X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Futil%2Fserver.py;h=505c7889a289e4cb6fb81a615703dab88786e22a;hb=04ee37a509b179c89d2584458bbe0d69db5b7c9c;hp=e6d3f3beb46ca43137f7f340149c1886c4b55921;hpb=952322d76247f8991f3c2688ed7e1f5a22ca4572;p=sfa.git diff --git a/sfa/util/server.py b/sfa/util/server.py index e6d3f3be..505c7889 100644 --- a/sfa/util/server.py +++ b/sfa/util/server.py @@ -19,13 +19,14 @@ import SimpleHTTPServer import SimpleXMLRPCServer from OpenSSL import SSL from Queue import Queue + +#import sfa.util.sfalogging from sfa.trust.certificate import Keypair, Certificate from sfa.trust.credential import * from sfa.util.faults import * from sfa.plc.api import SfaAPI from sfa.util.cache import Cache -from sfa.util.debug import log - +#from sfa.util.debug import log ## # Verification callback for pyOpenSSL. We do our own checking of keys because # we have our own authentication spec. Thus we disable several of the normal @@ -37,10 +38,6 @@ def verify_callback(conn, x509, err, depth, preverify): #print " preverified" return 1 - # we're only passing single certificates, not chains - if depth > 0: - #print " depth > 0 in verify_callback" - return 0 # the certificate verification done by openssl checks a number of things # that we aren't interested in, so we look out for those error messages @@ -62,6 +59,10 @@ def verify_callback(conn, x509, err, depth, preverify): #print " X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY" return 1 + # allow chained certs with self-signed roots + if err == 19: + return 1 + # allow certs that are untrusted if err == 21: #print " X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE" @@ -107,25 +108,24 @@ class SecureXMLRpcRequestHandler(SimpleXMLRPCServer.SimpleXMLRPCRequestHandler): remote_addr = (remote_ip, remote_port) = self.connection.getpeername() self.api.remote_addr = remote_addr response = self.api.handle(remote_addr, request, self.server.method_map) - - except Exception, fault: # This should only happen if the module is buggy # internal error, report as HTTP server error - self.send_response(500) - self.end_headers() traceback.print_exc() - else: - # got a valid XML RPC response - self.send_response(200) - self.send_header("Content-type", "text/xml") - self.send_header("Content-length", str(len(response))) - self.end_headers() - self.wfile.write(response) - - # shut down the connection - self.wfile.flush() - self.connection.shutdown() # Modified here! + response = self.api.prepare_response(fault) + #self.send_response(500) + #self.end_headers() + + # got a valid response + self.send_response(200) + self.send_header("Content-type", "text/xml") + self.send_header("Content-length", str(len(response))) + self.end_headers() + self.wfile.write(response) + + # shut down the connection + self.wfile.flush() + self.connection.shutdown() # Modified here! ## # Taken from the web (XXX find reference). Implements an HTTPS xmlrpc server @@ -149,9 +149,12 @@ class SecureXMLRPCServer(BaseHTTPServer.HTTPServer,SimpleXMLRPCServer.SimpleXMLR SimpleXMLRPCServer.SimpleXMLRPCDispatcher.__init__(self, True, None) SocketServer.BaseServer.__init__(self, server_address, HandlerClass) ctx = SSL.Context(SSL.SSLv23_METHOD) - ctx.use_privatekey_file(key_file) + ctx.use_privatekey_file(key_file) ctx.use_certificate_file(cert_file) + # If you wanted to verify certs against known CAs.. this is how you would do it + #ctx.load_verify_locations('/etc/sfa/trusted_roots/plc.gpo.gid') ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback) + ctx.set_verify_depth(5) ctx.set_app_data(self) self.socket = SSL.Connection(ctx, socket.socket(self.address_family, self.socket_type)) @@ -267,7 +270,6 @@ class SfaServer(threading.Thread): def noop(self, cred, anything): self.decode_authentication(cred) - return anything ##