fix: Properly support mTLS

Author: vetsin

docs/user/authentication.rst

@@ -68,7 +68,37 @@ mTLS - Mutual TLS Authentication (Certificate-Based Authentication)
 
 The most ideal form of authentication for machine to machine communication. Follow `KB0993615 <https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0993615>`_ then:
 
-    >>> client = ServiceNowClient(instance, cert=('/path/to/client.cert', '/path/to/client.key'))
+    >>> client = ServiceNowClient(instance, cert=('/path/to/USER_x509.pem', '/path/to/USERPRIVATEKEY.key'))
+
+
+A quick example, using self-signed certificates:
+
+1. Setup the CA (root) key
+
+```bash
+# generate a root private key, if for some reason you don't have one already
+$ openssl genrsa -aes256 -out ca.key 2048
+# generate the CA certificate
+$ openssl req -x509 -new -nodes -key ca.key -out cert.pem -sha512 -days 365 -out cacert.pem
+```
+
+2. Upload cacert.pem via /sys_ca_certificate.do
+
+3. Setup the user key and CSR (we just generate them here for a POC example)
+
+```bash
+# note: python requests (the underlying library) does not directly support keys with passwords!
+$ openssl req -nodes -newkey rsa:2048 -keyout USERPRIVATEKEY.key -out USERCSR.csr
+```
+
+4. Sign the CSR with the root, creating a X.509 for the user
+
+```
+$ openssl x509 -req -days 365 -in USERCSR.csr -CA cacert.pem -CAkey ca.key -extfile <(printf "extendedKeyUsage=clientAuth") -out USER_x509.pem
+```
+
+5. Attach `USER_x509.pem` to a new `/sys_user_certificate.do` record
+
 
 Requests Authentication
 -----------------------

pysnc/client.py

@@ -29,7 +29,7 @@ class ServiceNowClient(object):
     :param bool verify: Verify the SSL/TLS certificate OR the certificate to use. Useful if you're using a self-signed HTTPS proxy.
     :param cert: if String, path to ssl client cert file (.pem). If Tuple, (‘cert’, ‘key’) pair.
     """
-    def __init__(self, instance, auth, proxy=None, verify=None, cert=None, auto_retry=True):
+    def __init__(self, instance, auth=None, proxy=None, verify=None, cert=None, auto_retry=True):
         self._log = logging.getLogger(__name__)
         self.__instance = get_instance(instance)
 
@@ -62,6 +62,7 @@ def __init__(self, instance, auth, proxy=None, verify=None, cert=None, auto_retr
         elif isinstance(auth, ServiceNowFlow):
             self.__session = auth.authenticate(self.__instance, proxies=self.__proxies, verify=verify)
         elif cert is not None:
+            self.__session = requests.session()
             self.__session.cert = cert
         else:
             raise AuthenticationException('No valid authentication method provided')

test/test_snc_auth.py

@@ -64,6 +64,19 @@ def nop_test_jwt(self):
         assert gr.get('6816f79cc0a8016401c5a33be04be441'), "did not jwt auth"
         '''
 
+    @skip("Requires keys and conf that makes automation hard")
+    def test_mtls(self):
+        # e.g. PYSNC_USER_KEY=x PYSNC_USER_CERT=y poetry run pytest test/test_snc_auth.py::TestAuth::test_mtls
+        path_key = self.c.get_value('USER_KEY')
+        assert path_key, 'Require user private key'
+        path_cert = self.c.get_value('USER_CERT')
+        assert path_cert, 'Require user x509 certificate'
+
+        client = ServiceNowClient(self.c.server, cert=(path_cert, path_key))
+        gr = client.GlideRecord('sys_user')
+        gr.fields = 'sys_id'
+        self.assertTrue(gr.get('6816f79cc0a8016401c5a33be04be441'))
+
 
 
 

test/test_snc_element.py

@@ -217,3 +217,6 @@ def test_changes(self):
         self.assertFalse(element.changes())
         element.set_value('4')
         self.assertTrue(element.changes())
+
+    def test_non_ref_string_field(self):
+        element = GlideElement('')