commit bc11f495542a7aefbc905f9103ef75725c95df2b · anil.recoil.org/zulip-netdata-bot

.gitignore

···

       204
        
       

     

       205
        
       thicket.yaml

     

       206
        
       bot-config/zuliprc

     

       0
        
       
     

       0

···

       204
        
       

     

       205
        
       thicket.yaml

     

       206
        
       bot-config/zuliprc

     

       207
       +
       certs

     

       208
       +
       .zuliprc

-5

.zuliprc.sample

···

       1
       -
       [api]

     

       2
       -
       site=https://yourorg.zulipchat.com

     

       3
       -
       email=netdata-bot@yourorg.zulipchat.com

     

       4
       -
       key=your-api-key-here

     

       5
       -
       stream=netdata-alerts

+44 -17

README.md

···

       6
        
       

     

       7
        
       ## Features

     

       8
        
       

     

       9
       -
       - 🔐 **HTTPS with Let's Encrypt**: Automatic SSL certificate management

     

       10
        
       - 🤝 **Mutual TLS**: Secure authentication with Netdata Cloud

     

       11
        
       - 📊 **Rich Formatting**: Beautiful Zulip messages with emojis and markdown

     

       12
        
       - 🏷️ **Topic Organization**: Automatic topic routing by severity level

     

       13
        
       - 📝 **Structured Logging**: JSON-structured logs for monitoring

     

       14
        
       - ⚡ **High Performance**: FastAPI-based webhook endpoint

     

       0
        
       
     

       15
        
       

     

       16
        
       ## Quick Start

     

       17
        
       

     
···

       53
        
       export SERVER_DOMAIN=your-webhook-domain.com

     

       54
        
       export SERVER_PORT=8443

     

       55
        
       export SERVER_ENABLE_MTLS=true

     

       56
       -
       ```

     

       57
        
       

     

       58
       -
       ### 5. Setup SSL Certificate

     

       59
       -
       

     

       60
       -
       ```bash

     

       61
       -
       # Install certbot and obtain certificate

     

       62
       -
       sudo certbot certonly --standalone -d your-webhook-domain.com

     

       63
       -
       

     

       64
       -
       # Ensure certificate files are accessible

     

       65
       -
       sudo chown -R $USER:$USER /etc/letsencrypt/live/your-webhook-domain.com/

     

       66
        
       ```

     

       67
        
       

     

       68
       -
       ### 6. Run the Service

     

       69
        
       

     

       70
        
       ```bash

     

       0
        
       
     

       71
        
       netdata-zulip-bot

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       72
        
       ```

     

       73
        
       

     

       74
        
       ## Configuration

     
···

       104
        
       

     

       105
        
       Set these environment variables:

     

       106
        
       

     

       107
       -
       - `SERVER_DOMAIN`: Your public domain (required for Let's Encrypt)

     

       108
        
       - `SERVER_HOST`: Bind address (default: `0.0.0.0`)

     

       109
        
       - `SERVER_PORT`: HTTPS port (default: `8443`)

     

       110
       -
       - `SERVER_CERT_PATH`: Certificate path (default: `/etc/letsencrypt/live`)

     

       111
        
       - `SERVER_ENABLE_MTLS`: Enable mutual TLS (default: `true`)

     

       112
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       113
        
       ## Message Format

     

       114
        
       

     

       115
        
       ### Alert Notifications

     
···

       197
        
       

     

       198
        
       ## Security

     

       199
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       200
        
       ### Mutual TLS Authentication

     

       201
        
       

     

       202
        
       The service supports mutual TLS to authenticate Netdata Cloud webhooks:

     

       203
        
       

     

       204
       -
       1. **Server Certificate**: Automatically managed by Let's Encrypt

     

       205
        
       2. **Client Verification**: Validates Netdata's client certificate

     

       206
        
       3. **CA Certificate**: Built-in Netdata CA certificate for client validation

     

       207
        
       

     
···

       269
        
       

     

       270
        
       ### Common Issues

     

       271
        
       

     

       272
       -
       1. **Certificate Not Found**

     

       273
       -
          - Ensure Let's Encrypt certificates exist at `/etc/letsencrypt/live/your-domain.com/`

     

       274
       -
          - Check file permissions

     

       0
        
       
     

       0
        
       
     

       275
        
       

     

       276
        
       2. **Zulip Connection Failed**

     

       277
        
          - Verify API credentials in zuliprc

···

       6
        
       

     

       7
        
       ## Features

     

       8
        
       

     

       9
       +
       - 🔐 **Automated SSL Certificates**: Built-in Let's Encrypt integration with automatic renewal

     

       10
        
       - 🤝 **Mutual TLS**: Secure authentication with Netdata Cloud

     

       11
        
       - 📊 **Rich Formatting**: Beautiful Zulip messages with emojis and markdown

     

       12
        
       - 🏷️ **Topic Organization**: Automatic topic routing by severity level

     

       13
        
       - 📝 **Structured Logging**: JSON-structured logs for monitoring

     

       14
        
       - ⚡ **High Performance**: FastAPI-based webhook endpoint

     

       15
       +
       - 🚀 **Standalone**: No external dependencies like certbot required

     

       16
        
       

     

       17
        
       ## Quick Start

     

       18
        
       

     
···

       54
        
       export SERVER_DOMAIN=your-webhook-domain.com

     

       55
        
       export SERVER_PORT=8443

     

       56
        
       export SERVER_ENABLE_MTLS=true

     

       0
        
       
     

       57
        
       

     

       58
       +
       # For automated SSL certificates (recommended)

     

       59
       +
       export SERVER_AUTO_CERT=true

     

       60
       +
       export SERVER_CERT_EMAIL=admin@example.com

     

       61
       +
       # Use staging for testing (optional)

     

       62
       +
       export SERVER_CERT_STAGING=false

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       63
        
       ```

     

       64
        
       

     

       65
       +
       ### 5. Run the Service

     

       66
        
       

     

       67
        
       ```bash

     

       68
       +
       # With automated SSL certificates

     

       69
        
       netdata-zulip-bot

     

       70
       +
       

     

       71
       +
       # The bot will automatically:

     

       72
       +
       # 1. Obtain SSL certificates from Let's Encrypt

     

       73
       +
       # 2. Start the HTTPS server

     

       74
       +
       # 3. Renew certificates before expiration

     

       75
        
       ```

     

       76
        
       

     

       77
        
       ## Configuration

     
···

       107
        
       

     

       108
        
       Set these environment variables:

     

       109
        
       

     

       110
       +
       - `SERVER_DOMAIN`: Your public domain (required)

     

       111
        
       - `SERVER_HOST`: Bind address (default: `0.0.0.0`)

     

       112
        
       - `SERVER_PORT`: HTTPS port (default: `8443`)

     

       0
        
       
     

       113
        
       - `SERVER_ENABLE_MTLS`: Enable mutual TLS (default: `true`)

     

       114
        
       

     

       115
       +
       #### Automated SSL Configuration (Recommended)

     

       116
       +
       

     

       117
       +
       - `SERVER_AUTO_CERT`: Enable automatic certificate management (default: `false`)

     

       118
       +
       - `SERVER_CERT_EMAIL`: Email for Let's Encrypt account (required when auto_cert is true)

     

       119
       +
       - `SERVER_CERT_PATH`: Directory for storing certificates (default: `./certs`)

     

       120
       +
       - `SERVER_CERT_STAGING`: Use Let's Encrypt staging server for testing (default: `false`)

     

       121
       +
       - `SERVER_ACME_PORT`: Port for ACME HTTP-01 challenge (default: `80`)

     

       122
       +
       

     

       123
       +
       #### Manual SSL Configuration

     

       124
       +
       

     

       125
       +
       If not using automated certificates:

     

       126
       +
       - `SERVER_CERT_PATH`: Path to certificate directory

     

       127
       +
       - Place `fullchain.pem` and `privkey.pem` in `{SERVER_CERT_PATH}/{SERVER_DOMAIN}/`

     

       128
       +
       

     

       129
        
       ## Message Format

     

       130
        
       

     

       131
        
       ### Alert Notifications

     
···

       213
        
       

     

       214
        
       ## Security

     

       215
        
       

     

       216
       +
       ### SSL Certificate Management

     

       217
       +
       

     

       218
       +
       The bot includes fully automated SSL certificate management:

     

       219
       +
       

     

       220
       +
       1. **Automatic Provisioning**: Obtains certificates from Let's Encrypt on first run

     

       221
       +
       2. **Automatic Renewal**: Checks daily and renews certificates 30 days before expiration

     

       222
       +
       3. **Zero Downtime**: Certificate renewal happens in the background

     

       223
       +
       4. **ACME HTTP-01 Challenge**: Built-in challenge server (requires port 80 access)

     

       224
       +
       

     

       225
        
       ### Mutual TLS Authentication

     

       226
        
       

     

       227
        
       The service supports mutual TLS to authenticate Netdata Cloud webhooks:

     

       228
        
       

     

       229
       +
       1. **Server Certificate**: Automatically managed via built-in ACME client

     

       230
        
       2. **Client Verification**: Validates Netdata's client certificate

     

       231
        
       3. **CA Certificate**: Built-in Netdata CA certificate for client validation

     

       232
        
       

     
···

       294
        
       

     

       295
        
       ### Common Issues

     

       296
        
       

     

       297
       +
       1. **Certificate Issues**

     

       298
       +
          - For automated certs: Ensure port 80 is accessible for ACME challenges

     

       299
       +
          - Domain must point to your server's IP address

     

       300
       +
          - Check `SERVER_CERT_EMAIL` is set for auto-cert mode

     

       301
       +
          - Use `SERVER_CERT_STAGING=true` for testing to avoid rate limits

     

       302
        
       

     

       303
        
       2. **Zulip Connection Failed**

     

       304
        
          - Verify API credentials in zuliprc

+355

netdata_zulip_bot/cert_manager.py

···

       1
       +
       """Automated SSL certificate management using ACME protocol."""

     

       2
       +
       

     

       3
       +
       import asyncio

     

       4
       +
       import json

     

       5
       +
       import os

     

       6
       +
       import socket

     

       7
       +
       import threading

     

       8
       +
       import time

     

       9
       +
       from datetime import datetime, timezone

     

       10
       +
       from pathlib import Path

     

       11
       +
       from typing import Optional, Tuple

     

       12
       +
       

     

       13
       +
       import structlog

     

       14
       +
       from acme import challenges, client, errors, messages

     

       15
       +
       from cryptography import x509

     

       16
       +
       from cryptography.hazmat.backends import default_backend

     

       17
       +
       from cryptography.hazmat.primitives import hashes, serialization

     

       18
       +
       from cryptography.hazmat.primitives.asymmetric import rsa

     

       19
       +
       from cryptography.x509.oid import NameOID

     

       20
       +
       from fastapi import FastAPI

     

       21
       +
       from fastapi.responses import PlainTextResponse

     

       22
       +
       import uvicorn

     

       23
       +
       import josepy as jose

     

       24
       +
       

     

       25
       +
       logger = structlog.get_logger()

     

       26
       +
       

     

       27
       +
       LETSENCRYPT_DIRECTORY_URL = "https://acme-v02.api.letsencrypt.org/directory"

     

       28
       +
       LETSENCRYPT_STAGING_URL = "https://acme-staging-v02.api.letsencrypt.org/directory"

     

       29
       +
       

     

       30
       +
       

     

       31
       +
       class CertificateManager:

     

       32
       +
           """Manages SSL certificates using ACME protocol."""

     

       33
       +
           

     

       34
       +
           def __init__(

     

       35
       +
               self,

     

       36
       +
               domain: str,

     

       37
       +
               email: str,

     

       38
       +
               cert_dir: Path,

     

       39
       +
               staging: bool = False,

     

       40
       +
               port: int = 80

     

       41
       +
           ):

     

       42
       +
               """Initialize certificate manager.

     

       43
       +
               

     

       44
       +
               Args:

     

       45
       +
                   domain: Domain name for the certificate

     

       46
       +
                   email: Email for Let's Encrypt account

     

       47
       +
                   cert_dir: Directory to store certificates

     

       48
       +
                   staging: Use Let's Encrypt staging server

     

       49
       +
                   port: Port for HTTP-01 challenge server

     

       50
       +
               """

     

       51
       +
               self.domain = domain

     

       52
       +
               self.email = email

     

       53
       +
               self.cert_dir = Path(cert_dir)

     

       54
       +
               self.cert_dir.mkdir(parents=True, exist_ok=True)

     

       55
       +
               self.staging = staging

     

       56
       +
               self.challenge_port = port

     

       57
       +
               

     

       58
       +
               self.directory_url = LETSENCRYPT_STAGING_URL if staging else LETSENCRYPT_DIRECTORY_URL

     

       59
       +
               self.account_key_path = self.cert_dir / "account_key.pem"

     

       60
       +
               self.cert_path = self.cert_dir / f"{domain}_cert.pem"

     

       61
       +
               self.key_path = self.cert_dir / f"{domain}_key.pem"

     

       62
       +
               self.fullchain_path = self.cert_dir / f"{domain}_fullchain.pem"

     

       63
       +
               

     

       64
       +
               # For HTTP-01 challenge

     

       65
       +
               self.challenge_tokens = {}

     

       66
       +
               self.challenge_server = None

     

       67
       +
               self.challenge_thread = None

     

       68
       +
           

     

       69
       +
           def _generate_private_key(self) -> rsa.RSAPrivateKey:

     

       70
       +
               """Generate a new RSA private key."""

     

       71
       +
               return rsa.generate_private_key(

     

       72
       +
                   public_exponent=65537,

     

       73
       +
                   key_size=2048,

     

       74
       +
                   backend=default_backend()

     

       75
       +
               )

     

       76
       +
           

     

       77
       +
           def _get_or_create_account_key(self) -> jose.JWK:

     

       78
       +
               """Get existing account key or create a new one."""

     

       79
       +
               if self.account_key_path.exists():

     

       80
       +
                   with open(self.account_key_path, 'rb') as f:

     

       81
       +
                       key_data = f.read()

     

       82
       +
                       private_key = serialization.load_pem_private_key(

     

       83
       +
                           key_data, password=None, backend=default_backend()

     

       84
       +
                       )

     

       85
       +
               else:

     

       86
       +
                   private_key = self._generate_private_key()

     

       87
       +
                   key_pem = private_key.private_bytes(

     

       88
       +
                       encoding=serialization.Encoding.PEM,

     

       89
       +
                       format=serialization.PrivateFormat.TraditionalOpenSSL,

     

       90
       +
                       encryption_algorithm=serialization.NoEncryption()

     

       91
       +
                   )

     

       92
       +
                   with open(self.account_key_path, 'wb') as f:

     

       93
       +
                       f.write(key_pem)

     

       94
       +
                   logger.info("Created new account key", path=str(self.account_key_path))

     

       95
       +
               

     

       96
       +
               return jose.JWK.load(private_key.private_bytes(

     

       97
       +
                   encoding=serialization.Encoding.PEM,

     

       98
       +
                   format=serialization.PrivateFormat.TraditionalOpenSSL,

     

       99
       +
                   encryption_algorithm=serialization.NoEncryption()

     

       100
       +
               ))

     

       101
       +
           

     

       102
       +
           def _create_csr(self, private_key: rsa.RSAPrivateKey) -> bytes:

     

       103
       +
               """Create a Certificate Signing Request."""

     

       104
       +
               csr = x509.CertificateSigningRequestBuilder().subject_name(

     

       105
       +
                   x509.Name([

     

       106
       +
                       x509.NameAttribute(NameOID.COMMON_NAME, self.domain),

     

       107
       +
                   ])

     

       108
       +
               ).sign(private_key, hashes.SHA256(), backend=default_backend())

     

       109
       +
               

     

       110
       +
               return csr.public_bytes(serialization.Encoding.DER)

     

       111
       +
           

     

       112
       +
           def _start_challenge_server(self):

     

       113
       +
               """Start HTTP server for ACME challenges."""

     

       114
       +
               app = FastAPI()

     

       115
       +
               

     

       116
       +
               @app.get("/.well-known/acme-challenge/{token}")

     

       117
       +
               async def acme_challenge(token: str):

     

       118
       +
                   """Serve ACME challenge responses."""

     

       119
       +
                   if token in self.challenge_tokens:

     

       120
       +
                       logger.info("Serving ACME challenge", token=token)

     

       121
       +
                       return PlainTextResponse(self.challenge_tokens[token])

     

       122
       +
                   logger.warning("Unknown ACME challenge token", token=token)

     

       123
       +
                   return PlainTextResponse("Not found", status_code=404)

     

       124
       +
               

     

       125
       +
               def run_server():

     

       126
       +
                   """Run the challenge server in a thread."""

     

       127
       +
                   try:

     

       128
       +
                       uvicorn.run(

     

       129
       +
                           app,

     

       130
       +
                           host="0.0.0.0",

     

       131
       +
                           port=self.challenge_port,

     

       132
       +
                           log_level="error"

     

       133
       +
                       )

     

       134
       +
                   except Exception as e:

     

       135
       +
                       logger.error("Challenge server error", error=str(e))

     

       136
       +
               

     

       137
       +
               self.challenge_thread = threading.Thread(target=run_server, daemon=True)

     

       138
       +
               self.challenge_thread.start()

     

       139
       +
               

     

       140
       +
               # Give the server time to start

     

       141
       +
               time.sleep(2)

     

       142
       +
               logger.info("Started ACME challenge server", port=self.challenge_port)

     

       143
       +
           

     

       144
       +
           def _stop_challenge_server(self):

     

       145
       +
               """Stop the challenge server."""

     

       146
       +
               if self.challenge_thread and self.challenge_thread.is_alive():

     

       147
       +
                   # The thread is daemon, so it will stop when the main process exits

     

       148
       +
                   logger.info("Challenge server will stop with main process")

     

       149
       +
           

     

       150
       +
           def _perform_http01_challenge(

     

       151
       +
               self,

     

       152
       +
               acme_client: client.ClientV2,

     

       153
       +
               authz: messages.Authorization

     

       154
       +
           ) -> bool:

     

       155
       +
               """Perform HTTP-01 challenge."""

     

       156
       +
               # Find HTTP-01 challenge

     

       157
       +
               http_challenge = None

     

       158
       +
               for challenge in authz.body.challenges:

     

       159
       +
                   if isinstance(challenge.chall, challenges.HTTP01):

     

       160
       +
                       http_challenge = challenge

     

       161
       +
                       break

     

       162
       +
               

     

       163
       +
               if not http_challenge:

     

       164
       +
                   logger.error("No HTTP-01 challenge found")

     

       165
       +
                   return False

     

       166
       +
               

     

       167
       +
               # Prepare challenge response

     

       168
       +
               response, validation = http_challenge.chall.response_and_validation(

     

       169
       +
                   acme_client.net.key

     

       170
       +
               )

     

       171
       +
               

     

       172
       +
               # Store challenge token and response

     

       173
       +
               self.challenge_tokens[http_challenge.chall.token.decode('utf-8')] = validation

     

       174
       +
               

     

       175
       +
               logger.info(

     

       176
       +
                   "Prepared HTTP-01 challenge",

     

       177
       +
                   token=http_challenge.chall.token.decode('utf-8'),

     

       178
       +
                   domain=self.domain

     

       179
       +
               )

     

       180
       +
               

     

       181
       +
               # Notify ACME server that we're ready

     

       182
       +
               acme_client.answer_challenge(http_challenge, response)

     

       183
       +
               

     

       184
       +
               # Wait for challenge validation

     

       185
       +
               max_attempts = 30

     

       186
       +
               for attempt in range(max_attempts):

     

       187
       +
                   time.sleep(2)

     

       188
       +
                   try:

     

       189
       +
                       authz, _ = acme_client.poll(authz)

     

       190
       +
                       if authz.body.status == messages.STATUS_VALID:

     

       191
       +
                           logger.info("Challenge validated successfully")

     

       192
       +
                           return True

     

       193
       +
                       elif authz.body.status == messages.STATUS_INVALID:

     

       194
       +
                           logger.error("Challenge validation failed")

     

       195
       +
                           return False

     

       196
       +
                   except errors.TimeoutError:

     

       197
       +
                       if attempt == max_attempts - 1:

     

       198
       +
                           logger.error("Challenge validation timeout")

     

       199
       +
                           return False

     

       200
       +
                       continue

     

       201
       +
               

     

       202
       +
               return False

     

       203
       +
           

     

       204
       +
           def needs_renewal(self) -> bool:

     

       205
       +
               """Check if certificate needs renewal."""

     

       206
       +
               if not self.cert_path.exists():

     

       207
       +
                   return True

     

       208
       +
               

     

       209
       +
               try:

     

       210
       +
                   with open(self.cert_path, 'rb') as f:

     

       211
       +
                       cert_data = f.read()

     

       212
       +
                       cert = x509.load_pem_x509_certificate(cert_data, default_backend())

     

       213
       +
                   

     

       214
       +
                   # Renew if less than 30 days remaining

     

       215
       +
                   days_remaining = (cert.not_valid_after_utc - 

     

       216
       +
                                   datetime.now(timezone.utc)).days

     

       217
       +
                   

     

       218
       +
                   if days_remaining < 30:

     

       219
       +
                       logger.info("Certificate needs renewal", days_remaining=days_remaining)

     

       220
       +
                       return True

     

       221
       +
                   

     

       222
       +
                   logger.info("Certificate still valid", days_remaining=days_remaining)

     

       223
       +
                   return False

     

       224
       +
                   

     

       225
       +
               except Exception as e:

     

       226
       +
                   logger.error("Error checking certificate", error=str(e))

     

       227
       +
                   return True

     

       228
       +
           

     

       229
       +
           def obtain_certificate(self) -> Tuple[Path, Path, Path]:

     

       230
       +
               """Obtain or renew SSL certificate.

     

       231
       +
               

     

       232
       +
               Returns:

     

       233
       +
                   Tuple of (cert_path, key_path, fullchain_path)

     

       234
       +
               """

     

       235
       +
               if not self.needs_renewal():

     

       236
       +
                   logger.info("Certificate is still valid, skipping renewal")

     

       237
       +
                   return self.cert_path, self.key_path, self.fullchain_path

     

       238
       +
               

     

       239
       +
               logger.info(

     

       240
       +
                   "Obtaining SSL certificate",

     

       241
       +
                   domain=self.domain,

     

       242
       +
                   staging=self.staging

     

       243
       +
               )

     

       244
       +
               

     

       245
       +
               try:

     

       246
       +
                   # Start challenge server

     

       247
       +
                   self._start_challenge_server()

     

       248
       +
                   

     

       249
       +
                   # Get or create account key

     

       250
       +
                   account_key = self._get_or_create_account_key()

     

       251
       +
                   

     

       252
       +
                   # Create ACME client

     

       253
       +
                   net = client.ClientNetwork(account_key)

     

       254
       +
                   directory = messages.Directory.from_json(

     

       255
       +
                       net.get(self.directory_url).json()

     

       256
       +
                   )

     

       257
       +
                   acme_client = client.ClientV2(directory, net=net)

     

       258
       +
                   

     

       259
       +
                   # Register or get existing account

     

       260
       +
                   try:

     

       261
       +
                       account = acme_client.new_account(

     

       262
       +
                           messages.NewRegistration.from_data(

     

       263
       +
                               email=self.email,

     

       264
       +
                               terms_of_service_agreed=True

     

       265
       +
                           )

     

       266
       +
                       )

     

       267
       +
                       logger.info("Created new ACME account")

     

       268
       +
                   except errors.ConflictError:

     

       269
       +
                       # Account already exists

     

       270
       +
                       account = acme_client.query_registration(

     

       271
       +
                           messages.Registration(key=account_key.public_key())

     

       272
       +
                       )

     

       273
       +
                       logger.info("Using existing ACME account")

     

       274
       +
                   

     

       275
       +
                   # Generate certificate private key

     

       276
       +
                   cert_key = self._generate_private_key()

     

       277
       +
                   

     

       278
       +
                   # Create CSR

     

       279
       +
                   csr = self._create_csr(cert_key)

     

       280
       +
                   

     

       281
       +
                   # Request certificate

     

       282
       +
                   order = acme_client.new_order(csr)

     

       283
       +
                   

     

       284
       +
                   # Complete challenges

     

       285
       +
                   for authz in order.authorizations:

     

       286
       +
                       if not self._perform_http01_challenge(acme_client, authz):

     

       287
       +
                           raise Exception(f"Failed to complete challenge for {authz.body.identifier.value}")

     

       288
       +
                   

     

       289
       +
                   # Finalize order

     

       290
       +
                   order = acme_client.poll_and_finalize(order)

     

       291
       +
                   

     

       292
       +
                   if order.fullchain_pem:

     

       293
       +
                       # Save certificate and key

     

       294
       +
                       with open(self.cert_path, 'w') as f:

     

       295
       +
                           f.write(order.fullchain_pem.split('\n\n')[0] + '\n')

     

       296
       +
                       

     

       297
       +
                       with open(self.fullchain_path, 'w') as f:

     

       298
       +
                           f.write(order.fullchain_pem)

     

       299
       +
                       

     

       300
       +
                       key_pem = cert_key.private_bytes(

     

       301
       +
                           encoding=serialization.Encoding.PEM,

     

       302
       +
                           format=serialization.PrivateFormat.TraditionalOpenSSL,

     

       303
       +
                           encryption_algorithm=serialization.NoEncryption()

     

       304
       +
                       ).decode('utf-8')

     

       305
       +
                       

     

       306
       +
                       with open(self.key_path, 'w') as f:

     

       307
       +
                           f.write(key_pem)

     

       308
       +
                       

     

       309
       +
                       # Set proper permissions

     

       310
       +
                       os.chmod(self.key_path, 0o600)

     

       311
       +
                       os.chmod(self.cert_path, 0o644)

     

       312
       +
                       os.chmod(self.fullchain_path, 0o644)

     

       313
       +
                       

     

       314
       +
                       logger.info(

     

       315
       +
                           "Certificate obtained successfully",

     

       316
       +
                           cert_path=str(self.cert_path),

     

       317
       +
                           key_path=str(self.key_path),

     

       318
       +
                           fullchain_path=str(self.fullchain_path)

     

       319
       +
                       )

     

       320
       +
                       

     

       321
       +
                       return self.cert_path, self.key_path, self.fullchain_path

     

       322
       +
                   else:

     

       323
       +
                       raise Exception("Failed to obtain certificate")

     

       324
       +
                       

     

       325
       +
               except Exception as e:

     

       326
       +
                   logger.error("Failed to obtain certificate", error=str(e))

     

       327
       +
                   raise

     

       328
       +
               finally:

     

       329
       +
                   # Clean up challenge tokens and stop server

     

       330
       +
                   self.challenge_tokens.clear()

     

       331
       +
                   self._stop_challenge_server()

     

       332
       +
           

     

       333
       +
           def setup_auto_renewal(self, check_interval: int = 86400):

     

       334
       +
               """Setup automatic certificate renewal.

     

       335
       +
               

     

       336
       +
               Args:

     

       337
       +
                   check_interval: Interval in seconds to check for renewal (default: 24 hours)

     

       338
       +
               """

     

       339
       +
               def renewal_loop():

     

       340
       +
                   """Background renewal loop."""

     

       341
       +
                   while True:

     

       342
       +
                       try:

     

       343
       +
                           if self.needs_renewal():

     

       344
       +
                               logger.info("Certificate renewal needed")

     

       345
       +
                               self.obtain_certificate()

     

       346
       +
                           else:

     

       347
       +
                               logger.debug("Certificate renewal not needed")

     

       348
       +
                       except Exception as e:

     

       349
       +
                           logger.error("Certificate renewal check failed", error=str(e))

     

       350
       +
                       

     

       351
       +
                       time.sleep(check_interval)

     

       352
       +
               

     

       353
       +
               renewal_thread = threading.Thread(target=renewal_loop, daemon=True)

     

       354
       +
               renewal_thread.start()

     

       355
       +
               logger.info("Started automatic certificate renewal", interval_hours=check_interval/3600)

+14 -1

netdata_zulip_bot/config.py

···

       41
        
               host=os.getenv("SERVER_HOST", "0.0.0.0"),

     

       42
        
               port=int(os.getenv("SERVER_PORT", "8443")),

     

       43
        
               domain=os.getenv("SERVER_DOMAIN", ""),

     

       44
       -
               cert_path=os.getenv("SERVER_CERT_PATH", "/etc/letsencrypt/live"),

     

       45
        
               enable_mtls=os.getenv("SERVER_ENABLE_MTLS", "true").lower() == "true",

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       46
        
           )

     

       47
        
           

     

       48
        
           # Validate required server settings

     
···

       52
        
                   "environment variable."

     

       53
        
               )

     

       54
        
           

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       55
        
           logger.info(

     

       56
        
               "Configuration loaded",

     

       57
        
               zulip_site=zulip_config.site,

     
···

       61
        
               server_port=server_config.port,

     

       62
        
               server_domain=server_config.domain,

     

       63
        
               mtls_enabled=server_config.enable_mtls,

     

       0
        
       
     

       0
        
       
     

       64
        
           )

     

       65
        
           

     

       66
        
           return zulip_config, server_config

···

       41
        
               host=os.getenv("SERVER_HOST", "0.0.0.0"),

     

       42
        
               port=int(os.getenv("SERVER_PORT", "8443")),

     

       43
        
               domain=os.getenv("SERVER_DOMAIN", ""),

     

       44
       +
               cert_path=os.getenv("SERVER_CERT_PATH", "./certs"),

     

       45
        
               enable_mtls=os.getenv("SERVER_ENABLE_MTLS", "true").lower() == "true",

     

       46
       +
               auto_cert=os.getenv("SERVER_AUTO_CERT", "false").lower() == "true",

     

       47
       +
               cert_email=os.getenv("SERVER_CERT_EMAIL", ""),

     

       48
       +
               cert_staging=os.getenv("SERVER_CERT_STAGING", "false").lower() == "true",

     

       49
       +
               acme_port=int(os.getenv("SERVER_ACME_PORT", "80")),

     

       50
        
           )

     

       51
        
           

     

       52
        
           # Validate required server settings

     
···

       56
        
                   "environment variable."

     

       57
        
               )

     

       58
        
           

     

       59
       +
           # Validate auto-cert specific settings

     

       60
       +
           if server_config.auto_cert and not server_config.cert_email:

     

       61
       +
               raise ValueError(

     

       62
       +
                   "When SERVER_AUTO_CERT is enabled, SERVER_CERT_EMAIL must be set "

     

       63
       +
                   "for Let's Encrypt account registration."

     

       64
       +
               )

     

       65
       +
           

     

       66
        
           logger.info(

     

       67
        
               "Configuration loaded",

     

       68
        
               zulip_site=zulip_config.site,

     
···

       72
        
               server_port=server_config.port,

     

       73
        
               server_domain=server_config.domain,

     

       74
        
               mtls_enabled=server_config.enable_mtls,

     

       75
       +
               auto_cert=server_config.auto_cert,

     

       76
       +
               cert_staging=server_config.cert_staging,

     

       77
        
           )

     

       78
        
           

     

       79
        
           return zulip_config, server_config

+13 -1

netdata_zulip_bot/main.py

···

       46
        
       SERVER_HOST=0.0.0.0

     

       47
        
       SERVER_PORT=8443

     

       48
        
       SERVER_DOMAIN=your-domain.com

     

       49
       -
       SERVER_CERT_PATH=/etc/letsencrypt/live

     

       50
        
       SERVER_ENABLE_MTLS=true

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       51
        
       """

     

       52
        
           

     

       53
        
           with open(".env.sample", 'w') as f:

···

       46
        
       SERVER_HOST=0.0.0.0

     

       47
        
       SERVER_PORT=8443

     

       48
        
       SERVER_DOMAIN=your-domain.com

     

       0
        
       
     

       49
        
       SERVER_ENABLE_MTLS=true

     

       50
       +
       

     

       51
       +
       # Automated SSL Certificate Configuration (Recommended)

     

       52
       +
       SERVER_AUTO_CERT=true

     

       53
       +
       SERVER_CERT_EMAIL=admin@example.com

     

       54
       +
       SERVER_CERT_PATH=./certs

     

       55
       +
       # Use Let's Encrypt staging server for testing

     

       56
       +
       SERVER_CERT_STAGING=false

     

       57
       +
       # Port for ACME HTTP-01 challenge (must be accessible from internet)

     

       58
       +
       SERVER_ACME_PORT=80

     

       59
       +
       

     

       60
       +
       # Manual SSL Certificate Configuration (if not using auto-cert)

     

       61
       +
       # SERVER_AUTO_CERT=false

     

       62
       +
       # SERVER_CERT_PATH=/etc/letsencrypt/live

     

       63
        
       """

     

       64
        
           

     

       65
        
           with open(".env.sample", 'w') as f:

+5 -1

netdata_zulip_bot/models.py

···

       84
        
           host: str = "0.0.0.0"

     

       85
        
           port: int = 8443

     

       86
        
           domain: str  # Required for Let's Encrypt

     

       87
       -
           cert_path: str = "/etc/letsencrypt/live"

     

       88
        
           enable_mtls: bool = True

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       89
        
           

     

       90
        
           model_config = ConfigDict(env_prefix="SERVER_")

···

       84
        
           host: str = "0.0.0.0"

     

       85
        
           port: int = 8443

     

       86
        
           domain: str  # Required for Let's Encrypt

     

       87
       +
           cert_path: str = "./certs"  # Directory for storing certificates

     

       88
        
           enable_mtls: bool = True

     

       89
       +
           auto_cert: bool = False  # Enable automatic certificate management

     

       90
       +
           cert_email: str = ""  # Email for Let's Encrypt account

     

       91
       +
           cert_staging: bool = False  # Use Let's Encrypt staging server

     

       92
       +
           acme_port: int = 80  # Port for ACME HTTP-01 challenge

     

       93
        
           

     

       94
        
           model_config = ConfigDict(env_prefix="SERVER_")

+46 -14

netdata_zulip_bot/server.py

···

       10
        
       from fastapi import FastAPI, HTTPException, Request, status

     

       11
        
       from fastapi.responses import JSONResponse

     

       12
        
       

     

       0
        
       
     

       13
        
       from .formatter import ZulipMessageFormatter

     

       14
        
       from .models import WebhookPayload, ZulipConfig, ServerConfig

     

       15
        
       from .netdata_ca import NETDATA_CA_CERT

     
···

       31
        
               self.zulip_config = zulip_config

     

       32
        
               self.server_config = server_config

     

       33
        
               self.formatter = ZulipMessageFormatter()

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       34
        
               

     

       35
        
               # Initialize Zulip client

     

       36
        
               try:

     
···

       126
        
               """Create SSL context for HTTPS and mutual TLS."""

     

       127
        
               context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)

     

       128
        
               

     

       129
       -
               # Load server certificate and key

     

       130
       -
               cert_path = Path(self.server_config.cert_path) / self.server_config.domain

     

       131
       -
               cert_file = cert_path / "fullchain.pem"

     

       132
       -
               key_file = cert_path / "privkey.pem"

     

       133
       -
               

     

       134
       -
               if not cert_file.exists() or not key_file.exists():

     

       135
       -
                   logger.error(

     

       136
       -
                       "SSL certificate files not found",

     

       137
       -
                       cert_file=str(cert_file),

     

       138
       -
                       key_file=str(key_file)

     

       139
       -
                   )

     

       140
       -
                   raise FileNotFoundError(f"SSL certificate files not found at {cert_path}")

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       141
        
               

     

       142
       -
               context.load_cert_chain(str(cert_file), str(key_file))

     

       143
        
               

     

       144
        
               # Configure mutual TLS if enabled

     

       145
        
               if self.server_config.enable_mtls:

     
···

       164
        
           def run(self):

     

       165
        
               """Run the webhook server with HTTPS and optional mutual TLS."""

     

       166
        
               try:

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       167
        
                   ssl_context = self.get_ssl_context()

     

       168
        
                   

     

       169
        
                   logger.info(

     
···

       171
        
                       host=self.server_config.host,

     

       172
        
                       port=self.server_config.port,

     

       173
        
                       domain=self.server_config.domain,

     

       174
       -
                       mtls_enabled=self.server_config.enable_mtls

     

       0
        
       
     

       175
        
                   )

     

       176
        
                   

     

       177
        
                   uvicorn.run(

···

       10
        
       from fastapi import FastAPI, HTTPException, Request, status

     

       11
        
       from fastapi.responses import JSONResponse

     

       12
        
       

     

       13
       +
       from .cert_manager import CertificateManager

     

       14
        
       from .formatter import ZulipMessageFormatter

     

       15
        
       from .models import WebhookPayload, ZulipConfig, ServerConfig

     

       16
        
       from .netdata_ca import NETDATA_CA_CERT

     
···

       32
        
               self.zulip_config = zulip_config

     

       33
        
               self.server_config = server_config

     

       34
        
               self.formatter = ZulipMessageFormatter()

     

       35
       +
               self.cert_manager = None

     

       36
       +
               

     

       37
       +
               # Initialize certificate manager if auto-cert is enabled

     

       38
       +
               if self.server_config.auto_cert:

     

       39
       +
                   self.cert_manager = CertificateManager(

     

       40
       +
                       domain=self.server_config.domain,

     

       41
       +
                       email=self.server_config.cert_email,

     

       42
       +
                       cert_dir=Path(self.server_config.cert_path),

     

       43
       +
                       staging=self.server_config.cert_staging,

     

       44
       +
                       port=self.server_config.acme_port

     

       45
       +
                   )

     

       46
        
               

     

       47
        
               # Initialize Zulip client

     

       48
        
               try:

     
···

       138
        
               """Create SSL context for HTTPS and mutual TLS."""

     

       139
        
               context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)

     

       140
        
               

     

       141
       +
               # Get certificate paths

     

       142
       +
               if self.cert_manager and self.server_config.auto_cert:

     

       143
       +
                   # Use automated certificates

     

       144
       +
                   try:

     

       145
       +
                       cert_file, key_file, fullchain_file = self.cert_manager.obtain_certificate()

     

       146
       +
                       logger.info(

     

       147
       +
                           "Using automated SSL certificate",

     

       148
       +
                           cert_file=str(cert_file),

     

       149
       +
                           key_file=str(key_file)

     

       150
       +
                       )

     

       151
       +
                   except Exception as e:

     

       152
       +
                       logger.error("Failed to obtain automated certificate", error=str(e))

     

       153
       +
                       raise

     

       154
       +
               else:

     

       155
       +
                   # Use manually provided certificates

     

       156
       +
                   cert_path = Path(self.server_config.cert_path) / self.server_config.domain

     

       157
       +
                   fullchain_file = cert_path / "fullchain.pem"

     

       158
       +
                   key_file = cert_path / "privkey.pem"

     

       159
       +
                   

     

       160
       +
                   if not fullchain_file.exists() or not key_file.exists():

     

       161
       +
                       logger.error(

     

       162
       +
                           "SSL certificate files not found",

     

       163
       +
                           cert_file=str(fullchain_file),

     

       164
       +
                           key_file=str(key_file)

     

       165
       +
                       )

     

       166
       +
                       raise FileNotFoundError(f"SSL certificate files not found at {cert_path}")

     

       167
        
               

     

       168
       +
               context.load_cert_chain(str(fullchain_file), str(key_file))

     

       169
        
               

     

       170
        
               # Configure mutual TLS if enabled

     

       171
        
               if self.server_config.enable_mtls:

     
···

       190
        
           def run(self):

     

       191
        
               """Run the webhook server with HTTPS and optional mutual TLS."""

     

       192
        
               try:

     

       193
       +
                   # Setup automatic certificate renewal if enabled

     

       194
       +
                   if self.cert_manager and self.server_config.auto_cert:

     

       195
       +
                       self.cert_manager.setup_auto_renewal()

     

       196
       +
                       logger.info("Automatic certificate renewal enabled")

     

       197
       +
                   

     

       198
        
                   ssl_context = self.get_ssl_context()

     

       199
        
                   

     

       200
        
                   logger.info(

     
···

       202
        
                       host=self.server_config.host,

     

       203
        
                       port=self.server_config.port,

     

       204
        
                       domain=self.server_config.domain,

     

       205
       +
                       mtls_enabled=self.server_config.enable_mtls,

     

       206
       +
                       auto_cert=self.server_config.auto_cert

     

       207
        
                   )

     

       208
        
                   

     

       209
        
                   uvicorn.run(

+2 -1

pyproject.toml

···

       13
        
           "zulip>=0.9.0",

     

       14
        
           "pydantic>=2.5.0",

     

       15
        
           "python-multipart>=0.0.6",

     

       16
       -
           "certbot>=2.8.0",

     

       0
        
       
     

       17
        
           "cryptography>=41.0.0",

     

       18
        
           "python-dotenv>=1.0.0",

     

       19
        
           "structlog>=23.2.0",

···

       13
        
           "zulip>=0.9.0",

     

       14
        
           "pydantic>=2.5.0",

     

       15
        
           "python-multipart>=0.0.6",

     

       16
       +
           "acme>=2.8.0",

     

       17
       +
           "josepy>=1.14.0",

     

       18
        
           "cryptography>=41.0.0",

     

       19
        
           "python-dotenv>=1.0.0",

     

       20
        
           "structlog>=23.2.0",

+129

tests/test_cert_manager.py

···

       1
       +
       """Tests for the certificate manager module."""

     

       2
       +
       

     

       3
       +
       import tempfile

     

       4
       +
       from pathlib import Path

     

       5
       +
       from unittest.mock import Mock, patch, MagicMock

     

       6
       +
       

     

       7
       +
       import pytest

     

       8
       +
       

     

       9
       +
       from netdata_zulip_bot.cert_manager import CertificateManager

     

       10
       +
       

     

       11
       +
       

     

       12
       +
       class TestCertificateManager:

     

       13
       +
           """Test certificate manager functionality."""

     

       14
       +
           

     

       15
       +
           @pytest.fixture

     

       16
       +
           def temp_cert_dir(self):

     

       17
       +
               """Create a temporary directory for certificates."""

     

       18
       +
               with tempfile.TemporaryDirectory() as tmpdir:

     

       19
       +
                   yield Path(tmpdir)

     

       20
       +
           

     

       21
       +
           @pytest.fixture

     

       22
       +
           def cert_manager(self, temp_cert_dir):

     

       23
       +
               """Create a certificate manager instance."""

     

       24
       +
               return CertificateManager(

     

       25
       +
                   domain="test.example.com",

     

       26
       +
                   email="test@example.com",

     

       27
       +
                   cert_dir=temp_cert_dir,

     

       28
       +
                   staging=True,  # Always use staging for tests

     

       29
       +
                   port=8080

     

       30
       +
               )

     

       31
       +
           

     

       32
       +
           def test_initialization(self, cert_manager, temp_cert_dir):

     

       33
       +
               """Test certificate manager initialization."""

     

       34
       +
               assert cert_manager.domain == "test.example.com"

     

       35
       +
               assert cert_manager.email == "test@example.com"

     

       36
       +
               assert cert_manager.cert_dir == temp_cert_dir

     

       37
       +
               assert cert_manager.staging is True

     

       38
       +
               assert cert_manager.challenge_port == 8080

     

       39
       +
               

     

       40
       +
               # Check that paths are created correctly

     

       41
       +
               assert cert_manager.account_key_path == temp_cert_dir / "account_key.pem"

     

       42
       +
               assert cert_manager.cert_path == temp_cert_dir / "test.example.com_cert.pem"

     

       43
       +
               assert cert_manager.key_path == temp_cert_dir / "test.example.com_key.pem"

     

       44
       +
               assert cert_manager.fullchain_path == temp_cert_dir / "test.example.com_fullchain.pem"

     

       45
       +
           

     

       46
       +
           def test_cert_dir_creation(self, temp_cert_dir):

     

       47
       +
               """Test that certificate directory is created if it doesn't exist."""

     

       48
       +
               new_dir = temp_cert_dir / "nested" / "certs"

     

       49
       +
               cert_manager = CertificateManager(

     

       50
       +
                   domain="test.example.com",

     

       51
       +
                   email="test@example.com",

     

       52
       +
                   cert_dir=new_dir,

     

       53
       +
                   staging=True

     

       54
       +
               )

     

       55
       +
               assert new_dir.exists()

     

       56
       +
               assert new_dir.is_dir()

     

       57
       +
           

     

       58
       +
           @patch('netdata_zulip_bot.cert_manager.x509')

     

       59
       +
           def test_needs_renewal_no_cert(self, mock_x509, cert_manager):

     

       60
       +
               """Test that renewal is needed when certificate doesn't exist."""

     

       61
       +
               assert cert_manager.needs_renewal() is True

     

       62
       +
           

     

       63
       +
           @patch('netdata_zulip_bot.cert_manager.datetime')

     

       64
       +
           @patch('netdata_zulip_bot.cert_manager.x509')

     

       65
       +
           def test_needs_renewal_expired(self, mock_x509, mock_datetime, cert_manager):

     

       66
       +
               """Test that renewal is needed when certificate is expiring soon."""

     

       67
       +
               from datetime import datetime, timezone, timedelta

     

       68
       +
               

     

       69
       +
               # Create a mock certificate file

     

       70
       +
               cert_manager.cert_path.touch()

     

       71
       +
               

     

       72
       +
               # Mock certificate with 20 days remaining

     

       73
       +
               mock_cert = Mock()

     

       74
       +
               now = datetime(2024, 1, 1, tzinfo=timezone.utc)

     

       75
       +
               mock_cert.not_valid_after_utc = now + timedelta(days=20)

     

       76
       +
               mock_x509.load_pem_x509_certificate.return_value = mock_cert

     

       77
       +
               mock_datetime.now.return_value = now

     

       78
       +
               

     

       79
       +
               assert cert_manager.needs_renewal() is True

     

       80
       +
           

     

       81
       +
           @patch('netdata_zulip_bot.cert_manager.datetime')

     

       82
       +
           @patch('netdata_zulip_bot.cert_manager.x509')

     

       83
       +
           def test_needs_renewal_valid(self, mock_x509, mock_datetime, cert_manager):

     

       84
       +
               """Test that renewal is not needed when certificate is still valid."""

     

       85
       +
               from datetime import datetime, timezone, timedelta

     

       86
       +
               

     

       87
       +
               # Create a mock certificate file

     

       88
       +
               cert_manager.cert_path.touch()

     

       89
       +
               

     

       90
       +
               # Mock certificate with 60 days remaining

     

       91
       +
               mock_cert = Mock()

     

       92
       +
               now = datetime(2024, 1, 1, tzinfo=timezone.utc)

     

       93
       +
               mock_cert.not_valid_after_utc = now + timedelta(days=60)

     

       94
       +
               mock_x509.load_pem_x509_certificate.return_value = mock_cert

     

       95
       +
               mock_datetime.now.return_value = now

     

       96
       +
               

     

       97
       +
               assert cert_manager.needs_renewal() is False

     

       98
       +
           

     

       99
       +
           def test_generate_private_key(self, cert_manager):

     

       100
       +
               """Test private key generation."""

     

       101
       +
               key = cert_manager._generate_private_key()

     

       102
       +
               assert key is not None

     

       103
       +
               assert key.key_size == 2048

     

       104
       +
           

     

       105
       +
           @patch('netdata_zulip_bot.cert_manager.threading.Thread')

     

       106
       +
           def test_challenge_server_start(self, mock_thread, cert_manager):

     

       107
       +
               """Test that challenge server starts correctly."""

     

       108
       +
               cert_manager._start_challenge_server()

     

       109
       +
               

     

       110
       +
               # Verify thread was created and started

     

       111
       +
               mock_thread.assert_called_once()

     

       112
       +
               mock_thread.return_value.start.assert_called_once()

     

       113
       +
           

     

       114
       +
           def test_challenge_tokens_storage(self, cert_manager):

     

       115
       +
               """Test that challenge tokens are stored correctly."""

     

       116
       +
               cert_manager.challenge_tokens["test_token"] = "test_response"

     

       117
       +
               assert cert_manager.challenge_tokens["test_token"] == "test_response"

     

       118
       +
           

     

       119
       +
           @patch('netdata_zulip_bot.cert_manager.client.ClientV2')

     

       120
       +
           @patch('netdata_zulip_bot.cert_manager.client.ClientNetwork')

     

       121
       +
           def test_obtain_certificate_mock(self, mock_network, mock_client, cert_manager):

     

       122
       +
               """Test certificate obtaining with mocked ACME client."""

     

       123
       +
               # This is a simplified test that mocks the ACME interaction

     

       124
       +
               # In production, this would interact with Let's Encrypt staging server

     

       125
       +
               

     

       126
       +
               # Mock that certificate doesn't need renewal

     

       127
       +
               with patch.object(cert_manager, 'needs_renewal', return_value=False):

     

       128
       +
                   paths = cert_manager.obtain_certificate()

     

       129
       +
                   assert paths == (cert_manager.cert_path, cert_manager.key_path, cert_manager.fullchain_path)

+4 -68

uv.lock

···

       70
        
       ]

     

       71
        
       

     

       72
        
       [[package]]

     

       73
       -
       name = "certbot"

     

       74
       -
       version = "4.2.0"

     

       75
       -
       source = { registry = "https://pypi.org/simple" }

     

       76
       -
       dependencies = [

     

       77
       -
           { name = "acme" },

     

       78
       -
           { name = "configargparse" },

     

       79
       -
           { name = "configobj" },

     

       80
       -
           { name = "cryptography" },

     

       81
       -
           { name = "distro" },

     

       82
       -
           { name = "josepy" },

     

       83
       -
           { name = "parsedatetime" },

     

       84
       -
           { name = "pyrfc3339" },

     

       85
       -
           { name = "pywin32", marker = "sys_platform == 'win32'" },

     

       86
       -
       ]

     

       87
       -
       sdist = { url = "https://files.pythonhosted.org/packages/f2/e3/199262bf00c9bd5dfccfe0a64c26c2fb132b92511bee416c3408a54b4cf1/certbot-4.2.0.tar.gz", hash = "sha256:fb1e56ca8a072bec49ac0c7b5390a29cbf68c2c05f712259a9b3491de041c27b", size = 442984, upload-time = "2025-08-05T19:19:22.495Z" }

     

       88
       -
       wheels = [

     

       89
       -
           { url = "https://files.pythonhosted.org/packages/fa/e4/5176fcd1195ffd358bb1129baa0f411da7eede3d47eb39e05062b5f22105/certbot-4.2.0-py3-none-any.whl", hash = "sha256:8fcca0c1a06df9ce39e89b7d13c70506e1372823e8b5993633d21adb77581950", size = 409215, upload-time = "2025-08-05T19:19:06.803Z" },

     

       90
       -
       ]

     

       91
       -
       

     

       92
       -
       [[package]]

     

       93
        
       name = "certifi"

     

       94
        
       version = "2025.8.3"

     

       95
        
       source = { registry = "https://pypi.org/simple" }

     
···

       218
        
       ]

     

       219
        
       

     

       220
        
       [[package]]

     

       221
       -
       name = "configargparse"

     

       222
       -
       version = "1.7.1"

     

       223
       -
       source = { registry = "https://pypi.org/simple" }

     

       224
       -
       sdist = { url = "https://files.pythonhosted.org/packages/85/4d/6c9ef746dfcc2a32e26f3860bb4a011c008c392b83eabdfb598d1a8bbe5d/configargparse-1.7.1.tar.gz", hash = "sha256:79c2ddae836a1e5914b71d58e4b9adbd9f7779d4e6351a637b7d2d9b6c46d3d9", size = 43958, upload-time = "2025-05-23T14:26:17.369Z" }

     

       225
       -
       wheels = [

     

       226
       -
           { url = "https://files.pythonhosted.org/packages/31/28/d28211d29bcc3620b1fece85a65ce5bb22f18670a03cd28ea4b75ede270c/configargparse-1.7.1-py3-none-any.whl", hash = "sha256:8b586a31f9d873abd1ca527ffbe58863c99f36d896e2829779803125e83be4b6", size = 25607, upload-time = "2025-05-23T14:26:15.923Z" },

     

       227
       -
       ]

     

       228
       -
       

     

       229
       -
       [[package]]

     

       230
       -
       name = "configobj"

     

       231
       -
       version = "5.0.9"

     

       232
       -
       source = { registry = "https://pypi.org/simple" }

     

       233
       -
       sdist = { url = "https://files.pythonhosted.org/packages/f5/c4/c7f9e41bc2e5f8eeae4a08a01c91b2aea3dfab40a3e14b25e87e7db8d501/configobj-5.0.9.tar.gz", hash = "sha256:03c881bbf23aa07bccf1b837005975993c4ab4427ba57f959afdd9d1a2386848", size = 101518, upload-time = "2024-09-21T12:47:46.315Z" }

     

       234
       -
       wheels = [

     

       235
       -
           { url = "https://files.pythonhosted.org/packages/a6/c4/0679472c60052c27efa612b4cd3ddd2a23e885dcdc73461781d2c802d39e/configobj-5.0.9-py2.py3-none-any.whl", hash = "sha256:1ba10c5b6ee16229c79a05047aeda2b55eb4e80d7c7d8ecf17ec1ca600c79882", size = 35615, upload-time = "2024-11-26T14:03:32.972Z" },

     

       236
       -
       ]

     

       237
       -
       

     

       238
       -
       [[package]]

     

       239
        
       name = "cryptography"

     

       240
        
       version = "45.0.6"

     

       241
        
       source = { registry = "https://pypi.org/simple" }

     
···

       409
        
       version = "0.1.0"

     

       410
        
       source = { editable = "." }

     

       411
        
       dependencies = [

     

       412
       -
           { name = "certbot" },

     

       413
        
           { name = "cryptography" },

     

       414
        
           { name = "fastapi" },

     

       0
        
       
     

       415
        
           { name = "pydantic" },

     

       416
        
           { name = "python-dotenv" },

     

       417
        
           { name = "python-multipart" },

     
···

       438
        
       

     

       439
        
       [package.metadata]

     

       440
        
       requires-dist = [

     

       0
        
       
     

       441
        
           { name = "black", marker = "extra == 'dev'", specifier = ">=23.0.0" },

     

       442
       -
           { name = "certbot", specifier = ">=2.8.0" },

     

       443
        
           { name = "cryptography", specifier = ">=41.0.0" },

     

       444
        
           { name = "fastapi", specifier = ">=0.104.0" },

     

       445
        
           { name = "httpx", marker = "extra == 'dev'", specifier = ">=0.25.0" },

     

       0
        
       
     

       446
        
           { name = "pydantic", specifier = ">=2.5.0" },

     

       447
        
           { name = "pytest", marker = "extra == 'dev'", specifier = ">=7.4.0" },

     

       448
        
           { name = "pytest-asyncio", marker = "extra == 'dev'", specifier = ">=0.21.0" },

     
···

       472
        
       ]

     

       473
        
       

     

       474
        
       [[package]]

     

       475
       -
       name = "parsedatetime"

     

       476
       -
       version = "2.6"

     

       477
       -
       source = { registry = "https://pypi.org/simple" }

     

       478
       -
       sdist = { url = "https://files.pythonhosted.org/packages/a8/20/cb587f6672dbe585d101f590c3871d16e7aec5a576a1694997a3777312ac/parsedatetime-2.6.tar.gz", hash = "sha256:4cb368fbb18a0b7231f4d76119165451c8d2e35951455dfee97c62a87b04d455", size = 60114, upload-time = "2020-05-31T23:50:57.443Z" }

     

       479
       -
       wheels = [

     

       480
       -
           { url = "https://files.pythonhosted.org/packages/9d/a4/3dd804926a42537bf69fb3ebb9fd72a50ba84f807d95df5ae016606c976c/parsedatetime-2.6-py3-none-any.whl", hash = "sha256:cb96edd7016872f58479e35879294258c71437195760746faffedb692aef000b", size = 42548, upload-time = "2020-05-31T23:50:56.315Z" },

     

       481
       -
       ]

     

       482
       -
       

     

       483
       -
       [[package]]

     

       484
        
       name = "pathspec"

     

       485
        
       version = "0.12.1"

     

       486
        
       source = { registry = "https://pypi.org/simple" }

     
···

       671
        
       sdist = { url = "https://files.pythonhosted.org/packages/f3/87/f44d7c9f274c7ee665a29b885ec97089ec5dc034c7f3fafa03da9e39a09e/python_multipart-0.0.20.tar.gz", hash = "sha256:8dd0cab45b8e23064ae09147625994d090fa46f5b0d1e13af944c331a7fa9d13", size = 37158, upload-time = "2024-12-16T19:45:46.972Z" }

     

       672
        
       wheels = [

     

       673
        
           { url = "https://files.pythonhosted.org/packages/45/58/38b5afbc1a800eeea951b9285d3912613f2603bdf897a4ab0f4bd7f405fc/python_multipart-0.0.20-py3-none-any.whl", hash = "sha256:8a62d3a8335e06589fe01f2a3e178cdcc632f3fbe0d492ad9ee0ec35aab1f104", size = 24546, upload-time = "2024-12-16T19:45:44.423Z" },

     

       674
       -
       ]

     

       675
       -
       

     

       676
       -
       [[package]]

     

       677
       -
       name = "pywin32"

     

       678
       -
       version = "311"

     

       679
       -
       source = { registry = "https://pypi.org/simple" }

     

       680
       -
       wheels = [

     

       681
       -
           { url = "https://files.pythonhosted.org/packages/7c/af/449a6a91e5d6db51420875c54f6aff7c97a86a3b13a0b4f1a5c13b988de3/pywin32-311-cp311-cp311-win32.whl", hash = "sha256:184eb5e436dea364dcd3d2316d577d625c0351bf237c4e9a5fabbcfa5a58b151", size = 8697031, upload-time = "2025-07-14T20:13:13.266Z" },

     

       682
       -
           { url = "https://files.pythonhosted.org/packages/51/8f/9bb81dd5bb77d22243d33c8397f09377056d5c687aa6d4042bea7fbf8364/pywin32-311-cp311-cp311-win_amd64.whl", hash = "sha256:3ce80b34b22b17ccbd937a6e78e7225d80c52f5ab9940fe0506a1a16f3dab503", size = 9508308, upload-time = "2025-07-14T20:13:15.147Z" },

     

       683
       -
           { url = "https://files.pythonhosted.org/packages/44/7b/9c2ab54f74a138c491aba1b1cd0795ba61f144c711daea84a88b63dc0f6c/pywin32-311-cp311-cp311-win_arm64.whl", hash = "sha256:a733f1388e1a842abb67ffa8e7aad0e70ac519e09b0f6a784e65a136ec7cefd2", size = 8703930, upload-time = "2025-07-14T20:13:16.945Z" },

     

       684
       -
           { url = "https://files.pythonhosted.org/packages/e7/ab/01ea1943d4eba0f850c3c61e78e8dd59757ff815ff3ccd0a84de5f541f42/pywin32-311-cp312-cp312-win32.whl", hash = "sha256:750ec6e621af2b948540032557b10a2d43b0cee2ae9758c54154d711cc852d31", size = 8706543, upload-time = "2025-07-14T20:13:20.765Z" },

     

       685
       -
           { url = "https://files.pythonhosted.org/packages/d1/a8/a0e8d07d4d051ec7502cd58b291ec98dcc0c3fff027caad0470b72cfcc2f/pywin32-311-cp312-cp312-win_amd64.whl", hash = "sha256:b8c095edad5c211ff31c05223658e71bf7116daa0ecf3ad85f3201ea3190d067", size = 9495040, upload-time = "2025-07-14T20:13:22.543Z" },

     

       686
       -
           { url = "https://files.pythonhosted.org/packages/ba/3a/2ae996277b4b50f17d61f0603efd8253cb2d79cc7ae159468007b586396d/pywin32-311-cp312-cp312-win_arm64.whl", hash = "sha256:e286f46a9a39c4a18b319c28f59b61de793654af2f395c102b4f819e584b5852", size = 8710102, upload-time = "2025-07-14T20:13:24.682Z" },

     

       687
       -
           { url = "https://files.pythonhosted.org/packages/a5/be/3fd5de0979fcb3994bfee0d65ed8ca9506a8a1260651b86174f6a86f52b3/pywin32-311-cp313-cp313-win32.whl", hash = "sha256:f95ba5a847cba10dd8c4d8fefa9f2a6cf283b8b88ed6178fa8a6c1ab16054d0d", size = 8705700, upload-time = "2025-07-14T20:13:26.471Z" },

     

       688
       -
           { url = "https://files.pythonhosted.org/packages/e3/28/e0a1909523c6890208295a29e05c2adb2126364e289826c0a8bc7297bd5c/pywin32-311-cp313-cp313-win_amd64.whl", hash = "sha256:718a38f7e5b058e76aee1c56ddd06908116d35147e133427e59a3983f703a20d", size = 9494700, upload-time = "2025-07-14T20:13:28.243Z" },

     

       689
       -
           { url = "https://files.pythonhosted.org/packages/04/bf/90339ac0f55726dce7d794e6d79a18a91265bdf3aa70b6b9ca52f35e022a/pywin32-311-cp313-cp313-win_arm64.whl", hash = "sha256:7b4075d959648406202d92a2310cb990fea19b535c7f4a78d3f5e10b926eeb8a", size = 8709318, upload-time = "2025-07-14T20:13:30.348Z" },

     

       690
       -
           { url = "https://files.pythonhosted.org/packages/c9/31/097f2e132c4f16d99a22bfb777e0fd88bd8e1c634304e102f313af69ace5/pywin32-311-cp314-cp314-win32.whl", hash = "sha256:b7a2c10b93f8986666d0c803ee19b5990885872a7de910fc460f9b0c2fbf92ee", size = 8840714, upload-time = "2025-07-14T20:13:32.449Z" },

     

       691
       -
           { url = "https://files.pythonhosted.org/packages/90/4b/07c77d8ba0e01349358082713400435347df8426208171ce297da32c313d/pywin32-311-cp314-cp314-win_amd64.whl", hash = "sha256:3aca44c046bd2ed8c90de9cb8427f581c479e594e99b5c0bb19b29c10fd6cb87", size = 9656800, upload-time = "2025-07-14T20:13:34.312Z" },

     

       692
       -
           { url = "https://files.pythonhosted.org/packages/c0/d2/21af5c535501a7233e734b8af901574572da66fcc254cb35d0609c9080dd/pywin32-311-cp314-cp314-win_arm64.whl", hash = "sha256:a508e2d9025764a8270f93111a970e1d0fbfc33f4153b388bb649b7eec4f9b42", size = 8932540, upload-time = "2025-07-14T20:13:36.379Z" },

     

       693
        
       ]

     

       694
        
       

     

       695
        
       [[package]]

···

       70
        
       ]

     

       71
        
       

     

       72
        
       [[package]]

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       73
        
       name = "certifi"

     

       74
        
       version = "2025.8.3"

     

       75
        
       source = { registry = "https://pypi.org/simple" }

     
···

       198
        
       ]

     

       199
        
       

     

       200
        
       [[package]]

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       201
        
       name = "cryptography"

     

       202
        
       version = "45.0.6"

     

       203
        
       source = { registry = "https://pypi.org/simple" }

     
···

       371
        
       version = "0.1.0"

     

       372
        
       source = { editable = "." }

     

       373
        
       dependencies = [

     

       374
       +
           { name = "acme" },

     

       375
        
           { name = "cryptography" },

     

       376
        
           { name = "fastapi" },

     

       377
       +
           { name = "josepy" },

     

       378
        
           { name = "pydantic" },

     

       379
        
           { name = "python-dotenv" },

     

       380
        
           { name = "python-multipart" },

     
···

       401
        
       

     

       402
        
       [package.metadata]

     

       403
        
       requires-dist = [

     

       404
       +
           { name = "acme", specifier = ">=2.8.0" },

     

       405
        
           { name = "black", marker = "extra == 'dev'", specifier = ">=23.0.0" },

     

       0
        
       
     

       406
        
           { name = "cryptography", specifier = ">=41.0.0" },

     

       407
        
           { name = "fastapi", specifier = ">=0.104.0" },

     

       408
        
           { name = "httpx", marker = "extra == 'dev'", specifier = ">=0.25.0" },

     

       409
       +
           { name = "josepy", specifier = ">=1.14.0" },

     

       410
        
           { name = "pydantic", specifier = ">=2.5.0" },

     

       411
        
           { name = "pytest", marker = "extra == 'dev'", specifier = ">=7.4.0" },

     

       412
        
           { name = "pytest-asyncio", marker = "extra == 'dev'", specifier = ">=0.21.0" },

     
···

       436
        
       ]

     

       437
        
       

     

       438
        
       [[package]]

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       439
        
       name = "pathspec"

     

       440
        
       version = "0.12.1"

     

       441
        
       source = { registry = "https://pypi.org/simple" }

     
···

       626
        
       sdist = { url = "https://files.pythonhosted.org/packages/f3/87/f44d7c9f274c7ee665a29b885ec97089ec5dc034c7f3fafa03da9e39a09e/python_multipart-0.0.20.tar.gz", hash = "sha256:8dd0cab45b8e23064ae09147625994d090fa46f5b0d1e13af944c331a7fa9d13", size = 37158, upload-time = "2024-12-16T19:45:46.972Z" }

     

       627
        
       wheels = [

     

       628
        
           { url = "https://files.pythonhosted.org/packages/45/58/38b5afbc1a800eeea951b9285d3912613f2603bdf897a4ab0f4bd7f405fc/python_multipart-0.0.20-py3-none-any.whl", hash = "sha256:8a62d3a8335e06589fe01f2a3e178cdcc632f3fbe0d492ad9ee0ec35aab1f104", size = 24546, upload-time = "2024-12-16T19:45:44.423Z" },

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       629
        
       ]

     

       630
        
       

     

       631
        
       [[package]]