From 9fe53a8d54e946c20614199baeb5da9567bed93d Mon Sep 17 00:00:00 2001
From: Alex Bourret
Date: Thu, 12 Mar 2026 19:06:28 +0100
Subject: [PATCH 01/14] removing mtls from recipe and connector
---
 custom-recipes/api-connect/recipe.json | 21 -------------------
 .../api-connect_dataset/connector.json | 21 -------------------
 2 files changed, 42 deletions(-)
diff --git a/custom-recipes/api-connect/recipe.json b/custom-recipes/api-connect/recipe.json
index d590d92..cc0fac3 100644
--- a/custom-recipes/api-connect/recipe.json
+++ b/custom-recipes/api-connect/recipe.json
@@ -291,27 +291,6 @@
 "visibilityCondition": "model.auth_type!='secure_oauth' && model.auth_type!='secure_basic'",
 "defaultValue": false
 },
- {
- "name": "use_mtls",
- "label": "Use mTLS",
- "description": "",
- "type": "BOOLEAN",
- "defaultValue": false
- },
- {
- "name": "mtls_certificate_path",
- "label": "Path to certificate",
- "description": "",
- "type": "STRING",
- "visibilityCondition": "model.use_mtls==true"
- },
- {
- "name": "mtls_key_path",
- "label": "Path to key",
- "description": "",
- "type": "STRING",
- "visibilityCondition": "model.use_mtls==true"
- },
 {
 "name": "force_csv_parameters",
 "label": "Force CSV parameters",
diff --git a/python-connectors/api-connect_dataset/connector.json b/python-connectors/api-connect_dataset/connector.json
index 0dac288..2f34370 100644
--- a/python-connectors/api-connect_dataset/connector.json
+++ b/python-connectors/api-connect_dataset/connector.json
@@ -238,27 +238,6 @@
 "visibilityCondition": "model.auth_type!='secure_oauth' && model.auth_type!='secure_basic'",
 "defaultValue": false
 },
- {
- "name": "use_mtls",
- "label": " ",
- "description": "Use mTLS",
- "type": "BOOLEAN",
- "defaultValue": false
- },
- {
- "name": "mtls_certificate_path",
- "label": "Path to certificate",
- "description": "",
- "type": "STRING",
- "visibilityCondition": "model.use_mtls==true"
- },
- {
- "name": "mtls_key_path",
- "label": "Path to key",
- "description": "",
- "type": "STRING",
- "visibilityCondition": "model.use_mtls==true"
- },
 {
 "name": "force_csv_parameters",
 "label": " ",
From 3bf56eaeed9d42a993fea49bec565d67d447c264 Mon Sep 17 00:00:00 2001
From: Alex Bourret
Date: Thu, 12 Mar 2026 19:06:59 +0100
Subject: [PATCH 02/14] Moving mtls to secure and normal presets
---
 parameter-sets/credential/parameter-set.json | 21 +++++++++++++++++++
 .../secure-basic/parameter-set.json | 21 +++++++++++++++++++
 .../secure-oauth/parameter-set.json | 21 +++++++++++++++++++
 python-lib/rest_api_client.py | 14 ++++++++++---
 tests/python/integration/test_scenario.py | 4 ++++
 5 files changed, 78 insertions(+), 3 deletions(-)
diff --git a/parameter-sets/credential/parameter-set.json b/parameter-sets/credential/parameter-set.json
index 4196159..63f0e15 100644
--- a/parameter-sets/credential/parameter-set.json
+++ b/parameter-sets/credential/parameter-set.json
@@ -119,6 +119,27 @@
 "label": "User key/values",
 "description": "User defined keys/values that can be used later in url, query string...",
 "type": "KEY_VALUE_LIST"
+ },
+ {
+ "name": "use_mtls",
+ "label": " ",
+ "description": "Use mTLS",
+ "type": "BOOLEAN",
+ "defaultValue": false
+ },
+ {
+ "name": "mtls_certificate_path",
+ "label": "Path to certificate",
+ "description": "",
+ "type": "STRING",
+ "visibilityCondition": "model.use_mtls==true"
+ },
+ {
+ "name": "mtls_key_path",
+ "label": "Path to key",
+ "description": "",
+ "type": "STRING",
+ "visibilityCondition": "model.use_mtls==true"
 }
 ]
 }
diff --git a/parameter-sets/secure-basic/parameter-set.json b/parameter-sets/secure-basic/parameter-set.json
index 623d24d..e3181da 100644
--- a/parameter-sets/secure-basic/parameter-set.json
+++ b/parameter-sets/secure-basic/parameter-set.json
@@ -38,6 +38,27 @@
 "label": "NTLM"
 }
 ]
+ },
+ {
+ "name": "use_mtls",
+ "label": " ",
+ "description": "Use mTLS",
+ "type": "BOOLEAN",
+ "defaultValue": false
+ },
+ {
+ "name": "mtls_certificate_path",
+ "label": "Path to certificate",
+ "description": "",
+ "type": "STRING",
+ "visibilityCondition": "model.use_mtls==true"
+ },
+ {
+ "name": "mtls_key_path",
+ "label": "Path to key",
+ "description": "",
+ "type": "STRING",
+ "visibilityCondition": "model.use_mtls==true"
 }
 ]
 }
diff --git a/parameter-sets/secure-oauth/parameter-set.json b/parameter-sets/secure-oauth/parameter-set.json
index 464f9ac..5be17e7 100644
--- a/parameter-sets/secure-oauth/parameter-set.json
+++ b/parameter-sets/secure-oauth/parameter-set.json
@@ -47,6 +47,27 @@
 "label": "Domain",
 "description": "",
 "type": "STRING"
+ },
+ {
+ "name": "use_mtls",
+ "label": " ",
+ "description": "Use mTLS",
+ "type": "BOOLEAN",
+ "defaultValue": false
+ },
+ {
+ "name": "mtls_certificate_path",
+ "label": "Path to certificate",
+ "description": "",
+ "type": "STRING",
+ "visibilityCondition": "model.use_mtls==true"
+ },
+ {
+ "name": "mtls_key_path",
+ "label": "Path to key",
+ "description": "",
+ "type": "STRING",
+ "visibilityCondition": "model.use_mtls==true"
 }
 ]
 }
diff --git a/python-lib/rest_api_client.py b/python-lib/rest_api_client.py
index 57a542e..1ee4519 100644
--- a/python-lib/rest_api_client.py
+++ b/python-lib/rest_api_client.py
@@ -59,9 +59,17 @@ def __init__(self, credential, secure_credentials, endpoint, custom_key_values={
 self.requests_kwargs.update({"verify": False})
 else:
 self.requests_kwargs.update({"verify": True})
- if endpoint.get("use_mtls", False):
- mtls_certificate_path = endpoint.get("mtls_certificate_path")
- mtls_key_path = endpoint.get("mtls_key_path")
+ if credential.get("use_mtls", False):
+ mtls_certificate_path = credential.get("mtls_certificate_path")
+ mtls_key_path = credential.get("mtls_key_path")
+ self.requests_kwargs.update(
+ {
+ "cert": (mtls_certificate_path, mtls_key_path)
+ }
+ )
+ if secure_credentials.get("use_mtls", False):
+ mtls_certificate_path = secure_credentials.get("mtls_certificate_path")
+ mtls_key_path = secure_credentials.get("mtls_key_path")
 self.requests_kwargs.update(
 {
 "cert": (mtls_certificate_path, mtls_key_path)
diff --git a/tests/python/integration/test_scenario.py b/tests/python/integration/test_scenario.py
index 63c41af..315b6fc 100644
--- a/tests/python/integration/test_scenario.py
+++ b/tests/python/integration/test_scenario.py
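Review bot: When `use_mtls` is ticked but one of the two fields is left empty, both new branches in `__init__` still store a `cert` pair containing `None`, so, as far as the hunk shows, the request is built with no usable client certificate and any error comes from the remote side rather than from here. A guard before each `update`, such as `if not (mtls_certificate_path and mtls_key_path): raise ValueError("mTLS is enabled but the certificate or key is missing")`, would fail early and name the cause. The two branches are otherwise identical and the secure preset silently replaces the value set from `credential` when both enable mTLS; a one-line comment stating that precedence would help, and `secure_credentials.get(...)` presumably relies on the argument always being a dict, which is not visible here. `__init__` starts and ends outside the hunk.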
@@ -57,3 +57,7 @@ def test_run_api_connect_xml_handling(user_dss_clients): def test_run_api_connect_parameters_renaming(user_dss_clients): dss_scenario.run(user_dss_clients, project_key=TEST_PROJECT_KEY, scenario_id="COLUMNPARAMETERRENAMING") + + +def test_run_api_connect_mtls(user_dss_clients): + dss_scenario.run(user_dss_clients, project_key=TEST_PROJECT_KEY, scenario_id="MTLS") From 1875efa601e47c793e5490147554e84ac27c6b5d Mon Sep 17 00:00:00 2001 From: Alex Bourret Date: Fri, 13 Mar 2026 14:48:47 +0100 Subject: [PATCH 03/14] adding warnings --- parameter-sets/credential/parameter-set.json | 4 ++-- parameter-sets/secure-basic/parameter-set.json | 10 ++++++++-- parameter-sets/secure-oauth/parameter-set.json | 10 ++++++++-- 3 files changed, 18 insertions(+), 6 deletions(-) diff --git a/parameter-sets/credential/parameter-set.json b/parameter-sets/credential/parameter-set.json index 63f0e15..3035645 100644 --- a/parameter-sets/credential/parameter-set.json +++ b/parameter-sets/credential/parameter-set.json @@ -122,8 +122,8 @@ }, { "name": "use_mtls", - "label": " ", - "description": "Use mTLS", + "label": "Use mTLS", + "description": "", "type": "BOOLEAN", "defaultValue": false }, diff --git a/parameter-sets/secure-basic/parameter-set.json b/parameter-sets/secure-basic/parameter-set.json index e3181da..d54f19d 100644 --- a/parameter-sets/secure-basic/parameter-set.json +++ b/parameter-sets/secure-basic/parameter-set.json @@ -41,11 +41,17 @@ }, { "name": "use_mtls", - "label": " ", - "description": "Use mTLS", + "label": "Use mTLS", + "description": "", "type": "BOOLEAN", "defaultValue": false }, + { + "type": "SEPARATOR", + "label": "Warning", + "description": "Restricting access to this presset will not restrict access to the certificate and key files. This has to be done by setting the appropriate access rights on these two files.", + "visibilityCondition": "model.use_mtls==true" + }, { "name": "mtls_certificate_path", "label": "Path to certificate", 
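Review bot: The new `Warning` separator is added to the secure-basic preset here and to the secure-oauth preset in the next file, but the `credential` parameter set, which carries the same `mtls_certificate_path` and `mtls_key_path` fields, only gets the label change and no warning. The exposure described by the warning (preset permissions do not protect the files on disk) applies there as well, so the same separator belongs in that file. The text also has typos that will show in the UI: `presset` should be `preset`, and in the OAuth variant `controled` should be `controlled` and `for the retrieving the access token` should read `for retrieving the access token`.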
diff --git a/parameter-sets/secure-oauth/parameter-set.json b/parameter-sets/secure-oauth/parameter-set.json
index 5be17e7..79da6d0 100644
--- a/parameter-sets/secure-oauth/parameter-set.json
+++ b/parameter-sets/secure-oauth/parameter-set.json
@@ -50,11 +50,17 @@
 },
 {
 "name": "use_mtls",
- "label": " ",
- "description": "Use mTLS",
+ "label": "Use mTLS",
+ "description": "",
 "type": "BOOLEAN",
 "defaultValue": false
 },
+ {
+ "type": "SEPARATOR",
+ "label": "Warning",
+ "description": "1 - Restricting access to this presset will not restrict access to the certificate and key files. This has to be done by setting the appropriate access rights on these two files.\n2 - Because the OAuth flow is not controled by the plugin, mTLS cannot be used for the retrieving the access token itself.",
+ "visibilityCondition": "model.use_mtls==true"
+ },
 {
 "name": "mtls_certificate_path",
 "label": "Path to certificate",
From bd623021c9406070101b9ff728dc991293c0da0d Mon Sep 17 00:00:00 2001
From: Alex Bourret
Date: Fri, 13 Mar 2026 16:14:50 +0100
Subject: [PATCH 04/14] beta.4
---
 python-lib/dku_constants.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python-lib/dku_constants.py b/python-lib/dku_constants.py
index 8bf962b..b20ccde 100644
--- a/python-lib/dku_constants.py
+++ b/python-lib/dku_constants.py
@@ -2,6 +2,6 @@ class DKUConstants(object):
 API_RESPONSE_KEY = "api_response"
 FORBIDDEN_KEYS = ["token", "password", "api_key_value", "secure_token"]
 FORM_DATA_BODY_FORMAT = "FORM_DATA"
- PLUGIN_VERSION = "1.2.7-beta.3"
+ PLUGIN_VERSION = "1.2.7-beta.4"
 RAW_BODY_FORMAT = "RAW"
 REPONSE_ERROR_KEY = "dku_error"
From 4cf349067e2cb627474611bfc521973d2cdbf95f Mon Sep 17 00:00:00 2001
From: Alex Bourret
Date: Mon, 16 Mar 2026 17:12:45 +0100
Subject: [PATCH 05/14] update tags and category
---
 plugin.json | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/plugin.json b/plugin.json
index afb4273..88ad213 100644
--- a/plugin.json
+++ b/plugin.json
@@ -6,8 +6,7 @@
 "description": "Retrieve data from any REST API",
 "author": "Dataiku (Alex Bourret)",
 "icon": "icon-rocket",
- "category": "Connect",
- "tags": ["API", "Recipe", "Dataset"],
+ "tags": ["Connector"],
 "url": "https://www.dataiku.com/product/plugins/api-connect/",
 "licenseInfo": "Apache Software License",
 "recipesCategory": "visual"
From c5a0c20662b8bc3a7ca61301fe8b72f41bfdb3ed Mon Sep 17 00:00:00 2001
From: Alex Bourret
Date: Tue, 24 Mar 2026 16:21:57 +0100
Subject: [PATCH 06/14] removing beta tag
---
 python-lib/dku_constants.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python-lib/dku_constants.py b/python-lib/dku_constants.py
index b20ccde..3736450 100644
--- a/python-lib/dku_constants.py
+++ b/python-lib/dku_constants.py
@@ -2,6 +2,6 @@ class DKUConstants(object):
 API_RESPONSE_KEY = "api_response"
 FORBIDDEN_KEYS = ["token", "password", "api_key_value", "secure_token"]
 FORM_DATA_BODY_FORMAT = "FORM_DATA"
- PLUGIN_VERSION = "1.2.7-beta.4"
+ PLUGIN_VERSION = "1.2.7"
 RAW_BODY_FORMAT = "RAW"
 REPONSE_ERROR_KEY = "dku_error"
From 38af12d03dcbcd39cf02acf41d9adb0382df6c00 Mon Sep 17 00:00:00 2001
From: Alex Bourret
Date: Thu, 2 Apr 2026 12:20:20 +0200
Subject: [PATCH 07/14] storing key+certificats as passwords
---
 parameter-sets/credential/parameter-set.json | 8 ++++----
 parameter-sets/secure-basic/parameter-set.json | 8 ++++----
 parameter-sets/secure-oauth/parameter-set.json | 8 ++++----
 3 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/parameter-sets/credential/parameter-set.json b/parameter-sets/credential/parameter-set.json
index 3035645..b5202c1 100644
--- a/parameter-sets/credential/parameter-set.json
+++ b/parameter-sets/credential/parameter-set.json
@@ -130,15 +130,15 @@
 {
 "name": "mtls_certificate_path",
 "label": "Path to certificate",
- "description": "",
- "type": "STRING",
+ "description": "or full certificate from -----BEGIN to END CERTIFICATE-----",
+ "type": "PASSWORD",
 "visibilityCondition": "model.use_mtls==true"
 },
 {
 "name": "mtls_key_path",
 "label": "Path to key",
- "description": "",
- "type": "STRING",
+ "description": "or full key from -----BEGIN to END PRIVATE KEY-----",
+ "type": "PASSWORD",
 "visibilityCondition": "model.use_mtls==true"
 }
 ]
diff --git a/parameter-sets/secure-basic/parameter-set.json b/parameter-sets/secure-basic/parameter-set.json
index d54f19d..6c1fb58 100644
--- a/parameter-sets/secure-basic/parameter-set.json
+++ b/parameter-sets/secure-basic/parameter-set.json
@@ -55,15 +55,15 @@
 {
 "name": "mtls_certificate_path",
 "label": "Path to certificate",
- "description": "",
- "type": "STRING",
+ "description": "or full certificate from -----BEGIN to END CERTIFICATE-----",
+ "type": "PASSWORD",
 "visibilityCondition": "model.use_mtls==true"
 },
 {
 "name": "mtls_key_path",
 "label": "Path to key",
- "description": "",
- "type": "STRING",
+ "description": "or full key from -----BEGIN to END PRIVATE KEY-----",
+ "type": "PASSWORD",
 "visibilityCondition": "model.use_mtls==true"
 }
 ]
diff --git a/parameter-sets/secure-oauth/parameter-set.json b/parameter-sets/secure-oauth/parameter-set.json
index 79da6d0..947f096 100644
--- a/parameter-sets/secure-oauth/parameter-set.json
+++ b/parameter-sets/secure-oauth/parameter-set.json
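Review bot: Both fields keep a path-only label (`"label": "Path to key"`, `"label": "Path to certificate"`) while the new description invites pasting the PEM text, so one field now covers two different storage models and the label names only one of them. A pasted key is presumably stored like the other secrets of the preset, whereas a path entered in the same field still points at a file whose protection depends on filesystem rights. I would rename the labels, for example `"label": "Private key (path or PEM text)"`, and say in the description which form is preferred. The same applies to the secure-basic hunk below and to the secure-oauth hunk of this commit.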
@@ -64,15 +64,15 @@
 {
 "name": "mtls_certificate_path",
 "label": "Path to certificate",
- "description": "",
- "type": "STRING",
+ "description": "or full certificate from -----BEGIN to END CERTIFICATE-----",
+ "type": "PASSWORD",
 "visibilityCondition": "model.use_mtls==true"
 },
 {
 "name": "mtls_key_path",
 "label": "Path to key",
- "description": "",
- "type": "STRING",
+ "description": "or full key from -----BEGIN to END PRIVATE KEY-----",
+ "type": "PASSWORD",
 "visibilityCondition": "model.use_mtls==true"
 }
 ]
From 6252b88cd2594758fc87340ec2d5caba72d40f04 Mon Sep 17 00:00:00 2001
From: Alex Bourret
Date: Thu, 2 Apr 2026 12:20:54 +0200
Subject: [PATCH 08/14] using temp file for using key+certificats stored in presets
---
 python-lib/rest_api_client.py | 40 +++++++++++++++++++++++++++++++++--
 1 file changed, 38 insertions(+), 2 deletions(-)
diff --git a/python-lib/rest_api_client.py b/python-lib/rest_api_client.py
index 1ee4519..49ffd08 100644
--- a/python-lib/rest_api_client.py
+++ b/python-lib/rest_api_client.py
@@ -1,6 +1,7 @@
 import requests
 import time
 import copy
+import tempfile
 from pagination import Pagination
 from safe_logger import SafeLogger
 from loop_detector import LoopDetector
@@ -184,14 +185,35 @@ def request(self, method, url, can_raise_exeption=True, **kwargs): def request_with_redirect_retry(self, method, url, **kwargs): # In case of redirection to another domain, the authorization header is not kept # If redirect_auth_header is true, another attempt is made with initial headers to the redirected url - response = self.session.request(method, url, **kwargs) + response = self.request_with_cert(method, url, **kwargs) if self.redirect_auth_header and not response.url.startswith(url): redirection_kwargs = copy.deepcopy(kwargs) redirection_kwargs.pop("params", None) # params are contained in the redirected url logger.warning("Redirection ! Accessing endpoint {} with initial authorization headers".format(response.url)) - response = self.session.request(method, response.url, **redirection_kwargs) + response = self.request_with_cert(method, response.url, **redirection_kwargs) return response + def request_with_cert(self, method, url, **kwargs): + cert = kwargs.get("cert", None) + if cert and len(cert) == 2: + if cert[0].startswith("-----BEGIN CERTIFICATE") and cert[1].startswith("-----BEGIN PRIVATE KEY"): + logger.info("mTLS certificate and key are strings") + response = None + with tempfile.NamedTemporaryFile(mode="w", suffix=".crt") as tmp_certificate: + with tempfile.NamedTemporaryFile(mode="w", suffix=".key") as tmp_key: + tmp_certificate.write( + normalize_key(cert[0]) + ) + tmp_certificate.seek(0) + tmp_key.write( + normalize_key(cert[1]) + ) + tmp_key.seek(0) + kwargs["cert"] = (tmp_certificate.name, tmp_key.name) + response = self.session.request(method, url, **kwargs) + return response + return self.session.request(method, url, **kwargs) + def paginated_api_call(self, can_raise_exeption=True): if self.pagination.params_must_be_blanked: self.requests_kwargs["params"] = {} 
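Review bot: `request_with_cert` calls `cert[0].startswith(...)` on whatever the preset returned, so a pair containing `None` (mTLS ticked, field left empty) raises `AttributeError` here, and a pasted value with leading whitespace, or a pasted key next to a certificate given as a path, fails the test and is handed to `requests` as if it were a file path. As far as I know `requests` quotes an invalid certificate or key path in the error it raises, which would put the pasted key material into the exception text and into any log that records it. I would guard with `if cert and len(cert) == 2 and all(isinstance(part, str) for part in cert):`, compare on `part.strip()`, and reject any value that contains `-----BEGIN` but is not handled instead of letting it reach the final `return`. The key is also written to a named temporary file on every request and the code relies on `seek(0)` to flush it before the TLS layer reads it; an explicit `flush()` states that intent, and a comment should say that the plaintext key exists on disk for the duration of the call.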
@@ -278,3 +300,17 @@ def get_headers(response):
 if isinstance(response, requests.Response):
 return response.headers
 return None
+
+
+def normalize_key(key):
+ tempo_text = str(key)
+ tempo_text = tempo_text.replace("BEGIN CERTIFICATE", "BEGINCERTIFICATE")
+ tempo_text = tempo_text.replace("END CERTIFICATE", "ENDCERTIFICATE")
+ tempo_text = tempo_text.replace("-----BEGIN PRIVATE KEY-----", "-----BEGINPRIVATEKEY-----")
+ tempo_text = tempo_text.replace("-----END PRIVATE KEY-----", "-----ENDPRIVATEKEY-----")
+ tempo_text = tempo_text.replace(" ", "\n")
+ tempo_text = tempo_text.replace("BEGINCERTIFICATE", "BEGIN CERTIFICATE")
+ tempo_text = tempo_text.replace("ENDCERTIFICATE", "END CERTIFICATE")
+ tempo_text = tempo_text.replace("-----BEGINPRIVATEKEY-----", "-----BEGIN PRIVATE KEY-----")
+ tempo_text = tempo_text.replace("-----ENDPRIVATEKEY-----", "-----END PRIVATE KEY-----")
+ return tempo_text
From 734dd6c041e734092c9060bbc80294253f276ba7 Mon Sep 17 00:00:00 2001
From: Alex Bourret
Date: Thu, 2 Apr 2026 12:21:29 +0200
Subject: [PATCH 09/14] adding mtls keys to data that should not be displayed
---
 python-lib/dku_constants.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python-lib/dku_constants.py b/python-lib/dku_constants.py
index 3736450..ffab18d 100644
--- a/python-lib/dku_constants.py
+++ b/python-lib/dku_constants.py
@@ -1,6 +1,6 @@
 class DKUConstants(object):
 API_RESPONSE_KEY = "api_response"
- FORBIDDEN_KEYS = ["token", "password", "api_key_value", "secure_token"]
+ FORBIDDEN_KEYS = ["token", "password", "api_key_value", "secure_token", "mtls_key_path", "mtls_certificate_path"]
 FORM_DATA_BODY_FORMAT = "FORM_DATA"
 PLUGIN_VERSION = "1.2.7"
 RAW_BODY_FORMAT = "RAW"
From 987c597f1620e453a40e8d3fc1e05d66777c6839 Mon Sep 17 00:00:00 2001
From: Alex Bourret
Date: Thu, 2 Apr 2026 13:56:47 +0200
Subject: [PATCH 10/14] beta.5
---
 python-lib/dku_constants.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
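Review bot: Adding `mtls_key_path` and `mtls_certificate_path` to `FORBIDDEN_KEYS` covers the preset fields by name, but the client copies both values into `requests_kwargs` under the key `cert` as a tuple, and `cert` is not in the list. If the masking is keyed on dictionary key names (its implementation is not visible here), a dump of the request arguments would still show a pasted private key. Consider adding `"cert"` to the list, or confirm that the logger also masks the tuple stored under that key.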
diff --git a/python-lib/dku_constants.py b/python-lib/dku_constants.py
index ffab18d..7e007f8 100644
--- a/python-lib/dku_constants.py
+++ b/python-lib/dku_constants.py
@@ -2,6 +2,6 @@ class DKUConstants(object):
 API_RESPONSE_KEY = "api_response"
 FORBIDDEN_KEYS = ["token", "password", "api_key_value", "secure_token", "mtls_key_path", "mtls_certificate_path"]
 FORM_DATA_BODY_FORMAT = "FORM_DATA"
- PLUGIN_VERSION = "1.2.7"
+ PLUGIN_VERSION = "1.2.7-beta.5"
 RAW_BODY_FORMAT = "RAW"
 REPONSE_ERROR_KEY = "dku_error"
From 581a267a0dc3f936b096bbff2bdc2544fd164c08 Mon Sep 17 00:00:00 2001
From: Alex Bourret
Date: Thu, 16 Apr 2026 13:38:35 +0200
Subject: [PATCH 11/14] Clarify the UI
---
 parameter-sets/credential/parameter-set.json | 4 ++--
 parameter-sets/secure-basic/parameter-set.json | 4 ++--
 parameter-sets/secure-oauth/parameter-set.json | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/parameter-sets/credential/parameter-set.json b/parameter-sets/credential/parameter-set.json
index b5202c1..0c027f6 100644
--- a/parameter-sets/credential/parameter-set.json
+++ b/parameter-sets/credential/parameter-set.json
@@ -130,14 +130,14 @@
 {
 "name": "mtls_certificate_path",
 "label": "Path to certificate",
- "description": "or full certificate from -----BEGIN to END CERTIFICATE-----",
+ "description": "or full certificate starting with -----BEGIN and ending with END CERTIFICATE-----",
 "type": "PASSWORD",
 "visibilityCondition": "model.use_mtls==true"
 },
 {
 "name": "mtls_key_path",
 "label": "Path to key",
- "description": "or full key from -----BEGIN to END PRIVATE KEY-----",
+ "description": "or full key starting with -----BEGIN and ending with END PRIVATE KEY-----",
 "type": "PASSWORD",
 "visibilityCondition": "model.use_mtls==true"
 }
diff --git a/parameter-sets/secure-basic/parameter-set.json b/parameter-sets/secure-basic/parameter-set.json
index 6c1fb58..a6b6809 100644
--- a/parameter-sets/secure-basic/parameter-set.json
+++ b/parameter-sets/secure-basic/parameter-set.json
@@ -55,14 +55,14 @@
 {
 "name": "mtls_certificate_path",
 "label": "Path to certificate",
- "description": "or full certificate from -----BEGIN to END CERTIFICATE-----",
+ "description": "or full certificate starting with -----BEGIN and ending with END CERTIFICATE-----",
 "type": "PASSWORD",
 "visibilityCondition": "model.use_mtls==true"
 },
 {
 "name": "mtls_key_path",
 "label": "Path to key",
- "description": "or full key from -----BEGIN to END PRIVATE KEY-----",
+ "description": "or full key starting with -----BEGIN and ending with END PRIVATE KEY-----",
 "type": "PASSWORD",
 "visibilityCondition": "model.use_mtls==true"
 }
diff --git a/parameter-sets/secure-oauth/parameter-set.json b/parameter-sets/secure-oauth/parameter-set.json
index 947f096..72c6437 100644
--- a/parameter-sets/secure-oauth/parameter-set.json
+++ b/parameter-sets/secure-oauth/parameter-set.json
@@ -64,14 +64,14 @@
 {
 "name": "mtls_certificate_path",
 "label": "Path to certificate",
- "description": "or full certificate from -----BEGIN to END CERTIFICATE-----",
+ "description": "or full certificate starting with -----BEGIN and ending with END CERTIFICATE-----",
 "type": "PASSWORD",
 "visibilityCondition": "model.use_mtls==true"
 },
 {
 "name": "mtls_key_path",
 "label": "Path to key",
- "description": "or full key from -----BEGIN to END PRIVATE KEY-----",
+ "description": "or full key starting with -----BEGIN and ending with END PRIVATE KEY-----",
 "type": "PASSWORD",
 "visibilityCondition": "model.use_mtls==true"
 }
From 1cfed4416c356fbd379b65d9f28b480f48ec5912 Mon Sep 17 00:00:00 2001
From: Alex Bourret
Date: Thu, 16 Apr 2026 13:38:53 +0200
Subject: [PATCH 12/14] Add normalization for RSA keys
---
 python-lib/rest_api_client.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/python-lib/rest_api_client.py b/python-lib/rest_api_client.py
index 49ffd08..9609151 100644
--- a/python-lib/rest_api_client.py
+++ b/python-lib/rest_api_client.py
@@ -308,7 +308,11 @@ def normalize_key(key):
 tempo_text = tempo_text.replace("END CERTIFICATE", "ENDCERTIFICATE")
 tempo_text = tempo_text.replace("-----BEGIN PRIVATE KEY-----", "-----BEGINPRIVATEKEY-----")
 tempo_text = tempo_text.replace("-----END PRIVATE KEY-----", "-----ENDPRIVATEKEY-----")
+ tempo_text = tempo_text.replace("BEGIN RSA PRIVATE KEY", "BEGINRSAPRIVATEKEY")
+ tempo_text = tempo_text.replace("END RSA PRIVATE KEY", "ENDRSAPRIVATEKEY")
 tempo_text = tempo_text.replace(" ", "\n")
+ tempo_text = tempo_text.replace("BEGINRSAPRIVATEKEY", "BEGIN RSA PRIVATE KEY")
+ tempo_text = tempo_text.replace("ENDRSAPRIVATEKEY", "END RSA PRIVATE KEY")
 tempo_text = tempo_text.replace("BEGINCERTIFICATE", "BEGIN CERTIFICATE")
 tempo_text = tempo_text.replace("ENDCERTIFICATE", "END CERTIFICATE")
 tempo_text = tempo_text.replace("-----BEGINPRIVATEKEY-----", "-----BEGIN PRIVATE KEY-----")
From 59597ce669c0c8cbb66c5281196942cbea77f9f0 Mon Sep 17 00:00:00 2001
From: Alex Bourret
Date: Thu, 16 Apr 2026 14:00:27 +0200
Subject: [PATCH 13/14] fix to accept RSA keys
---
 python-lib/rest_api_client.py | 38 +++++++++++++++++++++++------------
 1 file changed, 25 insertions(+), 13 deletions(-)
diff --git a/python-lib/rest_api_client.py b/python-lib/rest_api_client.py
index 9609151..12ff0a2 100644
--- a/python-lib/rest_api_client.py
+++ b/python-lib/rest_api_client.py
@@ -196,7 +196,7 @@ def request_with_redirect_retry(self, method, url, **kwargs):
 def request_with_cert(self, method, url, **kwargs):
 cert = kwargs.get("cert", None)
 if cert and len(cert) == 2:
- if cert[0].startswith("-----BEGIN CERTIFICATE") and cert[1].startswith("-----BEGIN PRIVATE KEY"):
+ if cert[0].startswith("-----BEGIN CERTIFICATE") and cert[1].startswith("-----BEGIN "):
 logger.info("mTLS certificate and key are strings")
 response = None
 with tempfile.NamedTemporaryFile(mode="w", suffix=".crt") as tmp_certificate:
@@ -303,18 +303,30 @@ def get_headers(response): def normalize_key(key): + PROTECTED_EXPRESSIONS = [ + "BEGIN CERTIFICATE", "END CERTIFICATE", + "BEGIN PRIVATE KEY", "END PRIVATE KEY", + "BEGIN RSA PRIVATE KEY", "END RSA PRIVATE KEY" + ] tempo_text = str(key) - tempo_text = tempo_text.replace("BEGIN CERTIFICATE", "BEGINCERTIFICATE") - tempo_text = tempo_text.replace("END CERTIFICATE", "ENDCERTIFICATE") - tempo_text = tempo_text.replace("-----BEGIN PRIVATE KEY-----", "-----BEGINPRIVATEKEY-----") - tempo_text = tempo_text.replace("-----END PRIVATE KEY-----", "-----ENDPRIVATEKEY-----") - tempo_text = tempo_text.replace("BEGIN RSA PRIVATE KEY", "BEGINRSAPRIVATEKEY") - tempo_text = tempo_text.replace("END RSA PRIVATE KEY", "ENDRSAPRIVATEKEY") + for expression_to_protect in PROTECTED_EXPRESSIONS: + protected_form = expression_to_protect.replace(" ", "") + tempo_text = tempo_text.replace(expression_to_protect, protected_form) tempo_text = tempo_text.replace(" ", "\n") - tempo_text = tempo_text.replace("BEGINRSAPRIVATEKEY", "BEGIN RSA PRIVATE KEY") - tempo_text = tempo_text.replace("ENDRSAPRIVATEKEY", "END RSA PRIVATE KEY") - tempo_text = tempo_text.replace("BEGINCERTIFICATE", "BEGIN CERTIFICATE") - tempo_text = tempo_text.replace("ENDCERTIFICATE", "END CERTIFICATE") - tempo_text = tempo_text.replace("-----BEGINPRIVATEKEY-----", "-----BEGIN PRIVATE KEY-----") - tempo_text = tempo_text.replace("-----ENDPRIVATEKEY-----", "-----END PRIVATE KEY-----") + for expression_to_protect in PROTECTED_EXPRESSIONS: + protected_form = expression_to_protect.replace(" ", "") + tempo_text = tempo_text.replace(protected_form, expression_to_protect) + # tempo_text = tempo_text.replace("BEGIN CERTIFICATE", "BEGINCERTIFICATE") + # tempo_text = tempo_text.replace("END CERTIFICATE", "ENDCERTIFICATE") + # tempo_text = tempo_text.replace("-----BEGIN PRIVATE KEY-----", "-----BEGINPRIVATEKEY-----") + # tempo_text = tempo_text.replace("-----END PRIVATE KEY-----", "-----ENDPRIVATEKEY-----") + # 
tempo_text = tempo_text.replace("BEGIN RSA PRIVATE KEY", "BEGINRSAPRIVATEKEY") + # tempo_text = tempo_text.replace("END RSA PRIVATE KEY", "ENDRSAPRIVATEKEY") + # tempo_text = tempo_text.replace(" ", "\n") + # tempo_text = tempo_text.replace("BEGINRSAPRIVATEKEY", "BEGIN RSA PRIVATE KEY") + # tempo_text = tempo_text.replace("ENDRSAPRIVATEKEY", "END RSA PRIVATE KEY") + # tempo_text = tempo_text.replace("BEGINCERTIFICATE", "BEGIN CERTIFICATE") + # tempo_text = tempo_text.replace("ENDCERTIFICATE", "END CERTIFICATE") + # tempo_text = tempo_text.replace("-----BEGINPRIVATEKEY-----", "-----BEGIN PRIVATE KEY-----") + # tempo_text = tempo_text.replace("-----ENDPRIVATEKEY-----", "-----END PRIVATE KEY-----") return tempo_text From b807d8573bbfd2684f6a7f0916dea91720704bc3 Mon Sep 17 00:00:00 2001 From: Alex Bourret Date: Thu, 16 Apr 2026 14:01:18 +0200 Subject: [PATCH 14/14] removing comments --- python-lib/rest_api_client.py | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/python-lib/rest_api_client.py b/python-lib/rest_api_client.py index 12ff0a2..cb4e824 100644 --- a/python-lib/rest_api_client.py +++ b/python-lib/rest_api_client.py 
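Review bot: `normalize_key` keeps only the three labels listed in `PROTECTED_EXPRESSIONS` intact, while the first hunk of this commit now lets any key starting with `-----BEGIN ` through, so a key with another label (for example `EC PRIVATE KEY`) passes the gate and then has the spaces of its own header turned into line breaks, which yields an invalid PEM file and an opaque TLS error. Splitting the text on the `-----` delimiter preserves every label without a list to maintain, as sketched below. The function also has no docstring saying why spaces become newlines, presumably because the password field flattens the pasted line breaks; that reason should be written down.

```python
def normalize_key(key):
    # Splitting on the PEM delimiter leaves the BEGIN/END labels at the odd
    # positions; only the text between them has its spaces turned back into
    # line breaks, so any label is preserved.
    pieces = str(key).split("-----")
    for index in range(0, len(pieces), 2):
        pieces[index] = pieces[index].replace(" ", "\n")
    return "-----".join(pieces)
```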
@@ -316,17 +316,4 @@ def normalize_key(key):
 for expression_to_protect in PROTECTED_EXPRESSIONS:
 protected_form = expression_to_protect.replace(" ", "")
 tempo_text = tempo_text.replace(protected_form, expression_to_protect)
- # tempo_text = tempo_text.replace("BEGIN CERTIFICATE", "BEGINCERTIFICATE")
- # tempo_text = tempo_text.replace("END CERTIFICATE", "ENDCERTIFICATE")
- # tempo_text = tempo_text.replace("-----BEGIN PRIVATE KEY-----", "-----BEGINPRIVATEKEY-----")
- # tempo_text = tempo_text.replace("-----END PRIVATE KEY-----", "-----ENDPRIVATEKEY-----")
- # tempo_text = tempo_text.replace("BEGIN RSA PRIVATE KEY", "BEGINRSAPRIVATEKEY")
- # tempo_text = tempo_text.replace("END RSA PRIVATE KEY", "ENDRSAPRIVATEKEY")
- # tempo_text = tempo_text.replace(" ", "\n")
- # tempo_text = tempo_text.replace("BEGINRSAPRIVATEKEY", "BEGIN RSA PRIVATE KEY")
- # tempo_text = tempo_text.replace("ENDRSAPRIVATEKEY", "END RSA PRIVATE KEY")
- # tempo_text = tempo_text.replace("BEGINCERTIFICATE", "BEGIN CERTIFICATE")
- # tempo_text = tempo_text.replace("ENDCERTIFICATE", "END CERTIFICATE")
- # tempo_text = tempo_text.replace("-----BEGINPRIVATEKEY-----", "-----BEGIN PRIVATE KEY-----")
- # tempo_text = tempo_text.replace("-----ENDPRIVATEKEY-----", "-----END PRIVATE KEY-----")
 return tempo_text