X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Fserver%2Fthreadedserver.py;h=4be1aff2d740ecae9449db479f82d13812a04252;hb=HEAD;hp=d5c47bf44565c0bda38748795aaf4edc17967212;hpb=4a9e6751f9f396f463932133b9d62fc925a99ef6;p=sfa.git diff --git a/sfa/server/threadedserver.py b/sfa/server/threadedserver.py index d5c47bf4..4be1aff2 100644 --- a/sfa/server/threadedserver.py +++ b/sfa/server/threadedserver.py @@ -12,16 +12,16 @@ import traceback import threading from queue import Queue import socketserver +import ssl import http.server import xmlrpc.server -from OpenSSL import SSL +import xmlrpc.client from sfa.util.sfalogging import logger from sfa.util.config import Config from sfa.util.cache import Cache from sfa.trust.certificate import Certificate from sfa.trust.trustedroots import TrustedRoots -from sfa.util.py23 import xmlrpc_client # don't hard code an api class anymore here from sfa.generic import Generic @@ -36,77 +36,80 @@ def verify_callback(conn, x509, err, depth, preverify): # if the cert has been preverified, then it is ok if preverify: # print " preverified" - return 1 + return True # the certificate verification done by openssl checks a number of things # that we aren't interested in, so we look out for those error messages # and ignore them # XXX SMBAKER: I don't know what this error is, but it's being returned - # xxx thierry: this most likely means the cert has a validity range in the future + # xxx thierry: this most likely means the cert + # has a validity range in the future # by newer pl nodes. if err == 9: # print " X509_V_ERR_CERT_NOT_YET_VALID" - return 1 + return True # allow self-signed certificates if err == 18: # print " X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT" - return 1 + return False # allow certs that don't have an issuer if err == 20: # print " X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY" - return 1 + return False # allow chained certs with self-signed roots if err == 19: - return 1 + return False # allow certs that are untrusted if err == 21: # print " X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE" - return 1 + return False # allow certs that are untrusted if err == 27: # print " X509_V_ERR_CERT_UNTRUSTED" - return 1 + return False # ignore X509_V_ERR_CERT_SIGNATURE_FAILURE if err == 7: - return 1 + return False - logger.debug(" error %s in verify_callback" % err) + logger.debug(" unhandled error %s in verify_callback" % err) - return 0 + return False ## # taken from the web (XXX find reference). Implements HTTPS xmlrpc request # handler - +# python-2.7 http://code.activestate.com/recipes/442473-simple-http-server-supporting-ssl-secure-communica/ +# python-3.3 https://gist.github.com/ubershmekel/6194556 class SecureXMLRpcRequestHandler(xmlrpc.server.SimpleXMLRPCRequestHandler): - """Secure XML-RPC request handler class. + """ + Secure XML-RPC request handler class. - It it very similar to SimpleXMLRPCRequestHandler but it uses HTTPS for transporting XML data. + It it very similar to SimpleXMLRPCRequestHandler + but it uses HTTPS for transporting XML data. """ - def setup(self): - self.connection = self.request - self.rfile = socket._fileobject(self.request, "rb", self.rbufsize) - self.wfile = socket._fileobject(self.request, "wb", self.wbufsize) + # porting to python3 + # setup() no longer needed def do_POST(self): - """Handles the HTTPS POST request. + """ + Handles the HTTPS POST request. - It was copied out from SimpleXMLRPCServer.py and modified to shutdown + It was copied out from SimpleXMLRPCServer.py and modified to shutdown the socket cleanly. """ try: peer_cert = Certificate() peer_cert.load_from_pyopenssl_x509( - self.connection.get_peer_certificate()) + self.connection.getpeercert()) generic = Generic.the_flavour() self.api = generic.make_api(peer_cert=peer_cert, interface=self.server.interface, @@ -140,27 +143,31 @@ class SecureXMLRpcRequestHandler(xmlrpc.server.SimpleXMLRPCRequestHandler): self.send_header("Content-type", "text/xml") self.send_header("Content-length", str(len(response))) self.end_headers() - self.wfile.write(response) + self.wfile.write(response.encode()) self.wfile.flush() # close db connection self.api.close_dbsession() # shut down the connection - self.connection.shutdown() # Modified here! + self.connection.shutdown(socket.SHUT_RDWR) # Modified here! ## # Taken from the web (XXX find reference). Implements an HTTPS xmlrpc server -class SecureXMLRPCServer(http.server.HTTPServer, xmlrpc.server.SimpleXMLRPCDispatcher): +class SecureXMLRPCServer(http.server.HTTPServer, + xmlrpc.server.SimpleXMLRPCDispatcher): - def __init__(self, server_address, HandlerClass, key_file, cert_file, logRequests=True): + def __init__(self, server_address, HandlerClass, + key_file, cert_file, logRequests=True): """ Secure XML-RPC server. - It it very similar to SimpleXMLRPCServer but it uses HTTPS for transporting XML data. + It it very similar to SimpleXMLRPCServer + but it uses HTTPS for transporting XML data. """ - logger.debug("SecureXMLRPCServer.__init__, server_address=%s, " - "cert_file=%s, key_file=%s" % (server_address, cert_file, key_file)) + logger.debug( + f"SecureXMLRPCServer.__init__, server_address={server_address}, " + f"cert_file={cert_file}, key_file={key_file}") self.logRequests = logRequests self.interface = None self.key_file = key_file @@ -168,29 +175,30 @@ class SecureXMLRPCServer(http.server.HTTPServer, xmlrpc.server.SimpleXMLRPCDispa self.method_map = {} # add cache to the request handler HandlerClass.cache = Cache() - # for compatibility with python 2.4 (centos53) - if sys.version_info < (2, 5): - xmlrpc.server.SimpleXMLRPCDispatcher.__init__(self) - else: - xmlrpc.server.SimpleXMLRPCDispatcher.__init__( - self, True, None) + xmlrpc.server.SimpleXMLRPCDispatcher.__init__(self, True, None) socketserver.BaseServer.__init__(self, server_address, HandlerClass) - ctx = SSL.Context(SSL.SSLv23_METHOD) - ctx.use_privatekey_file(key_file) - ctx.use_certificate_file(cert_file) - # If you wanted to verify certs against known CAs.. this is how you would do it - # ctx.load_verify_locations('/etc/sfa/trusted_roots/plc.gpo.gid') + ssl_context = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH) + ssl_context.load_cert_chain(cert_file, key_file) + # If you wanted to verify certs against known CAs.. + # this is how you would do it + # ssl_context.load_verify_locations('/etc/sfa/trusted_roots/plc.gpo.gid') config = Config() trusted_cert_files = TrustedRoots( config.get_trustedroots_dir()).get_file_list() + cadata = "" for cert_file in trusted_cert_files: - ctx.load_verify_locations(cert_file) - ctx.set_verify(SSL.VERIFY_PEER | - SSL.VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback) - ctx.set_verify_depth(5) - ctx.set_app_data(self) - self.socket = SSL.Connection(ctx, socket.socket(self.address_family, - self.socket_type)) + with open(cert_file) as cafile: + cadata += cafile.read() + ssl_context.load_verify_locations(cadata=cadata) +# ctx.set_verify(SSL.VERIFY_PEER | +# SSL.VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback) +# ctx.set_verify_depth(5) +# ctx.set_app_data(self) + # with python3 we use standard library SSLContext.wrap_socket() + # instead of an OpenSSL.SSL.Connection object + self.socket = ssl_context.wrap_socket( + socket.socket(self.address_family, self.socket_type), + server_side=True) self.server_bind() self.server_activate() @@ -202,48 +210,24 @@ class SecureXMLRPCServer(http.server.HTTPServer, xmlrpc.server.SimpleXMLRPCDispa def _dispatch(self, method, params): logger.debug("SecureXMLRPCServer._dispatch, method=%s" % method) try: - return xmlrpc.server.SimpleXMLRPCDispatcher._dispatch(self, method, params) + return xmlrpc.server.SimpleXMLRPCDispatcher._dispatch( + self, method, params) except: # can't use format_exc() as it is not available in jython yet # (even in trunk). type, value, tb = sys.exc_info() - raise xmlrpc_client.Fault(1, ''.join( + raise xmlrpc.client.Fault(1, ''.join( traceback.format_exception(type, value, tb))) - # override this one from the python 2.7 code - # originally defined in class TCPServer - def shutdown_request(self, request): - """Called to shutdown and close an individual request.""" - # ---------- - # the std python 2.7 code just attempts a request.shutdown(socket.SHUT_WR) - # this works fine with regular sockets - # However we are dealing with an instance of OpenSSL.SSL.Connection instead - # This one only supports shutdown(), and in addition this does not - # always perform as expected - # ---------- std python 2.7 code - try: - # explicitly shutdown. socket.close() merely releases - # the socket and waits for GC to perform the actual close. - request.shutdown(socket.SHUT_WR) - except socket.error: - pass # some platforms may raise ENOTCONN here - # ---------- - except TypeError: - # we are dealing with an OpenSSL.Connection object, - # try to shut it down but never mind if that fails - try: - request.shutdown() - except: - pass - # ---------- - self.close_request(request) + # porting to python3 + # shutdown_request() no longer needed + # From Active State code: http://code.activestate.com/recipes/574454/ # This is intended as a drop-in replacement for the ThreadingMixIn class in # module SocketServer of the standard lib. Instead of spawning a new thread # for each request, requests are processed by of pool of reusable threads. - class ThreadPoolMixIn(socketserver.ThreadingMixIn): """ use a thread pool instead of a new thread on every request @@ -261,10 +245,10 @@ class ThreadPoolMixIn(socketserver.ThreadingMixIn): # set up the threadpool self.requests = Queue() - for x in range(self.numThreads): - t = threading.Thread(target=self.process_request_thread) - t.setDaemon(1) - t.start() + for _ in range(self.numThreads): + thread = threading.Thread(target=self.process_request_thread) + thread.setDaemon(1) + thread.start() # server main loop while True: