[CalendarServer-changes] [13913] CalendarServer/trunk/calendarserver/tap
source_changes at macosforge.org
source_changes at macosforge.org
Fri Aug 22 11:00:16 PDT 2014
Revision: 13913
http://trac.calendarserver.org//changeset/13913
Author: sagen at apple.com
Date: 2014-08-22 11:00:16 -0700 (Fri, 22 Aug 2014)
Log Message:
-----------
Detect missing, empty, or bogus TLS certificate files
Modified Paths:
--------------
CalendarServer/trunk/calendarserver/tap/caldav.py
CalendarServer/trunk/calendarserver/tap/test/test_util.py
CalendarServer/trunk/calendarserver/tap/util.py
Modified: CalendarServer/trunk/calendarserver/tap/caldav.py
===================================================================
--- CalendarServer/trunk/calendarserver/tap/caldav.py 2014-08-21 18:45:59 UTC (rev 13912)
+++ CalendarServer/trunk/calendarserver/tap/caldav.py 2014-08-22 18:00:16 UTC (rev 13913)
@@ -25,7 +25,7 @@
import sys
from collections import OrderedDict
from os import getuid, getgid, umask, remove, environ, stat, chown
-from os.path import exists, basename, isfile
+from os.path import exists, basename
import socket
from stat import S_ISSOCK
import time
@@ -127,7 +127,7 @@
checkDirectories, getRootResource,
oracleConnectorFromConfig, pgConnectorFromConfig,
pgServiceFromConfig, getDBPool, MemoryLimitService,
- storeFromConfig
+ storeFromConfig, getSSLPassphrase, PreFlightChecksStep
)
try:
from calendarserver.version import version
@@ -1582,6 +1582,10 @@
)
pps.addStep(
+ PreFlightChecksStep(config)
+ )
+
+ pps.addStep(
UpgradeReleaseLockStep(store)
)
@@ -2652,77 +2656,6 @@
-def getSSLPassphrase(*ignored):
-
- if not config.SSLPrivateKey:
- return None
-
- if config.SSLCertAdmin and isfile(config.SSLCertAdmin):
- child = Popen(
- args=[
- "sudo", config.SSLCertAdmin,
- "--get-private-key-passphrase", config.SSLPrivateKey,
- ],
- stdout=PIPE, stderr=PIPE,
- )
- output, error = child.communicate()
-
- if child.returncode:
- log.error(
- "Could not get passphrase for {key}: {error}",
- key=config.SSLPrivateKey, error=error
- )
- else:
- log.info(
- "Obtained passphrase for {key}", key=config.SSLPrivateKey
- )
- return output.strip()
-
- if (
- config.SSLPassPhraseDialog and
- isfile(config.SSLPassPhraseDialog)
- ):
- sslPrivKey = open(config.SSLPrivateKey)
- try:
- keyType = None
- for line in sslPrivKey.readlines():
- if "-----BEGIN RSA PRIVATE KEY-----" in line:
- keyType = "RSA"
- break
- elif "-----BEGIN DSA PRIVATE KEY-----" in line:
- keyType = "DSA"
- break
- finally:
- sslPrivKey.close()
-
- if keyType is None:
- log.error(
- "Could not get private key type for {key}",
- key=config.SSLPrivateKey
- )
- else:
- child = Popen(
- args=[
- config.SSLPassPhraseDialog,
- "{}:{}".format(config.ServerHostName, config.SSLPort),
- keyType,
- ],
- stdout=PIPE, stderr=PIPE,
- )
- output, error = child.communicate()
-
- if child.returncode:
- log.error(
- "Could not get passphrase for {key}: {error}",
- key=config.SSLPrivateKey, error=error
- )
- else:
- return output.strip()
-
- return None
-
-
-
def getSystemIDs(userName, groupName):
"""
Return the system ID numbers corresponding to either:
Modified: CalendarServer/trunk/calendarserver/tap/test/test_util.py
===================================================================
--- CalendarServer/trunk/calendarserver/tap/test/test_util.py 2014-08-21 18:45:59 UTC (rev 13912)
+++ CalendarServer/trunk/calendarserver/tap/test/test_util.py 2014-08-22 18:00:16 UTC (rev 13913)
@@ -14,12 +14,18 @@
# limitations under the License.
##
-from calendarserver.tap.util import MemoryLimitService, Stepper
+import OpenSSL
+from calendarserver.tap.util import (
+ MemoryLimitService, Stepper, PreFlightChecksStep
+)
from twistedcaldav.util import computeProcessCount
from twistedcaldav.test.util import TestCase
from twisted.internet.task import Clock
from twisted.internet.defer import succeed, inlineCallbacks
+from twisted.python.filepath import FilePath
+from twistedcaldav.config import ConfigDict, ConfigurationError
+
class ProcessCountTestCase(TestCase):
def test_count(self):
@@ -37,10 +43,10 @@
(6, 2, 2, 2, 2, 6),
(1, 2, 1, 4, 99, 8),
- (2, 1, 2, 2, 2, 2), # 2 cores, 2GB = 2
- (2, 1, 2, 2, 4, 2), # 2 cores, 4GB = 2
- (2, 1, 2, 8, 6, 8), # 8 cores, 6GB = 8
- (2, 1, 2, 8, 16, 8), # 8 cores, 16GB = 8
+ (2, 1, 2, 2, 2, 2), # 2 cores, 2GB = 2
+ (2, 1, 2, 2, 4, 2), # 2 cores, 4GB = 2
+ (2, 1, 2, 8, 6, 8), # 8 cores, 6GB = 8
+ (2, 1, 2, 8, 16, 8), # 8 cores, 16GB = 8
)
for min, perCPU, perGB, cpu, mem, expected in data:
@@ -89,10 +95,10 @@
"""
data = {
# PID : (name, resident memory-in-bytes, virtual memory-in-bytes)
- 101 : ("process #1", 10, 1010),
- 102 : ("process #2", 30, 1030),
- 103 : ("process #3", 50, 1050),
- 99 : ("memcached-Default", 10, 1010),
+ 101: ("process #1", 10, 1010),
+ 102: ("process #2", 30, 1030),
+ 103: ("process #3", 50, 1050),
+ 99: ("memcached-Default", 10, 1010),
}
processes = []
@@ -200,7 +206,7 @@
StepFour(self._record, False)
)
result = (yield self.stepper.start("abc"))
- self.assertEquals(result, "abc") # original result passed through
+ self.assertEquals(result, "abc") # original result passed through
self.assertEquals(
self.history,
['one success', 'two success', 'three success', 'four success'])
@@ -224,7 +230,73 @@
self.stepper.addStep(StepThree(self._record, True))
self.stepper.addStep(StepFour(self._record, False))
result = (yield self.stepper.start("abc"))
- self.assertEquals(result, None) # original result is gone
+ self.assertEquals(result, None) # original result is gone
self.assertEquals(
self.history,
['one success', 'two failure', 'three success', 'four failure'])
+
+
+class PreFlightChecksStepTestCase(TestCase):
+ """
+ Verify that missing, empty, or bogus TLS Certificates are detected
+ """
+
+ @inlineCallbacks
+ def test_missingCertificate(self):
+ step = PreFlightChecksStep(
+ ConfigDict(
+ {
+ "SSLCertificate": "missing",
+ }
+ )
+ )
+ try:
+ yield step.stepWithResult(None)
+ except ConfigurationError as e:
+ self.assertTrue("Missing" in str(e))
+ else:
+ self.fail("Did not raise ConfigurationError")
+
+
+ @inlineCallbacks
+ def test_emptyCertificate(self):
+ certFilePath = FilePath(self.mktemp())
+ certFilePath.setContent("")
+ step = PreFlightChecksStep(
+ ConfigDict(
+ {
+ "SSLCertificate": certFilePath.path,
+ }
+ )
+ )
+ try:
+ yield step.stepWithResult(None)
+ except ConfigurationError as e:
+ self.assertTrue("Empty" in str(e))
+ else:
+ self.fail("Did not raise ConfigurationError")
+
+
+ @inlineCallbacks
+ def test_bogusCertificate(self):
+ certFilePath = FilePath(self.mktemp())
+ certFilePath.setContent("bogus")
+ keyFilePath = FilePath(self.mktemp())
+ keyFilePath.setContent("bogus")
+ step = PreFlightChecksStep(
+ ConfigDict(
+ {
+ "SSLCertificate": certFilePath.path,
+ "SSLPrivateKey": keyFilePath.path,
+ "SSLAuthorityChain": "",
+ "SSLMethod": "SSLv3_METHOD",
+ "SSLCiphers": "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM",
+ }
+ )
+ )
+ try:
+ yield step.stepWithResult(None)
+ except OpenSSL.SSL.Error:
+ pass
+ else:
+ self.fail("Did not raise OpenSSL.SSL.Error")
Modified: CalendarServer/trunk/calendarserver/tap/util.py
===================================================================
--- CalendarServer/trunk/calendarserver/tap/util.py 2014-08-21 18:45:59 UTC (rev 13912)
+++ CalendarServer/trunk/calendarserver/tap/util.py 2014-08-22 18:00:16 UTC (rev 13913)
@@ -24,13 +24,19 @@
"getDBPool",
"FakeRequest",
"MemoryLimitService",
+ "PreFlightChecksStep",
+ "getSSLPassphrase",
]
import errno
+import OpenSSL
import os
+import psutil
from socket import fromfd, AF_UNIX, SOCK_STREAM, socketpair
-import psutil
+from subprocess import Popen, PIPE
+
+from twext.internet.ssl import ChainingOpenSSLContextFactory
from twext.python.filepath import CachingFilePath as FilePath
from twext.python.log import Logger
from txweb2.auth.basic import BasicCredentialFactory
@@ -98,6 +104,11 @@
from twext.who.checker import HTTPDigestCredentialChecker
from twisted.cred.error import UnauthorizedLogin
from txweb2.dav.auth import IPrincipalCredentials
+
+from twistedcaldav.config import ConfigurationError
+from twistedcaldav.stdconfig import config
+
+
log = Logger()
@@ -952,7 +963,7 @@
"Server root",
# Require write access because one might not allow editing on /
access=os.W_OK,
- wait=True # Wait in a loop until ServerRoot exists
+ wait=True # Wait in a loop until ServerRoot exists
)
#
@@ -1052,7 +1063,10 @@
def defaultStepWithFailure(self, failure):
- if failure.type != NotAllowedToUpgrade:
+ if failure.type not in (
+ NotAllowedToUpgrade, ConfigurationError,
+ OpenSSL.SSL.Error
+ ):
log.failure("Step failure", failure=failure)
return failure
@@ -1098,3 +1112,130 @@
self.deferred.callback(result)
return self.deferred
+
+
+class PreFlightChecksStep(object):
+ """
+ A place to make any other checks before finishing up the
+ PreProcessingService.
+ """
+
+ def __init__(self, config):
+ self.config = config
+
+
+ def stepWithResult(self, result):
+ self.verifyTLSCertificate()
+ return succeed(None)
+
+
+ def verifyTLSCertificate(self):
+ """
+ If a TLS certificate is configured, make sure it exists, is non empty,
+ and that it's valid.
+ """
+
+ if self.config.SSLCertificate:
+ if not os.path.exists(self.config.SSLCertificate):
+ log.error(
+ "The configured TLS certificate ({cert}) is missing",
+ cert=self.config.SSLCertificate
+ )
+ raise ConfigurationError("Missing certificate file")
+ else:
+ return
+
+ length = os.stat(self.config.SSLCertificate).st_size
+ if length == 0:
+ log.error(
+ "The configured TLS certificate ({cert}) is empty",
+ cert=self.config.SSLCertificate
+ )
+ raise ConfigurationError("Empty certificate file")
+
+ try:
+ ChainingOpenSSLContextFactory(
+ self.config.SSLPrivateKey,
+ self.config.SSLCertificate,
+ certificateChainFile=self.config.SSLAuthorityChain,
+ passwdCallback=getSSLPassphrase,
+ sslmethod=getattr(OpenSSL.SSL, self.config.SSLMethod),
+ ciphers=self.config.SSLCiphers.strip()
+ )
+ except Exception as e:
+ log.error(
+ "The configured TLS certificate ({cert}) cannot be used: {reason}",
+ cert=self.config.SSLCertificate,
+ reason=str(e)
+ )
+ raise
+
+
+def getSSLPassphrase(*ignored):
+
+ if not config.SSLPrivateKey:
+ return None
+
+ if config.SSLCertAdmin and os.path.isfile(config.SSLCertAdmin):
+ child = Popen(
+ args=[
+ "sudo", config.SSLCertAdmin,
+ "--get-private-key-passphrase", config.SSLPrivateKey,
+ ],
+ stdout=PIPE, stderr=PIPE,
+ )
+ output, error = child.communicate()
+
+ if child.returncode:
+ log.error(
+ "Could not get passphrase for {key}: {error}",
+ key=config.SSLPrivateKey, error=error
+ )
+ else:
+ log.info(
+ "Obtained passphrase for {key}", key=config.SSLPrivateKey
+ )
+ return output.strip()
+
+ if (
+ config.SSLPassPhraseDialog and
+ os.path.isfile(config.SSLPassPhraseDialog)
+ ):
+ sslPrivKey = open(config.SSLPrivateKey)
+ try:
+ keyType = None
+ for line in sslPrivKey.readlines():
+ if "-----BEGIN RSA PRIVATE KEY-----" in line:
+ keyType = "RSA"
+ break
+ elif "-----BEGIN DSA PRIVATE KEY-----" in line:
+ keyType = "DSA"
+ break
+ finally:
+ sslPrivKey.close()
+
+ if keyType is None:
+ log.error(
+ "Could not get private key type for {key}",
+ key=config.SSLPrivateKey
+ )
+ else:
+ child = Popen(
+ args=[
+ config.SSLPassPhraseDialog,
+ "{}:{}".format(config.ServerHostName, config.SSLPort),
+ keyType,
+ ],
+ stdout=PIPE, stderr=PIPE,
+ )
+ output, error = child.communicate()
+
+ if child.returncode:
+ log.error(
+ "Could not get passphrase for {key}: {error}",
+ key=config.SSLPrivateKey, error=error
+ )
+ else:
+ return output.strip()
+
+ return None
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.macosforge.org/pipermail/calendarserver-changes/attachments/20140822/5e1b1c68/attachment-0001.html>
More information about the calendarserver-changes
mailing list