def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=None,
ca_certs=None, server_hostname=None,
ssl_version=None, ciphers=None):
"""
All arguments except `server_hostname` have the same meaning as for
:func:`ssl.wrap_socket`
:param server_hostname:
Hostname of the expected certificate
"""
context = SSLContext(ssl_version)
context.verify_mode = cert_reqs
# Disable TLS compression to migitate CRIME attack (issue #309)
OP_NO_COMPRESSION = 0x20000
context.options |= OP_NO_COMPRESSION
if ca_certs:
try:
context.load_verify_locations(ca_certs)
# Py32 raises IOError
# Py33 raises FileNotFoundError
except Exception as e: # Reraise as SSLError
raise SSLError(e)
if certfile:
# FIXME: This block needs a test.
context.load_cert_chain(certfile, keyfile)
if ciphers:
context.set_ciphers(ciphers)
if HAS_SNI: # Platform-specific: OpenSSL with enabled SNI
return context.wrap_socket(sock, server_hostname=server_hostname)
return context.wrap_socket(sock)
def create_urllib3_context(ssl_version=None, cert_reqs=None,
options=None, ciphers=None):
"""All arguments have the same meaning as ``ssl_wrap_socket``.
By default, this function does a lot of the same work that
``ssl.create_default_context`` does on Python 3.4+. It:
- Disables SSLv2, SSLv3, and compression
- Sets a restricted set of server ciphers
If you wish to enable SSLv3, you can do::
from urllib3.util import ssl_
context = ssl_.create_urllib3_context()
context.options &= ~ssl_.OP_NO_SSLv3
You can do the same to enable compression (substituting ``COMPRESSION``
for ``SSLv3`` in the last line above).
:param ssl_version:
The desired protocol version to use. This will default to
PROTOCOL_SSLv23 which will negotiate the highest protocol that both
the server and your installation of OpenSSL support.
:param cert_reqs:
Whether to require the certificate verification. This defaults to
``ssl.CERT_REQUIRED``.
:param options:
Specific OpenSSL options. These default to ``ssl.OP_NO_SSLv2``,
``ssl.OP_NO_SSLv3``, ``ssl.OP_NO_COMPRESSION``.
:param ciphers:
Which cipher suites to allow the server to select.
:returns:
Constructed SSLContext object with specified options
:rtype: SSLContext
"""
context = SSLContext(ssl_version or ssl.PROTOCOL_SSLv23)
context.set_ciphers(ciphers or DEFAULT_CIPHERS)
# Setting the default here, as we may have no ssl module on import
cert_reqs = ssl.CERT_REQUIRED if cert_reqs is None else cert_reqs
if options is None:
options = 0
# SSLv2 is easily broken and is considered harmful and dangerous
options |= OP_NO_SSLv2
# SSLv3 has several problems and is now dangerous
options |= OP_NO_SSLv3
# Disable compression to prevent CRIME attacks for OpenSSL 1.0+
# (issue #309)
options |= OP_NO_COMPRESSION
context.options |= options
context.verify_mode = cert_reqs
if getattr(context, 'check_hostname', None) is not None: # Platform-specific: Python 3.2
# We do our own verification, including fingerprints and alternative
# hostnames. So disable it here
context.check_hostname = False
return context
def factory(uri, ssl=False, **init_args):
from urllib.parse import urlparse, unquote, parse_qs
o = urlparse(uri)
srv = None
if o.scheme == "irc" or o.scheme == "ircs":
# https://www.w3.org/Addressing/draft-mirashi-url-irc-01.txt
# https://www-archive.mozilla.org/projects/rt-messaging/chatzilla/irc-urls.html
args = init_args
if o.scheme == "ircs": ssl = True
if o.hostname is not None: args["host"] = o.hostname
if o.port is not None: args["port"] = o.port
if o.username is not None: args["username"] = o.username
if o.password is not None: args["password"] = o.password
modifiers = o.path.split(",")
target = unquote(modifiers.pop(0)[1:])
# Read query string
params = parse_qs(o.query)
if "msg" in params:
if "on_connect" not in args:
args["on_connect"] = []
args["on_connect"].append("PRIVMSG %s :%s" % (target, params["msg"]))
if "key" in params:
if "channels" not in args:
args["channels"] = []
args["channels"].append((target, params["key"]))
if "pass" in params:
args["password"] = params["pass"]
if "charset" in params:
args["encoding"] = params["charset"]
#
if "channels" not in args and "isnick" not in modifiers:
args["channels"] = [ target ]
from nemubot.server.IRC import IRC as IRCServer
srv = IRCServer(**args)
if ssl:
try:
from ssl import create_default_context
context = create_default_context()
except ImportError:
# Python 3.3 compat
from ssl import SSLContext, PROTOCOL_TLSv1
context = SSLContext(PROTOCOL_TLSv1)
from ssl import wrap_socket
srv._fd = context.wrap_socket(srv._fd, server_hostname=o.hostname)
return srv
def __init__(self, server_address, HandlerClass, dir):
super().__init__(server_address, HandlerClass, bind_and_activate=False)
ctx = SSLContext(PROTOCOL_TLSv1)
ctx.load_cert_chain(join(dir, 'server-cert.pem'), join(dir, 'server-key.pem'))
# ctx.load_verify_locations(join(dir, 'ca-cert.pem'))
self.socket = ctx.wrap_socket(self.socket, server_side=True)
self.server_bind()
self.server_activate()
def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=None,
ca_certs=None, server_hostname=None,
ssl_version=None):
"""
All arguments except `server_hostname` have the same meaning as for
:func:`ssl.wrap_socket`
:param server_hostname:
Hostname of the expected certificate
"""
context = SSLContext(ssl_version)
context.verify_mode = cert_reqs
if ca_certs:
try:
context.load_verify_locations(ca_certs)
# Py32 raises IOError
# Py33 raises FileNotFoundError
except Exception as e: # Reraise as SSLError
raise SSLError(e)
if certfile:
# FIXME: This block needs a test.
context.load_cert_chain(certfile, keyfile)
if HAS_SNI: # Platform-specific: OpenSSL with enabled SNI
return context.wrap_socket(sock, server_hostname=server_hostname)
return context.wrap_socket(sock)
def sslContext(trustStore: str, keyStore: str) -> SSLContext:
sslContext = SSLContext(PROTOCOL_TLSv1_2)
sslContext.verify_mode = CERT_REQUIRED
storePath = "../../certificates/"
sslContext.load_verify_locations(storePath + trustStore)
sslContext.load_cert_chain(storePath + keyStore, password="******")
sslContext.set_ciphers("AES128-SHA")
return sslContext
def create_thriftpy_context(server_side=False, ciphers=None):
"""Backport create_default_context for older python versions.
The SSLContext has some default security options, you can disable them
manually, for example::
from thriftpy.transport import _ssl
context = _ssl.create_thriftpy_context()
context.options &= ~_ssl.OP_NO_SSLv3
You can do the same to enable compression.
"""
if MODERN_SSL:
if server_side:
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
else:
context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
if ciphers:
context.set_ciphers(ciphers)
else:
context = SSLContext(ssl.PROTOCOL_SSLv23)
context.options |= OP_NO_SSLv2
context.options |= OP_NO_SSLv3
context.options |= OP_NO_COMPRESSION
# server/client default options
if server_side:
context.options |= OP_CIPHER_SERVER_PREFERENCE
context.options |= OP_SINGLE_DH_USE
context.options |= OP_SINGLE_ECDH_USE
else:
context.verify_mode = ssl.CERT_REQUIRED
# context.check_hostname = True
warnings.warn(
"ssl check hostname support disabled, upgrade your python",
InsecurePlatformWarning)
# Platform-specific: Python 2.6
if getattr(context, 'supports_set_ciphers', True):
if ciphers:
context.set_ciphers(ciphers)
else:
warnings.warn("ssl ciphers support disabled, upgrade your python",
InsecurePlatformWarning)
return context
class secureStream(stream):
def __init__(self):
stream.createsocket(stream)
self.contxt = SSLContext(PROTOCOL_TLSv1_2)
self.contxt.verify_mode = CERT_REQUIRED
self.contxt.load_default_certs()
def connect(self,host,port):
self.connection.settimeout(15)
self.connection.connect((host,port))
self.connection = self.contxt.wrap_socket(self.connection)#stream.connection
self.connection.settimeout(0)
def twitchconnect(self):
self.connect('api.twitch.tv',443)
def receive(self,buffer=4096):
try:
data = self.connection.recv(buffer).decode()
#print(data)#temporary
except:
return(None)
else:
return(data)
def transmit(self,data):
junk = self.receive()
data = data.encode()
try:
self.connection.sendall(data)
except ConnectionAbortedError:
print('Break detected!')
self.connection = None
self.connection = socket(AF_INET,SOCK_STREAM)
self.twitchconnect()
self.connection.settimeout(0)
except ConnectionResetError:
print('Break detected!')
self.connection = None
self.connection = socket(AF_INET,SOCK_STREAM)
self.twitchconnect()
self.connection.settimeout(0)
junk = None
def close(self):
self.connection.close()
def __init__(self, host: str, port: int, nicks: list, pwd: str, chans: list, op_pass: str,
use_ssl: bool=False, ssl_options: ssl.SSLContext=None,
encoding: str='utf-8'):
"""
Asynchronous IRC client
:param host: Server address
:param port: IRC Port
:param nicks: List of nicknames to try
:param pwd: NickServ password
:param use_ssl: Enable/Disable SSL
:param ssl_options: SSLContext object
:param encoding: Character encoding to use
"""
self.host = host
self.port = port
self.nicks = nicks
self.pwd = pwd
self.chans = chans
self.oper_pass = op_pass
self.ssl = use_ssl
self.encoding = encoding
self.__nickidx = 0
self.__handlers = {
b'PING': self.__ping,
b'NOTICE': self.__notice,
b'PRIVMSG': self.__privmsg,
b'PART': self.__part,
b'JOIN': self.__join,
b'MODE': self.__mode,
b'NICK': self.__nick,
b'QUIT': self.__quit,
b'KICK': self.__kick,
b'001': self.__welcome,
b'251': self.__user_count,
b'252': self.__op_count,
b'353': self.__namreply,
b'372': self.__motd,
b'376': self.__end_motd,
b'433': self.__nick_in_use,
b'900': self.__logged_in
}
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
if use_ssl:
if not ssl_options:
ssl_options = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
# IRC often has unsigned certs, by default do not verify
ssl_options.verify_mode = ssl.CERT_NONE
sock = ssl.wrap_socket(sock, do_handshake_on_connect=False)
self.stream = tornado.iostream.SSLIOStream(sock, ssl_options=ssl_options)
else:
self.stream = tornado.iostream.IOStream(sock)
self.stream.connect((self.host, self.port),
self.__initial_auth,
server_hostname=self.host)
def create_server(
callback=None,
host='127.0.0.1',
port=8000,
ssl=None,
loop=None,
**kargs
):
"""
This is a function to assist in the creation of a growler HTTP server.
@param host str: hostname or ip address on which to bind
@param port: the port on which the server will listen
@param ssl ssl.SSLContext: The SSLContext for using TLS over the connection
@param loop asyncio.BaseEventLoop: The event loop to
@param kargs: Extra parameters passed to the HTTPServer instance created.
If there is an ssl parameter passed to this function, kargs
will require the value 'key' to be present, and an optional
'cert' parameter to pass to load_cert_chain.
@return An HTTPServer instance
"""
loop = asyncio.get_event_loop() if loop is None else loop
if ssl:
sslctx = SSLContext(ssl.PROTOCOL_SSLv23)
key = kargs.pop('key')
try:
sslctx.load_cert_chain(certfile=kargs.pop('cert'), keyfile=key)
except KeyError:
sslctx.load_cert_chain(certfile=key)
else:
sslctx = None
# What do I use as a 'callback' here?
srv = HTTPServer(cb=callback,
loop=loop,
ssl=sslctx,
host=host,
port=port,
**kargs
)
return srv
def ssl_wrap_socket(sock, keyfile = None, certfile = None, cert_reqs = None, ca_certs = None, server_hostname = None, ssl_version = None):
context = SSLContext(ssl_version)
context.verify_mode = cert_reqs
OP_NO_COMPRESSION = 131072
context.options |= OP_NO_COMPRESSION
if ca_certs:
try:
context.load_verify_locations(ca_certs)
except Exception as e:
raise SSLError(e)
if certfile:
context.load_cert_chain(certfile, keyfile)
if HAS_SNI:
return context.wrap_socket(sock, server_hostname=server_hostname)
return context.wrap_socket(sock)
def __init__(self, localaddr, remoteaddr, ssl=False, certfile=None, keyfile=None, ssl_version=ssl.PROTOCOL_SSLv23, require_authentication=False, credential_validator=None, maximum_execution_time=30, process_count=5):
smtpd.SMTPServer.__init__(self, localaddr, remoteaddr)
self.logger = logging.getLogger( secure_smtpd.LOG_NAME )
self.certfile = certfile
self.keyfile = keyfile
self.ssl_version = ssl_version
self.subprocesses = []
self.require_authentication = require_authentication
self.credential_validator = credential_validator
self.ssl = ssl
self.maximum_execution_time = maximum_execution_time
self.process_count = process_count
self.process_pool = None
self.context = SSLContext(ssl_version)
self.context.load_cert_chain(certfile=certfile, keyfile=keyfile)
def onclickBtn1():
# Loop
while True:
# Read the video frame from the url
gcontext = SSLContext(PROTOCOL_TLSv1) # Only for gangstars
info = urlopen(url, context=gcontext).read()
imgNp = np.array(bytearray(info), dtype=np.uint8)
im = cv2.imdecode(imgNp, -1)
# Convert the captured frame into grayscale
gray = cv2.cvtColor(im, cv2.COLOR_BGR2GRAY)
# Get all face from the video frame
faces = faceCascade.detectMultiScale(gray, 1.3, 5)
# For each face in faces
for (x, y, w, h) in faces:
# Create rectangle around the face
cv2.rectangle(im, (x - 20, y - 20), (x + w + 20, y + h + 20),
(0, 255, 0), 4)
# Recognize the face belongs to which ID
Id, conf = recognizer.predict(gray[y:y + h, x:x + w])
# Check the ID if exist
if (Id == 1):
Id = "M.Samanci"
# # Uncomment this block if you want to recognize other faces, and replace with the id provided in face_datasets
elif (Id == 2):
Id = "Y.Emre.Kilic" # # Name of the other person you want to recognize
# #If not exist, then it is Unknown
# else:
# Id = "Unknown"
# Put text describe who is in the picture
cv2.rectangle(im, (x - 22, y - 90), (x + w + 22, y - 22),
(0, 255, 0), -1)
cv2.putText(im, str(Id), (x, y - 40), font, 1, (255, 255, 255), 3)
# Display the video frame with the bounded rectangle
cv2.imshow('im', im)
# If 'q' is pressed, close program
if cv2.waitKey(10) & 0xFF == ord('q'):
break
def secure(self, verify=True, hostname=None):
""" Apply a layer of security onto this connection.
"""
from ssl import SSLContext, PROTOCOL_TLS, CERT_NONE, CERT_REQUIRED
context = SSLContext(PROTOCOL_TLS)
if verify:
context.verify_mode = CERT_REQUIRED
context.check_hostname = bool(hostname)
else:
context.verify_mode = CERT_NONE
context.load_default_certs()
try:
self.__socket = context.wrap_socket(self.__socket,
server_hostname=hostname)
except (IOError, OSError):
# TODO: add connection failure/diagnostic callback
raise WireError(
"Unable to establish secure connection with remote peer")
def get_ssl_context(*args):
"""Create and return an SSLContext object."""
certfile, keyfile, ca_certs, cert_reqs = args
ctx = SSLContext(ssl.PROTOCOL_SSLv23)
if certfile is not None:
ctx.load_cert_chain(certfile, keyfile)
if ca_certs is not None:
ctx.load_verify_locations(ca_certs)
if cert_reqs is not None:
ctx.verify_mode = cert_reqs
return ctx
def ssl_wrap_socket(sock,
keyfile=None,
certfile=None,
cert_reqs=None,
ca_certs=None,
server_hostname=None,
ssl_version=None):
context = SSLContext(ssl_version)
context.verify_mode = cert_reqs
if ca_certs:
try:
context.load_verify_locations(ca_certs)
except Exception as e:
raise SSLError(e)
if certfile:
context.load_cert_chain(certfile, keyfile)
if HAS_SNI: #OpenSSL enabled SNI
return context.wrap_socket(sock, server_hostname=server_hostname)
return context.wrap_socket(sock)
async def on_ready(self):
print('Logged in as {0.id}/{0}'.format(self.user))
print('Dev mode state: ' + ('enabled' if dev else 'disabled'))
print('------')
self.dev = dev
self.load_extension("cogs.music")
self.load_extension("cogs.config")
self.pool = await asyncpg.create_pool(db, min_size=4, max_size=9, ssl=SSLContext())
query = """
SELECT * FROM config
"""
self.config = {r['guild_id']: dict(r) for r in await self.pool.fetch(query)}
if os.name != 'nt':
try:
discord.opus.load_opus("libopus.so.0.5.3")
except Exception as e:
print(f"Couldnt load opus:\n {e}\nThe bot might not work.")
def __init__(
self,
socket: SyncSocketStream,
backend: SyncBackend,
ssl_context: SSLContext = None,
):
self.socket = socket
self.ssl_context = SSLContext() if ssl_context is None else ssl_context
self.backend = backend
self.h2_state = h2.connection.H2Connection(config=self.CONFIG)
self.sent_connection_init = False
self.streams = {} # type: Dict[int, SyncHTTP2Stream]
self.events = {} # type: Dict[int, List[h2.events.Event]]
self.state = ConnectionState.ACTIVE
def __init__(
self,
ssl_context: SSLContext = None,
max_connections: int = None,
max_keepalive: int = None,
keepalive_expiry: float = None,
http2: bool = False,
):
self.ssl_context = SSLContext() if ssl_context is None else ssl_context
self.max_connections = max_connections
self.max_keepalive = max_keepalive
self.keepalive_expiry = keepalive_expiry
self.http2 = http2
self.connections: Dict[Origin, Set[SyncHTTPConnection]] = {}
self.thread_lock = ThreadLock()
self.backend = SyncBackend()
self.next_keepalive_check = 0.0
def check_authorization(request_handler):
"""
Assert whether the authorization header is valid by checking it against
the cache first and if unsuccessful, the oauth server. Sets the 'user'
field of the request_handler object.
:return: When successful returns user's name. Returns None on failure.
"""
auth_header = request_handler.headers.getheader('Authorization')
if auth_header is None:
getLogger('auth').debug(
"authentication failed: no Authorization header available",
extra=request_handler.get_log_dict())
return None
auth_url = config.get('oauth', 'verify_url', default=defaults.VERIFY_URL)
getLogger('auth').debug("verify_url: %s" % auth_url,
extra=request_handler.get_log_dict())
cache = TimedCache(timeout=0) # FIXME: Cache is broken
name = cache.get(auth_header)
if name is not None:
return name
auth_request = Request(auth_url, None, {'Authorization': auth_header})
try:
ctx = SSLContext(SSL_PROTOCOL)
response = urlopen(auth_request, context=ctx)
name = response.read()
except HTTPError as error:
if error.code == 403:
getLogger('auth').debug(
"authentication failed: Wrong/expired code",
extra=request_handler.get_log_dict())
else:
getLogger('auth').debug("authentication failed: HttpError %s" %
error,
extra=request_handler.get_log_dict())
name = ''
if name == '':
name = None
getLogger('auth').debug('authentication failed: response %s' % name,
extra=request_handler.get_log_dict())
else:
getLogger('auth').debug('Authenticated user: ' + name,
extra=request_handler.get_log_dict())
cache.add(auth_header, name)
return name
def get_remote_file(filename, verbose=True):
"""
INPUT:
- ``filename`` -- the URL of a file on the web, e.g.,
``"http://modular.math.washington.edu/myfile.txt"``
- ``verbose`` -- whether to display download status
OUTPUT:
creates a file in the temp directory and returns the absolute path
to that file.
EXAMPLES::
sage: url = 'https://www.sagemath.org/files/loadtest.py'
sage: g = get_remote_file(url, verbose=False) # optional - internet
sage: with open(g) as f: print(f.read()) # optional - internet
print("hi from the net")
<BLANKLINE>
print(2 + 3)
"""
if verbose:
print("Attempting to load remote file: " + filename)
from sage.misc.temporary_file import tmp_filename
temp_name = tmp_filename() + '.' + os.path.splitext(filename)[1][1:]
# IMPORTANT -- urllib takes a long time to load,
# so do not import it in the module scope.
req = Request(filename, headers={"User-Agent": "sage-doctest"})
if verbose:
print("Loading started")
content = urlopen(req, timeout=1, context=SSLContext())
with open(temp_name, 'wb') as f:
f.write(content.read())
if verbose:
print("Loading ended")
return temp_name
def __init__(
self,
ssl_context: SSLContext = None,
max_connections: int = None,
max_keepalive_connections: int = None,
keepalive_expiry: float = None,
http2: bool = False,
uds: str = None,
local_address: str = None,
retries: int = 0,
max_keepalive: int = None,
backend: Union[AsyncBackend, str] = "auto",
):
if max_keepalive is not None:
warnings.warn(
"'max_keepalive' is deprecated. Use 'max_keepalive_connections'.",
DeprecationWarning,
)
max_keepalive_connections = max_keepalive
if isinstance(backend, str):
backend = lookup_async_backend(backend)
self._ssl_context = SSLContext(
) if ssl_context is None else ssl_context
self._max_connections = max_connections
self._max_keepalive_connections = max_keepalive_connections
self._keepalive_expiry = keepalive_expiry
self._http2 = http2
self._uds = uds
self._local_address = local_address
self._retries = retries
self._connections: Dict[Origin, Set[AsyncHTTPConnection]] = {}
self._thread_lock = ThreadLock()
self._backend = backend
self._next_keepalive_check = 0.0
if http2:
try:
import h2 # noqa: F401
except ImportError:
raise ImportError(
"Attempted to use http2=True, but the 'h2' "
"package is not installed. Use 'pip install httpcore[http2]'."
)
def store_vv_file(self, vmid, ticket):
"""
Description: Connecting to the machine involves two steps, the second one is obtaining a 'vv' file with the
connection parameters, which we can later pipe to virt-viewer and the connection will be opened.
Arguments: 1. vmid: The VM UUID in oVirt-format.
2. ticket: The ticket obtained in the first step (method get_viewer_ticket)
Returns: The temporary filename with all the parameters to connect to the machine (piped to virt-viewer)
"""
global conf
if not ticket:
return False
req = urllib.request.Request(
'%s/%s/%s/%s/%s' %
(conf.CONFIG['ovirturl'], 'vms', vmid, 'graphicsconsoles', ticket))
# Python 2 -> 3 conversion: encodestring expects a byte-like string, not str
base64str = encodestring(
('%s:%s' % (conf.USERNAME + '@' + conf.CONFIG['ovirtdomain'],
conf.PASSWORD)).encode()).decode().replace('\n', '')
req.add_header('Authorization', 'Basic ' + base64str)
req.add_header('Content-Type', 'application/xml')
req.add_header('Accept', 'application/x-virt-viewer')
req.add_header('filter', 'true')
unverified_ctxt = SSLContext(PROTOCOL_TLSv1)
try:
contents = urllib.request.urlopen(req,
context=unverified_ctxt).read()
if conf.CONFIG['fullscreen'] == '1':
contents = contents.replace('fullscreen=0', 'fullscreen=1')
filename = '/tmp/viewer-' + str(randint(10000, 99999))
f = open(filename, 'wb')
f.write(contents)
f.close()
return filename
except urllib.request.HTTPError as em:
QMessageBox.critical(
None,
_('apptitle') + ': ' + _('error'),
_('unexpected_request_error') + '(' + str(em.code) + '): ' +
em.reason + '. ' + _('check_vm_config_updated'))
return None
def __init__(
self,
auto_reconnect: bool = True,
ssl: Optional[Union[bool, ssl.SSLContext]] = None,
loop: Optional[asyncio.AbstractEventLoop] = None,
) -> None:
"""Initialize a ThingsDB client.
Args:
auto_reconnect (bool, optional):
When set to `True`, the client will automatically
reconnect when a connection is lost. If set to `False` and the
connection gets lost, one may call the `reconnect()` method to
make a new connection. The auto-reconnect option can act on
node changes and does so automatically if the connected user
has the required `WATCH` privileges on the `@node` scope.
Defaults to `True`.
ssl (SSLContext or bool, optional):
Accepts an ssl.SSLContext for creating a secure connection
using SSL/TLS. This argument may simply be set to `True` in
which case a context using `ssl.PROTOCOL_TLS` is created.
Defaults to None.
loop (AbstractEventLoop, optional):
Can be used to run the client on a specific event loop.
If this argument is not used, the default event loop will be
used. Defaults to `None`.
"""
self._loop = loop if loop else asyncio.get_event_loop()
self._auth = None
self._pool = None
self._protocol = None
self._pid = 0
self._write_pkg = self._ensure_write if auto_reconnect else self._write
self._reconnect = auto_reconnect
self._scope = '@t' # default to thingsdb scope
self._pool_idx = 0
self._reconnecting = False
if ssl is True:
self._ssl = SSLContext(PROTOCOL_TLS)
elif ssl is False:
self._ssl = None
else:
self._ssl = ssl
self._event_handlers = []
async def start_tls(self, context: ssl.SSLContext,
server_hostname: Optional[str] = None,
suppress_ragged_eofs: bool = False) -> None:
plain_socket = self._raw_socket
self._raw_socket = context.wrap_socket(
self._raw_socket, server_side=not server_hostname, do_handshake_on_connect=False,
server_hostname=server_hostname, suppress_ragged_eofs=suppress_ragged_eofs)
while True:
try:
self._raw_socket.do_handshake()
return
except ssl.SSLWantReadError:
await self._wait_readable()
except ssl.SSLWantWriteError:
await self._wait_writable()
except BaseException:
self._raw_socket = plain_socket
raise
def scrape():
sslcontext = SSLContext()
curr_time = datetime.now().time()
for page in range(ord('A'), ord('Z') + 1):
for row in get_rows_from_page(page, sslcontext):
if row.find('tr').text == "No classes to display":
continue
else:
for idx, tr in enumerate(row.find_all('tr')):
cell = tr.find_all('td')
if idx == 0:
build_class_schedule(cell, curr_time)
else:
# for blocks but i'll ignore muna
pass
print('database updated')
async def send_json():
#log.debug('send_json')
try:
if secure:
async with websockets.connect(url) as websocket:
await websocket.send(msg_json)
else:
context = SSLContext(protocol=PROTOCOL_TLS)
async with websockets.connect(url, ssl=context) as websocket:
await websocket.send(msg_json)
except NameError as n:
log.debug(f'{str(n)} in send_json')
raise
except Exception as e:
log.debug(e)
raise
async def _startup():
if psql_uri:
import asyncpg
kwargs = {"min_size": 3, "max_size": 8, "command_timeout": 5}
if "localhost" not in psql_uri:
kwargs["ssl"] = SSLContext()
if psql_pool_args:
kwargs.update(psql_pool_args)
app.db = await asyncpg.create_pool(psql_uri, **kwargs)
else:
app.db = None
if mongo_uri:
from motor.motor_asyncio import AsyncIOMotorClient
app.mdb = AsyncIOMotorClient(mongo_uri)
else:
app.mdb = None
async def test_send_eof_not_implemented(self,
server_context: ssl.SSLContext,
ca: CA,
force_tlsv12: bool) -> None:
def serve_sync() -> None:
conn, addr = server_sock.accept()
conn.sendall(b"hello")
conn.unwrap()
conn.close()
client_context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
ca.configure_trust(client_context)
if force_tlsv12:
expected_pattern = r"send_eof\(\) requires at least TLSv1.3"
if hasattr(ssl, "TLSVersion"):
client_context.maximum_version = ssl.TLSVersion.TLSv1_2
else: # Python 3.6
client_context.options |= ssl.OP_NO_TLSv1_3
else:
expected_pattern = (
r"send_eof\(\) has not yet been implemented for TLS streams")
server_sock = server_context.wrap_socket(socket.socket(),
server_side=True,
suppress_ragged_eofs=False)
server_sock.settimeout(1)
server_sock.bind(("127.0.0.1", 0))
server_sock.listen()
server_thread = Thread(target=serve_sync, daemon=True)
server_thread.start()
stream = await connect_tcp(*server_sock.getsockname())
async with await TLSStream.wrap(stream,
hostname="localhost",
ssl_context=client_context) as wrapper:
assert await wrapper.receive() == b"hello"
with pytest.raises(NotImplementedError) as exc:
await wrapper.send_eof()
exc.match(expected_pattern)
server_thread.join()
server_sock.close()
def __init__(self,
hote_imap,
nom_utilisateur,
mot_de_passe,
dossier_cible='INBOX',
verify_peer=True,
use_secure_socket=True,
legacy_secure_protocol=False):
super().__init__('IMAPFactory via {}'.format(hote_imap))
self._ssl_context = SSLContext(
protocol=PROTOCOL_TLS) if use_secure_socket else None
self._use_secure_socket = use_secure_socket
if verify_peer is False and use_secure_socket is True:
# don't check if certificate hostname doesn't match target hostname
self._ssl_context.check_hostname = False
# don't check if the certificate is trusted by a certificate authority
self._ssl_context.verify_mode = CERT_NONE
if legacy_secure_protocol and use_secure_socket:
self._ssl_context.options = OP_ALL
self._hote_imap = Session.UNIVERSELLE.retranscrire(hote_imap)
self._client = IMAPClient(host=self._hote_imap,
port=993 if self._use_secure_socket else 143,
ssl=self._use_secure_socket,
ssl_context=self._ssl_context)
self._nom_utilisateur = Session.UNIVERSELLE.retranscrire(
nom_utilisateur)
self._verify_peer = verify_peer
self._dossier_cible = dossier_cible
self._mot_de_passe = mot_de_passe
self._client.login(
self._nom_utilisateur,
Session.UNIVERSELLE.retranscrire(self._mot_de_passe))
self._echec = False
MailToolbox.INSTANCES.append(self)
def __init__(
self,
ssl_context: SSLContext = None,
max_connections: int = None,
max_keepalive: int = None,
keepalive_expiry: float = None,
http2: bool = False,
local_addr: bytes = None,
):
self._ssl_context = SSLContext(
) if ssl_context is None else ssl_context
self._max_connections = max_connections
self._max_keepalive = max_keepalive
self._keepalive_expiry = keepalive_expiry
self._http2 = http2
self._local_addr = local_addr
self._connections: Dict[Origin, Set[AsyncHTTPConnection]] = {}
self._thread_lock = ThreadLock()
self._backend = AutoBackend()
self._next_keepalive_check = 0.0
def _is_present(self):
r"""
Test whether Internet is available.
EXAMPLES::
sage: from sage.features.internet import Internet
sage: Internet()._is_present() # random, optional - internet
FeatureTestResult('internet', True)
"""
import urllib.error
from urllib.request import Request, urlopen
from ssl import SSLContext
req = Request("https://www.sagemath.org", headers={"User-Agent": "sage-doctest"})
try:
urlopen(req, timeout=1, context=SSLContext())
return FeatureTestResult(self, True)
except urllib.error.URLError:
return FeatureTestResult(self, False)
async def send_to_station(device: dict, message: dict = None):
device_token = get_device_token(device['yandex_token'], device['id'],
device['platform'])
uri = f"wss://{device['host']}:{device['port']}"
try:
async with websockets.connect(uri, ssl=SSLContext()) as ws:
await ws.send(
json.dumps({
'conversationToken': device_token,
'payload': message
}))
res = json.loads(await ws.recv())
_LOGGER.debug(res)
return res
except Exception as e:
_LOGGER.error(f"Station connect error: {e}")
return None
def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=None,
ca_certs=None, server_hostname=None,
ssl_version=None):
context = SSLContext(ssl_version)
context.verify_mode = cert_reqs
if ca_certs:
try:
context.load_verify_locations(ca_certs)
# Py32 raises IOError
# Py33 raises FileNotFoundError
except Exception as e: # Reraise as SSLError
raise SSLError(e)
if certfile:
# FIXME: This block needs a test.
context.load_cert_chain(certfile, keyfile)
if HAS_SNI: # Platform-specific: OpenSSL with enabled SNI
return (context, context.wrap_socket(sock, server_hostname=server_hostname))
return (context, context.wrap_socket(sock))
def create_urllib3_context(ssl_version = None, cert_reqs = None, options = None, ciphers = None):
context = SSLContext(ssl_version or ssl.PROTOCOL_SSLv23)
cert_reqs = ssl.CERT_REQUIRED if cert_reqs is None else cert_reqs
if options is None:
options = 0
options |= OP_NO_SSLv2
options |= OP_NO_SSLv3
options |= OP_NO_COMPRESSION
context.options |= options
if getattr(context, 'supports_set_ciphers', True):
context.set_ciphers(ciphers or DEFAULT_CIPHERS)
context.verify_mode = cert_reqs
if getattr(context, 'check_hostname', None) is not None:
context.check_hostname = False
return context
def send_email_alert_notification(email_message_content):
# Creating an email object
msg = EmailMessage()
# Set the sender address
msg['From'] = FROM_EMAIL_ADDRESS_VALUE
# Set the destination addresses
recipients = RECIPIENTS_EMAIL_ADDRESS_VALUES
# recipients = ['*****@*****.**'] # Example single recipient
# Join the recipients addresses into one string and set the destination values
msg['To'] = ", ".join(recipients)
# msg['To'] = recipients # Use with only single recipient and no .join()
#
# Set the message subject by slicing the message body content down
# msg['Subject'] = email_message_content[0:33]
# SMS message typically have no subject
msg['Subject'] = ""
# Append the tag line to the message body
email_message_content = email_message_content + EMAIL_MESSAGE_TAG_LINE
print (email_message_content)
# Populate the message content with message body
msg.set_content(email_message_content)
# Send the email via smtp
with SMTP(host=EMAIL_SMTP_SERVER_HOST_NAME, port=587) as smtp_server:
try:
# Define a secure SSL connection
smtp_server.starttls(context=SSLContext(PROTOCOL_TLSv1_2))
# Supply authentication credentials
smtp_server.login(user=SMTP_SERVER_LOGIN_NAME, password=SMTP_SERVER_LOGIN_PASSWORD)
# Send the email message
smtp_server.send_message(msg)
except Exception as e:
print('Error sending email. Details: {} - {}'.format(e.__class__, e))
def _load_client_certs(self, ssl_context: ssl.SSLContext) -> None:
"""
Loads client certificates into our SSLContext object
"""
if self.cert is not None:
if isinstance(self.cert, str):
ssl_context.load_cert_chain(certfile=self.cert)
elif isinstance(self.cert, tuple) and len(self.cert) == 2:
ssl_context.load_cert_chain(certfile=self.cert[0], keyfile=self.cert[1])
elif isinstance(self.cert, tuple) and len(self.cert) == 3:
ssl_context.load_cert_chain(
certfile=self.cert[0],
keyfile=self.cert[1],
password=self.cert[2], # type: ignore
)
def create_socket(ip: str, port: int, context: ssl.SSLContext = None,
verify_hostname: bool = True, timeout: int = 10) -> ssl.SSLSocket:
"""
Creates a new SSL-wrapped socket.
:param ip: The IP to connect to.
:param port: The port to connect to.
:param context: The SSL context to use, or None for a default one to be created.
:param verify_hostname: Ignored
:param timeout: The timeout for recv().
:return: A new SSLSocket.
"""
verify_hostname = current_app.conf["SERVER_LOGIN_ON_CLIENT_VERIFY"]
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(timeout)
if context:
sock = context.wrap_socket(s)
else:
sock = ssl.wrap_socket(s, cert_reqs=ssl.CERT_REQUIRED if verify_hostname else ssl.CERT_NONE)
sock.connect((ip, port))
return sock
def _config_ssl_context(config):
if config.get_ssl_context() is not None:
return
if config.get_service_url().scheme == 'https':
try:
if config.get_ssl_protocol() is None:
ctx = create_default_context()
else:
ctx = SSLContext(config.get_ssl_protocol())
if config.get_ssl_cipher_suites() is not None:
ctx.set_ciphers(config.get_ssl_cipher_suites())
if config.get_ssl_ca_certs() is not None:
ctx.load_verify_locations(config.get_ssl_ca_certs())
config.set_ssl_context(ctx)
except (SSLError, ValueError) as err:
raise IllegalArgumentException(str(err))
async def test_ragged_eof_on_receive(
self, server_context: ssl.SSLContext,
client_context: ssl.SSLContext) -> None:
server_exc = None
def serve_sync() -> None:
nonlocal server_exc
conn, addr = server_sock.accept()
try:
conn.settimeout(1)
conn.sendall(b"hello")
except BaseException as exc:
server_exc = exc
finally:
conn.close()
server_sock = server_context.wrap_socket(socket.socket(),
server_side=True,
suppress_ragged_eofs=True)
server_sock.settimeout(1)
server_sock.bind(("127.0.0.1", 0))
server_sock.listen()
server_thread = Thread(target=serve_sync, daemon=True)
server_thread.start()
try:
async with await connect_tcp(*server_sock.getsockname()) as stream:
wrapper = await TLSStream.wrap(
stream,
hostname="localhost",
ssl_context=client_context,
standard_compatible=False,
)
assert await wrapper.receive() == b"hello"
with pytest.raises(EndOfStream):
await wrapper.receive()
finally:
server_thread.join()
server_sock.close()
assert server_exc is None
def __init__(self, bot, name, nick, *, channels=None, config=None,
server, port=6667, use_ssl=False, ignore_cert_errors=True, timeout=300, local_bind=False):
"""
:type bot: cloudbot.bot.CloudBot
:type name: str
:type nick: str
:type channels: list[str]
:type config: dict[str, unknown]
:type server: str
:type port: int
:type use_ssl: bool
:type ignore_cert_errors: bool
:type timeout: int
"""
super().__init__(bot, name, nick, channels=channels, config=config)
self.use_ssl = use_ssl
self._ignore_cert_errors = ignore_cert_errors
self._timeout = timeout
self.server = server
self.port = port
self.local_bind = local_bind
# create SSL context
if self.use_ssl:
self.ssl_context = SSLContext(PROTOCOL_SSLv23)
if self._ignore_cert_errors:
self.ssl_context.verify_mode = ssl.CERT_NONE
else:
self.ssl_context.verify_mode = ssl.CERT_REQUIRED
else:
self.ssl_context = None
# if we're connected
self._connected = False
# if we've quit
self._quit = False
# transport and protocol
self._transport = None
self._protocol = None
def _get_connector(verify_host_certificate: bool,
client_key: Optional[Path],
client_cert: Optional[Path]) -> TCPConnector:
"""Return an aiohttp ClientSession based on the options."""
ssl_context = SSLContext()
if not verify_host_certificate:
ssl_context.check_hostname = False
ssl_context.verify_mode = CERT_NONE
cert = client_cert
key = client_key
if cert is not None:
ssl_context.load_cert_chain(cert, key)
return TCPConnector(ssl=ssl_context)
def _connect_with_pymysql(self, ip_address: str, ctx: ssl.SSLContext,
**kwargs):
"""Helper function to create a pymysql DB-API connection object.
:type ca_filepath: str
:param ca_filepath: A string representing the path to the server's
certificate authority.
:type cert_filepath: str
:param cert_filepath: A string representing the path to the ephemeral
certificate.
:type key_filepath: str
:param key_filepath: A string representing the path to the private key file.
:type ip_addresses: Dict[str, str]
:param ip_addresses: A Dictionary containing the different IP addresses
of the Cloud SQL instance.
:rtype: pymysql.Connection
:returns: A PyMySQL Connection object for the Cloud SQL instance.
"""
try:
import pymysql
except ImportError:
raise ImportError(
'Unable to import module "pymysql." Please install and try again.'
)
# Create socket and wrap with context.
sock = ctx.wrap_socket(socket.create_connection((ip_address, 3307)),
server_hostname=ip_address)
# Create pymysql connection object and hand in pre-made connection
conn = pymysql.Connection(host=ip_address,
defer_connect=True,
**kwargs)
conn.connect(sock)
return conn
def __init__(self, config):
super().__init__()
self.setName('Connection thread.')
self.daemon = True
self.__config = config
self.__host = config["host"]
self.__port = config.get("port", 1883)
self.__default_quality_of_service = config.get("qos", 1)
credentials = config["security"]
self.__min_reconnect_delay = 1
self.__tls = bool(
credentials.get('tls', False) or credentials.get('caCert', False))
self.__ca_cert = None
self.__private_key = None
self.__cert = None
self.__token = None
self.__is_connected = False
self.__stopped = False
self.__paused = False
if credentials.get("accessToken") is not None:
self.__token = str(credentials["accessToken"])
if self.__tls:
self.__ca_cert = credentials.get("caCert")
self.__private_key = credentials.get("privateKey")
self.__cert = credentials.get("cert")
self.client = TBGatewayMqttClient(
self.__host,
self.__port,
self.__token,
self,
quality_of_service=self.__default_quality_of_service)
if self.__tls and self.__ca_cert is None and self.__private_key is None and self.__cert is None:
# pylint: disable=protected-access
self.client._client.tls_set_context(SSLContext(PROTOCOL_TLSv1_2))
# Adding callbacks
self.client._client._on_connect = self._on_connect
self.client._client._on_disconnect = self._on_disconnect
# self.client._client._on_log = self._on_log
self.start()
def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=CERT_NONE,
ca_certs=None, server_hostname=None,
ssl_version=PROTOCOL_SSLv23):
"""
All arguments except `server_hostname` have the same meaning as for
:func:`ssl.wrap_socket`
:param server_hostname:
Hostname of the expected certificate
"""
context = SSLContext(ssl_version)
context.verify_mode = cert_reqs
if ca_certs:
try:
context.load_verify_locations(ca_certs)
except TypeError as e: # Reraise as SSLError
# fixme: This block needs a test.
raise SSLError(e)
if certfile:
# fixme: This block needs a test.
context.load_cert_chain(certfile, keyfile)
if HAS_SNI: # Platform-specific: OpenSSL with enabled SNI
return context.wrap_socket(sock, server_hostname=server_hostname)
return context.wrap_socket(sock)
def lambda_handler(event, context):
username = os.environ['CASSANDRA_USER']
password = os.environ['CASSANDRA_PWD']
ssl_context = SSLContext(PROTOCOL_TLSv1_2)
auth_provider = PlainTextAuthProvider(username=username, password=password)
cluster = Cluster(['cassandra.us-east-1.amazonaws.com'],
ssl_context=ssl_context,
auth_provider=auth_provider,
port=9142)
session = cluster.connect()
stmt = session.prepare(
"INSERT INTO neighborhood_stops.stops (stop_id, stop_code, stop_name, lat, lon, neighborhood) VALUES (?, ?, ?, ?, ?, ?)"
)
execution_profile = session.execution_profile_clone_update(
session.get_execution_profile(EXEC_PROFILE_DEFAULT))
execution_profile.consistency_level = ConsistencyLevel.LOCAL_QUORUM
bucket = 'bigdatafilippo'
key = 'quartieri.csv'
response = s3.get_object(Bucket=bucket, Key=key)
content = response.get('Body').read().decode('utf-8')
reader = csv.reader(content.splitlines(), delimiter=',')
rows = list(reader)
count = 0
for row in rows:
stop_id = row[1]
stop_code = row[2]
stop_name = row[3]
lat = row[4]
lon = row[5]
neighborhood = row[6]
notFound = 'Non trovato'
if (neighborhood != notFound):
session.execute(
stmt, (stop_id, stop_code, stop_name, lat, lon, neighborhood),
execution_profile=execution_profile)
count += 1
print('count ' + str(count))
def secure_socket(s, host):
ssl_context = SSLContext(PROTOCOL_SSLv23)
ssl_context.options |= OP_NO_SSLv2
return ssl_context.wrap_socket(s, server_hostname=host if HAS_SNI else None)
def get_ssl_context(*args):
"""Create and return an SSLContext object."""
certfile, keyfile, ca_certs, cert_reqs = args
# Note PROTOCOL_SSLv23 is about the most misleading name imaginable.
# This configures the server and client to negotiate the
# highest protocol version they both support. A very good thing.
ctx = SSLContext(ssl.PROTOCOL_SSLv23)
if hasattr(ctx, "options"):
# Explicitly disable SSLv2 and SSLv3. Note that up to
# date versions of MongoDB 2.4 and above already do this,
# python disables SSLv2 by default in >= 2.7.7 and >= 3.3.4
# and SSLv3 in >= 3.4.3. There is no way for us to do this
# explicitly for python 2.6 or 2.7 before 2.7.9.
ctx.options |= getattr(ssl, "OP_NO_SSLv2", 0)
ctx.options |= getattr(ssl, "OP_NO_SSLv3", 0)
if certfile is not None:
ctx.load_cert_chain(certfile, keyfile)
if ca_certs is not None:
ctx.load_verify_locations(ca_certs)
elif cert_reqs != ssl.CERT_NONE:
# CPython >= 2.7.9 or >= 3.4.0, pypy >= 2.5.1
if hasattr(ctx, "load_default_certs"):
ctx.load_default_certs()
# Python >= 3.2.0, useless on Windows.
elif (sys.platform != "win32" and
hasattr(ctx, "set_default_verify_paths")):
ctx.set_default_verify_paths()
elif sys.platform == "win32" and HAVE_WINCERTSTORE:
with _WINCERTSLOCK:
if _WINCERTS is None:
_load_wincerts()
ctx.load_verify_locations(_WINCERTS.name)
elif HAVE_CERTIFI:
ctx.load_verify_locations(certifi.where())
else:
raise ConfigurationError(
"`ssl_cert_reqs` is not ssl.CERT_NONE and no system "
"CA certificates could be loaded. `ssl_ca_certs` is "
"required.")
ctx.verify_mode = ssl.CERT_REQUIRED if cert_reqs is None else cert_reqs
return ctx
def __get_ssl_context(cls, sslca=None):
"""Make an SSLConext for this Python version using public or sslca
"""
if ((version_info[0] == 2 and (version_info[1] >= 7 and version_info[2] >= 9)) or
(version_info[0] == 3 and version_info[1] >= 4)):
logger.debug('SSL method for 2.7.9+ / 3.4+')
# pylint: disable=no-name-in-module
from ssl import SSLContext, PROTOCOL_TLSv1_2, CERT_REQUIRED, OP_NO_COMPRESSION
ctx = SSLContext(PROTOCOL_TLSv1_2)
ctx.set_ciphers('HIGH:!SSLv3:!TLSv1:!aNULL:@STRENGTH')
# see CRIME security exploit
ctx.options |= OP_NO_COMPRESSION
# the following options are used to verify the identity of the broker
if sslca:
ctx.load_verify_locations(sslca)
ctx.verify_mode = CERT_REQUIRED
ctx.check_hostname = False
else:
# Verify public certifcates if sslca is None (default)
from ssl import Purpose # pylint: disable=no-name-in-module
ctx.load_default_certs(purpose=Purpose.SERVER_AUTH)
ctx.verify_mode = CERT_REQUIRED
ctx.check_hostname = True
elif version_info[0] == 3 and version_info[1] < 4:
logger.debug('Using SSL method for 3.2+, < 3.4')
# pylint: disable=no-name-in-module
from ssl import SSLContext, CERT_REQUIRED, PROTOCOL_SSLv23, OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_TLSv1
ctx = SSLContext(PROTOCOL_SSLv23)
ctx.options |= (OP_NO_SSLv2 | OP_NO_SSLv3 | OP_NO_TLSv1)
ctx.set_ciphers('HIGH:!SSLv3:!TLSv1:!aNULL:@STRENGTH')
# the following options are used to verify the identity of the broker
if sslca:
ctx.load_verify_locations(sslca)
ctx.verify_mode = CERT_REQUIRED
else:
# Verify public certifcates if sslca is None (default)
ctx.set_default_verify_paths()
ctx.verify_mode = CERT_REQUIRED
else:
raise Exception("Unsupported Python version %s" % '.'.join(str(item) for item in version_info[:3]))
return ctx
def get_ssl_context(*args):
"""Create and return an SSLContext object."""
certfile, keyfile, passphrase, ca_certs, cert_reqs, crlfile = args
# Note PROTOCOL_SSLv23 is about the most misleading name imaginable.
# This configures the server and client to negotiate the
# highest protocol version they both support. A very good thing.
ctx = SSLContext(ssl.PROTOCOL_SSLv23)
if hasattr(ctx, "options"):
# Explicitly disable SSLv2 and SSLv3. Note that up to
# date versions of MongoDB 2.4 and above already do this,
# python disables SSLv2 by default in >= 2.7.7 and >= 3.3.4
# and SSLv3 in >= 3.4.3. There is no way for us to do this
# explicitly for python 2.6 or 2.7 before 2.7.9.
ctx.options |= getattr(ssl, "OP_NO_SSLv2", 0)
ctx.options |= getattr(ssl, "OP_NO_SSLv3", 0)
if certfile is not None:
if passphrase is not None:
vi = sys.version_info
# Since python just added a new parameter to an existing method
# this seems to be about the best we can do.
if (vi[0] == 2 and vi < (2, 7, 9) or
vi[0] == 3 and vi < (3, 3)):
raise ConfigurationError(
"Support for ssl_pem_passphrase requires "
"python 2.7.9+ (pypy 2.5.1+) or 3.3+")
ctx.load_cert_chain(certfile, keyfile, passphrase)
else:
ctx.load_cert_chain(certfile, keyfile)
if crlfile is not None:
if not hasattr(ctx, "verify_flags"):
raise ConfigurationError(
"Support for ssl_crlfile requires "
"python 2.7.9+ (pypy 2.5.1+) or 3.4+")
# Match the server's behavior.
ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
ctx.load_verify_locations(crlfile)
if ca_certs is not None:
ctx.load_verify_locations(ca_certs)
elif cert_reqs != ssl.CERT_NONE:
# CPython >= 2.7.9 or >= 3.4.0, pypy >= 2.5.1
if hasattr(ctx, "load_default_certs"):
ctx.load_default_certs()
# Python >= 3.2.0, useless on Windows.
elif (sys.platform != "win32" and
hasattr(ctx, "set_default_verify_paths")):
ctx.set_default_verify_paths()
elif sys.platform == "win32" and HAVE_WINCERTSTORE:
with _WINCERTSLOCK:
if _WINCERTS is None:
_load_wincerts()
ctx.load_verify_locations(_WINCERTS.name)
elif HAVE_CERTIFI:
ctx.load_verify_locations(certifi.where())
else:
raise ConfigurationError(
"`ssl_cert_reqs` is not ssl.CERT_NONE and no system "
"CA certificates could be loaded. `ssl_ca_certs` is "
"required.")
ctx.verify_mode = ssl.CERT_REQUIRED if cert_reqs is None else cert_reqs
return ctx
def __init__(self):
stream.createsocket(stream)
self.contxt = SSLContext(PROTOCOL_TLSv1_2)
self.contxt.verify_mode = CERT_REQUIRED
self.contxt.load_default_certs()
def get_ssl_context(*args):
"""Create and return an SSLContext object."""
(certfile,
keyfile,
passphrase,
ca_certs,
cert_reqs,
crlfile,
match_hostname) = args
verify_mode = ssl.CERT_REQUIRED if cert_reqs is None else cert_reqs
# Note PROTOCOL_SSLv23 is about the most misleading name imaginable.
# This configures the server and client to negotiate the
# highest protocol version they both support. A very good thing.
# PROTOCOL_TLS_CLIENT was added in CPython 3.6, deprecating
# PROTOCOL_SSLv23.
ctx = SSLContext(
getattr(ssl, "PROTOCOL_TLS_CLIENT", ssl.PROTOCOL_SSLv23))
# SSLContext.check_hostname was added in CPython 2.7.9 and 3.4.
# PROTOCOL_TLS_CLIENT (added in Python 3.6) enables it by default.
if hasattr(ctx, "check_hostname"):
if _PY37PLUS and verify_mode != ssl.CERT_NONE:
# Python 3.7 uses OpenSSL's hostname matching implementation
# making it the obvious version to start using this with.
# Python 3.6 might have been a good version, but it suffers
# from https://bugs.python.org/issue32185.
# We'll use our bundled match_hostname for older Python
# versions, which also supports IP address matching
# with Python < 3.5.
ctx.check_hostname = match_hostname
else:
ctx.check_hostname = False
if hasattr(ctx, "options"):
# Explicitly disable SSLv2, SSLv3 and TLS compression. Note that
# up to date versions of MongoDB 2.4 and above already disable
# SSLv2 and SSLv3, python disables SSLv2 by default in >= 2.7.7
# and >= 3.3.4 and SSLv3 in >= 3.4.3. There is no way for us to do
# any of this explicitly for python 2.7 before 2.7.9.
ctx.options |= getattr(ssl, "OP_NO_SSLv2", 0)
ctx.options |= getattr(ssl, "OP_NO_SSLv3", 0)
# OpenSSL >= 1.0.0
ctx.options |= getattr(ssl, "OP_NO_COMPRESSION", 0)
# Python 3.7+ with OpenSSL >= 1.1.0h
ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
if certfile is not None:
try:
if passphrase is not None:
vi = sys.version_info
# Since python just added a new parameter to an existing method
# this seems to be about the best we can do.
if (vi[0] == 2 and vi < (2, 7, 9) or
vi[0] == 3 and vi < (3, 3)):
raise ConfigurationError(
"Support for ssl_pem_passphrase requires "
"python 2.7.9+ (pypy 2.5.1+) or 3.3+")
ctx.load_cert_chain(certfile, keyfile, passphrase)
else:
ctx.load_cert_chain(certfile, keyfile)
except ssl.SSLError as exc:
raise ConfigurationError(
"Private key doesn't match certificate: %s" % (exc,))
if crlfile is not None:
if not hasattr(ctx, "verify_flags"):
raise ConfigurationError(
"Support for ssl_crlfile requires "
"python 2.7.9+ (pypy 2.5.1+) or 3.4+")
# Match the server's behavior.
ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
ctx.load_verify_locations(crlfile)
if ca_certs is not None:
ctx.load_verify_locations(ca_certs)
elif cert_reqs != ssl.CERT_NONE:
# CPython >= 2.7.9 or >= 3.4.0, pypy >= 2.5.1
if hasattr(ctx, "load_default_certs"):
ctx.load_default_certs()
# Python >= 3.2.0, useless on Windows.
elif (sys.platform != "win32" and
hasattr(ctx, "set_default_verify_paths")):
ctx.set_default_verify_paths()
elif sys.platform == "win32" and HAVE_WINCERTSTORE:
with _WINCERTSLOCK:
if _WINCERTS is None:
_load_wincerts()
ctx.load_verify_locations(_WINCERTS.name)
elif HAVE_CERTIFI:
ctx.load_verify_locations(certifi.where())
else:
raise ConfigurationError(
"`ssl_cert_reqs` is not ssl.CERT_NONE and no system "
"CA certificates could be loaded. `ssl_ca_certs` is "
"required.")
ctx.verify_mode = verify_mode
return ctx
def open_url(url, data=None, headers=None, method=None, use_proxy=True,
force=False, last_mod_time=None, timeout=10, validate_certs=True,
url_username=None, url_password=None, http_agent=None,
force_basic_auth=False, follow_redirects='urllib2'):
'''
Sends a request via HTTP(S) or FTP using urllib2 (Python2) or urllib (Python3)
Does not require the module environment
'''
handlers = []
ssl_handler = maybe_add_ssl_handler(url, validate_certs)
if ssl_handler:
handlers.append(ssl_handler)
# FIXME: change the following to use the generic_urlparse function
# to remove the indexed references for 'parsed'
parsed = urlparse(url)
if parsed[0] != 'ftp':
username = url_username
if headers is None:
headers = {}
if username:
password = url_password
netloc = parsed[1]
elif '@' in parsed[1]:
credentials, netloc = parsed[1].split('@', 1)
if ':' in credentials:
username, password = credentials.split(':', 1)
else:
username = credentials
password = ''
parsed = list(parsed)
parsed[1] = netloc
# reconstruct url without credentials
url = urlunparse(parsed)
if username and not force_basic_auth:
passman = urllib_request.HTTPPasswordMgrWithDefaultRealm()
# this creates a password manager
passman.add_password(None, netloc, username, password)
# because we have put None at the start it will always
# use this username/password combination for urls
# for which `theurl` is a super-url
authhandler = urllib_request.HTTPBasicAuthHandler(passman)
# create the AuthHandler
handlers.append(authhandler)
elif username and force_basic_auth:
headers["Authorization"] = basic_auth_header(username, password)
else:
try:
rc = netrc.netrc(os.environ.get('NETRC'))
login = rc.authenticators(parsed[1])
except IOError:
login = None
if login:
username, _, password = login
if username and password:
headers["Authorization"] = basic_auth_header(username, password)
if not use_proxy:
proxyhandler = urllib_request.ProxyHandler({})
handlers.append(proxyhandler)
if HAS_SSLCONTEXT and not validate_certs:
# In 2.7.9, the default context validates certificates
context = SSLContext(ssl.PROTOCOL_SSLv23)
context.options |= ssl.OP_NO_SSLv2
context.options |= ssl.OP_NO_SSLv3
context.verify_mode = ssl.CERT_NONE
context.check_hostname = False
handlers.append(urllib_request.HTTPSHandler(context=context))
# pre-2.6 versions of python cannot use the custom https
# handler, since the socket class is lacking create_connection.
# Some python builds lack HTTPS support.
if hasattr(socket, 'create_connection') and CustomHTTPSHandler:
handlers.append(CustomHTTPSHandler)
handlers.append(RedirectHandlerFactory(follow_redirects, validate_certs))
opener = urllib_request.build_opener(*handlers)
urllib_request.install_opener(opener)
if method:
if method.upper() not in ('OPTIONS','GET','HEAD','POST','PUT','DELETE','TRACE','CONNECT','PATCH'):
raise ConnectionError('invalid HTTP request method; %s' % method.upper())
request = RequestWithMethod(url, method.upper(), data)
else:
request = urllib_request.Request(url, data)
# add the custom agent header, to help prevent issues
# with sites that block the default urllib agent string
request.add_header('User-agent', http_agent)
# if we're ok with getting a 304, set the timestamp in the
# header, otherwise make sure we don't get a cached copy
if last_mod_time and not force:
tstamp = last_mod_time.strftime('%a, %d %b %Y %H:%M:%S +0000')
request.add_header('If-Modified-Since', tstamp)
else:
request.add_header('cache-control', 'no-cache')
# user defined headers now, which may override things we've set above
if headers:
if not isinstance(headers, dict):
raise ValueError("headers provided to fetch_url() must be a dict")
for header in headers:
request.add_header(header, headers[header])
urlopen_args = [request, None]
if sys.version_info >= (2,6,0):
# urlopen in python prior to 2.6.0 did not
# have a timeout parameter
urlopen_args.append(timeout)
r = urllib_request.urlopen(*urlopen_args)
return r
class SMTPServer(smtpd.SMTPServer):
def __init__(self, localaddr, remoteaddr, ssl=False, certfile=None, keyfile=None, ssl_version=ssl.PROTOCOL_SSLv23, require_authentication=False, credential_validator=None, maximum_execution_time=30, process_count=5):
smtpd.SMTPServer.__init__(self, localaddr, remoteaddr)
self.logger = logging.getLogger( secure_smtpd.LOG_NAME )
self.certfile = certfile
self.keyfile = keyfile
self.ssl_version = ssl_version
self.subprocesses = []
self.require_authentication = require_authentication
self.credential_validator = credential_validator
self.ssl = ssl
self.maximum_execution_time = maximum_execution_time
self.process_count = process_count
self.process_pool = None
self.context = SSLContext(ssl_version)
self.context.load_cert_chain(certfile=certfile, keyfile=keyfile)
def handle_accept(self):
self.process_pool = ProcessPool(self._accept_subprocess, process_count=self.process_count)
self.close()
def _accept_subprocess(self, queue):
while True:
try:
self.socket.setblocking(1)
pair = self.accept()
map = {}
if pair is not None:
self.logger.info('_accept_subprocess(): smtp connection accepted within subprocess.')
newsocket, fromaddr = pair
newsocket.settimeout(self.maximum_execution_time)
if self.ssl:
newsocket = self.context.wrap_socket(
newsocket,
server_side=True,
)
channel = SMTPChannel(
self,
newsocket,
fromaddr,
require_authentication=self.require_authentication,
credential_validator=self.credential_validator,
map=map
)
self.logger.info('_accept_subprocess(): starting asyncore within subprocess.')
asyncore.loop(map=map)
self.logger.error('_accept_subprocess(): asyncore loop exited.')
except (ExitNow, SSLError):
self._shutdown_socket(newsocket)
self.logger.info('_accept_subprocess(): smtp channel terminated asyncore.')
except Exception as e:
self._shutdown_socket(newsocket)
self.logger.error('_accept_subprocess(): uncaught exception: %s' % str(e))
def _shutdown_socket(self, s):
try:
s.shutdown(socket.SHUT_RDWR)
s.close()
except Exception as e:
self.logger.error('_shutdown_socket(): failed to cleanly shutdown socket: %s' % str(e))
def run(self):
asyncore.loop()
if hasattr(signal, 'SIGTERM'):
def sig_handler(signal,frame):
self.logger.info("Got signal %s, shutting down." % signal)
sys.exit(0)
signal.signal(signal.SIGTERM, sig_handler)
while 1:
time.sleep(1)
import threading
import time
from threading import Thread
# Pypy compatability
try:
from ssl import PROTOCOL_TLSv1_2 as PROTOCOL_TLSv1
except ImportError:
from ssl import PROTOCOL_TLSv1 as PROTOCOL_TLSv1
run_http = config["insecure"]["enabled"]
run_https = config["secure"]["enabled"]
if run_https:
context = SSLContext(PROTOCOL_TLSv1)
context.load_cert_chain(
config["secure"]["cert"],
config["secure"]["key"]
)
if run_http and run_https:
if config["debug"]:
raise Warning("Cannot run in debug mode with both https and http enabled due to flask limitations.")
Thread(
target=app.run,
kwargs={
"host": config["server"]["address"],
"port": config["secure"]["port"],
"debug": config["debug"],
"ssl_context": context
def open_url(url, data=None, headers=None, method=None, use_proxy=True,
force=False, last_mod_time=None, timeout=10, validate_certs=True,
url_username=None, url_password=None, http_agent=None, force_basic_auth=False):
'''
Fetches a file from an HTTP/FTP server using urllib2
'''
handlers = []
# FIXME: change the following to use the generic_urlparse function
# to remove the indexed references for 'parsed'
parsed = urlparse.urlparse(url)
if parsed[0] == 'https' and validate_certs:
if not HAS_SSL:
raise NoSSLError('SSL validation is not available in your version of python. You can use validate_certs=False, however this is unsafe and not recommended')
# do the cert validation
netloc = parsed[1]
if '@' in netloc:
netloc = netloc.split('@', 1)[1]
if ':' in netloc:
hostname, port = netloc.split(':', 1)
port = int(port)
else:
hostname = netloc
port = 443
# create the SSL validation handler and
# add it to the list of handlers
ssl_handler = SSLValidationHandler(hostname, port)
handlers.append(ssl_handler)
if parsed[0] != 'ftp':
username = url_username
if username:
password = url_password
netloc = parsed[1]
elif '@' in parsed[1]:
credentials, netloc = parsed[1].split('@', 1)
if ':' in credentials:
username, password = credentials.split(':', 1)
else:
username = credentials
password = ''
parsed = list(parsed)
parsed[1] = netloc
# reconstruct url without credentials
url = urlparse.urlunparse(parsed)
if username and not force_basic_auth:
passman = urllib2.HTTPPasswordMgrWithDefaultRealm()
# this creates a password manager
passman.add_password(None, netloc, username, password)
# because we have put None at the start it will always
# use this username/password combination for urls
# for which `theurl` is a super-url
authhandler = urllib2.HTTPBasicAuthHandler(passman)
# create the AuthHandler
handlers.append(authhandler)
elif username and force_basic_auth:
if headers is None:
headers = {}
headers["Authorization"] = "Basic %s" % base64.b64encode("%s:%s" % (username, password))
if not use_proxy:
proxyhandler = urllib2.ProxyHandler({})
handlers.append(proxyhandler)
# pre-2.6 versions of python cannot use the custom https
# handler, since the socket class is lacking create_connection.
# Some python builds lack HTTPS support.
if hasattr(socket, 'create_connection') and CustomHTTPSHandler:
handlers.append(CustomHTTPSHandler)
opener = urllib2.build_opener(*handlers)
urllib2.install_opener(opener)
if method:
if method.upper() not in ('OPTIONS','GET','HEAD','POST','PUT','DELETE','TRACE','CONNECT','PATCH'):
raise ConnectionError('invalid HTTP request method; %s' % method.upper())
request = RequestWithMethod(url, method.upper(), data)
else:
request = urllib2.Request(url, data)
# add the custom agent header, to help prevent issues
# with sites that block the default urllib agent string
request.add_header('User-agent', http_agent)
# if we're ok with getting a 304, set the timestamp in the
# header, otherwise make sure we don't get a cached copy
if last_mod_time and not force:
tstamp = last_mod_time.strftime('%a, %d %b %Y %H:%M:%S +0000')
request.add_header('If-Modified-Since', tstamp)
else:
request.add_header('cache-control', 'no-cache')
# user defined headers now, which may override things we've set above
if headers:
if not isinstance(headers, dict):
raise ValueError("headers provided to fetch_url() must be a dict")
for header in headers:
request.add_header(header, headers[header])
urlopen_args = [request, None]
if sys.version_info >= (2,6,0):
# urlopen in python prior to 2.6.0 did not
# have a timeout parameter
urlopen_args.append(timeout)
if HAS_SSLCONTEXT and not validate_certs:
# In 2.7.9, the default context validates certificates
context = SSLContext(ssl.PROTOCOL_SSLv23)
context.options |= ssl.OP_NO_SSLv2
context.options |= ssl.OP_NO_SSLv3
context.verify_mode = ssl.CERT_NONE
context.check_hostname = False
urlopen_args += (None, None, None, context)
r = urllib2.urlopen(*urlopen_args)
return r
def get_ssl_context(*args):
"""Create and return an SSLContext object."""
certfile, keyfile, passphrase, ca_certs, cert_reqs, crlfile = args
# Note PROTOCOL_SSLv23 is about the most misleading name imaginable.
# This configures the server and client to negotiate the
# highest protocol version they both support. A very good thing.
# PROTOCOL_TLS_CLIENT was added in CPython 3.6, deprecating
# PROTOCOL_SSLv23.
ctx = SSLContext(
getattr(ssl, "PROTOCOL_TLS_CLIENT", ssl.PROTOCOL_SSLv23))
# SSLContext.check_hostname was added in CPython 2.7.9 and 3.4.
# PROTOCOL_TLS_CLIENT enables it by default. Using it
# requires passing server_hostname to wrap_socket, which we already
# do for SNI support. To support older versions of Python we have to
# call match_hostname directly, so we disable check_hostname explicitly
# to avoid calling match_hostname twice.
if hasattr(ctx, "check_hostname"):
ctx.check_hostname = False
if hasattr(ctx, "options"):
# Explicitly disable SSLv2, SSLv3 and TLS compression. Note that
# up to date versions of MongoDB 2.4 and above already disable
# SSLv2 and SSLv3, python disables SSLv2 by default in >= 2.7.7
# and >= 3.3.4 and SSLv3 in >= 3.4.3. There is no way for us to do
# any of this explicitly for python 2.6 or 2.7 before 2.7.9.
ctx.options |= getattr(ssl, "OP_NO_SSLv2", 0)
ctx.options |= getattr(ssl, "OP_NO_SSLv3", 0)
# OpenSSL >= 1.0.0
ctx.options |= getattr(ssl, "OP_NO_COMPRESSION", 0)
if certfile is not None:
try:
if passphrase is not None:
vi = sys.version_info
# Since python just added a new parameter to an existing method
# this seems to be about the best we can do.
if (vi[0] == 2 and vi < (2, 7, 9) or
vi[0] == 3 and vi < (3, 3)):
raise ConfigurationError(
"Support for ssl_pem_passphrase requires "
"python 2.7.9+ (pypy 2.5.1+) or 3.3+")
ctx.load_cert_chain(certfile, keyfile, passphrase)
else:
ctx.load_cert_chain(certfile, keyfile)
except ssl.SSLError as exc:
raise ConfigurationError(
"Private key doesn't match certificate: %s" % (exc,))
if crlfile is not None:
if not hasattr(ctx, "verify_flags"):
raise ConfigurationError(
"Support for ssl_crlfile requires "
"python 2.7.9+ (pypy 2.5.1+) or 3.4+")
# Match the server's behavior.
ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
ctx.load_verify_locations(crlfile)
if ca_certs is not None:
ctx.load_verify_locations(ca_certs)
elif cert_reqs != ssl.CERT_NONE:
# CPython >= 2.7.9 or >= 3.4.0, pypy >= 2.5.1
if hasattr(ctx, "load_default_certs"):
ctx.load_default_certs()
# Python >= 3.2.0, useless on Windows.
elif (sys.platform != "win32" and
hasattr(ctx, "set_default_verify_paths")):
ctx.set_default_verify_paths()
elif sys.platform == "win32" and HAVE_WINCERTSTORE:
with _WINCERTSLOCK:
if _WINCERTS is None:
_load_wincerts()
ctx.load_verify_locations(_WINCERTS.name)
elif HAVE_CERTIFI:
ctx.load_verify_locations(certifi.where())
else:
raise ConfigurationError(
"`ssl_cert_reqs` is not ssl.CERT_NONE and no system "
"CA certificates could be loaded. `ssl_ca_certs` is "
"required.")
ctx.verify_mode = ssl.CERT_REQUIRED if cert_reqs is None else cert_reqs
return ctx
from __future__ import absolute_import, division, print_function
from ssl import CERT_NONE, PROTOCOL_SSLv23, SSLContext
from psphere.client import Client
if __name__ == '__main__':
context = SSLContext(PROTOCOL_SSLv23)
context.verify_mode = CERT_NONE
test_client = Client('localhost:8989', 'user', 'pass', sslcontext=context)
print(test_client.si.CurrentTime())
test_client.logout()
"""
CASSH add
"""
pubkey = request.files['file']
username = request.form['username']
payload = {}
payload.update({'realname': current_user['name'], 'password': current_user['password']})
payload.update({'username': username})
payload.update({'pubkey': pubkey.read().decode('UTF-8')})
try:
req = put(APP.config['CASSH_URL'] + '/client', \
data=payload, \
headers=APP.config['HEADERS'], \
verify=False)
except ConnectionError:
return Response('Connection error : %s' % APP.config['CASSH_URL'])
if 'Error' in req.text:
return Response(req.text)
return redirect('/status')
@APP.errorhandler(404)
def page_not_found(_):
""" Display error page """
return render_template('404.html'), 404
if __name__ == '__main__':
CONTEXT = SSLContext(PROTOCOL_TLSv1_2)
CONTEXT.load_cert_chain(APP.config['SSL_PUB_KEY'], APP.config['SSL_PRIV_KEY'])
PORT = int(getenv('PORT', APP.config['PORT']))
APP.run(debug=APP.config['DEBUG'], host='0.0.0.0', port=PORT, ssl_context=CONTEXT)
