Mercurial > libervia-backend
comparison sat/core/patches.py @ 2687:e9cd473a2f46
core (xmpp): server certificate validation:
XMPP server certificate is now checked, and connection is refused (by default) if it's not valid.
Certificate check can be disabled in the new parameter "Configuration/check_certificate".
If certificate checking is disabled, a warning note is sent on every new connection.
Twisted and Wokkel are temporarly monkey patched in sat.core.tls_patches module, until modifications are merged upstream.
| author | Goffi <goffi@goffi.org> |
|---|---|
| date | Sat, 10 Nov 2018 10:16:35 +0100 |
| parents | |
| children | 1ecceac3df96 |
comparison
equal
deleted
inserted
replaced
| 2686:ce1e15d59496 | 2687:e9cd473a2f46 |
|---|---|
| 1 from twisted.words.protocols.jabber import xmlstream | |
| 2 from twisted.internet import ssl | |
| 3 from wokkel import client | |
| 4 | |
| 5 """This module apply monkey patches to Twisted and Wokkel to handle certificate validation | |
| 6 during XMPP connection""" | |
| 7 | |
| 8 | |
| 9 class TLSInitiatingInitializer(xmlstream.TLSInitiatingInitializer): | |
| 10 check_certificate = True | |
| 11 | |
| 12 def onProceed(self, obj): | |
| 13 self.xmlstream.removeObserver('/failure', self.onFailure) | |
| 14 trustRoot = ssl.platformTrust() if self.check_certificate else None | |
| 15 ctx = ssl.CertificateOptions(trustRoot=trustRoot) | |
| 16 self.xmlstream.transport.startTLS(ctx) | |
| 17 self.xmlstream.reset() | |
| 18 self.xmlstream.sendHeader() | |
| 19 self._deferred.callback(xmlstream.Reset) | |
| 20 | |
| 21 | |
| 22 class XMPPClient(client.XMPPClient): | |
| 23 | |
| 24 def __init__(self, jid, password, host=None, port=5222, check_certificate=True): | |
| 25 self.jid = jid | |
| 26 self.domain = jid.host.encode('idna') | |
| 27 self.host = host | |
| 28 self.port = port | |
| 29 | |
| 30 factory = HybridClientFactory(jid, password, check_certificate) | |
| 31 | |
| 32 client.StreamManager.__init__(self, factory) | |
| 33 | |
| 34 | |
| 35 def HybridClientFactory(jid, password, check_certificate=True): | |
| 36 a = HybridAuthenticator(jid, password, check_certificate) | |
| 37 | |
| 38 return xmlstream.XmlStreamFactory(a) | |
| 39 | |
| 40 | |
| 41 class HybridAuthenticator(client.HybridAuthenticator): | |
| 42 | |
| 43 def __init__(self, jid, password, check_certificate): | |
| 44 xmlstream.ConnectAuthenticator.__init__(self, jid.host) | |
| 45 self.jid = jid | |
| 46 self.password = password | |
| 47 self.check_certificate = check_certificate | |
| 48 | |
| 49 def associateWithStream(self, xs): | |
| 50 xmlstream.ConnectAuthenticator.associateWithStream(self, xs) | |
| 51 | |
| 52 tlsInit = xmlstream.TLSInitiatingInitializer(xs) | |
| 53 tlsInit.check_certificate = self.check_certificate | |
| 54 xs.initializers = [client.client.CheckVersionInitializer(xs), | |
| 55 tlsInit, | |
| 56 client.CheckAuthInitializer(xs)] | |
| 57 | |
| 58 | |
| 59 def apply(): | |
| 60 xmlstream.TLSInitiatingInitializer = TLSInitiatingInitializer | |
| 61 client.XMPPClient = XMPPClient | |
| 62 client.HybridClientFactory = HybridClientFactory | |
| 63 client.HybridAuthenticator = HybridAuthenticator |