Support SSL/TLS directly

[simonw]

This should be pretty easy because Uvicorn supports them already. Need a good mechanism for testing it - https://pypi.org/project/trustme/ looks ideal.

[simonw]

Uvicorn supports these options: https://www.uvicorn.org/#command-line-options

  --ssl-keyfile TEXT              SSL key file
  --ssl-certfile TEXT             SSL certificate file
  --ssl-keyfile-password TEXT     SSL keyfile password
  --ssl-version INTEGER           SSL version to use (see stdlib ssl module's)
                                  [default: 2]

  --ssl-cert-reqs INTEGER         Whether client certificate is required (see
                                  stdlib ssl module's)  [default: 0]

  --ssl-ca-certs TEXT             CA certificates file
  --ssl-ciphers TEXT              Ciphers to use (see stdlib ssl module's)
                                  [default: TLSv1]

For the moment I'm going to support just --ssl-keyfile and --ssl-certfile as arguments to datasette serve. I'll add other options if people ask for them.

[simonw]

I can use this recipe to start a datasette server in a sub-process during the pytest run and exercise it with real HTTP requests: https://til.simonwillison.net/pytest/subprocess-server

[simonw]

I also tested this manually. I generated certificate files like so:

cd /tmp
python -m trustme

This created /tmp/server.pem, /tmp/client.pem and /tmp/server.key

Then I started Datasette like this:

datasette --memory --ssl-keyfile=/tmp/server.key --ssl-certfile=/tmp/server.pem

And exercise it using curl like so:

/tmp % curl --cacert /tmp/client.pem 'https://localhost:8001/_memory.json'
{"database": "_memory", "path": "/_memory", "size": 0, "tables": [], "hidden_count": 0, "views": [], "queries": [],
"private": false, "allow_execute_sql": true, "query_ms": 0.8843200000114848}

Note that without the --cacert option I get an error:

/tmp % curl 'https://localhost:8001/_memory.json' 
curl: (60) SSL certificate problem: Invalid certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

[simonw]

I ended up moving this test out of Python and into a bash script here: d1d3694