X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Futil%2Fserver.py;h=2d8e13b2683e8b590f8fa97881907a021e9253d0;hb=b1775bb47ea5e242d337dbd34f5d58d10a57a028;hp=fece14ffc38e94adafb67eada0d4d45c70c52009;hpb=7cc85671dcb4c1dd8a564bb18110653061e0ab95;p=sfa.git

diff --git a/sfa/util/server.py b/sfa/util/server.py
index fece14ff..2d8e13b2 100644
--- a/sfa/util/server.py
+++ b/sfa/util/server.py
@@ -19,12 +19,12 @@ import SimpleHTTPServer
 import SimpleXMLRPCServer
 from OpenSSL import SSL
 from Queue import Queue
+
 from sfa.trust.certificate import Keypair, Certificate
 from sfa.trust.credential import *
 from sfa.util.faults import *
-from sfa.plc.api import SfaAPI 
-from sfa.util.debug import log
-
+from sfa.plc.api import SfaAPI
+from sfa.util.cache import Cache 
 ##
 # Verification callback for pyOpenSSL. We do our own checking of keys because
 # we have our own authentication spec. Thus we disable several of the normal
@@ -36,16 +36,6 @@ def verify_callback(conn, x509, err, depth, preverify):
        #print "  preverified"
        return 1
 
-    # we're only passing single certificates, not chains
-    if depth > 0:
-       #print "  depth > 0 in verify_callback"
-       return 0
-
-    # create a Certificate object and load it from the client's x509
-    ctx = conn.get_context()
-    server = ctx.get_app_data()
-    server.peer_cert = Certificate()
-    server.peer_cert.load_from_pyopenssl_x509(x509)
 
     # the certificate verification done by openssl checks a number of things
     # that we aren't interested in, so we look out for those error messages
@@ -67,6 +57,10 @@ def verify_callback(conn, x509, err, depth, preverify):
        #print "  X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY"
        return 1
 
+    # allow chained certs with self-signed roots
+    if err == 19:
+        return 1
+    
     # allow certs that are untrusted
     if err == 21:
        #print "  X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE"
@@ -96,42 +90,40 @@ class SecureXMLRpcRequestHandler(SimpleXMLRPCServer.SimpleXMLRPCRequestHandler):
     def do_POST(self):
         """Handles the HTTPS POST request.
 
-        It was copied out from SimpleXMLRPCServer.py and modified to shutdown the socket cleanly.
+        It was copied out from SimpleXMLRPCServer.py and modified to shutdown 
+        the socket cleanly.
         """
         try:
-            self.api = SfaAPI(peer_cert = self.server.peer_cert, 
+            peer_cert = Certificate()
+            peer_cert.load_from_pyopenssl_x509(self.connection.get_peer_certificate())
+            self.api = SfaAPI(peer_cert = peer_cert, 
                               interface = self.server.interface, 
                               key_file = self.server.key_file, 
-                              cert_file = self.server.cert_file)
+                              cert_file = self.server.cert_file,
+                              cache = self.cache)
             # get arguments
             request = self.rfile.read(int(self.headers["content-length"]))
-            # In previous versions of SimpleXMLRPCServer, _dispatch
-            # could be overridden in this class, instead of in
-            # SimpleXMLRPCDispatcher. To maintain backwards compatibility,
-            # check to see if a subclass implements _dispatch and dispatch
-            # using that method if present.
-            #response = self.server._marshaled_dispatch(request, getattr(self, '_dispatch', None))
             remote_addr = (remote_ip, remote_port) = self.connection.getpeername()
-            self.api.remote_addr = remote_addr
-            response = self.api.handle(remote_addr, request)
-
-        
+            self.api.remote_addr = remote_addr            
+            response = self.api.handle(remote_addr, request, self.server.method_map)
         except Exception, fault:
             # This should only happen if the module is buggy
             # internal error, report as HTTP server error
-            self.send_response(500)
-            self.end_headers()
-        else:
-            # got a valid XML RPC response
-            self.send_response(200)
-            self.send_header("Content-type", "text/xml")
-            self.send_header("Content-length", str(len(response)))
-            self.end_headers()
-            self.wfile.write(response)
-
-            # shut down the connection
-            self.wfile.flush()
-            self.connection.shutdown() # Modified here!
+            sfa_error.log_exc("server.do_POST")
+            response = self.api.prepare_response(fault)
+            #self.send_response(500)
+            #self.end_headers()
+       
+        # got a valid response
+        self.send_response(200)
+        self.send_header("Content-type", "text/xml")
+        self.send_header("Content-length", str(len(response)))
+        self.end_headers()
+        self.wfile.write(response)
+
+        # shut down the connection
+        self.wfile.flush()
+        self.connection.shutdown() # Modified here!
 
 ##
 # Taken from the web (XXX find reference). Implements an HTTPS xmlrpc server
@@ -145,6 +137,9 @@ class SecureXMLRPCServer(BaseHTTPServer.HTTPServer,SimpleXMLRPCServer.SimpleXMLR
         self.interface = None
         self.key_file = key_file
         self.cert_file = cert_file
+        self.method_map = {}
+        # add cache to the request handler
+        HandlerClass.cache = Cache()
         #for compatibility with python 2.4 (centos53)
         if sys.version_info < (2, 5):
             SimpleXMLRPCServer.SimpleXMLRPCDispatcher.__init__(self)
@@ -152,9 +147,12 @@ class SecureXMLRPCServer(BaseHTTPServer.HTTPServer,SimpleXMLRPCServer.SimpleXMLR
            SimpleXMLRPCServer.SimpleXMLRPCDispatcher.__init__(self, True, None)
         SocketServer.BaseServer.__init__(self, server_address, HandlerClass)
         ctx = SSL.Context(SSL.SSLv23_METHOD)
-        ctx.use_privatekey_file(key_file)
+        ctx.use_privatekey_file(key_file)        
         ctx.use_certificate_file(cert_file)
+        # If you wanted to verify certs against known CAs.. this is how you would do it
+        #ctx.load_verify_locations('/etc/sfa/trusted_roots/plc.gpo.gid')
         ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback)
+        ctx.set_verify_depth(5)
         ctx.set_app_data(self)
         self.socket = SSL.Connection(ctx, socket.socket(self.address_family,
                                                         self.socket_type))
@@ -194,7 +192,7 @@ class ThreadPoolMixIn(SocketServer.ThreadingMixIn):
         Handle one request at a time until doomsday.
         """
         # set up the threadpool
-        self.requests = Queue(self.numThreads)
+        self.requests = Queue()
 
         for x in range(self.numThreads):
             t = threading.Thread(target = self.process_request_thread)
@@ -259,7 +257,7 @@ class SfaServer(threading.Thread):
 
     ##
     # Register functions that will be served by the XMLRPC server. This
-    # function should be overrided by each descendant class.
+    # function should be overridden by each descendant class.
 
     def register_functions(self):
         self.server.register_function(self.noop)
@@ -270,7 +268,6 @@ class SfaServer(threading.Thread):
 
     def noop(self, cred, anything):
         self.decode_authentication(cred)
-
         return anything
 
     ##