def _configure_ssl(self, properties):
if (not properties
or not self._SSL_PROPS.intersection(set(iter(properties)))):
return None
mode = proton.SSLDomain.MODE_CLIENT
if properties.get('x-ssl-server', properties.get('x-server')):
mode = proton.SSLDomain.MODE_SERVER
identity = properties.get('x-ssl-identity')
ca_file = properties.get('x-ssl-ca-file')
if (not ca_file and properties.get('x-ssl')
and hasattr(ssl, 'get_default_verify_paths')):
ca_file = ssl.get_default_verify_paths().cafile
hostname = properties.get('x-ssl-peer-name',
properties.get('hostname'))
# default to most secure level of certificate validation
if not ca_file:
vdefault = 'no-verify'
elif not hostname:
vdefault = 'verify-cert'
else:
vdefault = 'verify-peer'
vmode = properties.get('x-ssl-verify-mode', vdefault)
try:
vmode = self._VERIFY_MODES[vmode]
except KeyError:
raise proton.SSLException("bad value for x-ssl-verify-mode: '%s'" %
vmode)
if vmode == proton.SSLDomain.VERIFY_PEER_NAME:
if not hostname or not ca_file:
raise proton.SSLException("verify-peer needs x-ssl-peer-name"
" and x-ssl-ca-file")
elif vmode == proton.SSLDomain.VERIFY_PEER:
if not ca_file:
raise proton.SSLException("verify-cert needs x-ssl-ca-file")
# This will throw proton.SSLUnavailable if SSL support is not installed
domain = proton.SSLDomain(mode)
if identity:
# our identity:
domain.set_credentials(identity[0], identity[1], identity[2])
if ca_file:
# how we verify peers:
domain.set_trusted_ca_db(ca_file)
domain.set_peer_authentication(vmode, ca_file)
if mode == proton.SSLDomain.MODE_SERVER:
if properties.get('x-ssl-allow-cleartext'):
domain.allow_unsecured_client()
pn_ssl = proton.SSL(self._pn_transport, domain)
if hostname:
pn_ssl.peer_hostname = hostname
LOG.debug("SSL configured for connection %s", self._name)
return pn_ssl
def _configure_ssl(self, properties):
if not properties:
return None
verify_modes = {'verify-peer': proton.SSLDomain.VERIFY_PEER_NAME,
'verify-cert': proton.SSLDomain.VERIFY_PEER,
'no-verify': proton.SSLDomain.ANONYMOUS_PEER}
mode = proton.SSLDomain.MODE_CLIENT
if properties.get('x-ssl-server', properties.get('x-server')):
mode = proton.SSLDomain.MODE_SERVER
identity = properties.get('x-ssl-identity')
ca_file = properties.get('x-ssl-ca-file')
if not identity and not ca_file:
return None # SSL not configured
hostname = None
# This will throw proton.SSLUnavailable if SSL support is not installed
domain = proton.SSLDomain(mode)
if identity:
# our identity:
domain.set_credentials(identity[0], identity[1], identity[2])
if ca_file:
# how we verify peers:
domain.set_trusted_ca_db(ca_file)
hostname = properties.get('x-ssl-peer-name',
properties.get('hostname'))
vdefault = 'verify-peer' if hostname else 'verify-cert'
vmode = verify_modes.get(properties.get('x-ssl-verify-mode',
vdefault))
# check for configuration error
if not vmode:
raise proton.SSLException("bad value for x-ssl-verify-mode")
if vmode == proton.SSLDomain.VERIFY_PEER_NAME and not hostname:
raise proton.SSLException("verify-peer needs x-ssl-peer-name")
domain.set_peer_authentication(vmode, ca_file)
if mode == proton.SSLDomain.MODE_SERVER:
if properties.get('x-ssl-allow-cleartext'):
domain.allow_unsecured_client()
pn_ssl = proton.SSL(self._pn_transport, domain)
if hostname:
pn_ssl.peer_hostname = hostname
LOG.debug("SSL configured for connection %s", self._name)
return pn_ssl
def __init__(self, args):
super(QpidWatcher, self).__init__()
if args.ssl_cert and args.ssl_key:
self.ssl_domain = proton.SSLDomain(proton.SSLDomain.MODE_CLIENT)
self.ssl_domain.set_credentials(args.ssl_cert, args.ssl_key, None)
# Bad practice, but this is meant for dev testing only.
self.ssl_domain.set_peer_authentication(
proton.SSLDomain.ANONYMOUS_PEER)
else:
self.ssl_domain = None
self.received = 0
self.expected = args.messages
self.url = args.address
self.source = args.source
self.timeout = args.timeout
self.subject = args.subject
self.show_message = args.show_message
self.drain = args.drain
def _get_ssl_domain():
"""
Create the SSL configuration object for qpid-proton.
:return: the configured ``SSLDomain`` object or ``None`` when SSL is not configured
:rtype: proton.SSLDomain
"""
conf = current_app.config
if not all(
conf.get(key) and os.path.exists(conf[key])
for key in ('IIB_MESSAGING_CERT', 'IIB_MESSAGING_KEY', 'IIB_MESSAGING_CA')
):
current_app.logger.warning(
'Skipping authentication due to missing certificates and/or a private key'
)
return
domain = proton.SSLDomain(proton.SSLDomain.MODE_CLIENT)
domain.set_credentials(conf['IIB_MESSAGING_CERT'], conf['IIB_MESSAGING_KEY'], None)
domain.set_trusted_ca_db(conf['IIB_MESSAGING_CA'])
domain.set_peer_authentication(proton.SSLDomain.VERIFY_PEER)
return domain
def __init__(
self,
umb_urls,
radas_address,
claim_messages,
pub_cert,
ca_cert,
timeout,
throttle,
retry,
message_sender_callback,
):
super(ManifestClaimsHandler, self).__init__()
self.umb_urls = umb_urls
self.radas_address = radas_address
self.claim_messages = list(claim_messages)
self.received_messages = []
self.timeout = timeout
self.throttle = throttle
self.retry = retry
self.timer_task = None
self.receiver = None
self.message_sender_callback = message_sender_callback
self.awaiting_response = {} # {request_id: monotonic.monotonic()}
self.retry_count = {} # {request_id: 1/2}
# a mutable list caches messages to send
self.to_send = list(claim_messages)
# {request_id: message} a map used to find wanted message by request_id
self.id_msg_map = {}
for msg in self.claim_messages:
self.id_msg_map[msg["request_id"]] = msg
self.connected = False
self.ssl_domain = proton.SSLDomain(proton.SSLDomain.MODE_CLIENT)
self.ssl_domain.set_credentials(pub_cert, pub_cert, None)
self.ssl_domain.set_trusted_ca_db(ca_cert)
self.ssl_domain.set_peer_authentication(
proton.SSLDomain.ANONYMOUS_PEER)