Fixed cert auth issues (#836)

* Fixed cert auth issues * Updated docs and removed commented lines and assertions
tenable · Sep 17, 2024 · d2cc88f · d2cc88f
1 parent b9b6aed
commit d2cc88f
Showing 1 changed file with 29 additions and 14 deletions.
diff --git a/tenable/sc/__init__.py b/tenable/sc/__init__.py
@@ -104,6 +104,10 @@ class TenableSC(APIPlatform):  # noqa PLR0904
             format could be either a tuple or a string pointing to the
             certificate.  For more details, please refer to the
             `Requests Client-Side Certificates`_ documentation.
+        p12_cert (str, optional):
+            The client-side PKCS12 certificate to use for certificate-based
+            authentication.  A password must be provided to descrypt the password
+            along with the certificate file (see password).
         password (str, optional):
             The password to use for session authentication.
         port (int, optional):
@@ -144,9 +148,8 @@ class TenableSC(APIPlatform):  # noqa PLR0904
         A connection to Tenable Security Center using SSL certificates:
 
         >>> sc = TenableSC(url='https://sc.company.tld',
-        ...                cert_file='/path/client.cert',
-        ...                cert_key='/path/client.key',
-        ...                )
+        ...                cert=('/path/client.cert', '/path/client.key')
+                           )
 
         Using a PKCS12 Certificate:
 
@@ -185,12 +188,11 @@ class TenableSC(APIPlatform):  # noqa PLR0904
     _version = None
     _client_cert: tempfile.NamedTemporaryFile
     _client_key: tempfile.NamedTemporaryFile
-    _allowed_auth_mech_priority = ['key', 'cert', 'p12', 'session']
+    _allowed_auth_mech_priority = ['key', 'cert', 'session']
     _allowed_auth_mech_params = {
         'session': ['username', 'password'],
         'key': ['access_key', 'secret_key'],
-        'p12': ['p12_cert', 'password'],
-        'cert': ['cert_file', 'cert_key'],
+        'cert': ['_cert'],
     }
 
     def __init__(self,  # noqa: PLR0913
@@ -206,14 +208,27 @@ def __init__(self,  # noqa: PLR0913
             warnings.warn('The "host", "port", and "scheme" parameters are '
                           'deprecated and will be removed from the TenableSC '
                           'class in version 2.0.',
-                          DeprecationWarning
+                          DeprecationWarning,
+                          stacklevel=2
                           )
             kwargs['url'] = (f'{kwargs.get("scheme", "https")}://'
                              f'{host}:{kwargs.get("port", 443)}'
                              )
 
         kwargs['access_key'] = access_key
         kwargs['secret_key'] = secret_key
+
+        # Check to see if there is a p12_cert and password specified, if so, then
+        # convert the cert into an unencrypted PEM format and construct the cert
+        # tuple from the _p12_auth response.
+        if 'p12_cert' in kwargs and 'password' in kwargs:
+            cert = self._p12_auth(kwargs['p12_cert'], kwargs['password'])
+            kwargs['cert'] = cert
+
+        # If the cert argument exists, then set _cert to True in order to pass the
+        # cert auth checks.
+        if 'cert' in kwargs:
+            kwargs['_cert'] = True
         # Now lets pass the relevant parts off to the APISession's constructor
         # to make sure we have everything lined up as we expect.
         super().__init__(**kwargs)
@@ -260,7 +275,8 @@ def _session_auth(self, username, password):
         warnings.warn('Session based authentication to Security Center will be removed'
                       'in later iterations of the library as it\'s no longer an'
                       'oficially recommended method of authentication to SC.',
-                      DeprecationWarning
+                      DeprecationWarning,
+                      stacklevel=2
                       )
         resp = self.post('token', json={
             'username': username,
@@ -291,15 +307,13 @@ def _p12_auth(self, p12_cert, password):
         self._client_cert = tempfile.NamedTemporaryFile()   # noqa: PLR1732
         self._client_cert.write(cert.public_bytes(serialization.Encoding.PEM))
         self._client_cert.flush()
-        self._cert_auth(self._client_cert.name, self._client_key.name)
+        return self._client_cert.name, self._client_key.name
 
-    def _cert_auth(self, cert_file, cert_key):
+    def _cert_auth(self, _cert):
         """
         PEM Cert Authentication
         """
-        self._session.cert = (cert_file, cert_key)
-
-        resp = self.get('system')
+        resp = self.get('system', box=False)
         self._session.headers.update({
             'X-SecurityCenter': str(resp.json()['response']['token']),
             'TNS_SESSIONID': str(resp.headers['Set-Cookie'])[14:46]
@@ -338,7 +352,8 @@ def login(self, username=None, password=None,
         '''
         warnings.warn('Use of the login method is deprecated and will be removed in'
                       'later versions of the library',
-                      DeprecationWarning
+                      DeprecationWarning,
+                      stacklevel=2
                       )
         self._authenticate(**{
             'username': username,