def robot_init():
e = Engine.load_dynamic_engine("pkcs11", "/usr/local/lib/engine_pkcs11.so")
pk = Engine.Engine("pkcs11")
pk.ctrl_cmd_string("MODULE_PATH", "/usr/lib/libeTPkcs11.so")
ret = pk.init()
print "Loading certificate DeRoberto"
cert = e.load_certificate("30354530383037334131344144353636")
print "Loading key ..."
key = e.load_private_key("30354530383037334131344144353636", "indicate#2011")
ctx = SSL.Context("sslv23")
ctx.set_cipher_list("HIGH:!aNULL:!eNULL:@STRENGTH")
ctx.set_session_id_ctx("foobar")
m2.ssl_ctx_use_x509(ctx.ctx, cert.x509)
m2.ssl_ctx_use_pkey_privkey(ctx.ctx, key.pkey)
class SmartRedirectHandler(m2urllib2.HTTPRedirectHandler):
def http_error_302(self, req, fp, code, msg, headers):
redirect = headers['Location']
return redirect
opener = m2urllib2.build_opener(ctx, SmartRedirectHandler())
return opener
def __init__(self, certfile, keyfile=None):
"""Set up an SSL Context based on the certificate and key file passed
"""
ctx = self.secure_init(certfile, keyfile)
opener = m2urllib2.build_opener(ctx, urllib2.HTTPCookieProcessor())
urllib2.install_opener(opener)
self.install_ndg_client(certfile, keyfile)
def installOpener():
def verifyCallback(preVerifyOK, x509StoreCtx):
'''callback function used to control the behaviour when the
SSL_VERIFY_PEER flag is set
http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
@type preVerifyOK: int
@param preVerifyOK: If a verification error is found, this parameter
will be set to 0
@type x509StoreCtx: M2Crypto.X509_Store_Context
@param x509StoreCtx: locate the certificate to be verified and perform
additional verification steps as needed
@rtype: int
@return: controls the strategy of the further verification process.
- If verify_callback returns 0, the verification process is immediately
stopped with "verification failed" state. If SSL_VERIFY_PEER is set,
a verification failure alert is sent to the peer and the TLS/SSL
handshake is terminated.
- If verify_callback returns 1, the verification process is continued.
If verify_callback always returns 1, the TLS/SSL handshake will not be
terminated with respect to verification failures and the connection
will be established. The calling process can however retrieve the error
code of the last verification error using SSL_get_verify_result(3) or
by maintaining its own error storage managed by verify_callback.
'''
if preVerifyOK == 0:
# Something is wrong with the certificate don't bother proceeding
# any further
return preVerifyOK
x509Cert = x509StoreCtx.get_current_cert()
x509Cert.get_subject()
x509CertChain = x509StoreCtx.get1_chain()
for cert in x509CertChain:
subject = cert.get_subject()
dn = subject.as_text()
print dn
# If all is OK preVerifyOK will be 1. Return this to the caller to
# that it's OK to proceed
return preVerifyOK
ctx = SSL.Context()
caDirPath = '../ndg.security.test/ndg/security/test/config/ca'
ctx.set_verify(SSL.verify_peer|SSL.verify_fail_if_no_peer_cert,
9,
callback=verifyCallback)
# ctx.set_verify(SSL.verify_peer|SSL.verify_fail_if_no_peer_cert, 1)
ctx.load_verify_locations(capath=caDirPath)
# ctx.load_cert(certFilePath,
# keyfile=priKeyFilePath,
# callback=lambda *arg, **kw: priKeyPwd)
from M2Crypto.m2urllib2 import build_opener
urllib2.install_opener(build_opener(ssl_context=ctx))
def __init__(self, user, password):
ctx = SSL.Context('sslv3')
self.params = urllib.urlencode(dict(i_Login = user, i_Senha = password))
self.opener = m2urllib2.build_opener(ctx, urllib2.HTTPCookieProcessor())
urllib2.install_opener(self.opener)
# Cria Cookie
f = self.opener.open('https://memphis.ulbranet.com.br/pls/ulbra24/AAmain.login', None, self.txheaders)
f.close()
def test_urllib2_leak(self):
pid = self.start_server(self.args)
try:
import gc
o = m2urllib2.build_opener()
r = o.open('https://%s:%s/' % (srv_host, self.srv_port))
s = [r.fp._sock.fp]
r.close()
self.assertEqual(len(gc.get_referrers(s[0])), 1)
finally:
self.stop_server(pid)
def test_urllib2(self):
pid = self.start_server(self.args)
try:
opener = m2urllib2.build_opener()
opener.addheaders = [('Connection', 'close')]
u = opener.open('https://%s:%s/' % (srv_host, self.srv_port))
data = u.read()
u.close()
finally:
self.stop_server(pid)
self.assertIn(b's_server -quiet -www', data)
def test_transfer_encoding_chunked(self):
pid = self.start_server(self.args)
try:
url = 'https://%s:%s/te_chunked_response.txt' % (srv_host,
self.srv_port)
o = m2urllib2.build_opener()
u = o.open(url)
data = u.read()
self.assertEqual(b'foo\nfoobar\n', data)
finally:
self.stop_server(pid)
def test_transfer_encoding_chunked(self):
pid = self.start_server(self.args)
try:
url = 'https://%s:%s/te_chunked_response.txt' % (srv_host,
self.srv_port)
o = m2urllib2.build_opener()
u = o.open(url)
data = u.read()
self.assertEqual(b'foo\nfoobar\n', data)
finally:
self.stop_server(pid)
def test_urllib2(self):
pid = self.start_server(self.args)
try:
opener = m2urllib2.build_opener()
opener.addheaders = [('Connection', 'close')]
u = opener.open('https://%s:%s/' % (srv_host, self.srv_port))
data = u.read()
u.close()
finally:
self.stop_server(pid)
self.assertIn(b's_server -quiet -www', data)
def test_urllib2(self):
pid = self.start_server(self.args)
try:
from M2Crypto import m2urllib2
opener = m2urllib2.build_opener()
opener.addheaders = [('Connection', 'close')]
u = opener.open('https://%s:%s/' % (srv_host, srv_port))
data = u.read()
u.close()
finally:
self.stop_server(pid)
self.failIf(string.find(data, 's_server -quiet -www') == -1)
def test_urllib2_leak(self):
pid = self.start_server(self.args)
try:
import gc
from M2Crypto import m2urllib2
o = m2urllib2.build_opener()
r = o.open('https://%s:%s/' % (srv_host, self.srv_port))
s = [r.fp._sock.fp]
r.close()
self.assertEqual(len(gc.get_referrers(s[0])), 1)
finally:
self.stop_server(pid)
def test_urllib2(self):
pid = self.start_server(self.args)
try:
from M2Crypto import m2urllib2
opener = m2urllib2.build_opener()
opener.addheaders = [('Connection', 'close')]
u = opener.open('https://%s:%s/' % (srv_host, self.srv_port))
data = u.read()
u.close()
finally:
self.stop_server(pid)
self.failIf(string.find(data, 's_server -quiet -www') == -1)
def test_urllib2_leak(self):
pid = self.start_server(self.args)
try:
o = m2urllib2.build_opener()
r = o.open('https://%s:%s/' % (srv_host, self.srv_port))
s = [r.fp._sock.fp]
r.close()
# TODO This should be assertEqual 1, but we leak sock
# somehwere. Not sure how to fix it.
log.debug('get_referrers = %d', len(gc.get_referrers(s[0])))
self.assertLessEqual(len(gc.get_referrers(s[0])), 2)
finally:
self.stop_server(pid)
def test_urllib2_secure_context_fail(self):
pid = self.start_server(self.args)
try:
ctx = SSL.Context()
ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, 9)
ctx.load_verify_locations('test/server.pem')
from M2Crypto import m2urllib2
opener = m2urllib2.build_opener(ctx)
opener.addheaders = [('Connection', 'close')]
self.assertRaises(SSL.SSLError, opener.open, 'https://%s:%s/' % (srv_host, srv_port))
finally:
self.stop_server(pid)
def test_urllib2_leak(self):
pid = self.start_server(self.args)
try:
o = m2urllib2.build_opener()
r = o.open('https://%s:%s/' % (srv_host, self.srv_port))
s = [r.fp._sock.fp]
r.close()
# TODO This should be assertEqual 1, but we leak sock
# somehwere. Not sure how to fix it.
log.debug('get_referrers = %d', len(gc.get_referrers(s[0])))
self.assertLessEqual(len(gc.get_referrers(s[0])), 2)
finally:
self.stop_server(pid)
def test_urllib2_secure_context_fail(self):
pid = self.start_server(self.args)
try:
ctx = SSL.Context()
ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, 9)
ctx.load_verify_locations('tests/server.pem')
from M2Crypto import m2urllib2
opener = m2urllib2.build_opener(ctx)
opener.addheaders = [('Connection', 'close')]
self.assertRaises(SSL.SSLError, opener.open, 'https://%s:%s/' % (srv_host, self.srv_port))
finally:
self.stop_server(pid)
def test_z_urllib2_opener(self):
pid = self.start_server(self.args)
try:
ctx = SSL.Context()
from M2Crypto import m2urllib2
opener = m2urllib2.build_opener(ctx, m2urllib2.HTTPBasicAuthHandler())
m2urllib2.install_opener(opener)
req = m2urllib2.Request('https://%s:%s/' % (srv_host, srv_port))
u = m2urllib2.urlopen(req)
data = u.read()
u.close()
finally:
self.stop_server(pid)
self.failIf(string.find(data, 's_server -quiet -www') == -1)
def test_z_urllib2_opener(self):
pid = self.start_server(self.args)
try:
ctx = SSL.Context()
from M2Crypto import m2urllib2
opener = m2urllib2.build_opener(ctx, m2urllib2.HTTPBasicAuthHandler())
m2urllib2.install_opener(opener)
req = m2urllib2.Request('https://%s:%s/' % (srv_host, self.srv_port))
u = m2urllib2.urlopen(req)
data = u.read()
u.close()
finally:
self.stop_server(pid)
self.failIf(string.find(data, 's_server -quiet -www') == -1)
def __init__(self, url, version=2):
"""
Create a Gallery for remote access.
url - base address of the gallery
version - version of the gallery being connected to (default 2),
either 1 for Gallery1 or 2 for Gallery2
gallery-uploader is able to cope with secured connections, thanks to
M2Crypto. It won't catch any exception, though: handling i.e. unverified
certificates is entirely left to higher level applications, which must
hence be ready to catch M2Crypto exceptions.
Moreover, gallery-uploader works fine (only emits a warning) also if
M2Crypto is not available, and in that case connections will NOT be
secure! If you want to avoid this risk, you can simply assert
gallery.M2CRYPTO_AVAILABLE .
"""
self.version = version # Gallery1 or Gallery2
if version == 1:
self.url = url + '/gallery_remote2.php'
else:
# default to G2
self.url = url + '/main.php'
# Until proven otherwise:
self.secured = False
if self.url.startswith( 'https://' ):
if M2CRYPTO_AVAILABLE:
self.secured = True
else:
print "WARNING: M2Crypto missing, gallery-uploader connections will not be secure!"
self.cookiejar = cookielib.CookieJar()
if self.secured:
self.ssl_context = SSL.Context()
self.ssl_context.load_verify_info( capath=CA_SYSTEM_DIR )
self.ssl_context.set_verify( SSL.verify_peer |
SSL.verify_fail_if_no_peer_cert |
SSL.verify_client_once, 20 )
self.opener = m2urllib2.build_opener( self.ssl_context, urllib2.HTTPCookieProcessor(self.cookiejar) )
else:
self.opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(self.cookiejar))
self.logged_in = 0
self.protocol_version = '2.5'
self.auth_token = ''
def test_urllib2_secure_context(self):
pid = self.start_server(self.args)
try:
ctx = SSL.Context()
ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, 9)
ctx.load_verify_locations('tests/ca.pem')
from M2Crypto import m2urllib2
opener = m2urllib2.build_opener(ctx)
opener.addheaders = [('Connection', 'close')]
u = opener.open('https://%s:%s/' % (srv_host, self.srv_port))
data = u.read()
u.close()
finally:
self.stop_server(pid)
self.failIf(string.find(data, 's_server -quiet -www') == -1)
def test_z_urllib2_opener(self):
pid = self.start_server(self.args)
try:
ctx = SSL.Context()
opener = m2urllib2.build_opener(
ctx, m2urllib2.HTTPBasicAuthHandler())
m2urllib2.install_opener(opener)
req = m2urllib2.Request('https://%s:%s/' %
(srv_host, self.srv_port))
u = m2urllib2.urlopen(req)
data = u.read()
u.close()
finally:
self.stop_server(pid)
self.assertIn(b's_server -quiet -www', data)
def test_z_urllib2_opener(self):
pid = self.start_server(self.args)
try:
ctx = SSL.Context()
opener = m2urllib2.build_opener(
ctx, m2urllib2.HTTPBasicAuthHandler())
m2urllib2.install_opener(opener)
req = m2urllib2.Request('https://%s:%s/' %
(srv_host, self.srv_port))
u = m2urllib2.urlopen(req)
data = u.read()
u.close()
finally:
self.stop_server(pid)
self.assertIn(b's_server -quiet -www', data)
def test_urllib2_secure_context(self):
pid = self.start_server(self.args)
try:
ctx = SSL.Context()
ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, 9)
ctx.load_verify_locations('test/ca.pem')
from M2Crypto import m2urllib2
opener = m2urllib2.build_opener(ctx)
opener.addheaders = [('Connection', 'close')]
u = opener.open('https://%s:%s/' % (srv_host, srv_port))
data = u.read()
u.close()
finally:
self.stop_server(pid)
self.failIf(string.find(data, 's_server -quiet -www') == -1)
def usage1():
context = Context();
context.set_allow_unknown_ca(False)
# add client site certificate and private key
# to support Client verification
context.load_cert(certfile='cert.pem', keyfile='key.pem')
# add server site trusted CA certifications
# to support server verification
context.load_verify_info(capath='./')
opener = m2urllib2.build_opener(context)
response = opener.open("https://sjmcm1csa2/")
print 'html: ', response.read()
print 'info: ', response.info()
print 'url: ', response.geturl()
def __init__(self, idpConfigFilePath=None, installOpener=False):
if _M2CRYPTO_NOT_INSTALLED:
raise ImportError("M2Crypto is required for SSL-based IdP "
"validation but it is not installed.")
super(SSLIdPValidationDriver, self).__init__()
# Context object determines what validation is applied against the
# peer's certificate in the SSL connection
self.ctx = SSL.Context()
# Enforce peer cert checking via this classes' __call__ method
self.ctx.set_verify(SSL.verify_peer|SSL.verify_fail_if_no_peer_cert,
9,
callback=self)
if installOpener:
urllib2.install_opener(build_opener(ssl_context=self.ctx))
if idpConfigFilePath is not None:
self.idPValidators += \
self.readConfig(idpConfigFilePath=idpConfigFilePath)
log.info("%d IdPValidator(s) initialised", len(self.idPValidators))
def __init__(self, idpConfigFilePath=None, installOpener=False):
if _M2CRYPTO_NOT_INSTALLED:
raise ImportError("M2Crypto is required for SSL-based IdP "
"validation but it is not installed.")
super(SSLIdPValidationDriver, self).__init__()
# Context object determines what validation is applied against the
# peer's certificate in the SSL connection
self.ctx = SSL.Context()
# Enforce peer cert checking via this classes' __call__ method
self.ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert,
9,
callback=self)
if installOpener:
urllib2.install_opener(build_opener(ssl_context=self.ctx))
if idpConfigFilePath is not None:
self.idPValidators += \
self.readConfig(idpConfigFilePath=idpConfigFilePath)
log.info("%d IdPValidator(s) initialised", len(self.idPValidators))
'passwordTextField': login_data['password'],
'success' : 'https://login.m.o2online.de/ndm/?url=o2activehome&',
'id13_hf_0' : ''
}
login_data_encoded = m2urllib.urlencode(login_form_data)
ctx = SSL.Context()
# If you comment out the next 2 lines, the connection won't be secure
ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, depth=9)
ctx.load_verify_locations(O2_SSL_CERTIFICATE)
c = SSL.Connection(ctx)
cj = cookielib.CookieJar()
opener = m2urllib2.build_opener(ctx, m2urllib2.HTTPCookieProcessor(cj))
m2urllib2.install_opener(opener)
print "processing"
try:
ctx.load_verify_locations(O2_SSL_CERTIFICATE)
# login
resp = opener.open(O2_LOGIN, login_data_encoded)
ctx.load_verify_locations(O2_SSL_CERTIFICATE)
# go to billing page
resp = opener.open('http://m.o2online.de/vertrag/rechnung/aktuelle-rechnung')
last_respone = resp.read();
print "get billing page"
def usage():
opener = m2urllib2.build_opener()
response = opener.open('www.google.com')
print 'html: ', response.read()
print 'info: ', response.info()
print 'url: ', response.geturl()
def test_urllib2_opener_handlers(self):
ctx = SSL.Context()
m2urllib2.build_opener(ctx, m2urllib2.HTTPBasicAuthHandler())
def test_urllib2_opener_handlers(self):
ctx = SSL.Context()
from M2Crypto import m2urllib2
m2urllib2.build_opener(ctx, m2urllib2.HTTPBasicAuthHandler())
def _build_opener(apiurl):
from osc.core import __version__
global config
class OscHTTPBasicAuthHandler(HTTPBasicAuthHandler, object):
# python2: inherit from object in order to make it a new-style class
# (HTTPBasicAuthHandler is not a new-style class)
def _rewind_request(self, req):
if hasattr(req.data, 'seek'):
# if the request is issued again (this time with an
# Authorization header), the file's offset has to be
# repositioned to the beginning of the file (otherwise,
# a 0-length body is sent which most likely does not match
# the Content-Length header (if present))
req.data.seek(0)
def retry_http_basic_auth(self, host, req, realm):
self._rewind_request(req)
return super(self.__class__,
self).retry_http_basic_auth(host, req, realm)
if 'last_opener' not in _build_opener.__dict__:
_build_opener.last_opener = (None, None)
if apiurl == _build_opener.last_opener[0]:
return _build_opener.last_opener[1]
# respect no_proxy env variable
if proxy_bypass(apiurl):
# initialize with empty dict
proxyhandler = ProxyHandler({})
else:
# read proxies from env
proxyhandler = ProxyHandler()
authhandler_class = OscHTTPBasicAuthHandler
# workaround for http://bugs.python.org/issue9639
if sys.version_info >= (2, 6, 6) and sys.version_info < (2, 7, 9):
class OscHTTPBasicAuthHandlerCompat(OscHTTPBasicAuthHandler):
# The following two functions were backported from upstream 2.7.
def http_error_auth_reqed(self, authreq, host, req, headers):
authreq = headers.get(authreq, None)
if authreq:
mo = AbstractBasicAuthHandler.rx.search(authreq)
if mo:
scheme, quote, realm = mo.groups()
if quote not in ['"', "'"]:
warnings.warn("Basic Auth Realm was unquoted",
UserWarning, 2)
if scheme.lower() == 'basic':
return self.retry_http_basic_auth(host, req, realm)
def retry_http_basic_auth(self, host, req, realm):
self._rewind_request(req)
user, pw = self.passwd.find_user_password(realm, host)
if pw is not None:
raw = "%s:%s" % (user, pw)
auth = 'Basic %s' % base64.b64encode(raw).strip()
if req.get_header(self.auth_header, None) == auth:
return None
req.add_unredirected_header(self.auth_header, auth)
return self.parent.open(req, timeout=req.timeout)
else:
return None
authhandler_class = OscHTTPBasicAuthHandlerCompat
options = config['api_host_options'][apiurl]
# with None as first argument, it will always use this username/password
# combination for urls for which arg2 (apisrv) is a super-url
authhandler = authhandler_class( \
HTTPPasswordMgrWithDefaultRealm())
authhandler.add_password(None, apiurl, options['user'], options['pass'])
if options['sslcertck']:
try:
from . import oscssl
from M2Crypto import m2urllib2
except ImportError as e:
print(e)
raise NoSecureSSLError(
'M2Crypto is needed to access %s in a secure way.\nPlease install python-m2crypto.'
% apiurl)
cafile = options.get('cafile', None)
capath = options.get('capath', None)
if not cafile and not capath:
for i in ['/etc/pki/tls/cert.pem', '/etc/ssl/certs']:
if os.path.isfile(i):
cafile = i
break
elif os.path.isdir(i):
capath = i
break
if not cafile and not capath:
raise oscerr.OscIOError(
None,
'No CA certificates found. (You may want to install ca-certificates-mozilla package)'
)
ctx = oscssl.mySSLContext()
if ctx.load_verify_locations(capath=capath, cafile=cafile) != 1:
raise oscerr.OscIOError(
None,
'No CA certificates found. (You may want to install ca-certificates-mozilla package)'
)
opener = m2urllib2.build_opener(
ctx, oscssl.myHTTPSHandler(ssl_context=ctx, appname='osc'),
HTTPCookieProcessor(cookiejar), authhandler, proxyhandler)
else:
handlers = [HTTPCookieProcessor(cookiejar), authhandler, proxyhandler]
try:
# disable ssl cert check in python >= 2.7.9
ctx = ssl._create_unverified_context()
handlers.append(HTTPSHandler(context=ctx))
except AttributeError:
pass
print(
"WARNING: SSL certificate checks disabled. Connection is insecure!\n",
file=sys.stderr)
opener = build_opener(*handlers)
opener.addheaders = [('User-agent', 'osc/%s' % __version__)]
_build_opener.last_opener = (apiurl, opener)
return opener
def _build_opener(apiurl):
from osc.core import __version__
global config
if 'last_opener' not in _build_opener.__dict__:
_build_opener.last_opener = (None, None)
if apiurl == _build_opener.last_opener[0]:
return _build_opener.last_opener[1]
# respect no_proxy env variable
if proxy_bypass(apiurl):
# initialize with empty dict
proxyhandler = ProxyHandler({})
else:
# read proxies from env
proxyhandler = ProxyHandler()
# workaround for http://bugs.python.org/issue9639
authhandler_class = HTTPBasicAuthHandler
if sys.version_info >= (2, 6, 6) and sys.version_info < (2, 7, 1) \
and not 'reset_retry_count' in dir(HTTPBasicAuthHandler):
print('warning: your urllib2 version seems to be broken. ' \
'Using a workaround for http://bugs.python.org/issue9639', file=sys.stderr)
class OscHTTPBasicAuthHandler(HTTPBasicAuthHandler):
def http_error_401(self, *args):
response = HTTPBasicAuthHandler.http_error_401(self, *args)
self.retried = 0
return response
def http_error_404(self, *args):
self.retried = 0
return None
authhandler_class = OscHTTPBasicAuthHandler
elif sys.version_info >= (2, 6, 6) and sys.version_info < (2, 7, 1):
class OscHTTPBasicAuthHandler(HTTPBasicAuthHandler):
def http_error_404(self, *args):
self.reset_retry_count()
return None
authhandler_class = OscHTTPBasicAuthHandler
elif sys.version_info >= (2, 6, 5) and sys.version_info < (2, 6, 6):
# workaround for broken urllib2 in python 2.6.5: wrong credentials
# lead to an infinite recursion
class OscHTTPBasicAuthHandler(HTTPBasicAuthHandler):
def retry_http_basic_auth(self, host, req, realm):
# don't retry if auth failed
if req.get_header(self.auth_header, None) is not None:
return None
return HTTPBasicAuthHandler.retry_http_basic_auth(self, host, req, realm)
authhandler_class = OscHTTPBasicAuthHandler
options = config['api_host_options'][apiurl]
# with None as first argument, it will always use this username/password
# combination for urls for which arg2 (apisrv) is a super-url
authhandler = authhandler_class( \
HTTPPasswordMgrWithDefaultRealm())
authhandler.add_password(None, apiurl, options['user'], options['pass'])
if options['sslcertck']:
try:
from . import oscssl
from M2Crypto import m2urllib2
except ImportError as e:
print(e)
raise NoSecureSSLError('M2Crypto is needed to access %s in a secure way.\nPlease install python-m2crypto.' % apiurl)
cafile = options.get('cafile', None)
capath = options.get('capath', None)
if not cafile and not capath:
for i in ['/etc/pki/tls/cert.pem', '/etc/ssl/certs']:
if os.path.isfile(i):
cafile = i
break
elif os.path.isdir(i):
capath = i
break
if not cafile and not capath:
raise oscerr.OscIOError(None, 'No CA certificates found')
ctx = oscssl.mySSLContext()
if ctx.load_verify_locations(capath=capath, cafile=cafile) != 1:
raise oscerr.OscIOError(None, 'No CA certificates found')
opener = m2urllib2.build_opener(ctx, oscssl.myHTTPSHandler(ssl_context=ctx, appname='osc'), HTTPCookieProcessor(cookiejar), authhandler, proxyhandler)
else:
handlers = [HTTPCookieProcessor(cookiejar), authhandler, proxyhandler]
try:
# disable ssl cert check in python >= 2.7.9
ctx = ssl._create_unverified_context()
handlers.append(HTTPSHandler(context=ctx))
except AttributeError:
pass
print("WARNING: SSL certificate checks disabled. Connection is insecure!\n", file=sys.stderr)
opener = build_opener(*handlers)
opener.addheaders = [('User-agent', 'osc/%s' % __version__)]
_build_opener.last_opener = (apiurl, opener)
return opener
def test_urllib2_opener_handlers(self):
ctx = SSL.Context()
m2urllib2.build_opener(ctx, m2urllib2.HTTPBasicAuthHandler())
def test_urllib2_opener_handlers(self):
ctx = SSL.Context()
from M2Crypto import m2urllib2
opener = m2urllib2.build_opener(ctx,
m2urllib2.HTTPBasicAuthHandler())
def create_opener(self, *handlers):
return m2urllib2.build_opener(self.ssl_context, *handlers)
def create_opener(self, *handlers):
return m2urllib2.build_opener(self.ssl_context, *handlers)
def _build_opener(apiurl):
from osc.core import __version__
global config
if 'last_opener' not in _build_opener.__dict__:
_build_opener.last_opener = (None, None)
if apiurl == _build_opener.last_opener[0]:
return _build_opener.last_opener[1]
# respect no_proxy env variable
if proxy_bypass(apiurl):
# initialize with empty dict
proxyhandler = ProxyHandler({})
else:
# read proxies from env
proxyhandler = ProxyHandler()
# workaround for http://bugs.python.org/issue9639
authhandler_class = HTTPBasicAuthHandler
if sys.version_info >= (2, 6, 6) and sys.version_info < (2, 7, 9):
class OscHTTPBasicAuthHandler(HTTPBasicAuthHandler):
# The following two functions were backported from upstream 2.7.
def http_error_auth_reqed(self, authreq, host, req, headers):
authreq = headers.get(authreq, None)
if authreq:
mo = AbstractBasicAuthHandler.rx.search(authreq)
if mo:
scheme, quote, realm = mo.groups()
if quote not in ['"', "'"]:
warnings.warn("Basic Auth Realm was unquoted",
UserWarning, 2)
if scheme.lower() == 'basic':
return self.retry_http_basic_auth(host, req, realm)
def retry_http_basic_auth(self, host, req, realm):
user, pw = self.passwd.find_user_password(realm, host)
if pw is not None:
raw = "%s:%s" % (user, pw)
auth = 'Basic %s' % base64.b64encode(raw).strip()
if req.get_header(self.auth_header, None) == auth:
return None
req.add_unredirected_header(self.auth_header, auth)
return self.parent.open(req, timeout=req.timeout)
else:
return None
authhandler_class = OscHTTPBasicAuthHandler
options = config['api_host_options'][apiurl]
# with None as first argument, it will always use this username/password
# combination for urls for which arg2 (apisrv) is a super-url
authhandler = authhandler_class( \
HTTPPasswordMgrWithDefaultRealm())
authhandler.add_password(None, apiurl, options['user'], options['pass'])
if options['sslcertck']:
try:
from . import oscssl
from M2Crypto import m2urllib2
except ImportError as e:
print(e)
raise NoSecureSSLError('M2Crypto is needed to access %s in a secure way.\nPlease install python-m2crypto.' % apiurl)
cafile = options.get('cafile', None)
capath = options.get('capath', None)
if not cafile and not capath:
for i in ['/etc/pki/tls/cert.pem', '/etc/ssl/certs']:
if os.path.isfile(i):
cafile = i
break
elif os.path.isdir(i):
capath = i
break
if not cafile and not capath:
raise oscerr.OscIOError(None, 'No CA certificates found. (You may want to install ca-certificates-mozilla package)')
ctx = oscssl.mySSLContext()
if ctx.load_verify_locations(capath=capath, cafile=cafile) != 1:
raise oscerr.OscIOError(None, 'No CA certificates found. (You may want to install ca-certificates-mozilla package)')
opener = m2urllib2.build_opener(ctx, oscssl.myHTTPSHandler(ssl_context=ctx, appname='osc'), HTTPCookieProcessor(cookiejar), authhandler, proxyhandler)
else:
handlers = [HTTPCookieProcessor(cookiejar), authhandler, proxyhandler]
try:
# disable ssl cert check in python >= 2.7.9
ctx = ssl._create_unverified_context()
handlers.append(HTTPSHandler(context=ctx))
except AttributeError:
pass
print("WARNING: SSL certificate checks disabled. Connection is insecure!\n", file=sys.stderr)
opener = build_opener(*handlers)
opener.addheaders = [('User-agent', 'osc/%s' % __version__)]
_build_opener.last_opener = (apiurl, opener)
return opener
def _build_opener(apiurl):
from osc.core import __version__
global config
if 'last_opener' not in _build_opener.__dict__:
_build_opener.last_opener = (None, None)
if apiurl == _build_opener.last_opener[0]:
return _build_opener.last_opener[1]
# respect no_proxy env variable
if proxy_bypass(apiurl):
# initialize with empty dict
proxyhandler = ProxyHandler({})
else:
# read proxies from env
proxyhandler = ProxyHandler()
# workaround for http://bugs.python.org/issue9639
authhandler_class = HTTPBasicAuthHandler
if sys.version_info >= (2, 6, 6) and sys.version_info < (2, 7, 1) \
and not 'reset_retry_count' in dir(HTTPBasicAuthHandler):
print('warning: your urllib2 version seems to be broken. ' \
'Using a workaround for http://bugs.python.org/issue9639', file=sys.stderr)
class OscHTTPBasicAuthHandler(HTTPBasicAuthHandler):
def http_error_401(self, *args):
response = HTTPBasicAuthHandler.http_error_401(self, *args)
self.retried = 0
return response
def http_error_404(self, *args):
self.retried = 0
return None
authhandler_class = OscHTTPBasicAuthHandler
elif sys.version_info >= (2, 6, 6) and sys.version_info < (2, 7, 1):
class OscHTTPBasicAuthHandler(HTTPBasicAuthHandler):
def http_error_404(self, *args):
self.reset_retry_count()
return None
authhandler_class = OscHTTPBasicAuthHandler
elif sys.version_info >= (2, 6, 5) and sys.version_info < (2, 6, 6):
# workaround for broken urllib2 in python 2.6.5: wrong credentials
# lead to an infinite recursion
class OscHTTPBasicAuthHandler(HTTPBasicAuthHandler):
def retry_http_basic_auth(self, host, req, realm):
# don't retry if auth failed
if req.get_header(self.auth_header, None) is not None:
return None
return HTTPBasicAuthHandler.retry_http_basic_auth(
self, host, req, realm)
authhandler_class = OscHTTPBasicAuthHandler
options = config['api_host_options'][apiurl]
# with None as first argument, it will always use this username/password
# combination for urls for which arg2 (apisrv) is a super-url
authhandler = authhandler_class( \
HTTPPasswordMgrWithDefaultRealm())
authhandler.add_password(None, apiurl, options['user'], options['pass'])
if options['sslcertck']:
try:
from . import oscssl
from M2Crypto import m2urllib2
except ImportError as e:
print(e)
raise NoSecureSSLError(
'M2Crypto is needed to access %s in a secure way.\nPlease install python-m2crypto.'
% apiurl)
cafile = options.get('cafile', None)
capath = options.get('capath', None)
if not cafile and not capath:
for i in ['/etc/pki/tls/cert.pem', '/etc/ssl/certs']:
if os.path.isfile(i):
cafile = i
break
elif os.path.isdir(i):
capath = i
break
if not cafile and not capath:
raise oscerr.OscIOError(None, 'No CA certificates found')
ctx = oscssl.mySSLContext()
if ctx.load_verify_locations(capath=capath, cafile=cafile) != 1:
raise oscerr.OscIOError(None, 'No CA certificates found')
opener = m2urllib2.build_opener(
ctx, oscssl.myHTTPSHandler(ssl_context=ctx, appname='osc'),
HTTPCookieProcessor(cookiejar), authhandler, proxyhandler)
else:
handlers = [HTTPCookieProcessor(cookiejar), authhandler, proxyhandler]
try:
# disable ssl cert check in python >= 2.7.9
ctx = ssl._create_unverified_context()
handlers.append(HTTPSHandler(context=ctx))
except AttributeError:
pass
print(
"WARNING: SSL certificate checks disabled. Connection is insecure!\n",
file=sys.stderr)
opener = build_opener(*handlers)
opener.addheaders = [('User-agent', 'osc/%s' % __version__)]
_build_opener.last_opener = (apiurl, opener)
return opener
def _build_opener(url):
from osc.core import __version__
global config
apiurl = urljoin(*parse_apisrv_url(None, url))
if "last_opener" not in _build_opener.__dict__:
_build_opener.last_opener = (None, None)
if apiurl == _build_opener.last_opener[0]:
return _build_opener.last_opener[1]
# respect no_proxy env variable
if urllib.proxy_bypass(apiurl):
# initialize with empty dict
proxyhandler = urllib2.ProxyHandler({})
else:
# read proxies from env
proxyhandler = urllib2.ProxyHandler()
# workaround for http://bugs.python.org/issue9639
authhandler_class = urllib2.HTTPBasicAuthHandler
if (
sys.version_info >= (2, 6, 6)
and sys.version_info < (2, 7, 1)
and not "reset_retry_count" in dir(urllib2.HTTPBasicAuthHandler)
):
print >> sys.stderr, "warning: your urllib2 version seems to be broken. " "Using a workaround for http://bugs.python.org/issue9639"
class OscHTTPBasicAuthHandler(urllib2.HTTPBasicAuthHandler):
def http_error_401(self, *args):
response = urllib2.HTTPBasicAuthHandler.http_error_401(self, *args)
self.retried = 0
return response
def http_error_404(self, *args):
self.retried = 0
return None
authhandler_class = OscHTTPBasicAuthHandler
elif sys.version_info >= (2, 6, 6) and sys.version_info < (2, 7, 1):
class OscHTTPBasicAuthHandler(urllib2.HTTPBasicAuthHandler):
def http_error_404(self, *args):
self.reset_retry_count()
return None
authhandler_class = OscHTTPBasicAuthHandler
elif sys.version_info >= (2, 6, 5) and sys.version_info < (2, 6, 6):
# workaround for broken urllib2 in python 2.6.5: wrong credentials
# lead to an infinite recursion
class OscHTTPBasicAuthHandler(urllib2.HTTPBasicAuthHandler):
def retry_http_basic_auth(self, host, req, realm):
# don't retry if auth failed
if req.get_header(self.auth_header, None) is not None:
return None
return urllib2.HTTPBasicAuthHandler.retry_http_basic_auth(self, host, req, realm)
authhandler_class = OscHTTPBasicAuthHandler
options = config["api_host_options"][apiurl]
# with None as first argument, it will always use this username/password
# combination for urls for which arg2 (apisrv) is a super-url
authhandler = authhandler_class(urllib2.HTTPPasswordMgrWithDefaultRealm())
authhandler.add_password(None, apiurl, options["user"], options["pass"])
if options["sslcertck"]:
try:
import oscssl
from M2Crypto import m2urllib2
except ImportError, e:
print e
raise NoSecureSSLError(
"M2Crypto is needed to access %s in a secure way.\nPlease install python-m2crypto." % apiurl
)
cafile = options.get("cafile", None)
capath = options.get("capath", None)
if not cafile and not capath:
for i in ["/etc/pki/tls/cert.pem", "/etc/ssl/certs"]:
if os.path.isfile(i):
cafile = i
break
elif os.path.isdir(i):
capath = i
break
ctx = oscssl.mySSLContext()
if ctx.load_verify_locations(capath=capath, cafile=cafile) != 1:
raise Exception("No CA certificates found")
opener = m2urllib2.build_opener(
ctx,
oscssl.myHTTPSHandler(ssl_context=ctx, appname="osc"),
urllib2.HTTPCookieProcessor(cookiejar),
authhandler,
proxyhandler,
)
