2 # This module implements a general-purpose server layer for sfa.
3 # The same basic server should be usable on the registry, component, or
6 # TODO: investigate ways to combine this with existing PLC server?
9 ### $Id: server.py 18501 2010-07-09 20:20:48Z tmack $
10 ### $URL: http://svn.planet-lab.org/svn/sfa/trunk/sfa/util/server.py $
18 import SimpleHTTPServer
19 import SimpleXMLRPCServer
20 from OpenSSL import SSL
21 from Queue import Queue
22 from sfa.trust.certificate import Keypair, Certificate
23 from sfa.trust.credential import *
24 from sfa.util.faults import *
25 from sfa.plc.api import SfaAPI
26 from sfa.util.cache import Cache
27 from sfa.util.debug import log
28 from sfa.util.sfalogging import logger
30 # Verification callback for pyOpenSSL. We do our own checking of keys because
31 # we have our own authentication spec. Thus we disable several of the normal
32 # prohibitions that OpenSSL places on certificates
34 def verify_callback(conn, x509, err, depth, preverify):
35 # if the cert has been preverified, then it is ok
41 # the certificate verification done by openssl checks a number of things
42 # that we aren't interested in, so we look out for those error messages
45 # XXX SMBAKER: I don't know what this error is, but it's being returned
48 #print " X509_V_ERR_CERT_NOT_YET_VALID"
51 # allow self-signed certificates
53 #print " X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT"
56 # allow certs that don't have an issuer
58 #print " X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY"
61 # allow chained certs with self-signed roots
65 # allow certs that are untrusted
67 #print " X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE"
70 # allow certs that are untrusted
72 #print " X509_V_ERR_CERT_UNTRUSTED"
75 print " error", err, "in verify_callback"
80 # taken from the web (XXX find reference). Implents HTTPS xmlrpc request handler
81 class SecureXMLRpcRequestHandler(SimpleXMLRPCServer.SimpleXMLRPCRequestHandler):
82 """Secure XML-RPC request handler class.
84 It it very similar to SimpleXMLRPCRequestHandler but it uses HTTPS for transporting XML data.
87 self.connection = self.request
88 self.rfile = socket._fileobject(self.request, "rb", self.rbufsize)
89 self.wfile = socket._fileobject(self.request, "wb", self.wbufsize)
92 """Handles the HTTPS POST request.
94 It was copied out from SimpleXMLRPCServer.py and modified to shutdown
98 peer_cert = Certificate()
99 peer_cert.load_from_pyopenssl_x509(self.connection.get_peer_certificate())
100 self.api = SfaAPI(peer_cert = peer_cert,
101 interface = self.server.interface,
102 key_file = self.server.key_file,
103 cert_file = self.server.cert_file,
106 request = self.rfile.read(int(self.headers["content-length"]))
107 remote_addr = (remote_ip, remote_port) = self.connection.getpeername()
108 self.api.remote_addr = remote_addr
109 response = self.api.handle(remote_addr, request, self.server.method_map)
110 except Exception, fault:
111 # This should only happen if the module is buggy
112 # internal error, report as HTTP server error
113 traceback.print_exc()
114 response = self.api.prepare_response(fault)
115 #self.send_response(500)
118 # got a valid response
119 self.send_response(200)
120 self.send_header("Content-type", "text/xml")
121 self.send_header("Content-length", str(len(response)))
123 self.wfile.write(response)
125 # shut down the connection
127 self.connection.shutdown() # Modified here!
130 # Taken from the web (XXX find reference). Implements an HTTPS xmlrpc server
131 class SecureXMLRPCServer(BaseHTTPServer.HTTPServer,SimpleXMLRPCServer.SimpleXMLRPCDispatcher):
132 def __init__(self, server_address, HandlerClass, key_file, cert_file, logRequests=True):
133 """Secure XML-RPC server.
135 It it very similar to SimpleXMLRPCServer but it uses HTTPS for transporting XML data.
137 self.logRequests = logRequests
138 self.interface = None
139 self.key_file = key_file
140 self.cert_file = cert_file
142 # add cache to the request handler
143 HandlerClass.cache = Cache()
144 #for compatibility with python 2.4 (centos53)
145 if sys.version_info < (2, 5):
146 SimpleXMLRPCServer.SimpleXMLRPCDispatcher.__init__(self)
148 SimpleXMLRPCServer.SimpleXMLRPCDispatcher.__init__(self, True, None)
149 SocketServer.BaseServer.__init__(self, server_address, HandlerClass)
150 ctx = SSL.Context(SSL.SSLv23_METHOD)
151 ctx.use_privatekey_file(key_file)
152 ctx.use_certificate_file(cert_file)
153 # If you wanted to verify certs against known CAs.. this is how you would do it
154 #ctx.load_verify_locations('/etc/sfa/trusted_roots/plc.gpo.gid')
155 ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback)
156 ctx.set_verify_depth(5)
157 ctx.set_app_data(self)
158 self.socket = SSL.Connection(ctx, socket.socket(self.address_family,
161 self.server_activate()
165 # Convert an exception on the server to a full stack trace and send it to
168 def _dispatch(self, method, params):
170 return SimpleXMLRPCServer.SimpleXMLRPCDispatcher._dispatch(self, method, params)
172 # can't use format_exc() as it is not available in jython yet
174 type, value, tb = sys.exc_info()
175 raise xmlrpclib.Fault(1,''.join(traceback.format_exception(type, value, tb)))
177 ## From Active State code: http://code.activestate.com/recipes/574454/
178 # This is intended as a drop-in replacement for the ThreadingMixIn class in
179 # module SocketServer of the standard lib. Instead of spawning a new thread
180 # for each request, requests are processed by of pool of reusable threads.
181 class ThreadPoolMixIn(SocketServer.ThreadingMixIn):
183 use a thread pool instead of a new thread on every request
185 # XX TODO: Make this configurable
187 # numThreads = config.SFA_SERVER_NUM_THREADS
189 allow_reuse_address = True # seems to fix socket.error on server restart
191 def serve_forever(self):
193 Handle one request at a time until doomsday.
195 # set up the threadpool
196 self.requests = Queue()
198 for x in range(self.numThreads):
199 t = threading.Thread(target = self.process_request_thread)
205 self.handle_request()
210 def process_request_thread(self):
212 obtain request from queue instead of directly from server socket
215 SocketServer.ThreadingMixIn.process_request_thread(self, *self.requests.get())
218 def handle_request(self):
220 simply collect requests and put them on the queue for the workers.
223 request, client_address = self.get_request()
226 if self.verify_request(request, client_address):
227 self.requests.put((request, client_address))
229 class ThreadedServer(ThreadPoolMixIn, SecureXMLRPCServer):
232 # Implements an HTTPS XML-RPC server. Generally it is expected that SFA
233 # functions will take a credential string, which is passed to
234 # decode_authentication. Decode_authentication() will verify the validity of
235 # the credential, and verify that the user is using the key that matches the
236 # GID supplied in the credential.
238 class SfaServer(threading.Thread):
241 # Create a new SfaServer object.
243 # @param ip the ip address to listen on
244 # @param port the port to listen on
245 # @param key_file private key filename of registry
246 # @param cert_file certificate filename containing public key
247 # (could be a GID file)
249 def __init__(self, ip, port, key_file, cert_file):
250 threading.Thread.__init__(self)
251 self.key = Keypair(filename = key_file)
252 self.cert = Certificate(filename = cert_file)
253 #self.server = SecureXMLRPCServer((ip, port), SecureXMLRpcRequestHandler, key_file, cert_file)
254 self.server = ThreadedServer((ip, port), SecureXMLRpcRequestHandler, key_file, cert_file)
255 self.trusted_cert_list = None
256 self.register_functions()
260 # Register functions that will be served by the XMLRPC server. This
261 # function should be overridden by each descendant class.
263 def register_functions(self):
264 self.server.register_function(self.noop)
267 # Sample no-op server function. The no-op function decodes the credential
268 # that was passed to it.
270 def noop(self, cred, anything):
271 self.decode_authentication(cred)
275 # Execute the server, serving requests forever.
278 self.server.serve_forever()