libervia-web: libervia_server/__init_

comparison libervia_server/init.py @ 415:fadbba1d793f

server_side: added support for SSL and related parameters: Full parameters list: -t, --connection_type= 'http', 'https' or 'both' (to launch both servers). [default: both] -p, --port= The port number to listen HTTP on. [default: 8080] -s, --port_https= The port number to listen HTTPS on. [default: 8443] -c, --ssl_certificate= PEM certificate with both private and public parts. [default: libervia.pem] -r, --redirect_to_https= automatically redirect from HTTP to HTTPS. [default: 0] -w, --security_warning= warn user that he is about to connect on HTTP. [default: 1]

author	souliane <souliane@mailoo.org>
date	Tue, 18 Mar 2014 15:59:38 +0100
parents	7a8991cda2fa
children	2bd609d7dd65

comparison

equal deleted inserted replaced

-:ae598511850d
+:fadbba1d793f
 from twisted.internet import reactor, defer
 from twisted.web import server
 from twisted.web import error as weberror
 from twisted.web.static import File
 from twisted.web.resource import Resource, NoResource
-from twisted.web.util import Redirect
+from twisted.web.util import Redirect, redirectTo
 from twisted.python.components import registerAdapter
 from twisted.python.failure import Failure
 from twisted.words.protocols.jabber.jid import JID
 from txjsonrpc.web import jsonrpc
 from txjsonrpc import jsonrpclib
 from logging import debug, info, warning, error
-import re, glob
+import re
-import os.path, sys
+import glob
-import tempfile, shutil, uuid
+import os.path
+import sys
+import tempfile
+import shutil
+import uuid
 from zope.interface import Interface, Attribute, implements
 from xml.dom import minidom
+from httplib import HTTPS_PORT
 from constants import Const
 from libervia_server.blog import MicroBlog
 from sat_frontends.bridge.DBus import DBusBridgeFrontend, BridgeExceptionNoService
 from sat.core.i18n import _, D_
 from sat.tools.xml_tools import paramsXML2XMLUI
+try:
+import OpenSSL
+from twisted.internet import ssl
+ssl_available = True
+except:
+ssl_available = False
 class ISATSession(Interface):
 profile = Attribute("Sat profile")
 jid = Attribute("JID associated with the profile")
 def render(self, request):
 """
 Render method with some hacks:
 - if login is requested, try to login with form data
 - except login, every method is jsonrpc
-- user doesn't need to be authentified for isRegistered or registerParams, but must be for all other methods
+- user doesn't need to be authentified for explicitely listed methods, but must be for all others
 """
 if request.postpath==['login']:
 return self.login(request)
 _session = request.getSession()
 parsed = jsonrpclib.loads(request.content.read())
 method = parsed.get("method")
-if  method not in ['isRegistered',  'registerParams', 'getMenus']:
+if  method not in ['isRegistered', 'registerParams', 'getMenus']:
 #if we don't call these methods, we need to be identified
 profile = ISATSession(_session).profile
 if not profile:
 #user is not identified, we return a jsonrpc fault
 fault = jsonrpclib.Fault(Const.ERRNUM_LIBERVIA, "Not allowed") #FIXME: define some standard error codes for libervia
 self.profiles_waiting[profile] = self.request
 self.sat_host.bridge.connect(profile)
 return server.NOT_DONE_YET
 def jsonrpc_isRegistered(self):
-"""Tell if the user is already registered"""
+"""
+@return: a couple (registered, message) with:
+- registered: True if the user is already registered, False otherwise
+- message: a security warning message if registered is False *and* the connection is unsecure, None otherwise
+"""
 _session = self.request.getSession()
 profile = ISATSession(_session).profile
-return bool(profile)
+if bool(profile):
+return (True, None)
+return (False, self.__getSecurityWarning())
 def jsonrpc_registerParams(self):
 """Register the frontend specific parameters"""
 params = """
 <params>
 def jsonrpc_getMenus(self):
 """Return the parameters XML for profile"""
 # XXX: we put this method in Register because we get menus before being logged
 return self.sat_host.bridge.getMenus('', Const.SECURITY_LIMIT)
+def __getSecurityWarning(self):
+"""@return: a security warning message, or None if the connection is secure"""
+if self.request.URLPath().scheme == 'https' or not self.sat_host.security_warning:
+return None
+text = D_("You are about to connect to an unsecured service.")
+if self.sat_host.connection_type == 'both':
+new_port = (':%s' % self.sat_host.port_https) if self.sat_host.port_https != HTTPS_PORT else ''
+url = "https://%s" % self.request.URLPath().netloc.replace(':%s' % self.sat_host.port, new_port)
+text += D_('<br />Secure version of this website: <a href="%(url)s">%(url)s</a>') % {'url': url}
+return text
 class SignalHandler(jsonrpc.JSONRPC):
 def __init__(self, sat_host):
 """
 profile = ISATSession(request.getSession()).profile
 return ("setAvatar", filepath, profile)
+def coerceConnectionType(value):  # called from Libervia.OPT_PARAMETERS
+allowed_values = ('http', 'https', 'both')
+if value not in allowed_values:
+raise ValueError("Invalid parameter value, not in %s" % str(allowed_values))
+return value
 class Libervia(service.Service):
-def __init__(self, port=8080):
+OPT_PARAMETERS = [['connection_type', 't', 'https', "'http', 'https' or 'both' (to launch both servers).", coerceConnectionType],
+['port', 'p', 8080, 'The port number to listen HTTP on.', int],
+['port_https', 's', 8443, 'The port number to listen HTTPS on.', int],
+['ssl_certificate', 'c', 'libervia.pem', 'PEM certificate with both private and public parts.', str],
+['redirect_to_https', 'r', 1, 'automatically redirect from HTTP to HTTPS.', int],
+['security_warning', 'w', 1, 'warn user that he is about to connect on HTTP.', int],
+]
+def __init__(self, *args, **kwargs):
+if not kwargs:
+# During the loading of the twisted plugins, we just need the default values.
+# This part is not executed when the plugin is actually started.
+for name, value in [(option[0], option[2]) for option in self.OPT_PARAMETERS]:
+kwargs[name] = value
+self.connection_type = kwargs['connection_type']
+self.port = kwargs['port']
+self.port_https = kwargs['port_https']
+self.ssl_certificate = kwargs['ssl_certificate']
+self.redirect_to_https = kwargs['redirect_to_https']
+self.security_warning = kwargs['security_warning']
 self._cleanup = []
-self.port = port
 root = ProtectedFile(Const.LIBERVIA_DIR)
 self.signal_handler = SignalHandler(self)
 _register = Register(self)
 _upload_radiocol = UploadManagerRadioCol(self)
 _upload_avatar = UploadManagerAvatar(self)
 @param *args: list of arguments of the callback
 @param **kwargs: list of keyword arguments of the callback"""
 self._cleanup.insert(0, (callback, args, kwargs))
 def startService(self):
-reactor.listenTCP(self.port, self.site)
+if self.connection_type in ('https', 'both'):
+if not ssl_available:
+raise(ImportError(_("Python module pyOpenSSL is not installed!")))
+try:
+with open(self.ssl_certificate) as keyAndCert:
+try:
+cert = ssl.PrivateCertificate.loadPEM(keyAndCert.read())
+except OpenSSL.crypto.Error as e:
+error(_("The file '%s' must contain both private and public parts of the certificate") % self.ssl_certificate)
+raise e
+except IOError as e:
+error(_("The file '%s' doesn't exist") % self.ssl_certificate)
+raise e
+reactor.listenSSL(self.port_https, self.site, cert.options())
+if self.connection_type in ('http', 'both'):
+if self.connection_type == 'both' and self.redirect_to_https:
+reactor.listenTCP(self.port, server.Site(RedirectToHTTPS(self.port, self.port_https)))
+else:
+reactor.listenTCP(self.port, self.site)
 def stopService(self):
 print "launching cleaning methods"
 for callback, args, kwargs in self._cleanup:
 callback(*args, **kwargs)
 reactor.run()
 def stop(self):
 reactor.stop()
+class RedirectToHTTPS(Resource):
+def __init__(self, old_port, new_port):
+Resource.__init__(self)
+self.isLeaf = True
+self.old_port = old_port
+self.new_port = new_port
+def render(self, request):
+netloc = request.URLPath().netloc.replace(':%s' % self.old_port, ':%s' % self.new_port)
+url = "https://" + netloc + request.uri
+return redirectTo(url, request)
 registerAdapter(SATSession, server.Session, ISATSession)
 application = service.Application(Const.APP_NAME)
 service = Libervia()
 service.setServiceParent(application)

Mercurial > libervia-web

comparison libervia_server/__init__.py @ 415:fadbba1d793f

comparison libervia_server/init.py @ 415:fadbba1d793f