From 2b8fb7af76b173ad4ad6583dbedbdf11a49f9549 Mon Sep 17 00:00:00 2001 From: Thierry Parmentelat Date: Fri, 29 Mar 2019 17:12:54 +0100 Subject: [PATCH] simple_ssl_context() is now a helper exposed in module sfa.util.ssl + various mis-spells os certificate
---
 config/default_config.xml | 2 +-
 docs/pythondoc-cert.html | 6 +++---
 sfa/client/manifolduploader.py | 26 +++++++-------------------
 sfa/client/sfaserverproxy.py | 19 +++++++------------
 sfa/planetlab/plshell.py | 9 +++------
 sfa/trust/certificate.py | 7 +++----
 sfa/util/ssl.py | 9 +++++++++
 7 files changed, 33 insertions(+), 45 deletions(-)
 create mode 100644 sfa/util/ssl.py
diff --git a/config/default_config.xml b/config/default_config.xml
index edeec256..d31e5258 100644
--- a/config/default_config.xml
+++ b/config/default_config.xml
@@ -65,7 +65,7 @@ Thierry Parmentelat Data Directory /var/lib/sfa/
- Directory where cached certficiates and other data is stored.
+ Directory where cached certificates and other data is stored.
diff --git a/docs/pythondoc-cert.html b/docs/pythondoc-cert.html
index efff287f..254acbda 100644
--- a/docs/pythondoc-cert.html
+++ b/docs/pythondoc-cert.html
@@ -57,10 +57,10 @@ If subject!=None, then create a blank certificate and set it's subject name.
string
-If string!=None, load the certficate from the string.
+If string!=None, load the certificate from the string.
filename
-If filename!=None, load the certficiate from the file.
+If filename!=None, load the certificate from the file.
add_extension(name, critical, value) [#]
@@ -179,7 +179,7 @@ String containing the name of the issuer
set_parent(p) [#]
-

Set the parent certficiate.

+

Set the parent certificate.

p
diff --git a/sfa/client/manifolduploader.py b/sfa/client/manifolduploader.py
index 8d1d74eb..510382fd 100755
--- a/sfa/client/manifolduploader.py
+++ b/sfa/client/manifolduploader.py
@@ -22,20 +22,15 @@
 # so the defaults below are of no real importance
 # this for now points at demo.myslice.info, but sounds like a
 # better default for the long run
-DEFAULT_URL = "http://myslice.onelab.eu:7080"
-DEFAULT_PLATFORM = 'ple'
-
-# starting with 2.7.9 we need to turn off server verification
-import ssl
-try:
- turn_off_server_verify = {'context': ssl._create_unverified_context()}
-except:
- turn_off_server_verify = {}
-
 import getpass
 import xmlrpc.client
+from sfa.util.ssl import simple_ssl_context
+
+DEFAULT_URL = "http://myslice.onelab.eu:7080"
+DEFAULT_PLATFORM = 'ple'
+
 class ManifoldUploader:
 """A utility class for uploading delegated credentials to a manifold/MySlice infrastructure"""
@@ -88,17 +83,10 @@ class ManifoldUploader:
 # won't be happy with several calls issued in the same session
 # so we do not cache this one
 def proxy(self):
- # if not self._proxy:
- # url=self.url()
- # self.logger.info("Connecting manifold url %s"%url)
- # self._proxy = xmlrpc.client.ServerProxy(url, allow_none = True)
- # return self._proxy
 url = self.url()
 self.logger.debug("Connecting manifold url %s" % url)
- proxy = xmlrpc.client.ServerProxy(url, allow_none=True,
- **turn_off_server_verify)
-
- return proxy
+ return xmlrpc.client.ServerProxy(url, allow_none=True,
+ context=simple_ssl_context())
 # does the job for one credential
 # expects the credential (string) and an optional message (e.g. hrn) for reporting
diff --git a/sfa/client/sfaserverproxy.py b/sfa/client/sfaserverproxy.py
index 457a1d25..6c11ee06 100644
--- a/sfa/client/sfaserverproxy.py
+++ b/sfa/client/sfaserverproxy.py
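Review bot: `proxy()` now silently hands every ServerProxy a context that disables server-certificate verification, so the delegated credentials this class exists to upload (per its docstring) are sent to whatever server answers for an https `url`, and a caller has no way to opt back into verification. Note that with the http `DEFAULT_URL` the `context` keyword is simply unused, so it only takes effect on exactly the URLs where verification would matter. If `simple_ssl_context()` ever grows a verification switch, pass it through from the uploader (e.g. `context=simple_ssl_context(verify=self.verify)` backed by a constructor flag); until then the intent deserves a comment in `proxy()` such as `# NOTE: server certificate is NOT verified (see sfa.util.ssl); credentials are exposed to an active MITM`. The rest of ManifoldUploader is outside the hunk, so I cannot tell whether a verification setting already exists on it.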
@@ -1,11 +1,6 @@
 # XMLRPC-specific code for SFA Client
-# starting with 2.7.9 we need to turn off server verification
-import ssl
-try:
- turn_off_server_verify = {'context': ssl._create_unverified_context()}
-except:
- turn_off_server_verify = {}
+from sfa.util.ssl import simple_ssl_context
 import xmlrpc.client
 import http.client
@@ -55,9 +50,9 @@ class XMLRPCTransport(xmlrpc.client.Transport):
 # create a HTTPS connection object from a host descriptor
 # host may be a string, or a (host, x509-dict) tuple
 host, extra_headers, x509 = self.get_host_info(host)
- conn = http.client.HTTPSConnection(host, None, key_file=self.key_file,
- cert_file=self.cert_file,
- **turn_off_server_verify)
+ conn = http.client.HTTPSConnection(
+ host, None, key_file=self.key_file,
+ cert_file=self.cert_file, context=simple_ssl_context())
 # Some logic to deal with timeouts. It appears that some (or all) versions
 # of python don't set the timeout after the socket is created. We'll do it
@@ -90,9 +85,9 @@ class XMLRPCServerProxy(xmlrpc.client.ServerProxy):
 # remember url for GetVersion
 # xxx not sure this is still needed as SfaServerProxy has this too
 self.url = url
- xmlrpc.client.ServerProxy.__init__(self, url, transport, allow_none=allow_none,
- verbose=verbose,
- **turn_off_server_verify)
+ xmlrpc.client.ServerProxy.__init__(
+ self, url, transport, allow_none=allow_none,
+ context=simple_ssl_context(), verbose=verbose)
 def __getattr__(self, attr):
 logger.debug("xml-rpc %s method:%s" % (self.url, attr))
diff --git a/sfa/planetlab/plshell.py b/sfa/planetlab/plshell.py
index 1dd1773f..38062492 100644
--- a/sfa/planetlab/plshell.py
+++ b/sfa/planetlab/plshell.py
@@ -4,7 +4,7 @@ import socket
 from urllib.parse import urlparse
 from sfa.util.sfalogging import logger
-
+from sfa.util.ssl import simple_ssl_context
 class PlShell:
 """
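Review bot: The new `HTTPSConnection(...)` call still passes `key_file=`/`cert_file=` alongside `context=`; those two parameters have been deprecated since Python 3.6 and are removed in 3.12, so this connection-building method will raise `TypeError` on newer interpreters. Load the client certificate into the context instead: `ctx = simple_ssl_context()`, `ctx.load_cert_chain(self.cert_file, self.key_file)`, `conn = http.client.HTTPSConnection(host, None, context=ctx)`. Guard the `load_cert_chain` call on `self.cert_file` being set if this transport can be built without a client certificate, which I cannot tell from the hunk. Note the asymmetry the context creates: the client certificate authenticates SFA to the server, while `CERT_NONE` means nothing authenticates the server to SFA. The enclosing method starts and ends outside the hunk.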
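Review bot: The `context=simple_ssl_context()` keyword added to the `xmlrpc.client.ServerProxy.__init__` call has no effect whenever `transport` is not `None`: `ServerProxy` only uses `context` to build its own `SafeTransport`, and otherwise accepts and ignores it, so the TLS behaviour of this proxy is whatever `transport` does. If `transport` here is always an XMLRPCTransport, the argument can simply be dropped to avoid suggesting a setting that is not applied; otherwise add a comment stating which path governs verification, e.g. `# context is only honoured when transport is None`. `__init__` starts outside the hunk, so I cannot see how `transport` is constructed.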
@@ -89,12 +89,9 @@ class PlShell:
 'Username': str(config.SFA_PLC_USER),
 'AuthString': str(config.SFA_PLC_PASSWORD),
 }
- # minimal verification for backwards compat
- import ssl
- ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
- ssl_context.verify_mode = ssl.CERT_NONE
 self.proxy = xmlrpc.client.ServerProxy(
- url, verbose=False, allow_none=True, context=ssl_context)
+ url, verbose=False, allow_none=True,
+ context=simple_ssl_context())
 def __getattr__(self, name):
 def func(*args, **kwds):
diff --git a/sfa/trust/certificate.py b/sfa/trust/certificate.py
index d0d36d53..a0e3a70e 100644
--- a/sfa/trust/certificate.py
+++ b/sfa/trust/certificate.py
@@ -189,7 +189,6 @@ class Keypair:
 # public key.
 def load_from_file(self, filename):
- logger.info(f"opening (unknown) from certficate.load_from_file")
 self.filename = filename
 buffer = open(filename, 'r').read()
 self.load_from_string(buffer)
@@ -358,8 +357,8 @@ class Certificate:
 # @param create If create==True, then also create a blank X509 certificate.
 # @param subject If subject!=None, then create a blank certificate and set
 # it's subject name.
- # @param string If string!=None, load the certficate from the string.
- # @param filename If filename!=None, load the certficiate from the file.
+ # @param string If string!=None, load the certificate from the string.
+ # @param filename If filename!=None, load the certificate from the file.
 # @param isCA If !=None, set whether this cert is for a CA
 def __init__(self, lifeDays=1825, create=False, subject=None, string=None,
@@ -804,7 +803,7 @@ class Certificate:
 return result
 ##
- # Set the parent certficiate.
+ # Set the parent certificate.
 #
 # @param p certificate object.
diff --git a/sfa/util/ssl.py b/sfa/util/ssl.py
new file mode 100644
index 00000000..6ecf8d48
--- /dev/null
+++ b/sfa/util/ssl.py
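Review bot: This call sends `config.SFA_PLC_PASSWORD` as `AuthString` through a ServerProxy whose context comes from `simple_ssl_context()`, i.e. `verify_mode = CERT_NONE` and no hostname check, so anyone able to intercept the connection to the PLC API can present any certificate and capture the PLC credentials. The removed lines behaved the same, but the old `# minimal verification for backwards compat` comment was the only warning and the new code carries none. Make verification the normal path and the insecure context an explicit opt-in, e.g. `context=simple_ssl_context(verify=verify_server)` driven by a new config setting, and until that exists keep the risk visible with `# NOTE: server certificate is NOT verified; PLC password is exposed to an active MITM`. The enclosing method starts outside the hunk.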
@@ -0,0 +1,9 @@
+import ssl
+
+def simple_ssl_context():
+ """
+ an SSL context that turns off server verification
+ """
+ ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ ssl_context.verify_mode = ssl.CERT_NONE
+ return ssl_context
-- 
2.43.0
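Review bot: The new helper's name and docstring understate what it does: with `verify_mode = CERT_NONE` on a `PROTOCOL_TLS` context (whose `check_hostname` is already off), the returned context authenticates nothing about the peer, and because it takes no arguments every caller in this patch is now locked into that, including the one that ships the PLC password. Give the helper a verification switch that keeps today's behaviour as the default so callers are unchanged, builds a hardened context from `ssl.create_default_context()` when asked, and says plainly in the docstring that the default is insecure, as sketched below; the default can then be flipped to `verify=True` once a config knob exists. `PROTOCOL_TLS` is deprecated in newer Pythons in favour of `PROTOCOL_TLS_CLIENT`, where `check_hostname` must be cleared before `verify_mode` can be set to `CERT_NONE`, which is why the sketch sets it explicitly. Naming the module `ssl.py` next to `import ssl` is fine under absolute imports, but it will shadow the stdlib if `sfa/util` ever lands on `sys.path` directly; a name like `tls_context.py` avoids that.

```python
def simple_ssl_context(verify=False, cafile=None):
    """
    Build the SSLContext used by SFA's XML-RPC clients.

    verify=False (the default, for compatibility with existing callers)
    disables certificate AND hostname verification: the peer is not
    authenticated at all, so credentials sent over the connection are
    exposed to an active man-in-the-middle.  Pass verify=True, with an
    optional CA bundle, to get a hardened default context instead.
    """
    if verify:
        return ssl.create_default_context(cafile=cafile)
    ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
    # must be cleared before verify_mode on PROTOCOL_TLS_CLIENT contexts
    ssl_context.check_hostname = False
    ssl_context.verify_mode = ssl.CERT_NONE
    return ssl_context
```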