X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Futil%2Fserver.py;h=b5a966d9e566e9c13b3d2b9223f3284f03e9924c;hb=bfcea75fd4f7d91b186f4f0e479db0e6f0a231ae;hp=fece14ffc38e94adafb67eada0d4d45c70c52009;hpb=7cc85671dcb4c1dd8a564bb18110653061e0ab95;p=sfa.git diff --git a/sfa/util/server.py b/sfa/util/server.py index fece14ff..b5a966d9 100644 --- a/sfa/util/server.py +++ b/sfa/util/server.py @@ -19,11 +19,13 @@ import SimpleHTTPServer import SimpleXMLRPCServer from OpenSSL import SSL from Queue import Queue + from sfa.trust.certificate import Keypair, Certificate from sfa.trust.credential import * from sfa.util.faults import * -from sfa.plc.api import SfaAPI -from sfa.util.debug import log +from sfa.plc.api import SfaAPI +from sfa.util.cache import Cache +from sfa.util.sfalogging import sfa_logger ## # Verification callback for pyOpenSSL. We do our own checking of keys because @@ -36,16 +38,6 @@ def verify_callback(conn, x509, err, depth, preverify): #print " preverified" return 1 - # we're only passing single certificates, not chains - if depth > 0: - #print " depth > 0 in verify_callback" - return 0 - - # create a Certificate object and load it from the client's x509 - ctx = conn.get_context() - server = ctx.get_app_data() - server.peer_cert = Certificate() - server.peer_cert.load_from_pyopenssl_x509(x509) # the certificate verification done by openssl checks a number of things # that we aren't interested in, so we look out for those error messages @@ -67,6 +59,10 @@ def verify_callback(conn, x509, err, depth, preverify): #print " X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY" return 1 + # allow chained certs with self-signed roots + if err == 19: + return 1 + # allow certs that are untrusted if err == 21: #print " X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE" @@ -96,42 +92,40 @@ class SecureXMLRpcRequestHandler(SimpleXMLRPCServer.SimpleXMLRPCRequestHandler): def do_POST(self): """Handles the HTTPS POST request. - It was copied out from SimpleXMLRPCServer.py and modified to shutdown the socket cleanly. + It was copied out from SimpleXMLRPCServer.py and modified to shutdown + the socket cleanly. """ try: - self.api = SfaAPI(peer_cert = self.server.peer_cert, + peer_cert = Certificate() + peer_cert.load_from_pyopenssl_x509(self.connection.get_peer_certificate()) + self.api = SfaAPI(peer_cert = peer_cert, interface = self.server.interface, key_file = self.server.key_file, - cert_file = self.server.cert_file) + cert_file = self.server.cert_file, + cache = self.cache) # get arguments request = self.rfile.read(int(self.headers["content-length"])) - # In previous versions of SimpleXMLRPCServer, _dispatch - # could be overridden in this class, instead of in - # SimpleXMLRPCDispatcher. To maintain backwards compatibility, - # check to see if a subclass implements _dispatch and dispatch - # using that method if present. - #response = self.server._marshaled_dispatch(request, getattr(self, '_dispatch', None)) remote_addr = (remote_ip, remote_port) = self.connection.getpeername() - self.api.remote_addr = remote_addr - response = self.api.handle(remote_addr, request) - - + self.api.remote_addr = remote_addr + response = self.api.handle(remote_addr, request, self.server.method_map) except Exception, fault: # This should only happen if the module is buggy # internal error, report as HTTP server error - self.send_response(500) - self.end_headers() - else: - # got a valid XML RPC response - self.send_response(200) - self.send_header("Content-type", "text/xml") - self.send_header("Content-length", str(len(response))) - self.end_headers() - self.wfile.write(response) - - # shut down the connection - self.wfile.flush() - self.connection.shutdown() # Modified here! + sfa_logger().log_exc("server.do_POST") + response = self.api.prepare_response(fault) + #self.send_response(500) + #self.end_headers() + + # got a valid response + self.send_response(200) + self.send_header("Content-type", "text/xml") + self.send_header("Content-length", str(len(response))) + self.end_headers() + self.wfile.write(response) + + # shut down the connection + self.wfile.flush() + self.connection.shutdown() # Modified here! ## # Taken from the web (XXX find reference). Implements an HTTPS xmlrpc server @@ -141,10 +135,14 @@ class SecureXMLRPCServer(BaseHTTPServer.HTTPServer,SimpleXMLRPCServer.SimpleXMLR It it very similar to SimpleXMLRPCServer but it uses HTTPS for transporting XML data. """ + sfa_logger().debug("SecureXMLRPCServer.__init__, server_address=%s, cert_file=%s"%(server_address,cert_file)) self.logRequests = logRequests self.interface = None self.key_file = key_file self.cert_file = cert_file + self.method_map = {} + # add cache to the request handler + HandlerClass.cache = Cache() #for compatibility with python 2.4 (centos53) if sys.version_info < (2, 5): SimpleXMLRPCServer.SimpleXMLRPCDispatcher.__init__(self) @@ -152,9 +150,12 @@ class SecureXMLRPCServer(BaseHTTPServer.HTTPServer,SimpleXMLRPCServer.SimpleXMLR SimpleXMLRPCServer.SimpleXMLRPCDispatcher.__init__(self, True, None) SocketServer.BaseServer.__init__(self, server_address, HandlerClass) ctx = SSL.Context(SSL.SSLv23_METHOD) - ctx.use_privatekey_file(key_file) + ctx.use_privatekey_file(key_file) ctx.use_certificate_file(cert_file) + # If you wanted to verify certs against known CAs.. this is how you would do it + #ctx.load_verify_locations('/etc/sfa/trusted_roots/plc.gpo.gid') ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback) + ctx.set_verify_depth(5) ctx.set_app_data(self) self.socket = SSL.Connection(ctx, socket.socket(self.address_family, self.socket_type)) @@ -167,6 +168,7 @@ class SecureXMLRPCServer(BaseHTTPServer.HTTPServer,SimpleXMLRPCServer.SimpleXMLR # the client. def _dispatch(self, method, params): + sfa_logger().debug("SecureXMLRPCServer._dispatch, method=%s"%method) try: return SimpleXMLRPCServer.SimpleXMLRPCDispatcher._dispatch(self, method, params) except: @@ -194,7 +196,7 @@ class ThreadPoolMixIn(SocketServer.ThreadingMixIn): Handle one request at a time until doomsday. """ # set up the threadpool - self.requests = Queue(self.numThreads) + self.requests = Queue() for x in range(self.numThreads): t = threading.Thread(target = self.process_request_thread) @@ -247,19 +249,20 @@ class SfaServer(threading.Thread): # @param cert_file certificate filename containing public key # (could be a GID file) - def __init__(self, ip, port, key_file, cert_file): + def __init__(self, ip, port, key_file, cert_file,interface): threading.Thread.__init__(self) self.key = Keypair(filename = key_file) self.cert = Certificate(filename = cert_file) #self.server = SecureXMLRPCServer((ip, port), SecureXMLRpcRequestHandler, key_file, cert_file) self.server = ThreadedServer((ip, port), SecureXMLRpcRequestHandler, key_file, cert_file) + self.server.interface=interface self.trusted_cert_list = None self.register_functions() - + sfa_logger().info("Starting SfaServer, interface=%s"%interface) ## # Register functions that will be served by the XMLRPC server. This - # function should be overrided by each descendant class. + # function should be overridden by each descendant class. def register_functions(self): self.server.register_function(self.noop) @@ -270,7 +273,6 @@ class SfaServer(threading.Thread): def noop(self, cred, anything): self.decode_authentication(cred) - return anything ##