[CalendarServer-changes] [10165] CalendarServer/trunk
source_changes at macosforge.org
source_changes at macosforge.org
Wed Dec 12 17:46:20 PST 2012
Revision: 10165
http://trac.calendarserver.org//changeset/10165
Author: sagen at apple.com
Date: 2012-12-12 17:46:20 -0800 (Wed, 12 Dec 2012)
Log Message:
-----------
Strict-Transport-Security is no longer tied to RedirectHTTPToHTTPS, and max-age is configurable, defaulting to 1 week.
Modified Paths:
--------------
CalendarServer/trunk/calendarserver/tap/caldav.py
CalendarServer/trunk/calendarserver/tap/test/test_caldav.py
CalendarServer/trunk/twext/web2/channel/http.py
CalendarServer/trunk/twext/web2/test/test_http.py
CalendarServer/trunk/twistedcaldav/stdconfig.py
Modified: CalendarServer/trunk/calendarserver/tap/caldav.py
===================================================================
--- CalendarServer/trunk/calendarserver/tap/caldav.py 2012-12-12 23:59:38 UTC (rev 10164)
+++ CalendarServer/trunk/calendarserver/tap/caldav.py 2012-12-13 01:46:20 UTC (rev 10165)
@@ -874,6 +874,22 @@
def requestFactory(*args, **kw):
return SSLRedirectRequest(site=underlyingSite, *args, **kw)
+ # Add the Strict-Transport-Security header to all secured requests
+ # if enabled.
+ if config.StrictTransportSecuritySeconds:
+ previousRequestFactory = requestFactory
+ def requestFactory(*args, **kw):
+ request = previousRequestFactory(*args, **kw)
+ def responseFilter(ignored, response):
+ ignored, secure = request.chanRequest.getHostInfo()
+ if secure:
+ response.headers.addRawHeader("Strict-Transport-Security",
+ "max-age={max_age:d}"
+ .format(max_age=config.StrictTransportSecuritySeconds))
+ return response
+ request.addResponseFilter(responseFilter)
+ return request
+
httpFactory = LimitingHTTPFactory(
requestFactory,
maxRequests=config.MaxRequests,
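Review bot: responseFilter adds the header with addRawHeader, so a response on which a resource has already set Strict-Transport-Security goes out with two copies, and RFC 6797 tells clients to honour only the first one they see; setting instead of adding, e.g. `response.headers.setRawHeaders("Strict-Transport-Security", ["max-age=%d" % max_age])` (assuming twext.web2's Headers keeps twisted.web2's setRawHeaders), makes the configured value authoritative. The `{max_age:d}` format also raises ValueError inside the filter when the config value is truthy but not an int (a string in a plist), which then surfaces per request rather than at startup; coercing once where the factory is built, `max_age = int(config.StrictTransportSecuritySeconds)`, reports a bad value up front. Indentation is lost in this listing, so it cannot be confirmed here whether the new `if config.StrictTransportSecuritySeconds:` block sits inside or outside the branch that defines the redirecting requestFactory above it; the log message says the two settings are now independent. The enclosing function begins before this hunk.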
@@ -894,6 +910,9 @@
connectionService.setName(CalDAVService.connectionServiceName)
connectionService.setServiceParent(service)
+ # For calendarserver.tap.test.test_caldav.BaseServiceMakerTests.getSite():
+ connectionService.underlyingSite = underlyingSite
+
if config.InheritFDs or config.InheritSSLFDs:
# Inherit sockets to call accept() on them individually.
Modified: CalendarServer/trunk/calendarserver/tap/test/test_caldav.py
===================================================================
--- CalendarServer/trunk/calendarserver/tap/test/test_caldav.py 2012-12-12 23:59:38 UTC (rev 10164)
+++ CalendarServer/trunk/calendarserver/tap/test/test_caldav.py 2012-12-13 01:46:20 UTC (rev 10165)
@@ -380,9 +380,10 @@
# NOTE: in a database 'single' configuration, PostgresService
# will prevent the HTTP services from actually getting added to
# the hierarchy until the hierarchy has started.
- lambda x: hasattr(x, 'args')
+ # 'underlyingSite' assigned in caldav.py
+ lambda x: hasattr(x, 'underlyingSite')
):
- return listeningService.args[1].protocolArgs['requestFactory']
+ return listeningService.underlyingSite
raise RuntimeError("No site found.")
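Review bot: The HSTS assertion deleted from twext/web2/test/test_http.py (test_http1_1_sts) has no replacement here; getSite() is rewired to return underlyingSite, but nothing in this file exercises the new config-driven filter in caldav.py, so a regression that drops the header or emits it on a plain-HTTP response would still pass the suite. A test that builds the service with StrictTransportSecuritySeconds set, issues a request over a secure channel and asserts `Strict-Transport-Security: max-age=<configured value>` is present, paired with one using 0 that asserts the header is absent, would restore the coverage. getSite's body starts outside the hunk.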
Modified: CalendarServer/trunk/twext/web2/channel/http.py
===================================================================
--- CalendarServer/trunk/twext/web2/channel/http.py 2012-12-12 23:59:38 UTC (rev 10164)
+++ CalendarServer/trunk/twext/web2/channel/http.py 2012-12-13 01:46:20 UTC (rev 10165)
@@ -76,26 +76,11 @@
self.transport.loseConnection()
-
class SSLRedirectRequest(Request):
"""
An L{SSLRedirectRequest} prevents processing if the request is over plain
HTTP; instead, it redirects to HTTPS.
-
- If the request is already secured, it instead sets the
- Strict-Transport-Security header as documented by the U{HTTP Strict
- Transport Security specification
- <http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-02>}.
-
- @ivar maxAge: the number of seconds that a client must wait after receiving
- an HTTPS response, before they may attempt to make an HTTP request
- again.
-
- @type maxAge: C{int}
"""
-
- maxAge = 600
-
def process(self):
ignored, secure = self.chanRequest.getHostInfo()
if not secure:
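Review bot: The trimmed class docstring now describes only the redirect and gives no pointer to where the Strict-Transport-Security handling went, so a reader of this module would reasonably conclude HSTS was dropped. Adding a sentence such as `Strict-Transport-Security is no longer emitted here; it is added per response by the request factory in calendarserver.tap.caldav when StrictTransportSecuritySeconds is non-zero.` keeps the two halves discoverable. process() continues past the end of this hunk.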
@@ -116,15 +101,6 @@
return super(SSLRedirectRequest, self).process()
- def writeResponse(self, response):
- """
- Response filter to add HSTS header.
- """
- response.headers.addRawHeader("Strict-Transport-Security",
- "max-age={max_age:d}"
- .format(max_age=self.maxAge))
- return super(SSLRedirectRequest, self).writeResponse(response)
-
# >%
PERSIST_NO_PIPELINE, PERSIST_PIPELINE = (1,2)
Modified: CalendarServer/trunk/twext/web2/test/test_http.py
===================================================================
--- CalendarServer/trunk/twext/web2/test/test_http.py 2012-12-12 23:59:38 UTC (rev 10164)
+++ CalendarServer/trunk/twext/web2/test/test_http.py 2012-12-13 01:46:20 UTC (rev 10165)
@@ -742,18 +742,6 @@
cxn.client.loseConnection()
self.assertDone(cxn)
-
- def test_http1_1_sts(self):
- """
- L{SSLRedirectRequest} uses strict transport security, and will set the
- appropriate header.
- """
- self.requestClass = TestSSLRedirectRequest
- return self.testHTTP1_1_chunking(
- "Strict-Transport-Security: max-age=600"
- )
-
-
def testHTTP1_1_expect_continue(self):
cxn = self.connect()
cmds = [[]]
Modified: CalendarServer/trunk/twistedcaldav/stdconfig.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/stdconfig.py 2012-12-12 23:59:38 UTC (rev 10164)
+++ CalendarServer/trunk/twistedcaldav/stdconfig.py 2012-12-13 01:46:20 UTC (rev 10165)
@@ -250,6 +250,8 @@
"RedirectHTTPToHTTPS" : False, # If True, all nonSSL requests redirected to an SSL Port
"SSLMethod" : "SSLv3_METHOD", # SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, TLSv1_METHOD
"SSLCiphers" : "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM",
+ "StrictTransportSecuritySeconds" : 7 * 24 * 60 * 60, # max-age value for
+ # Strict-Transport-Security header; set to 0 to disable header.
#
# Network address configuration information
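Review bot: The comment on the new StrictTransportSecuritySeconds key is split across two lines and does not state the unit or when the header is sent; the key name is the only hint that the value is in seconds. A single comment such as `# Seconds for the Strict-Transport-Security max-age, sent only on TLS responses; 0 disables the header` says what an operator needs. It is also worth noting there that, because the header is now emitted on every TLS response by default, clients that have seen it will refuse plain HTTP to this host for the configured period even if TLS is later turned off, so the value should be lowered before such a change rather than after.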