in logger.py
     mwi_log_file = os.getenv(mwi_env.get_env_name_log_file(), None)
@@ -328,9 +330,7 @@ def get_server_settings(config_name):
         "mwi_use_existing_license": mwi.validators.validate_use_existing_licensing(
             os.getenv(mwi_env.get_env_name_mwi_use_existing_license(), "")
         ),
-        "ssl_context": get_ssl_context(
-            ssl_cert_file=ssl_cert_file, ssl_key_file=ssl_key_file
-        ),
+        "ssl_context": _validate_ssl_files_and_get_ssl_context(mwi_config_folder),
     }
 
 
@@ -478,31 +478,127 @@ def get_test_temp_dir():
     return test_temp_dir
 
 
-def get_ssl_context(ssl_cert_file, ssl_key_file):
-    """Creates an SSL CONTEXT for use with the TCP Site"""
+def _validate_ssl_files_and_get_ssl_context(mwi_config_folder):
+    """Creates an SSL CONTEXT for use with the TCP Site.
+    The certfile string must be the path to a single file in PEM format containing the
+    certificate as well as any number of CA certificates needed to establish the certificate’s authenticity.
+    The keyfile string, if present, must point to a file containing the private key in.
+    Otherwise the private key will be taken from certfile as well.
+    """
+    is_self_signed_certificates = False
+    env_name_enable_ssl = mwi_env.get_env_name_enable_ssl()
+    is_ssl_enabled = mwi_env._is_env_set_to_true(env_name_enable_ssl)
+    env_name_ssl_key_file = mwi_env.get_env_name_ssl_key_file()
+    env_name_ssl_cert_file = mwi_env.get_env_name_ssl_cert_file()
+
+    ssl_key_file, ssl_cert_file = (
+        os.getenv(env_name_ssl_key_file, None),
+        os.getenv(env_name_ssl_cert_file, None),
+    )
 
-    # The certfile string must be the path to a single file in PEM format containing the
-    # certificate as well as any number of CA certificates needed to establish the certificate’s authenticity.
-    # The keyfile string, if present, must point to a file containing the private key in.
-    # Otherwise the private key will be taken from certfile as well.
-    import traceback
+    # Don't use SSL if the user has explicitly disabled SSL communication or not set the respective env var
+    if not is_ssl_enabled:
+        if ssl_cert_file:
+            logger.warn(
+                f"Ignoring provided SSL files, as {env_name_enable_ssl} is either unset or set to false"
+            )
+        return None
 
-    if ssl_cert_file != None:
-        try:
-            ssl_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
-            ssl_context.load_cert_chain(ssl_cert_file, ssl_key_file)
-            logger.debug(f"Using SSL certification!")
-        except Exception as e:
-            # Something was wrong with the certificates provided
-            error_message = "SSL certificates provided are invalid. Aborting..."
-            logger.error(error_message)
-            traceback.print_exc()
-            logger.info("==== Fatal error : ===")
-            print(e)
-            # printing stack trace
-            logger.info("======================")
-            raise FatalError(error_message)
-    else:
+    # Validate that provided SSL files are valid files
+    ssl_key_file, ssl_cert_file = mwi.validators.validate_ssl_key_and_cert_file(
+        ssl_key_file, ssl_cert_file
+    )
+
+    if not ssl_cert_file and not ssl_key_file:
+        logger.debug("Using auto-generated self-signed certificates")
+
+        # certs dir under the MWI_CONFIG_FOLDER will hold the self-signed certificates
+        mwi_certs_dir = mwi_config_folder / "certs"
+        mwi_certs_dir.mkdir(parents=True, exist_ok=True)
+
+        # New certs are generated for every run leading to functionally reliable system, alternative is
+        # to check for existing certs and have error handling around expired/bad certs.
+        ssl_cert_file, ssl_key_file = generate_new_self_signed_certs(mwi_certs_dir)
+        is_self_signed_certificates = True
+    try:
+        ssl_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
+        ssl_context.load_cert_chain(ssl_cert_file, ssl_key_file)
+        logger.debug("Certificate chain was correctly loaded")
+    except Exception as e:
+        logger.error(f"Unable to load certificates. Error: {e}")
+
+        # Setting to None to use http mode in the event of failing to setup self-signed certificates
         ssl_context = None
 
+        # Raise a fatal error only in the event of an exception while loading customer-supplied ssl files
+        if not is_self_signed_certificates:
+            raise FatalError(e)
+
     return ssl_context
+
+
+def generate_new_self_signed_certs(mwi_certs_dir):
+    """
+    Generates a new self-signed certificate and corresponding private key, saves them as PEM files in the specified directory.
+    The certificate is valid for 365 days from the time of creation.
+
+    Parameters:
+    - mwi_certs_dir (Path): A pathlib.Path object representing the directory where the certificate and key files will be saved.
+
+    Returns:
+    - tuple: A tuple containing the file paths (as strings) to the newly created certificate and private key PEM files.
+             The first element is the path to the certificate file (cert.pem), and the second is the path to the key file (key.pem).
+
+    Raises:
+    - FileNotFoundError: If the mwi_certs_dir does not exist.
+    - Any other exception that may occur during file writing or certificate generation.
+    """
+    cert_file = priv_key_file = None
+    try:
+        # Generate private key
+        private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
+
+        # Self-signed certificate
+        subject = issuer = x509.Name(
+            [
+                x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
+                x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "Massachusetts"),
+                x509.NameAttribute(NameOID.LOCALITY_NAME, "Natick"),
+                x509.NameAttribute(NameOID.ORGANIZATION_NAME, "MathWorks Inc."),
+                x509.NameAttribute(NameOID.COMMON_NAME, "mathworks.com"),
+            ]
+        )
+        cert = (
+            x509.CertificateBuilder()
+            .subject_name(subject)
+            .issuer_name(issuer)
+            .public_key(private_key.public_key())
+            .serial_number(x509.random_serial_number())
+            .not_valid_before(datetime.datetime.utcnow())
+            .not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=365))
+            .sign(private_key, hashes.SHA256())
+        )
+
+        # Write private key to file
+        priv_key_file = mwi_certs_dir / "key.pem"
+        with open(priv_key_file, "wb") as f:
+            f.write(
+                private_key.private_bytes(
+                    encoding=serialization.Encoding.PEM,
+                    format=serialization.PrivateFormat.TraditionalOpenSSL,
+                    encryption_algorithm=serialization.NoEncryption(),
+                )
+            )
+
+        # Write certificate to file
+        cert_file = mwi_certs_dir / "cert.pem"
+        with open(cert_file, "wb") as f:
+            f.write(cert.public_bytes(serialization.Encoding.PEM))
+
+    except Exception as ex:
+        logger.warn(
+            f"Failed to generate self-signed certificates, proceeding with non-secure mode! Error: {ex}"
+        )
+        cert_file = priv_key_file = None
+
+    return cert_file, priv_key_file