Validate Engine TLS material before starting Socket.IO

2025-10-26 15:41:58 -06:00 · 2025-10-26 03:11:57 -06:00
parent b3fdd63d2b
commit 3edb20d21b
1 changed files with 46 additions and 3 deletions
--- a/Data/Engine/bootstrapper.py
+++ b/Data/Engine/bootstrapper.py
@@ -9,9 +9,10 @@ legacy server defaults by binding to ``0.0.0.0:5001`` and honouring the
 from __future__ import annotations

 import os
+from pathlib import Path
 from typing import Any, Dict

-from .server import create_app
+from .server import EngineContext, create_app


 DEFAULT_HOST = "0.0.0.0"
@@ -28,6 +29,41 @@ def _build_runtime_config() -> Dict[str, Any]:
    }


+def _prepare_tls_run_kwargs(context: EngineContext) -> Dict[str, Any]:
+    """Validate and return TLS arguments for the Socket.IO runner."""
+
+    run_kwargs: Dict[str, Any] = {}
+
+    key_path_value = context.tls_key_path
+    if not key_path_value:
+        return run_kwargs
+
+    key_path = Path(key_path_value)
+    if not key_path.is_file():
+        raise RuntimeError(f"Engine TLS key file not found: {key_path}")
+
+    cert_candidates = []
+    if context.tls_bundle_path:
+        cert_candidates.append(context.tls_bundle_path)
+    if context.tls_cert_path and context.tls_cert_path not in cert_candidates:
+        cert_candidates.append(context.tls_cert_path)
+
+    if not cert_candidates:
+        raise RuntimeError("Engine TLS certificate path not configured; ensure certificates are provisioned.")
+
+    missing_candidates = []
+    for candidate in cert_candidates:
+        candidate_path = Path(candidate)
+        if candidate_path.is_file():
+            run_kwargs["certfile"] = str(candidate_path)
+            run_kwargs["keyfile"] = str(key_path)
+            return run_kwargs
+        missing_candidates.append(str(candidate_path))
+
+    checked = ", ".join(missing_candidates)
+    raise RuntimeError(f"Engine TLS certificate file not found. Checked: {checked}")
+
+
 def main() -> None:
    config = _build_runtime_config()
    app, socketio, context = create_app(config)
@@ -36,8 +72,15 @@ def main() -> None:
    port = int(config.get("PORT", DEFAULT_PORT))

    run_kwargs: Dict[str, Any] = {"host": host, "port": port}
-    if context.tls_bundle_path and context.tls_key_path:
-        run_kwargs.update({"certfile": context.tls_bundle_path, "keyfile": context.tls_key_path})
+    try:
+        tls_kwargs = _prepare_tls_run_kwargs(context)
+    except RuntimeError as exc:
+        context.logger.error("TLS configuration error: %s", exc)
+        raise
+    else:
+        if tls_kwargs:
+            run_kwargs.update(tls_kwargs)
+            context.logger.info("Engine TLS enabled using certificate %s", tls_kwargs["certfile"])

    socketio.run(app, **run_kwargs)