Add python example to App Service - Configure TLS mutual authentication article

JimacoMS4 · JimacoMS4 · commit a7c6cc73b45f · 2024-06-18T14:28:41.000-07:00
diff --git a/articles/app-service/app-service-web-configure-tls-mutual-auth.md b/articles/app-service/app-service-web-configure-tls-mutual-auth.md
@@ -6,9 +6,9 @@ author: msangapu-msft
 ms.author: msangapu
 ms.assetid: cd1d15d3-2d9e-4502-9f11-a306dac4453a
 ms.topic: article
-ms.date: 12/11/2020
+ms.date: 06/18/2024
 ms.devlang: csharp
-ms.custom: devx-track-csharp, devx-track-extended-java, devx-track-js
+ms.custom: devx-track-csharp, devx-track-extended-java, devx-track-js, devx-track-python
 ---
 # Configure TLS mutual authentication for Azure App Service
 
@@ -438,4 +438,67 @@ public class ClientCertValidator {
 }
 ```
 
+## Python sample
+
+The following Python code implements a decorator named `authorize_certificate` that can be used on a Django view function to permit access only to callers that present a valid client certificate. It expects a PEM formatted certificate in the `X-ARR-ClientCert` header and uses the Python [cryptography](https://pypi.org/project/cryptography/) package to validate the certificate based on its fingerprint (thumbprint), subject common name, issuer common name, and beginning and expiration dates. If validation fails, the decorator raises the Django `PermissionDenied` exception.
+
+```python
+from functools import wraps
+from datetime import datetime, timezone
+from django.core.exceptions import PermissionDenied
+from cryptography import x509
+from cryptography.x509.oid import NameOID
+from cryptography.hazmat.primitives import hashes
+
+
+def validate_cert(request):
+
+    cert_value =  request.headers.get('X-ARR-ClientCert')
+    if cert_value is None:
+        return False
+    
+    cert_data = ''.join(['-----BEGIN CERTIFICATE-----\n', cert_value, '\n-----END CERTIFICATE-----\n',])
+    cert = x509.load_pem_x509_certificate(cert_data.encode('utf-8'))
+
+    fingerprint = cert.fingerprint(hashes.SHA1())
+    if fingerprint != b'12345678901234567890':
+        return False
+    
+    subject = cert.subject
+    subject_cn = subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
+    if subject_cn != "contoso.com":
+        return False
+    
+    issuer = cert.issuer
+    issuer_cn = issuer.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
+    if issuer_cn != "contosoauthority.com":
+        return False
+
+    current_time = datetime.now(timezone.utc)
+
+    if current_time < cert.not_valid_before_utc:
+        return False
+    
+    if current_time > cert.not_valid_after_utc:
+        return False
+    
+    return True
+
+def authorize_certificate(view):
+    @wraps(view)
+    def _wrapped_view(request, *args, **kwargs):
+        if not validate_cert(request):
+            raise PermissionDenied
+        return view(request, *args, **kwargs)
+    return _wrapped_view
+```
+
+The following code snippet shows how to use the decorator on a Django view function.
+
+```python
+@authorize_certificate
+def hellocert(request):
+    #Code omitted
+```
+
 [exclusion-paths]: ./media/app-service-web-configure-tls-mutual-auth/exclusion-paths.png
