Beispiel #1
0
    def _doCertificateLogon(self, request):
        """Attempt to logon using the client certificate
        
        This can only succeed if:
        * the client certificate CN matches a username 
        * cert_logins is not disabled in the configuration file
        """
        from ccsd_session import startSession, startBasicSession
        from crcnetd.modules.ccs_contact import getUserCache
        
        # Check incoming peer certificate
        cert = request.channel.transport.socket.get_peer_certificate()
        subj = cert.get_subject()
        domain = config_get('network','domain', '')
        username = "******" % (subj.CN , domain)

        allow_login = config_getboolean(None, "cert_logins", True)
        if not allow_login:
            None
            # CN matches a MAC address
            #return startBasicSession(username, SESSION_RW)
        
        # Does the CN match a username?
        users = getUserCache(ADMIN_SESSION_ID)
        if username in users.keys():
            if users[username]["enabled"]:
                # Make sure a session exists for the user
                return startSession(users[username]['login_id'], SESSION_RW)
            
        # CN matches a MAC address
        #return startBasicSession(username, SESSION_RW)
        return None
Beispiel #2
0
def initSessions():
    global sessionLock
    try:
        # Get database connection parameters
        _dhost = config_get("database", "host")
        ccsd_session.dhost = _dhost!="" and _dhost or None
	log_info("host = %s" % ccsd_session.dhost)

        _ddatabase = config_get("database", "database")
        ccsd_session.database = _ddatabase!="" and _ddatabase or None
	log_info("database = %s" % ccsd_session.database)

        _duser = config_get("database", "user")
        ccsd_session.duser = _duser!="" and _duser or None
	log_info("duser = %s" % ccsd_session.duser)

        _dpass = config_get("database", "password")
        ccsd_session.dpass = _dpass!="" and _dpass or None

        # Does the admin want us to log query times
        ccsd_session.log_times = config_getboolean(None, "log_db_times", False)

        # Create a program wide 'admin' session which is always present
        ccsd_session.sessions[ADMIN_SESSION_ID] = \
                ccsd_session("admin", SESSION_RW, "", -1, -1, ADMIN_SESSION_ID)

        # Load any other saved sessions
        ccsd_session.sessions.update(loadSessions())
        
        # Initialise the lock
        sessionLock = threading.RLock()

        log_info("Successfully loaded sessions")
    except:
        log_fatal("Failed to load initial program state!", sys.exc_info())    
Beispiel #3
0
def startCCSDServer(key, cert, cacert):
    """Initialises the CCSD Server.

    This function never returns as it enters the twisted mainloop
    """

    try:           
        # Local networks
        localnets = config_get(None, "local_networks", "127.0.0.0/8")

        # Register standard HTTP XMLRPC handler for local requests
        registerHTTPResource("RPC2", ccsd_local_xmlrpc, 
                localnets=localnets.split(","))

        # Register HTTPS XMLRPC Handler
        use_ssl = config_getboolean(None, "use_ssl", True)
        if use_ssl:
            registerHTTPSResource("RPC2", ccsd_xmlrpc)

        # Setup XMLRPC Handler configuration
        ccsd_xmlrpc.log_times = config_get(None, "log_times", None)
        ccsd_xmlrpc.profile = config_getboolean(None, "profile", False)
        ccsd_xmlrpc.prof_dir = config_get(None, "profile_dir", \
                DEFAULT_PROFILE_DIR)
        ccsd_xmlrpc.log_threads = config_get(None, "log_threads", None)
        ccsd_xmlrpc.max_threads = config_getint(None, "max_threads", 
                DEFAULT_MAX_THREADS)

        # SSL Context
        class SCF:
            def __init__(self, key, cert, cacert):
                self.mKey = key
                self.mCert = cert
                self.mCACert = cacert
                
            def verify(self, conn, cert, errnum, depth, ok):
                """Checks the certificate of an incoming connection"""
                # If there is already an error bail now
                if not ok:
                    return ok
                
                # Only perform further verification on client certs
                if depth>0:
                    return ok
                
                # At this point we know the certificate is signed by a 
                # trusted CA, check the issuer OU matches the incoming cert
                # OU and the incoming cert is not a server cert
                # XXX: Should look at using something like nsCertType rather
                # than the CN field for this.
                s = cert.get_subject()
                i = cert.get_issuer()
                if s.OU != i.OU:
                    log_warn("Rejected incoming connection from invalid " 
                            "SSL cert (%s). OU did not match." % s)
                    return 0
                if s.CN == "server":
                    log_warn("Rejected incoming connection from server SSL "
                            "cert (%s)." % s)
                    return 0
                return 1
                
            def getContext(self):
                """Create an SSL context."""
                ctx = SSL.Context(SSL.SSLv2_METHOD)
                # Add the CA certificate(s)
                store = ctx.get_cert_store()
                for cert in self.mCACert:
                    store.add_cert(cert)
                # Load the private key and certificate
                ctx.use_privatekey(self.mKey)
                ctx.use_certificate(self.mCert)
                ctx.set_verify(SSL.VERIFY_PEER | 
                        SSL.VERIFY_FAIL_IF_NO_PEER_CERT, self.verify)
                ctx.set_verify_depth(len(self.mCACert))
                return ctx

        # Port and logfile
        http_port = int(config_get(None, "http_port", 
            DEFAULT_HTTP_SERVER_PORT))
        https_port = int(config_get(None, "https_port", 
            DEFAULT_HTTPS_SERVER_PORT))
        logfile = config_get(None, "request_log", DEFAULT_REQUEST_LOG)

        # Pass off control to Twisted's mainloop
        threadable.init()
        suggestThreadpoolSize(ccsd_xmlrpc.max_threads)
        reactor.listenTCP(http_port, server.Site(_http_root, logfile))
        if use_ssl:
            reactor.listenSSL(https_port, server.Site(_https_root, logfile), \
                    SCF(key, cert, cacert))
        reactor.addSystemEventTrigger("before", "shutdown", shutdownHandler)
        log_info("Server Started. Ready to serve requests...")
    except:
        log_fatal("Could not initialise the server!", sys.exc_info())

    reactor.run()
Beispiel #4
0
def registerResource(path, res_class, **kwargs):
    """Registers a resource for both HTTP and HTTPS access"""
    registerHTTPResource(path, res_class, **kwargs)
    use_ssl = config_getboolean(None, "use_ssl", True)
    if use_ssl:
        registerHTTPSResource(path, res_class, **kwargs)