diff libervia_server/__init__.py @ 415:fadbba1d793f

server_side: added support for SSL and related parameters: Full parameters list: -t, --connection_type= 'http', 'https' or 'both' (to launch both servers). [default: both] -p, --port= The port number to listen HTTP on. [default: 8080] -s, --port_https= The port number to listen HTTPS on. [default: 8443] -c, --ssl_certificate= PEM certificate with both private and public parts. [default: libervia.pem] -r, --redirect_to_https= automatically redirect from HTTP to HTTPS. [default: 0] -w, --security_warning= warn user that he is about to connect on HTTP. [default: 1]
author souliane <souliane@mailoo.org>
date Tue, 18 Mar 2014 15:59:38 +0100
parents 7a8991cda2fa
children 2bd609d7dd65
line wrap: on
line diff
--- a/libervia_server/__init__.py	Fri Mar 21 09:20:27 2014 +0100
+++ b/libervia_server/__init__.py	Tue Mar 18 15:59:38 2014 +0100
@@ -25,7 +25,7 @@
 from twisted.web import error as weberror
 from twisted.web.static import File
 from twisted.web.resource import Resource, NoResource
-from twisted.web.util import Redirect
+from twisted.web.util import Redirect, redirectTo
 from twisted.python.components import registerAdapter
 from twisted.python.failure import Failure
 from twisted.words.protocols.jabber.jid import JID
@@ -33,17 +33,28 @@
 from txjsonrpc import jsonrpclib
 from logging import debug, info, warning, error
-import re, glob
-import os.path, sys
-import tempfile, shutil, uuid
+import re
+import glob
+import os.path
+import sys
+import tempfile
+import shutil
+import uuid
 from zope.interface import Interface, Attribute, implements
 from xml.dom import minidom
+from httplib import HTTPS_PORT
 from constants import Const
 from libervia_server.blog import MicroBlog
 from sat_frontends.bridge.DBus import DBusBridgeFrontend, BridgeExceptionNoService
 from sat.core.i18n import _, D_
 from sat.tools.xml_tools import paramsXML2XMLUI
+    import OpenSSL
+    from twisted.internet import ssl
+    ssl_available = True
+    ssl_available = False
 class ISATSession(Interface):
@@ -553,14 +564,14 @@
         Render method with some hacks:
            - if login is requested, try to login with form data
            - except login, every method is jsonrpc
-           - user doesn't need to be authentified for isRegistered or registerParams, but must be for all other methods
+           - user doesn't need to be authentified for explicitely listed methods, but must be for all others
         if request.postpath==['login']:
             return self.login(request)
         _session = request.getSession()
         parsed = jsonrpclib.loads(request.content.read())
         method = parsed.get("method")
-        if  method not in ['isRegistered',  'registerParams', 'getMenus']:
+        if  method not in ['isRegistered', 'registerParams', 'getMenus']:
             #if we don't call these methods, we need to be identified
             profile = ISATSession(_session).profile
             if not profile:
@@ -737,10 +748,16 @@
         return server.NOT_DONE_YET
     def jsonrpc_isRegistered(self):
-        """Tell if the user is already registered"""
+        """
+        @return: a couple (registered, message) with:
+        - registered: True if the user is already registered, False otherwise
+        - message: a security warning message if registered is False *and* the connection is unsecure, None otherwise
+        """
         _session = self.request.getSession()
         profile = ISATSession(_session).profile
-        return bool(profile)
+        if bool(profile):
+            return (True, None)
+        return (False, self.__getSecurityWarning())
     def jsonrpc_registerParams(self):
         """Register the frontend specific parameters"""
@@ -766,6 +783,17 @@
         # XXX: we put this method in Register because we get menus before being logged
         return self.sat_host.bridge.getMenus('', Const.SECURITY_LIMIT)
+    def __getSecurityWarning(self):
+        """@return: a security warning message, or None if the connection is secure"""
+        if self.request.URLPath().scheme == 'https' or not self.sat_host.security_warning:
+            return None
+        text = D_("You are about to connect to an unsecured service.")
+        if self.sat_host.connection_type == 'both':
+            new_port = (':%s' % self.sat_host.port_https) if self.sat_host.port_https != HTTPS_PORT else ''
+            url = "https://%s" % self.request.URLPath().netloc.replace(':%s' % self.sat_host.port, new_port)
+            text += D_('<br />Secure version of this website: <a href="%(url)s">%(url)s</a>') % {'url': url}
+        return text
 class SignalHandler(jsonrpc.JSONRPC):
@@ -957,11 +985,37 @@
         return ("setAvatar", filepath, profile)
+def coerceConnectionType(value):  # called from Libervia.OPT_PARAMETERS
+    allowed_values = ('http', 'https', 'both')
+    if value not in allowed_values:
+        raise ValueError("Invalid parameter value, not in %s" % str(allowed_values))
+    return value
 class Libervia(service.Service):
-    def __init__(self, port=8080):
+    OPT_PARAMETERS = [['connection_type', 't', 'https', "'http', 'https' or 'both' (to launch both servers).", coerceConnectionType],
+                      ['port', 'p', 8080, 'The port number to listen HTTP on.', int],
+                      ['port_https', 's', 8443, 'The port number to listen HTTPS on.', int],
+                      ['ssl_certificate', 'c', 'libervia.pem', 'PEM certificate with both private and public parts.', str],
+                      ['redirect_to_https', 'r', 1, 'automatically redirect from HTTP to HTTPS.', int],
+                      ['security_warning', 'w', 1, 'warn user that he is about to connect on HTTP.', int],
+                      ]
+    def __init__(self, *args, **kwargs):
+        if not kwargs:
+            # During the loading of the twisted plugins, we just need the default values.
+            # This part is not executed when the plugin is actually started.
+            for name, value in [(option[0], option[2]) for option in self.OPT_PARAMETERS]:
+                kwargs[name] = value
+        self.connection_type = kwargs['connection_type']
+        self.port = kwargs['port']
+        self.port_https = kwargs['port_https']
+        self.ssl_certificate = kwargs['ssl_certificate']
+        self.redirect_to_https = kwargs['redirect_to_https']
+        self.security_warning = kwargs['security_warning']
         self._cleanup = []
-        self.port = port
         root = ProtectedFile(Const.LIBERVIA_DIR)
         self.signal_handler = SignalHandler(self)
         _register = Register(self)
@@ -1015,7 +1069,25 @@
         self._cleanup.insert(0, (callback, args, kwargs))
     def startService(self):
-        reactor.listenTCP(self.port, self.site)
+        if self.connection_type in ('https', 'both'):
+            if not ssl_available:
+                raise(ImportError(_("Python module pyOpenSSL is not installed!")))
+            try:
+                with open(self.ssl_certificate) as keyAndCert:
+                    try:
+                        cert = ssl.PrivateCertificate.loadPEM(keyAndCert.read())
+                    except OpenSSL.crypto.Error as e:
+                        error(_("The file '%s' must contain both private and public parts of the certificate") % self.ssl_certificate)
+                        raise e
+            except IOError as e:
+                error(_("The file '%s' doesn't exist") % self.ssl_certificate)
+                raise e
+            reactor.listenSSL(self.port_https, self.site, cert.options())
+        if self.connection_type in ('http', 'both'):
+            if self.connection_type == 'both' and self.redirect_to_https:
+                reactor.listenTCP(self.port, server.Site(RedirectToHTTPS(self.port, self.port_https)))
+            else:
+                reactor.listenTCP(self.port, self.site)
     def stopService(self):
         print "launching cleaning methods"
@@ -1028,6 +1100,21 @@
     def stop(self):
+class RedirectToHTTPS(Resource):
+    def __init__(self, old_port, new_port):
+        Resource.__init__(self)
+        self.isLeaf = True
+        self.old_port = old_port
+        self.new_port = new_port
+    def render(self, request):
+        netloc = request.URLPath().netloc.replace(':%s' % self.old_port, ':%s' % self.new_port)
+        url = "https://" + netloc + request.uri
+        return redirectTo(url, request)
 registerAdapter(SATSession, server.Session, ISATSession)
 application = service.Application(Const.APP_NAME)
 service = Libervia()