[CalendarServer-changes] [14175] CalendarServer/trunk/txweb2

source_changes at macosforge.org source_changes at macosforge.org
Sat Nov 15 08:09:33 PST 2014


Revision: 14175
          http://trac.calendarserver.org//changeset/14175
Author:   cdaboo at apple.com
Date:     2014-11-15 08:09:33 -0800 (Sat, 15 Nov 2014)
Log Message:
-----------
Support SSL reverse proxy client cert auth mode.

Modified Paths:
--------------
    CalendarServer/trunk/txweb2/auth/tls.py
    CalendarServer/trunk/txweb2/dav/resource.py

Modified: CalendarServer/trunk/txweb2/auth/tls.py
===================================================================
--- CalendarServer/trunk/txweb2/auth/tls.py	2014-11-14 21:08:05 UTC (rev 14174)
+++ CalendarServer/trunk/txweb2/auth/tls.py	2014-11-15 16:09:33 UTC (rev 14175)
@@ -38,14 +38,20 @@
 
     implements(credentials.ICredentials)
 
-    def __init__(self, certificate):
+    CERTIFICATE_HEADER = "X-TLS-Client-Certificate"
+    USERNAME_HEADER = "X-TLS-Client-User-Name"
 
+    def __init__(self, certificate, username=None):
+
         self.certificate = certificate
 
-        try:
-            self.username = self.getSubject().emailAddress.split("@")[0]
-        except KeyError:
-            self.username = None
+        if certificate is not None:
+            try:
+                self.username = self.getSubject().emailAddress.split("@")[0]
+            except KeyError:
+                self.username = None
+        else:
+            self.username = username
 
 
     def getSubject(self):
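Review bot: The new `username` keyword is silently discarded whenever `certificate` is not None, and nothing on the class says that a `None` certificate plus a username represents an identity asserted by an upstream component rather than one derived from a certificate the server itself saw; that distinction matters to whoever later writes a checker for these credentials. I would add a docstring to `__init__` along the lines of `"""certificate: a parsed client certificate, or None when the identity comes from the USERNAME_HEADER set by a trusted reverse proxy; username: only used when certificate is None."""`, and a one-line comment on the two header constants naming which side of the proxy is expected to set them. The `except KeyError` branch is pre-existing, but since the subject lookup is now only reached on the certificate path, a short comment on why `KeyError` (and not `AttributeError`) is the expected failure would help the next reader. The enclosing class starts before and continues after this hunk.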

Modified: CalendarServer/trunk/txweb2/dav/resource.py
===================================================================
--- CalendarServer/trunk/txweb2/dav/resource.py	2014-11-14 21:08:05 UTC (rev 14174)
+++ CalendarServer/trunk/txweb2/dav/resource.py	2014-11-15 16:09:33 UTC (rev 14175)
@@ -56,6 +56,7 @@
     Deferred, maybeDeferred, succeed, inlineCallbacks, returnValue
 )
 from twisted.internet import reactor
+from twisted.internet._sslverify import Certificate
 
 from twext.python.log import Logger
 from txdav.xml import element
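Review bot: The added import reaches into a private module, `twisted.internet._sslverify`, whose layout is not part of Twisted's compatibility guarantee; the same class is exported publicly, so `from twisted.internet.ssl import Certificate` is the line I would use instead. This keeps `resource.py` from breaking on a Twisted upgrade that reorganises the private module.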
@@ -65,7 +66,7 @@
 from txdav.xml.element import twisted_dav_namespace, twisted_private_namespace
 from txdav.xml.element import registerElement, lookupElement
 from txweb2 import responsecode
-from txweb2.auth.tls import TLSCredentialsFactory
+from txweb2.auth.tls import TLSCredentialsFactory, TLSCredentials
 from txweb2.http import HTTPError, RedirectResponse, StatusResponse
 from txweb2.http_headers import generateContentType
 from txweb2.iweb import IResponse
@@ -1020,8 +1021,29 @@
         if request.clientCredentials() is not None:
             # Make this look as if it is done via the usual HTTP auth header approach
             authHeader = (TLSCredentialsFactory.scheme, request.clientCredentials())
+
         else:
-            authHeader = request.headers.getHeader("authorization")
+            # Check for reverse proxy TLS client auth
+            rproxy_cert = request.headers.getRawHeaders(TLSCredentials.CERTIFICATE_HEADER, ["*"])[0]
+            rproxy_user = request.headers.getRawHeaders(TLSCredentials.USERNAME_HEADER, ["*"])[0]
+            if rproxy_cert != "*":
+                # Make this look as if it is done via the usual HTTP auth header approach
+                try:
+                    cert = Certificate.loadPEM(rproxy_cert.replace("\\r", "\r").replace("\\n", "\n"))
+                except:
+                    raise HTTPError(responsecode.BAD_REQUEST)
+                authHeader = (
+                    TLSCredentialsFactory.scheme,
+                    TLSCredentials(cert)
+                )
+            elif rproxy_user != "*":
+                # Make this look as if it is done via the usual HTTP auth header approach
+                authHeader = (
+                    TLSCredentialsFactory.scheme,
+                    TLSCredentials(None, username=rproxy_user)
+                )
+            else:
+                authHeader = request.headers.getHeader("authorization")
 
         if authHeader is not None:
             if authHeader[0] not in request.credentialFactories:
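Review bot: The two new branches honour `X-TLS-Client-Certificate` and `X-TLS-Client-User-Name` on every request, but nothing in this hunk checks that the request actually arrived via the reverse proxy (a configuration switch for proxy mode, a check that the peer address is the proxy, or both), so any client that can reach this listener directly, or whose proxy does not strip these headers, can present an arbitrary username through the `rproxy_user` branch without any certificate at all; the certificate branch likewise only parses the PEM and does not itself verify it against a trust root, so unless the downstream credential checker does that, a self-signed certificate would also pass this point. I would gate both branches behind an explicit "trusted reverse proxy" setting and document, in a comment above `rproxy_cert`, that the proxy must overwrite or strip any client-supplied copy of these headers. The bare `except:` around `Certificate.loadPEM` should be narrowed, e.g. `except Exception:`, so that it does not swallow `KeyboardInterrupt`/`SystemExit`, and the `"*"` sentinel collides with a literal header value of `*`; `getRawHeaders(TLSCredentials.CERTIFICATE_HEADER, [None])[0]` with `if rproxy_cert is not None:` avoids that. The enclosing method starts before and ends after this hunk.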