mirror of
https://github.com/openSUSE/osc.git
synced 2024-12-26 18:06:13 +01:00
- fixed "logic" issue in init_basicauth
the old code didn't turn off the ssl checking if conf['apiurl'] was configured with "sslcertk = 1". Example: ~/.oscrc: [https://foo] sslcertk = 0 ... [https://main] sslcertk = 1 ... [general] apiurl = https://main if you send a request to https://foo (and conf['apiurl'] == https://main) it'll fail because the ssl checking isn't disabled.
This commit is contained in:
Marcus Huewe
parent
2b3fdb4588
commit
2cb03b4efe
113
osc/conf.py
113
osc/conf.py
@ -348,31 +348,22 @@ def get_apiurl_usr(apiurl):
|
|||||||
% (apiurl, config['user'])
|
% (apiurl, config['user'])
|
||||||
return config['user']
|
return config['user']
|
||||||
|
|
||||||
|
# workaround m2crypto issue:
|
||||||
|
# if multiple SSL.Context objects are created
|
||||||
def init_basicauth(config):
|
# m2crypto only uses the last object which was created.
|
||||||
"""initialize urllib2 with the credentials for Basic Authentication"""
|
# So we need to build a new opener everytime we switch the
|
||||||
|
# apiurl (because different apiurls may have different
|
||||||
|
# cafile/capath locations)
|
||||||
|
def _build_opener(url):
|
||||||
from osc.core import __version__
|
from osc.core import __version__
|
||||||
import cookielib
|
|
||||||
import urllib2
|
import urllib2
|
||||||
import sys
|
import sys
|
||||||
|
global config
|
||||||
if config['api_host_options'][config['apiurl']]['sslcertck']:
|
apiurl = urljoin(*parse_apisrv_url(None, url))
|
||||||
try:
|
if not _build_opener.__dict__.has_key('last_opener'):
|
||||||
import oscssl
|
_build_opener.last_opener = (None, None)
|
||||||
from M2Crypto import m2urllib2
|
if apiurl == _build_opener.last_opener[0]:
|
||||||
except ImportError, e:
|
return _build_opener.last_opener[1]
|
||||||
print e
|
|
||||||
raise NoSecureSSLError("M2Crypto is needed to access %s in a secure way.\nPlease install python-m2crypto." % config['apiurl'])
|
|
||||||
|
|
||||||
if sys.version_info < (2, 6):
|
|
||||||
# HTTPS proxy is not supported in old urllib2. It only leads to an error
|
|
||||||
# or, at best, a warning.
|
|
||||||
if 'https_proxy' in os.environ:
|
|
||||||
del os.environ['https_proxy']
|
|
||||||
if 'HTTPS_PROXY' in os.environ:
|
|
||||||
del os.environ['HTTPS_PROXY']
|
|
||||||
|
|
||||||
# workaround for http://bugs.python.org/issue9639
|
# workaround for http://bugs.python.org/issue9639
|
||||||
authhandler_class = urllib2.HTTPBasicAuthHandler
|
authhandler_class = urllib2.HTTPBasicAuthHandler
|
||||||
@ -388,35 +379,23 @@ def init_basicauth(config):
|
|||||||
|
|
||||||
authhandler_class = OscHTTPBasicAuthHandler
|
authhandler_class = OscHTTPBasicAuthHandler
|
||||||
|
|
||||||
if config['http_debug']:
|
options = config['api_host_options'][apiurl]
|
||||||
# brute force
|
# with None as first argument, it will always use this username/password
|
||||||
def urllib2_debug_init(self, debuglevel=0):
|
# combination for urls for which arg2 (apisrv) is a super-url
|
||||||
self._debuglevel = 1
|
|
||||||
urllib2.AbstractHTTPHandler.__init__ = urllib2_debug_init
|
|
||||||
|
|
||||||
authhandler = authhandler_class( \
|
authhandler = authhandler_class( \
|
||||||
urllib2.HTTPPasswordMgrWithDefaultRealm())
|
urllib2.HTTPPasswordMgrWithDefaultRealm())
|
||||||
|
authhandler.add_password(None, apiurl, options['user'], options['pass'])
|
||||||
|
|
||||||
cookie_file = os.path.expanduser(config['cookiejar'])
|
if options['sslcertck']:
|
||||||
global cookiejar
|
|
||||||
cookiejar = cookielib.LWPCookieJar(cookie_file)
|
|
||||||
try:
|
|
||||||
cookiejar.load(ignore_discard=True)
|
|
||||||
except IOError:
|
|
||||||
try:
|
try:
|
||||||
open(cookie_file, 'w').close()
|
import oscssl
|
||||||
os.chmod(cookie_file, 0600)
|
from M2Crypto import m2urllib2
|
||||||
except:
|
except ImportError, e:
|
||||||
#print 'Unable to create cookiejar file: \'%s\'. Using RAM-based cookies.' % cookie_file
|
print e
|
||||||
cookiejar = cookielib.CookieJar()
|
raise NoSecureSSLError('M2Crypto is needed to access %s in a secure way.\nPlease install python-m2crypto.' % apiurl)
|
||||||
|
|
||||||
|
cafile = options.get('cafile', None)
|
||||||
if config['api_host_options'][config['apiurl']]['sslcertck']:
|
capath = options.get('capath', None)
|
||||||
cafile = capath = None
|
|
||||||
if 'capath' in config['api_host_options'][config['apiurl']]:
|
|
||||||
capath = config['api_host_options'][config['apiurl']]['capath']
|
|
||||||
if 'cafile' in config['api_host_options'][config['apiurl']]:
|
|
||||||
cafile = config['api_host_options'][config['apiurl']]['cafile']
|
|
||||||
if not cafile and not capath:
|
if not cafile and not capath:
|
||||||
for i in ['/etc/pki/tls/cert.pem', '/etc/ssl/certs' ]:
|
for i in ['/etc/pki/tls/cert.pem', '/etc/ssl/certs' ]:
|
||||||
if os.path.isfile(i):
|
if os.path.isfile(i):
|
||||||
@ -432,15 +411,43 @@ def init_basicauth(config):
|
|||||||
import sys
|
import sys
|
||||||
print >>sys.stderr, "WARNING: SSL certificate checks disabled. Connection is insecure!\n"
|
print >>sys.stderr, "WARNING: SSL certificate checks disabled. Connection is insecure!\n"
|
||||||
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cookiejar), authhandler)
|
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cookiejar), authhandler)
|
||||||
|
|
||||||
urllib2.install_opener(opener)
|
|
||||||
|
|
||||||
opener.addheaders = [('User-agent', 'osc/%s' % __version__)]
|
opener.addheaders = [('User-agent', 'osc/%s' % __version__)]
|
||||||
|
_build_opener.last_opener = (apiurl, opener)
|
||||||
|
return opener
|
||||||
|
|
||||||
# with None as first argument, it will always use this username/password
|
def init_basicauth(config):
|
||||||
# combination for urls for which arg2 (apisrv) is a super-url
|
"""initialize urllib2 with the credentials for Basic Authentication"""
|
||||||
for host, auth in config['api_host_options'].iteritems():
|
|
||||||
authhandler.add_password(None, host, auth['user'], auth['pass'])
|
import cookielib
|
||||||
|
import urllib2
|
||||||
|
import sys
|
||||||
|
|
||||||
|
if sys.version_info < (2, 6):
|
||||||
|
# HTTPS proxy is not supported in old urllib2. It only leads to an error
|
||||||
|
# or, at best, a warning.
|
||||||
|
if 'https_proxy' in os.environ:
|
||||||
|
del os.environ['https_proxy']
|
||||||
|
if 'HTTPS_PROXY' in os.environ:
|
||||||
|
del os.environ['HTTPS_PROXY']
|
||||||
|
|
||||||
|
if config['http_debug']:
|
||||||
|
# brute force
|
||||||
|
def urllib2_debug_init(self, debuglevel=0):
|
||||||
|
self._debuglevel = 1
|
||||||
|
urllib2.AbstractHTTPHandler.__init__ = urllib2_debug_init
|
||||||
|
|
||||||
|
cookie_file = os.path.expanduser(config['cookiejar'])
|
||||||
|
global cookiejar
|
||||||
|
cookiejar = cookielib.LWPCookieJar(cookie_file)
|
||||||
|
try:
|
||||||
|
cookiejar.load(ignore_discard=True)
|
||||||
|
except IOError:
|
||||||
|
try:
|
||||||
|
open(cookie_file, 'w').close()
|
||||||
|
os.chmod(cookie_file, 0600)
|
||||||
|
except:
|
||||||
|
#print 'Unable to create cookiejar file: \'%s\'. Using RAM-based cookies.' % cookie_file
|
||||||
|
cookiejar = cookielib.CookieJar()
|
||||||
|
|
||||||
|
|
||||||
def get_configParser(conffile=None, force_read=False):
|
def get_configParser(conffile=None, force_read=False):
|
||||||
|
|||||||
@ -2045,6 +2045,7 @@ def http_request(method, url, headers={}, data=None, file=None, timeout=100):
|
|||||||
data = ''
|
data = ''
|
||||||
|
|
||||||
req = urllib2.Request(url)
|
req = urllib2.Request(url)
|
||||||
|
urllib2.install_opener(conf._build_opener(url))
|
||||||
api_host_options = {}
|
api_host_options = {}
|
||||||
try:
|
try:
|
||||||
api_host_options = conf.get_apiurl_api_host_options(url)
|
api_host_options = conf.get_apiurl_api_host_options(url)
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user