Juan Hernandez has uploaded a new change for review. Change subject: sdk: Send session header ......................................................................
sdk: Send session header As part of the implementation of the CSRF protection mechanism the server will in the near future start to require clients to send a header named JSESSIONID containing exactly the same value than the already existing JSESSIONID cookie. See the corresponding engine change for details: http://gerrit.ovirt.org/26578 This patch modifies the SDK so that it will always send this header. Change-Id: Idb4fa7788d7c4c0824f5d4b95205d2f043bc6a93 Signed-off-by: Juan Hernandez <juan.hernan...@redhat.com> --- M src/ovirtsdk/web/connection.py 1 file changed, 20 insertions(+), 14 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine-sdk refs/changes/43/26843/1 diff --git a/src/ovirtsdk/web/connection.py b/src/ovirtsdk/web/connection.py index 9b0f4d6..10cf6fc 100644 --- a/src/ovirtsdk/web/connection.py +++ b/src/ovirtsdk/web/connection.py @@ -29,6 +29,11 @@ from ovirtsdk.infrastructure.errors import NoCertificatesError, ImmutableError, RequestError, ConnectionError +# The name of the session identifier, use both as the name of the session +# cookie and the name of the session header: +SESSION_ID = "JSESSIONID" + + class Connection(object): ''' The oVirt api connection proxy @@ -101,6 +106,12 @@ request_adapter = CookieJarAdapter(self.__url + url, request_headers) self.__manager.addCookieHeaders(request_adapter) + # In order to protect itself from CSRF attacks, the server requires + # a header containing the same value that the session cookie: + session_id = self.__getCookie(SESSION_ID) + if session_id is not None: + request_headers[SESSION_ID] = session_id + # Every request except the last one should indicate that we prefer # to use persistent authentication: if persistent_auth and not last: @@ -114,9 +125,7 @@ self.getHeaders(request_headers, no_auth= persistent_auth and \ - self.__isSetJsessionCookie( - self.__manager.getCookiesJar() - ), + session_id is not None ) ) 
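Review bot: The value copied into the `JSESSIONID` header in the second hunk comes from `__getCookie(SESSION_ID)`, which (last hunk) returns the first cookie with that name and ignores its domain and path, so it is not guaranteed to be the cookie that `addCookieHeaders` attaches for this URL. If the jar can ever hold session cookies for more than one host or path, which is not visible here, the header could carry a session id issued by a different server, so the CSRF comparison would fail and the id would be disclosed to the wrong endpoint. The third hunk's `no_auth` decision (`session_id is not None`) rests on the same lookup, so credentials are withheld on the strength of that same cookie. Consider restricting the lookup to cookies scoped to the request URL and recording the intent with a comment such as `# Only a session cookie scoped to self.__url may be echoed as a header`. The enclosing method starts and ends outside these hunks.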
@@ -157,19 +166,16 @@ if conn.getConnection().debuglevel: print 'body:\n' + body if body else '' - def __isSetJsessionCookie(self, cookies_jar): + def __getCookie(self, name): ''' - Checks if JSESSIONID cookie is set + Get the value of the cookie, or None if the cookie + doesn't exist. + ''' - @param cookies_jar: cookies container - ''' - if cookies_jar and len(cookies_jar._cookies) > 0: - for key in cookies_jar._cookies.keys(): - if key and len(cookies_jar._cookies[key]) > 0: - for value in cookies_jar._cookies[key].values(): - if value and 'JSESSIONID' in value.keys(): - return True - return False + for cookie in self.__manager.getCookiesJar(): + if cookie.name == name: + return cookie.value + return None def getHeaders(self, headers={}, no_auth=False): headers.update(self.getDefaultHeaders(no_auth)) -- To view, visit http://gerrit.ovirt.org/26843 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Idb4fa7788d7c4c0824f5d4b95205d2f043bc6a93 Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine-sdk Gerrit-Branch: master Gerrit-Owner: Juan Hernandez <juan.hernan...@redhat.com> _______________________________________________ Engine-patches mailing list Engine-patches@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-patches
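Review bot: `__getCookie` iterates `self.__manager.getCookiesJar()` directly, whereas the removed `__isSetJsessionCookie` first tested `if cookies_jar and ...`; if the manager can return `None` (not visible here), the loop now raises `TypeError` instead of returning `None`. The match is also by name alone, so a cookie that has expired but is still held in the jar would presumably be returned and then echoed as the header. A guarded form would be `jar = self.__manager.getCookiesJar() or ()` with the test `if cookie.name == name and not cookie.is_expired():`. The new docstring could also keep the `@param name:` line that the removed docstring's style used for its argument.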