#!/usr/bin/env plcsh
# checking ssl connection
# mimicks what PyCurl does

import sys
import pycurl

class check_ssl:

    def getpeername_post_request (self,local_peername) :
        methodname="GetPeerName"
        from PLC.GPG import gpg_sign
        signature = gpg_sign((),
                             self.options.PLC_ROOT_GPG_KEY,
                             self.options.PLC_ROOT_GPG_KEY_PUB,
                         methodname)
        post="""<?xml version='1.0'?>
<methodCall>
<methodName>GetPeerName</methodName>
<params>
<param>
<value><struct>
<member>
<name>AuthMethod</name>
<value><string>gpg</string></value>
</member>
<member>
<name>name</name>
<value><string>%s</string></value>
</member>
<member>
<name>signature</name>
<value><string>%s
</string></value>
</member>
</struct></value>
</param>
</params>
</methodCall>"""%(local_peername,signature)
        return post

    def check_url (self,url,local_peername,remote_peername,cert,timeout=10,verbose=1):
        curl=pycurl.Curl()
        curl.setopt(pycurl.NOSIGNAL, 1)
        
        # Follow redirections
        curl.setopt(pycurl.FOLLOWLOCATION, 1)
        curl.setopt(pycurl.URL, str(url))
        cert_path = str(cert)
        curl.setopt(pycurl.CAINFO, cert_path)
        curl.setopt(pycurl.SSL_VERIFYPEER, 2)

   # Set connection timeout
        if timeout:
            curl.setopt(pycurl.CONNECTTIMEOUT, timeout)
            curl.setopt(pycurl.TIMEOUT, timeout)

        curl.setopt(pycurl.VERBOSE, verbose)

    # Post request
        curl.setopt(pycurl.POST, 1)
        curl.setopt(pycurl.POSTFIELDS, self.getpeername_post_request(local_peername))

        import StringIO
        b = StringIO.StringIO()
        curl.setopt(pycurl.WRITEFUNCTION, b.write)

        try:
            curl.perform()
            errcode = curl.getinfo(pycurl.HTTP_CODE)
            response = b.getvalue()
            print 'xmlrpc answer',response
            if response.find('Failed') >= 0:
                print 'FAILURE : failed to authenticate ?'
                return False
            elif response.find(remote_peername) <0:
                print 'FAILURE : xmlrpc round trip OK but peername does not match'
                return False
            else:
                print 'SUCCESS'
                return True

        except pycurl.error, err:
            (errcode, errmsg) = err
            if errcode == 60:
                print 'FAILURE', "SSL certificate validation failed, %r"%(errmsg)
            elif errcode != 200:
                print 'FAILURE', "HTTP error %d, errmsg %r" % (errcode,errmsg)
            return False

    def main (self):
        from optparse import OptionParser
        usage="%prog [options] local-peername remote-peername cacert hostname [ .. hostname ]"
        parser=OptionParser(usage=usage)
        parser.add_option('-s','--secret',default='/etc/planetlab/secring.gpg',
                          dest='PLC_ROOT_GPG_KEY',
                          help='local GPG secret ring')
        parser.add_option('-p','--public',default='/etc/planetlab/pubring.gpg',
                          dest='PLC_ROOT_GPG_KEY_PUB',
                          help='local GPG public ring')
        (self.options, args) = parser.parse_args()

        if len(args) < 4:
            parser.print_help()
            sys.exit(2)
        arg=0
        local_peername=args[arg] ; arg+=1
        remote_peername=args[arg] ; arg+=1
        cacert=args[arg]; arg+=1
        ok=False
        for hostname in args[arg:]:
# this does not seem to make any difference
#            for url_format in [ 'https://%s:443/PLCAPI/' , 'https://%s/PLCAPI/' ]:
            for url_format in [ 'https://%s/PLCAPI/' ]:
                url=url_format%hostname
                print '============================== Checking url=',url
                if self.check_url(url,local_peername,remote_peername,cacert):
                    ok=True
        if ok:
            return 0
        else:
            return 1
            
if __name__ == '__main__':
    sys.exit(check_ssl().main())