RDBC-788 Server certificate validation

poissoncorp · poissoncorp · commit c11c98ed1e16 · 2024-01-22T13:48:53.000+01:00
diff --git a/ravendb/changes/database_changes.py b/ravendb/changes/database_changes.py
@@ -1,6 +1,7 @@
+import base64
 import ssl
 from threading import Lock
-from typing import TYPE_CHECKING, Dict
+from typing import TYPE_CHECKING, Dict, Optional
 
 from websocket import WebSocket
 
@@ -13,6 +14,7 @@
     OperationStatusChange,
     TopologyChange,
 )
+from ravendb.serverwide.commands import GetTcpInfoCommand
 from ravendb.tools.parsers import IncrementalJsonParser
 import websocket
 from ravendb.exceptions.exceptions import NotSupportedException
@@ -57,6 +59,11 @@ def __init__(self, request_executor: "RequestExecutor", database_name, on_close,
         self._logger.addHandler(handler)
         self._logger.setLevel(logging.DEBUG)
 
+    def _get_server_certificate(self) -> Optional[str]:
+        cmd = GetTcpInfoCommand(self._request_executor.url)
+        self._request_executor.execute_command(cmd)
+        return cmd.result.certificate
+
     def do_work(self):
         preferred_node = self._request_executor.preferred_node.current_node  # todo: refactor, protected access
         url = (
@@ -69,13 +76,22 @@ def do_work(self):
         while not self._closed:
             try:
                 if not self.client_websocket.connected:
-                    # Get certificate and wrap socket into secured socket
                     if self._request_executor.certificate_path:
+                        # Get server certificate via HTTPS and prepare SSL context
+                        server_certificate = base64.b64decode(self._get_server_certificate())
                         ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
                         ssl_context.load_cert_chain(self._request_executor.certificate_path)
-                        self.client_websocket = WebSocket(sslopt={"context": ssl_context})
 
+                        # Connect WebSocket providing SSL
+                        self.client_websocket = WebSocket(sslopt={"context": ssl_context})
                         self.client_websocket.connect(url, suppress_origin=True)
+
+                        # Server certificate authentication
+                        server_certificate_from_tls = self.client_websocket.sock.getpeercert(True)
+                        if server_certificate != server_certificate_from_tls:
+                            raise ValueError("Certificates don't match")
+
+                        pass
                     else:
                         self.client_websocket.connect(url)
 
