[CalendarServer-changes] [14175] CalendarServer/trunk/txweb2
source_changes at macosforge.org
source_changes at macosforge.org
Sat Nov 15 08:09:33 PST 2014
Revision: 14175
http://trac.calendarserver.org//changeset/14175
Author: cdaboo at apple.com
Date: 2014-11-15 08:09:33 -0800 (Sat, 15 Nov 2014)
Log Message:
-----------
Support an SSL reverse-proxy client-certificate authentication mode.
Modified Paths:
--------------
CalendarServer/trunk/txweb2/auth/tls.py
CalendarServer/trunk/txweb2/dav/resource.py
Modified: CalendarServer/trunk/txweb2/auth/tls.py
===================================================================
--- CalendarServer/trunk/txweb2/auth/tls.py 2014-11-14 21:08:05 UTC (rev 14174)
+++ CalendarServer/trunk/txweb2/auth/tls.py 2014-11-15 16:09:33 UTC (rev 14175)
@@ -38,14 +38,20 @@
implements(credentials.ICredentials)
- def __init__(self, certificate):
+ CERTIFICATE_HEADER = "X-TLS-Client-Certificate"
+ USERNAME_HEADER = "X-TLS-Client-User-Name"
+ def __init__(self, certificate, username=None):
+
self.certificate = certificate
- try:
- self.username = self.getSubject().emailAddress.split("@")[0]
- except KeyError:
- self.username = None
+ if certificate is not None:
+ try:
+ self.username = self.getSubject().emailAddress.split("@")[0]
+ except KeyError:
+ self.username = None
+ else:
+ self.username = username
def getSubject(self):
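Review bot: The new `else` branch of `__init__` stores the `username` argument verbatim, so `TLSCredentials(None)` produces a credential with no identity at all and `TLSCredentials(None, username="")` one with an empty username, neither of which the class rejects. A guard such as `if not username: raise ValueError("username required when no certificate is supplied")` — or an equivalent rejection in the caller — would keep a credential object from representing nobody. The two new header constants also deserve a comment stating their trust requirement, e.g. `# Only meaningful when set by a trusted reverse proxy that overwrites any client-supplied copies of these headers.`, since nothing in this class can tell a proxy-supplied value from a client-supplied one. The enclosing class starts outside this hunk.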
Modified: CalendarServer/trunk/txweb2/dav/resource.py
===================================================================
--- CalendarServer/trunk/txweb2/dav/resource.py 2014-11-14 21:08:05 UTC (rev 14174)
+++ CalendarServer/trunk/txweb2/dav/resource.py 2014-11-15 16:09:33 UTC (rev 14175)
@@ -56,6 +56,7 @@
Deferred, maybeDeferred, succeed, inlineCallbacks, returnValue
)
from twisted.internet import reactor
+from twisted.internet._sslverify import Certificate
from twext.python.log import Logger
from txdav.xml import element
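Review bot: The added import pulls `Certificate` from the private module `twisted.internet._sslverify`; Twisted re-exports the same class from the public `twisted.internet.ssl` module, and the underscore path is not a stable import. Prefer `from twisted.internet.ssl import Certificate` so a future Twisted refactor does not break authentication at import time.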
@@ -65,7 +66,7 @@
from txdav.xml.element import twisted_dav_namespace, twisted_private_namespace
from txdav.xml.element import registerElement, lookupElement
from txweb2 import responsecode
-from txweb2.auth.tls import TLSCredentialsFactory
+from txweb2.auth.tls import TLSCredentialsFactory, TLSCredentials
from txweb2.http import HTTPError, RedirectResponse, StatusResponse
from txweb2.http_headers import generateContentType
from txweb2.iweb import IResponse
@@ -1020,8 +1021,29 @@
if request.clientCredentials() is not None:
# Make this look as if it is done via the usual HTTP auth header approach
authHeader = (TLSCredentialsFactory.scheme, request.clientCredentials())
+
else:
- authHeader = request.headers.getHeader("authorization")
+ # Check for reverse proxy TLS client auth
+ rproxy_cert = request.headers.getRawHeaders(TLSCredentials.CERTIFICATE_HEADER, ["*"])[0]
+ rproxy_user = request.headers.getRawHeaders(TLSCredentials.USERNAME_HEADER, ["*"])[0]
+ if rproxy_cert != "*":
+ # Make this look as if it is done via the usual HTTP auth header approach
+ try:
+ cert = Certificate.loadPEM(rproxy_cert.replace("\\r", "\r").replace("\\n", "\n"))
+ except:
+ raise HTTPError(responsecode.BAD_REQUEST)
+ authHeader = (
+ TLSCredentialsFactory.scheme,
+ TLSCredentials(cert)
+ )
+ elif rproxy_user != "*":
+ # Make this look as if it is done via the usual HTTP auth header approach
+ authHeader = (
+ TLSCredentialsFactory.scheme,
+ TLSCredentials(None, username=rproxy_user)
+ )
+ else:
+ authHeader = request.headers.getHeader("authorization")
if authHeader is not None:
if authHeader[0] not in request.credentialFactories:
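Review bot: The `X-TLS-Client-Certificate` and `X-TLS-Client-User-Name` headers are honored on every request that lacks a direct TLS client certificate, and nothing in this hunk checks that the request actually came from the trusted reverse proxy (no configuration flag, no peer-address check), so any client that can reach this server directly — or through a proxy that does not strip these headers — can send `X-TLS-Client-User-Name: <victim>` and be authenticated as that user with no credential at all. The certificate branch is no stronger: `Certificate.loadPEM` only parses the PEM, so a self-signed certificate carrying the victim's `emailAddress` in its subject is accepted just the same. Both lookups should sit behind a predicate derived from server configuration and the connection's peer address (the `_trustedProxyRequest` helper below is a placeholder for that, not an existing method), the bare `except:` should be narrowed to `except Exception:`, and `None` is a safer absent-header sentinel than the literal `"*"`. The enclosing method starts outside this hunk.
```python
else:
    authHeader = None
    # Only consult proxy-supplied identity headers when this server is
    # configured behind a trusted reverse proxy that overwrites them.
    # NOTE(review): predicate to be implemented from configuration plus the
    # peer address; it must never be derived from the headers themselves.
    if self._trustedProxyRequest(request):
        rproxy_cert = request.headers.getRawHeaders(TLSCredentials.CERTIFICATE_HEADER, [None])[0]
        rproxy_user = request.headers.getRawHeaders(TLSCredentials.USERNAME_HEADER, [None])[0]
        if rproxy_cert is not None:
            try:
                cert = Certificate.loadPEM(rproxy_cert.replace("\\r", "\r").replace("\\n", "\n"))
            except Exception:
                raise HTTPError(responsecode.BAD_REQUEST)
            authHeader = (TLSCredentialsFactory.scheme, TLSCredentials(cert))
        elif rproxy_user is not None:
            authHeader = (TLSCredentialsFactory.scheme, TLSCredentials(None, username=rproxy_user))
    if authHeader is None:
        authHeader = request.headers.getHeader("authorization")
# … unchanged: credentialFactories lookup …
```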