Add mtls support

Author: thomas-samoht

app/config.py

@@ -267,6 +267,9 @@ class ConfigMcsd(BaseModel):
     )
     request_count: int = Field(default=20)
     strict_validation: bool = Field(default=False)
+    mtls_client_cert_path: str | None = Field(default=None)
+    mtls_client_key_path: str | None = Field(default=None)
+    mtls_server_ca_path: str | None = Field(default=None)
 
     @field_validator("request_count", mode="before")
     def validate_request_count(cls, v: Any) -> int:

app/container.py

@@ -47,6 +47,9 @@ def container_config(binder: inject.Binder) -> None:
         auth=auth,
         cache_provider=cache_provider,
         retries=config.directory_api.retries,
+        mtls_cert=config.mcsd.mtls_client_cert_path,
+        mtls_key=config.mcsd.mtls_client_key_path,
+        mtls_ca=config.mcsd.mtls_server_ca_path,
     )
     binder.bind(UpdateClientService, update_service)
 

app/services/directory_provider/factory.py

@@ -20,6 +20,7 @@ class DirectoryProviderFactory:
 
     def __init__(self, config: Config, database: Database, auth: Authenticator) -> None:
         self.__directory_config = config.directory_api
+        self.__mcsd_config = config.mcsd
         self.__db = database
         self.__auth = auth
 
@@ -46,6 +47,9 @@ def create(self) -> DirectoryProvider:
                     request_count=5,
                     strict_validation=False,
                     retries=10,
+                    mtls_cert=self.__mcsd_config.mtls_client_cert_path,
+                    mtls_key=self.__mcsd_config.mtls_client_key_path,
+                    mtls_ca=self.__mcsd_config.mtls_server_ca_path,
                 ),
                 ignored_directory_service=IgnoredDirectoryService(self.__db),
             )

app/services/update/update_client_service.py

@@ -64,15 +64,18 @@ def __init__(
         self.request_count = request_count
         self.auth = auth
         self.__resource_map_service = resource_map_service
+        self.mtls_cert = mtls_cert
+        self.mtls_key = mtls_key
+        self.mtls_ca = mtls_ca
         self.__update_client_fhir_api = FhirApi(
             base_url=update_client_url,
             auth=auth,
             timeout=timeout,
             retries=retries,
             backoff=backoff,
-            mtls_cert=mtls_cert,
-            mtls_key=mtls_key,
-            mtls_ca=mtls_ca,
+            mtls_cert=self.mtls_cert,
+            mtls_key=self.mtls_key,
+            mtls_ca=self.mtls_ca,
             request_count=request_count,
             strict_validation=strict_validation,
         )
@@ -157,6 +160,9 @@ def update_resource(
             strict_validation=self.strict_validation,
             base_url=directory.endpoint,
             retries=10,
+            mtls_cert=self.mtls_cert,
+            mtls_key=self.mtls_key,
+            mtls_ca=self.mtls_ca,
         )
 
         adjacency_map_service = AdjacencyMapService(

example-setup-with-hapi/app.conf

@@ -63,6 +63,9 @@ ssl_key_file = server.key
 [mcsd]
 update_client_url = http://hapi-update-client:8081/fhir
 authentication = off
+mtls_client_cert_path=
+mtls_client_key_path=
+mtls_server_ca_path_path=
 request_count = 20
 strict_validation = False
 

example-setup-with-hapi/app.conf.example

@@ -88,6 +88,13 @@ ssl_key_file = server.key
 update_client_url = http://addressing-app:8502
 # authentication can be either "off", or "azure_oauth2" in case of azure oauth2 authentication
 authentication = off
+# When configured, all connections to the supplier register and mCSD FHIR directories will use mTLS
+# Path to client certificate file for mTLS authentication
+mtls_client_cert_path = client.crt
+# Path to client private key file for mTLS authentication  
+mtls_client_key_path = client.key
+# Path to CA certificate file for server verification
+mtls_server_ca_path = ca.crt
 
 # query parameter for the number of entries in Bundle per request (limit)
 # This is usually used in the directory request service and not directory API (LRZa)

tests/services/api/conftest.py

@@ -1,6 +1,5 @@
 from typing import Any, Dict, Final
 import pytest
-from yarl import URL
 
 from app.config import Config
 from app.services.api.api_service import (
@@ -43,8 +42,8 @@ def mock_sub_route() -> str:
 
 
 @pytest.fixture()
-def mock_url() -> URL:
-    return URL("http://example.com")
+def mock_url() -> str:
+    return "http://example.com"
 
 
 @pytest.fixture()
@@ -70,6 +69,9 @@ def http_service(base_url: str) -> HttpService:
         timeout=config.directory_api.timeout,
         backoff=config.directory_api.backoff,
         retries=1,
+        mtls_cert=config.mcsd.mtls_client_cert_path,
+        mtls_key=config.mcsd.mtls_client_key_path,
+        mtls_ca=config.mcsd.mtls_server_ca_path,
     )
 
 

tests/services/api/test_api_service.py

@@ -78,6 +78,7 @@ def test_do_request_with_authenticator_should_succeed(
     mock_request.status_code = 200
     mock_request.headers = mock_authentication_headers
     mock_request.auth = mock_auth
+
     mock_get.return_value = mock_request
 
     actual = http_service.do_request("GET")
@@ -173,6 +174,7 @@ def test_make_target_url_should_succeed_with_only_base_url(
 def test_make_target_url_should_work_with_params(
     http_service: HttpService,
     base_url: str,
+    mock_url: str,
     mock_sub_route: str,
     mock_params: Dict[str, Any],
 ) -> None:
@@ -181,3 +183,85 @@ def test_make_target_url_should_work_with_params(
     actual = http_service.make_target_url(sub_route=mock_sub_route, params=mock_params)
 
     assert expected == actual
+
+
+@patch(PATCHED_MODULE)
+def test_do_request_should_use_mtls_cert_when_enabled(
+    mock_request: MagicMock,
+    mock_url: str,
+) -> None:
+    api_service = HttpService(
+        base_url=mock_url,
+        timeout=10,
+        backoff=0.1,
+        retries=1,
+        mtls_cert="test.crt",
+        mtls_key="test.key",
+        mtls_ca="test.ca"
+    )
+    
+    mock_response = MagicMock()
+    mock_response.status_code = 200
+    mock_request.return_value = mock_response
+
+    api_service.do_request("GET", mock_url)
+
+    mock_request.assert_called_once()
+    call_kwargs = mock_request.call_args[1]
+    assert call_kwargs["cert"] == ("test.crt", "test.key")
+    assert call_kwargs["verify"] == "test.ca"
+
+
+@patch(PATCHED_MODULE)
+def test_do_request_should_use_ca_file_for_verification_when_provided(
+    mock_request: MagicMock,
+    mock_url: str,
+) -> None:
+    api_service = HttpService(
+        base_url=mock_url,
+        timeout=10,
+        backoff=0.1,
+        retries=1,
+        mtls_cert="test.crt",
+        mtls_key="test.key",
+        mtls_ca="ca.crt"
+    )
+    
+    mock_response = MagicMock()
+    mock_response.status_code = 200
+    mock_request.return_value = mock_response
+
+    api_service.do_request("GET", mock_url)
+
+    mock_request.assert_called_once()
+    call_kwargs = mock_request.call_args[1]
+    assert call_kwargs["cert"] == ("test.crt", "test.key")
+    assert call_kwargs["verify"] == "ca.crt"
+
+
+@patch(PATCHED_MODULE)
+def test_do_request_should_not_use_cert_when_mtls_disabled(
+    mock_request: MagicMock,
+    mock_url: str,
+) -> None:
+    api_service = HttpService(
+        base_url=mock_url,
+        timeout=10,
+        backoff=0.1,
+        retries=1,
+        mtls_cert=None,
+        mtls_key=None,
+        mtls_ca=None
+    )
+    
+    mock_response = MagicMock()
+    mock_response.status_code = 200
+    mock_request.return_value = mock_response
+
+    api_service.do_request("GET", mock_url)
+
+    mock_request.assert_called_once()
+    call_kwargs = mock_request.call_args[1]
+    assert call_kwargs["cert"] is None
+    assert call_kwargs["verify"] is True
+

tests/services/api/test_fhir_api_service.py

@@ -1,5 +1,6 @@
 from datetime import datetime
 from typing import Any, Dict
+from urllib.parse import urlencode
 from requests.exceptions import ConnectionError
 from unittest.mock import patch, MagicMock
 
@@ -215,13 +216,13 @@ def test_search_resource_should_succeed(
     mock_org_history_bundle: Dict[str, Any],
     org_history_entry_1: Dict[str, Any],
     org_history_entry_2: Dict[str, Any],
-    mock_url: URL,
+    mock_url: str,
     mock_params: Dict[str, Any],
     fhir_api: FhirApi,
 ) -> None:
-    expected_url = mock_url.with_query(mock_params)
+    expected_url = f"{mock_url}?{urlencode(mock_params)}"
     mock_org_history_bundle["link"] = [
-        {"relation": "next", "url": mock_url.with_query(mock_params)}
+        {"relation": "next", "url": f"{mock_url}?{urlencode(mock_params)}"}
     ]
     mock_request = MagicMock()
     mock_request.status_code = 200
@@ -236,7 +237,7 @@ def test_search_resource_should_succeed(
         resource_type="Organization", params=mock_params
     )
 
-    assert (expected_url, expected_entries) == (actual_url, actual_entries)
+    assert (URL(expected_url), expected_entries) == (actual_url, actual_entries)
 
 
 @patch(PATCHED_MODULE)

tests/test_config.py

@@ -45,6 +45,9 @@ def get_test_config() -> Config:
             authentication="off",
             request_count=20,
             strict_validation=False,
+            mtls_client_cert_path=None,
+            mtls_client_key_path=None,
+            mtls_server_ca_path=None
         ),
         telemetry=ConfigTelemetry(
             enabled=False,