Michael Pasternak has uploaded a new change for review. Change subject: sdk: implement server identity check ......................................................................
sdk: implement server identity check Change-Id: I5daf24ed7e5dfd7d0e2fb117bf62cf2e5f209148 Signed-off-by: Michael Pasternak <mpast...@redhat.com> --- M src/codegen/entrypoint/entrypoint.py M src/codegen/main.py M src/ovirtsdk/api.py M src/ovirtsdk/infrastructure/connectionspool.py M src/ovirtsdk/web/connection.py A src/ovirtsdk/web/httpsconnection.py 6 files changed, 77 insertions(+), 11 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine-sdk refs/changes/09/7209/1 diff --git a/src/codegen/entrypoint/entrypoint.py b/src/codegen/entrypoint/entrypoint.py index 3c61b09..1d15832 100644 --- a/src/codegen/entrypoint/entrypoint.py +++ b/src/codegen/entrypoint/entrypoint.py @@ -128,14 +128,15 @@ api_template = EntryPoint.entryPointImports() + \ EntryPoint.entryPointCustomImports(types) + \ """class API(): - def __init__(self, url, username, password, key_file=None, cert_file=None, port=None, timeout=None, persistent_auth=True, debug=False): + def __init__(self, url, username, password, key_file=None, cert_file=None, ca_file=None, port=None, timeout=None, persistent_auth=True, debug=False): \""" @param url: server url (format "http/s://server[:port]/api") @param username: user (format user@domain) @param password: password - [@param key_file: key_file for ssl enabled connection] - [@param cert_file: cert_file for ssl enabled connection] + [@param key_file: client PEM key_file for ssl enabled connection] + [@param cert_file: client PEM cert_file for ssl enabled connection] + [@param ca_file: server ca_file for ssl enabled connection] [@param port: port to use (if not specified in url)] [@param timeout: request timeout] [@param persistent_auth: enable persistent authentication (format True|False)] @@ -149,6 +150,7 @@ password=password, key_file=key_file, cert_file=cert_file, + ca_file=ca_file, port=port, strict=False, timeout=timeout, diff --git a/src/codegen/main.py b/src/codegen/main.py index 7482054..ad5aab2 100644 --- a/src/codegen/main.py 
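Review bot: The new docstring line `[@param ca_file: server ca_file for ssl enabled connection]` in the API template does not tell the caller what the file must contain or what happens when it is omitted, which is the one thing a user enabling this check needs to know. The same line is added to the generated `src/ovirtsdk/api.py` in this change, so correcting the template is enough. Suggest `[@param ca_file: PEM file with the CA certificate(s) used to verify the server certificate; when omitted the server certificate is not verified]`.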
+++ b/src/codegen/main.py @@ -60,6 +60,7 @@ port=None, key_file=None, cert_file=None, + ca_file=None, strict=False, timeout=None, username=USER, diff --git a/src/ovirtsdk/api.py b/src/ovirtsdk/api.py index b838714..10b90e3 100644 --- a/src/ovirtsdk/api.py +++ b/src/ovirtsdk/api.py @@ -20,7 +20,7 @@ ######################################## ''' -Generated at: 2012-07-12 12:04:39.927723 +Generated at: 2012-08-15 13:34:35.546882 @author: mpast...@redhat.com ''' @@ -48,14 +48,15 @@ class API(): - def __init__(self, url, username, password, key_file=None, cert_file=None, port=None, timeout=None, persistent_auth=True, debug=False): + def __init__(self, url, username, password, key_file=None, cert_file=None, ca_file=None, port=None, timeout=None, persistent_auth=True, debug=False): """ @param url: server url (format "http/s://server[:port]/api") @param username: user (format user@domain) @param password: password - [@param key_file: key_file for ssl enabled connection] - [@param cert_file: cert_file for ssl enabled connection] + [@param key_file: client PEM key_file for ssl enabled connection] + [@param cert_file: client PEM cert_file for ssl enabled connection] + [@param ca_file: server ca_file for ssl enabled connection] [@param port: port to use (if not specified in url)] [@param timeout: request timeout] [@param persistent_auth: enable persistent authentication (format True|False)] @@ -69,6 +70,7 @@ password=password, key_file=key_file, cert_file=cert_file, + ca_file=ca_file, port=port, strict=False, timeout=timeout, diff --git a/src/ovirtsdk/infrastructure/connectionspool.py b/src/ovirtsdk/infrastructure/connectionspool.py index 1aae67e..6c7d684 100644 --- a/src/ovirtsdk/infrastructure/connectionspool.py +++ b/src/ovirtsdk/infrastructure/connectionspool.py 
@@ -22,7 +22,7 @@ ''' ConnectionsManager used to manage pool of web connections ''' - def __init__(self, url, port, key_file, cert_file, strict, timeout, username, password, count=20, debug=False): + def __init__(self, url, port, key_file, cert_file, ca_file, strict, timeout, username, password, count=20, debug=False): self.__free_connections = Queue(0) self.__busy_connections = {} @@ -37,6 +37,7 @@ port=port, \ key_file=key_file, \ cert_file=cert_file, \ + ca_file=ca_file, \ strict=strict, \ timeout=timeout, \ username=username, \ diff --git a/src/ovirtsdk/web/connection.py b/src/ovirtsdk/web/connection.py index 540afca..fdd3942 100644 --- a/src/ovirtsdk/web/connection.py +++ b/src/ovirtsdk/web/connection.py @@ -15,19 +15,21 @@ # import base64 -from httplib import HTTPConnection, HTTPSConnection +from httplib import HTTPConnection import urllib import urlparse +from ovirtsdk.web.httpsconnection import HTTPSConnection class Connection(object): ''' The oVirt api connection proxy ''' - def __init__(self, url, port, key_file, cert_file, strict, timeout, username, password, manager, debug=False): + def __init__(self, url, port, key_file, cert_file, ca_file, strict, timeout, username, password, manager, debug=False): self.__connection = self.__createConnection(url=url, port=port, key_file=key_file, cert_file=cert_file, + ca_file=ca_file, strict=strict, timeout=timeout) self.__connection.set_debuglevel(int(debug)) @@ -81,7 +83,7 @@ return urlparse.urlparse(url) - def __createConnection(self, url, key_file=None, cert_file=None, port=None, strict=None, timeout=None): + def __createConnection(self, url, key_file=None, cert_file=None, ca_file=None, port=None, strict=None, timeout=None): u = self.__parse_url(url) if(u.scheme == 'https'): @@ -89,6 +91,7 @@ port=u.port, key_file=key_file, cert_file=cert_file, + ca_file=ca_file, strict=strict, timeout=timeout) return HTTPConnection(host=u.hostname, 
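Review bot: `ca_file` is inserted between `cert_file` and `strict` in the positional parameter list of `ConnectionsManager.__init__`, and likewise in `Connection.__init__` in `src/ovirtsdk/web/connection.py` in this change, so any caller passing these arguments positionally now has `strict`, `timeout`, `username` and `password` shifted by one without an error. The callers visible in this change use keywords, so they are unaffected, but appending the parameter at the end with a default, `ca_file=None`, as `__createConnection` already does, would keep existing positional calls working.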
diff --git a/src/ovirtsdk/web/httpsconnection.py b/src/ovirtsdk/web/httpsconnection.py
new file mode 100644
index 0000000..357f723
--- /dev/null
+++ b/src/ovirtsdk/web/httpsconnection.py
@@ -0,0 +1,57 @@
+#
+# Copyright (c) 2010 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+import httplib
+import socket
+import ssl
+
+
+class HTTPSConnection(httplib.HTTPSConnection):
+ '''
+ This class is httplib.HTTPSConnection decorator providing
+ server certificate validation capabilities.
+ '''
+
+ def __init__(self, host, port=None, key_file=None, cert_file=None, ca_file=None,
+ strict=None, timeout=socket._GLOBAL_DEFAULT_TIMEOUT, source_address=None):
+ httplib.HTTPSConnection.__init__(self, host=host, port=port, key_file=key_file,
+ cert_file=cert_file, strict=strict, timeout=timeout,
+ source_address=source_address)
+ self.ca_file = ca_file
+
+ def connect(self):
+ '''
+ httplib.HTTPSConnection.connect() clone that connects to a host on a given (SSL) port,
+ but forcing ssl.CERT_REQUIRED if ca_file has been specified.
+ '''
+
+ sock = socket.create_connection((self.host, self.port),
+ self.timeout, self.source_address)
+ if self._tunnel_host:
+ self.sock = sock
+ self._tunnel()
+
+ if self.ca_file:
+ self.sock = ssl.wrap_socket(sock,
+ self.key_file,
+ self.cert_file,
+ ca_certs=self.ca_file,
+ cert_reqs=ssl.CERT_REQUIRED)
+ else:
+ self.sock = ssl.wrap_socket(sock,
+ self.key_file,
+ self.cert_file,
+ cert_reqs=ssl.CERT_NONE)
-- To view, visit http://gerrit.ovirt.org/7209 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I5daf24ed7e5dfd7d0e2fb117bf62cf2e5f209148 Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine-sdk Gerrit-Branch: master Gerrit-Owner: Michael Pasternak <mpast...@redhat.com> _______________________________________________ Engine-patches mailing list Engine-patches@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-patches
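Review bot: With `ca_file` set, `connect()` only validates the certificate chain through `cert_reqs=ssl.CERT_REQUIRED`; nothing compares the presented certificate to `self.host`, so any certificate issued by that CA for any name is accepted and the "server identity check" named in the subject is in practice only a chain check. After the `ssl.wrap_socket` call in the `ca_file` branch, verify the peer name, e.g. `ssl.match_hostname(self.sock.getpeercert(), self.host)` on interpreters that provide it (Python 2.7.9 and later; older ones need an equivalent), and close the socket and raise when it does not match so the mismatch cannot be swallowed by later reads. The `connect()` docstring should state that contract once it holds, and the class docstring should say that without `ca_file` the socket is wrapped with `ssl.CERT_NONE`, i.e. the server certificate is not checked at all, exactly as plain httplib behaves.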