def create_socket(self, ssl_context):
# type: (Context) -> None
self.family_and_type = socket.AF_INET, socket.SOCK_STREAM
self.ssl_ctx = ssl_context
self.socket = Connection(self.ssl_ctx)
# self.socket.setblocking(0)
self.add_channel()
class ssl_dispatcher(asyncore.dispatcher):
def create_socket(self, ssl_context):
# type: (Context) -> None
self.family_and_type = socket.AF_INET, socket.SOCK_STREAM
self.ssl_ctx = ssl_context
self.socket = Connection(self.ssl_ctx)
# self.socket.setblocking(0)
self.add_channel()
def connect(self, addr):
# type: (util.AddrType) -> None
self.socket.setblocking(1)
self.socket.connect(addr)
self.socket.setblocking(0)
def recv(self, buffer_size=4096):
# type: (int) -> bytes
"""Receive data over SSL."""
return self.socket.recv(buffer_size)
def send(self, buffer):
# type: (bytes) -> int
"""Send data over SSL."""
return self.socket.send(buffer)
class ssl_dispatcher(asyncore.dispatcher): # noqa
def create_socket(self, ssl_context):
# type: (Context) -> None
self.family_and_type = socket.AF_INET, socket.SOCK_STREAM
self.ssl_ctx = ssl_context
self.socket = Connection(self.ssl_ctx)
# self.socket.setblocking(0)
self.add_channel()
def connect(self, addr):
# type: (util.AddrType) -> None
self.socket.setblocking(1)
self.socket.connect(addr)
self.socket.setblocking(0)
def recv(self, buffer_size=4096):
# type: (int) -> bytes
"""Receive data over SSL."""
return self.socket.recv(buffer_size)
def send(self, buffer):
# type: (bytes) -> int
"""Send data over SSL."""
return self.socket.send(buffer)
def create_socket(self, ssl_context):
# type: (Context) -> None
self.family_and_type = socket.AF_INET, socket.SOCK_STREAM
self.ssl_ctx = ssl_context
self.socket = Connection(self.ssl_ctx)
# self.socket.setblocking(0)
self.add_channel()
def __init__(self, server_address, RequestHandlerClass, ssl_context, # noqa
bind_and_activate=True):
# type: (util.AddrType, socketserver.BaseRequestHandler, Context, bool) -> None
"""
Superclass says: Constructor. May be extended, do not override.
This class says: Ho-hum.
"""
BaseServer.__init__(self, server_address, RequestHandlerClass)
self.ssl_ctx = ssl_context
self.socket = Connection(self.ssl_ctx)
if bind_and_activate:
self.server_bind()
self.server_activate()
def logon(self, username, passphrase, lifetime=43200):
"""Retrieve a proxy credential from a MyProxy server
Exceptions: GetError, RetrieveError
@param username: username of credential
@param passphrase: pass-phrase for private key of credential held on
server
@return list containing the credentials as strings in PEM format: the
proxy certificate, it's private key and the signing certificate.
"""
context = Context(protocol='sslv3')
# disable for compatibility with myproxy server (er, globus)
# globus doesn't handle this case, apparently, and instead
# chokes in proxy delegation code
context.set_options(m2.SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
# connect to myproxy server
conn = Connection(context, sock=socket.socket())
# Fudge to avoid checking client cert - seems to pick globus
# host/<hostname> one
conn.clientPostConnectionCheck = None
conn.connect((self.hostname, self.port))
# send globus compatibility stuff
conn.write('0')
# send get command
cmd = MyProxyClient.__getCmd % (username,passphrase,lifetime)
conn.write(cmd)
# process server response
dat = conn.recv(8192)
respCode, errorTxt = self._deserializeResponse(dat)
if respCode:
raise GetError, errorTxt
# generate and send certificate request
# - The client will generate a public/private key pair and send a
# NULL-terminated PKCS#10 certificate request to the server.
certReq, priKey = self._createCertReq(username)
conn.send(certReq)
# process certificates
# - 1 byte , number of certs
dat = conn.recv(1)
nCerts = ord(dat[0])
# - n certs
dat = conn.recv(8192)
# process server response
resp = conn.recv(8192)
respCode, errorTxt = self._deserializeResponse(resp)
if respCode:
raise RetrieveError, errorTxt
# deserialize certs from received cert data
pemCerts = self._deserializeCerts(dat)
if len(pemCerts) != nCerts:
RetrieveError, "%d certs expected, %d received" % \
(nCerts, len(pemCerts))
# write certs and private key to file
# - proxy cert
# - private key
# - rest of cert chain
creds = pemCerts[0]+priKey+''.join([cert for cert in pemCerts[1:]])
return creds
def store(self,
username,
certFile,
keyFile,
ownerCertFile=None,
ownerKeyFile=None,
ownerPassphrase=None,
lifetime=43200):
"""Upload credentials to the server
Exceptions: GetError, StoreCredError
@param username: username selected for credential
@param certFile: user's X.509 certificate in PEM format
@param keyFile: equivalent private key file in PEM format
@param ownerCertFile: certificate used for client authentication with
the MyProxy server SSL connection. This ID will be set as the owner
of the stored credentials. Only the owner can later remove
credentials with myproxy-destroy or the destroy method. If not set,
this argument defaults to $GLOBUS_LOCATION/etc/hostcert.pem or if this
is not set, certFile
@param ownerKeyFile: corresponding private key file. See explanation
for ownerCertFile
@param ownerPassphrase: passphrase for ownerKeyFile. Omit if the
private key is not password protected. Nb. keyFile is expected to
be passphrase protected as this will be the passphrase used for
logon / getDelegation.
@return none
"""
globusLoc = os.environ.get('GLOBUS_LOCATION')
if not ownerCertFile or not ownerKeyFile:
if globusLoc:
ownerCertFile = os.path.join(globusLoc, 'etc', 'hostcert.pem')
ownerKeyFile = os.path.join(globusLoc, 'etc', 'hostkey.pem')
else:
ownerCertFile = certFile
ownerKeyFile = keyFile
context = Context(protocol='sslv3')
context.load_cert(ownerCertFile,
keyfile=ownerKeyFile,
callback=lambda *ar, **kw: ownerPassphrase)
# context.load_cert('../hostcert.pem',
# keyfile='../hostkey.pem',
# callback=lambda *ar, **kw: ownerPassphrase)
# Disable for compatibility with myproxy server (er, globus)
# globus doesn't handle this case, apparently, and instead
# chokes in proxy delegation code
context.set_options(m2.SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
# connect to myproxy server
conn = Connection(context, sock=socket.socket())
# Fudge to avoid checking client cert - seems to pick globus
# host/<hostname> one
#conn.clientPostConnectionCheck = None
conn.connect((self.hostname, self.port))
# send globus compatibility stuff
conn.write('0')
# send store command
cmd = MyProxyClient.__storeCmd % (username, lifetime)
conn.write(cmd)
# process server response
dat = conn.recv(8192)
respCode, errorTxt = self._deserializeResponse(dat)
if respCode:
raise GetError, errorTxt
# Send certificate and private key
certTxt = X509.load_cert(certFile).as_pem()
keyTxt = open(keyFile).read()
conn.send(certTxt + keyTxt)
# process server response
resp = conn.recv(8192)
respCode, errorTxt = self._deserializeResponse(resp)
if respCode:
raise RetrieveError, errorTxt
def destroy(self,
username,
ownerCertFile=None,
ownerKeyFile=None,
ownerPassphrase=None):
"""destroy credentials from the server for a given username
Exceptions: GetError, StoreCredError
@param username: username selected for credential
@param ownerCertFile: certificate used for client authentication with
the MyProxy server SSL connection. This ID will be set as the owner
of the stored credentials. Only the owner can later remove
credentials with myproxy-destroy or the destroy method. If not set,
this argument defaults to $GLOBUS_LOCATION/etc/hostcert.pem
@param ownerKeyFile: corresponding private key file. See explanation
for ownerCertFile
@param ownerPassphrase: passphrase for ownerKeyFile. Omit if the
private key is not password protected.
@return none
"""
globusLoc = os.environ.get('GLOBUS_LOCATION')
if not ownerCertFile or not ownerKeyFile:
if globusLoc:
ownerCertFile = os.path.join(globusLoc, 'etc', 'hostcert.pem')
ownerKeyFile = os.path.join(globusLoc, 'etc', 'hostkey.pem')
else:
raise MyProxyClientError, \
"No client authentication cert. and private key file were given"
context = Context(protocol='sslv3')
context.load_cert(ownerCertFile,
keyfile=ownerKeyFile,
callback=lambda *ar, **kw: ownerPassphrase)
# Disable for compatibility with myproxy server (er, globus)
# globus doesn't handle this case, apparently, and instead
# chokes in proxy delegation code
context.set_options(m2.SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
# connect to myproxy server
conn = Connection(context, sock=socket.socket())
# Fudge to avoid checking client cert - seems to pick globus
# host/<hostname> one
conn.clientPostConnectionCheck = None
conn.connect((self.hostname, self.port))
# send globus compatibility stuff
conn.write('0')
# send destroy command
cmd = MyProxyClient.__destroyCmd % username
conn.write(cmd)
# process server response
dat = conn.recv(8192)
respCode, errorTxt = self._deserializeResponse(dat)
if respCode:
raise GetError, errorTxt