feat(api): added support for tls client authentication against reverse proxies

mgrechukh · mgrechukh · commit b0e9374c0142 · 2025-01-30T17:05:44.000+02:00
diff --git a/gitlab/client.py b/gitlab/client.py
@@ -75,6 +75,8 @@ class Gitlab:
             or 52x responses. Defaults to False.
         keep_base_url: keep user-provided base URL for pagination if it
             differs from response headers
+        tls_client_cert: provide client TLS certificate
+        tls_client_key: provide client TLS key
 
     Keyword Args:
         requests.Session session: HTTP Requests Session
@@ -98,6 +100,8 @@ def __init__(
         user_agent: str = gitlab.const.USER_AGENT,
         retry_transient_errors: bool = False,
         keep_base_url: bool = False,
+        tls_client_cert: Optional[str] = None,
+        tls_client_key: Optional[str] = None,
         **kwargs: Any,
     ) -> None:
         self._api_version = str(api_version)
@@ -109,6 +113,7 @@ def __init__(
         self.timeout = timeout
         self.retry_transient_errors = retry_transient_errors
         self.keep_base_url = keep_base_url
+
         #: Headers that will be used in request to GitLab
         self.headers = {"User-Agent": user_agent}
 
@@ -129,6 +134,13 @@ def __init__(
         self._backend = _backend(**kwargs)
         self.session = self._backend.client
 
+        if tls_client_cert and tls_client_key:
+            self.session.cert = (tls_client_cert, tls_client_key)
+        elif tls_client_cert or tls_client_key:
+            raise ValueError(
+                "tls_client_cert and tls_client_key must be provided together"
+            )
+
         self.per_page = per_page
         self.pagination = pagination
         self.order_by = order_by
@@ -304,6 +316,8 @@ def from_config(
             user_agent=config.user_agent,
             retry_transient_errors=config.retry_transient_errors,
             keep_base_url=config.keep_base_url,
+            tls_client_cert=config.tls_client_cert,
+            tls_client_key=config.tls_client_key,
             **kwargs,
         )
 
@@ -360,6 +374,9 @@ def merge_config(
             pagination=options.get("pagination") or config.pagination,
             order_by=options.get("order_by") or config.order_by,
             user_agent=options.get("user_agent") or config.user_agent,
+            keep_base_url=config.keep_base_url,
+            tls_client_cert=config.tls_client_cert,
+            tls_client_key=config.tls_client_key,
         )
 
     @staticmethod
diff --git a/gitlab/config.py b/gitlab/config.py
@@ -109,6 +109,8 @@ def __init__(
         self.url: Optional[str] = None
         self.user_agent: str = USER_AGENT
         self.keep_base_url: bool = False
+        self.tls_client_cert: Optional[str] = None
+        self.tls_client_key: Optional[str] = None
 
         self._files = _get_config_files(config_files)
         if self._files:
@@ -245,6 +247,24 @@ def _parse_config(self) -> None:
         except _CONFIG_PARSER_ERRORS:
             pass
 
+        try:
+            self.tls_client_cert = _config.get("global", "tls_client_cert")
+        except _CONFIG_PARSER_ERRORS:
+            pass
+        try:
+            self.tls_client_cert = _config.get(self.gitlab_id, "tls_client_cert")
+        except _CONFIG_PARSER_ERRORS:
+            pass
+
+        try:
+            self.tls_client_key = _config.get("global", "tls_client_key")
+        except _CONFIG_PARSER_ERRORS:
+            pass
+        try:
+            self.tls_client_key = _config.get(self.gitlab_id, "tls_client_key")
+        except _CONFIG_PARSER_ERRORS:
+            pass
+
         try:
             self.retry_transient_errors = _config.getboolean(
                 "global", "retry_transient_errors"
