# TODO: investigate ways to combine this with existing PLC server?
##
-### $Id$
-### $URL$
-
import sys
+import socket, os
import traceback
import threading
-import socket, os
+from Queue import Queue
import SocketServer
import BaseHTTPServer
import SimpleHTTPServer
import SimpleXMLRPCServer
from OpenSSL import SSL
-from Queue import Queue
+
from sfa.trust.certificate import Keypair, Certificate
+from sfa.trust.trustedroots import TrustedRoots
+from sfa.util.config import Config
from sfa.trust.credential import *
from sfa.util.faults import *
-from sfa.plc.api import SfaAPI
-from sfa.util.debug import log
+from sfa.plc.api import SfaAPI
+from sfa.util.cache import Cache
+from sfa.util.sfalogging import logger
##
# Verification callback for pyOpenSSL. We do our own checking of keys because
#print " preverified"
return 1
- # we're only passing single certificates, not chains
- if depth > 0:
- #print " depth > 0 in verify_callback"
- return 0
-
- # create a Certificate object and load it from the client's x509
- ctx = conn.get_context()
- server = ctx.get_app_data()
- server.peer_cert = Certificate()
- server.peer_cert.load_from_pyopenssl_x509(x509)
# the certificate verification done by openssl checks a number of things
# that we aren't interested in, so we look out for those error messages
#print " X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY"
return 1
+ # allow chained certs with self-signed roots
+ if err == 19:
+ return 1
+
# allow certs that are untrusted
if err == 21:
#print " X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE"
return 0
##
-# taken from the web (XXX find reference). Implents HTTPS xmlrpc request handler
+# taken from the web (XXX find reference). Implements HTTPS xmlrpc request handler
class SecureXMLRpcRequestHandler(SimpleXMLRPCServer.SimpleXMLRPCRequestHandler):
"""Secure XML-RPC request handler class.
def do_POST(self):
"""Handles the HTTPS POST request.
- It was copied out from SimpleXMLRPCServer.py and modified to shutdown the socket cleanly.
+ It was copied out from SimpleXMLRPCServer.py and modified to shutdown
+ the socket cleanly.
"""
try:
- self.api = SfaAPI(peer_cert = self.server.peer_cert,
+ peer_cert = Certificate()
+ peer_cert.load_from_pyopenssl_x509(self.connection.get_peer_certificate())
+ self.api = SfaAPI(peer_cert = peer_cert,
interface = self.server.interface,
key_file = self.server.key_file,
- cert_file = self.server.cert_file)
+ cert_file = self.server.cert_file,
+ cache = self.cache)
# get arguments
request = self.rfile.read(int(self.headers["content-length"]))
- # In previous versions of SimpleXMLRPCServer, _dispatch
- # could be overridden in this class, instead of in
- # SimpleXMLRPCDispatcher. To maintain backwards compatibility,
- # check to see if a subclass implements _dispatch and dispatch
- # using that method if present.
- #response = self.server._marshaled_dispatch(request, getattr(self, '_dispatch', None))
remote_addr = (remote_ip, remote_port) = self.connection.getpeername()
- self.api.remote_addr = remote_addr
- response = self.api.handle(remote_addr, request)
-
-
+ self.api.remote_addr = remote_addr
+ response = self.api.handle(remote_addr, request, self.server.method_map)
except Exception, fault:
- raise
# This should only happen if the module is buggy
# internal error, report as HTTP server error
- self.send_response(500)
- self.end_headers()
- else:
- # got a valid XML RPC response
- self.send_response(200)
- self.send_header("Content-type", "text/xml")
- self.send_header("Content-length", str(len(response)))
- self.end_headers()
- self.wfile.write(response)
-
- # shut down the connection
- self.wfile.flush()
- self.connection.shutdown() # Modified here!
+ logger.log_exc("server.do_POST")
+ response = self.api.prepare_response(fault)
+ #self.send_response(500)
+ #self.end_headers()
+
+ # got a valid response
+ self.send_response(200)
+ self.send_header("Content-type", "text/xml")
+ self.send_header("Content-length", str(len(response)))
+ self.end_headers()
+ self.wfile.write(response)
+
+ # shut down the connection
+ self.wfile.flush()
+ self.connection.shutdown() # Modified here!
##
# Taken from the web (XXX find reference). Implements an HTTPS xmlrpc server
It it very similar to SimpleXMLRPCServer but it uses HTTPS for transporting XML data.
"""
+ logger.debug("SecureXMLRPCServer.__init__, server_address=%s, cert_file=%s"%(server_address,cert_file))
self.logRequests = logRequests
self.interface = None
self.key_file = key_file
self.cert_file = cert_file
+ self.method_map = {}
+ # add cache to the request handler
+ HandlerClass.cache = Cache()
#for compatibility with python 2.4 (centos53)
if sys.version_info < (2, 5):
SimpleXMLRPCServer.SimpleXMLRPCDispatcher.__init__(self)
SimpleXMLRPCServer.SimpleXMLRPCDispatcher.__init__(self, True, None)
SocketServer.BaseServer.__init__(self, server_address, HandlerClass)
ctx = SSL.Context(SSL.SSLv23_METHOD)
- ctx.use_privatekey_file(key_file)
+ ctx.use_privatekey_file(key_file)
ctx.use_certificate_file(cert_file)
+ # If you wanted to verify certs against known CAs.. this is how you would do it
+ #ctx.load_verify_locations('/etc/sfa/trusted_roots/plc.gpo.gid')
+ config = Config()
+ trusted_cert_files = TrustedRoots(config.get_trustedroots_dir()).get_file_list()
+ for cert_file in trusted_cert_files:
+ ctx.load_verify_locations(cert_file)
ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback)
+ ctx.set_verify_depth(5)
ctx.set_app_data(self)
self.socket = SSL.Connection(ctx, socket.socket(self.address_family,
self.socket_type))
# the client.
def _dispatch(self, method, params):
+ logger.debug("SecureXMLRPCServer._dispatch, method=%s"%method)
try:
return SimpleXMLRPCServer.SimpleXMLRPCDispatcher._dispatch(self, method, params)
except:
# can't use format_exc() as it is not available in jython yet
- # (evein in trunk).
+ # (even in trunk).
type, value, tb = sys.exc_info()
raise xmlrpclib.Fault(1,''.join(traceback.format_exception(type, value, tb)))
+ # override this one from the python 2.7 code
+ # originally defined in class TCPServer
+ def shutdown_request(self, request):
+ """Called to shutdown and close an individual request."""
+ # ----------
+ # the std python 2.7 code just attempts a request.shutdown(socket.SHUT_WR)
+ # this works fine with regular sockets
+ # However we are dealing with an instance of OpenSSL.SSL.Connection instead
+ # This one only supports shutdown(), and in addition this does not
+ # always perform as expected
+ # ---------- std python 2.7 code
+ try:
+ #explicitly shutdown. socket.close() merely releases
+ #the socket and waits for GC to perform the actual close.
+ request.shutdown(socket.SHUT_WR)
+ except socket.error:
+ pass #some platforms may raise ENOTCONN here
+ # ----------
+ except TypeError:
+ # we are dealing with an OpenSSL.Connection object,
+ # try to shut it down but never mind if that fails
+ try: request.shutdown()
+ except: pass
+ # ----------
+ self.close_request(request)
+
## From Active State code: http://code.activestate.com/recipes/574454/
# This is intended as a drop-in replacement for the ThreadingMixIn class in
# module SocketServer of the standard lib. Instead of spawning a new thread
Handle one request at a time until doomsday.
"""
# set up the threadpool
- self.requests = Queue(self.numThreads)
+ self.requests = Queue()
for x in range(self.numThreads):
t = threading.Thread(target = self.process_request_thread)
# @param cert_file certificate filename containing public key
# (could be a GID file)
- def __init__(self, ip, port, key_file, cert_file):
+ def __init__(self, ip, port, key_file, cert_file,interface):
threading.Thread.__init__(self)
self.key = Keypair(filename = key_file)
self.cert = Certificate(filename = cert_file)
#self.server = SecureXMLRPCServer((ip, port), SecureXMLRpcRequestHandler, key_file, cert_file)
self.server = ThreadedServer((ip, port), SecureXMLRpcRequestHandler, key_file, cert_file)
+ self.server.interface=interface
self.trusted_cert_list = None
self.register_functions()
-
+ logger.info("Starting SfaServer, interface=%s"%interface)
##
# Register functions that will be served by the XMLRPC server. This
- # function should be overrided by each descendant class.
+ # function should be overridden by each descendant class.
def register_functions(self):
self.server.register_function(self.noop)
def noop(self, cred, anything):
self.decode_authentication(cred)
-
return anything
##