Unable to get the transport ssl context from the request. This prevents checking the Client provided certificate and matching up the provided CN against allowed users/server.

[desean1625]

Initial Checks

• I confirm this was discussed, and the maintainers suggest I open an issue.
• I'm aware that if I created this issue without a discussion, it may be closed without a response.

Discussion Link

https://github.com/encode/uvicorn/issues/745

Description

Many applications in finance/banking require two way certificate verification. Currently the way we have handled this is by proxying the request and extracting out the client information at nginx or traefik and stuffing it into the headers.

Example Code

From the request we cannot get the transport information and unable to getgetpeercert preventing application-level validation of client certificates.

A possible solution is to pass the transport in the request scope.
In the protocol h11_impl.py we could simply add

"transport":self.transport

after

uvicorn/uvicorn/protocols/http/h11_impl.py

Line 203 in 0efd383

"type": "http",

Then at a route level or fastapi middleware we could pull the client certificates to check against an authorization service.

@app.get("/admin")
async def getAdminPage(request:Request):
  client_cert = request.scope['transport'].get_extra_info("ssl_object").getpeercert()
  #Verify user common name is an admin

Python, Uvicorn & OS Version

All

Important

• We're using Polar.sh so you can upvote and help fund this issue.
• We receive the funding once the issue is completed & confirmed by you.
• Thank you in advance for helping prioritize & fund our backlog.

[lschneidpro]

any update ?

[frobnitzem]

I agree, and suggest another issue name:

Pass underlying transport via Scope["extensions"]

In order for an API function to look into properties of the socket/transport that called it, the preferred method is via scope extensions.
This is needed, for example, to get the client TLS certificate using transport.get_extra_info('peercert') ref.

The basic ASGI call sends scope, along with receive and send callbacks:

uvicorn/uvicorn/protocols/http/httptools_impl.py

Lines 397 to 401 in 5bf788f

	async def run_asgi(self, app: ASGI3Application) -> None:
	try:
	result = await app( # type: ignore[func-returns-value]
	self.scope, self.receive, self.send
	)

Scope, defined in the ASGI spec, allows "extensions" to be defined by implementations.

So, I also agree we should set scope["extensions"]["transport"] = self.transport
here:

uvicorn/uvicorn/protocols/http/httptools_impl.py

Lines 213 to 223 in 5bf788f

	self.scope = { # type: ignore[typeddict-item]
	"type": "http",
	"asgi": {"version": self.config.asgi_version, "spec_version": "2.4"},
	"http_version": "1.1",
	"server": self.server,
	"client": self.client,
	"scheme": self.scheme, # type: ignore[typeddict-item]
	"root_path": self.root_path,
	"headers": self.headers,
	"state": self.app_state.copy(),
	}

[frobnitzem]

Note - a "tls" extension has been implemented and is in need of a final review here:
#1119. nonecorn and hypercorn are also mentioned in that thread.

Sending the transport through is still useful, since there is still more information on the socket -- for example with AF_UNIX sockets, this allows reading the username:
peer = transport.get_extra_info('socket').getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3I"))

[desean1625]

This is great. It looks like it should work.

Currently I have just been monkey patching the RequestResponseCycle

from uvicorn.protocols.http.h11_impl import RequestResponseCycle
responseCycleInit = RequestResponseCycle.__init__
def monkey_patch_response_cycle(self,*k,**kw):
  responseCycleInit(self,*k,**kw)
  self.scope['transport'] = self.transport

RequestResponseCycle.__init__ = monkey_patch_response_cycle