URL: https://github.com/freeipa/freeipa/pull/1042
Author: rcritten
 Title: #1042: Use TLS for the cert-find operation
Action: opened

PR body:
"""
Switch from using urllib.request to dogtag.https_request

https://pagure.io/freeipa/issue/7027

Signed-off-by: Rob Crittenden <rcrit...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1042/head:pr1042
git checkout pr1042
From 5ebba57176c3b86e6000e12776977633c03bb0ec Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Tue, 5 Sep 2017 13:14:32 -0400
Subject: [PATCH] Use TLS for the cert-find operation

Switch from using urllib.request to dogtag.https_request

https://pagure.io/freeipa/issue/7027

Signed-off-by: Rob Crittenden <rcrit...@redhat.com>
---
 ipaserver/plugins/dogtag.py | 41 ++++++++++++++++++-----------------------
 1 file changed, 18 insertions(+), 23 deletions(-)

diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index f258ad7baa..5479556888 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -248,7 +248,6 @@
 import contextlib
 
 import six
-from six.moves import urllib
 
 from ipalib import Backend, api
 from ipapython.dn import DN
@@ -1904,36 +1903,32 @@ def convert_time(value):
             e = etree.SubElement(page, opt)
             e.text = str(booloptions[opt]).lower()
 
-        payload = etree.tostring(doc, pretty_print=False, xml_declaration=True, encoding='UTF-8')
+        payload = etree.tostring(doc, pretty_print=False,
+                                 xml_declaration=True, encoding='UTF-8')
         logger.debug('%s.find(): request: %s', type(self).__name__, payload)
 
-        url = 'http://%s/ca/rest/certs/search?size=%d' % (
-            ipautil.format_netloc(self.ca_host, 80),
-            options.get('sizelimit', 0x7fffffff))
-
-        opener = urllib.request.build_opener()
-        opener.addheaders = [('Accept-Encoding', 'gzip, deflate'),
-                             ('User-Agent', 'IPA')]
+        status, resp_headers, data = dogtag.https_request(
+            self.ca_host, 443,
+            url='/ca/rest/certs/search?size=%d' % (
+                 options.get('sizelimit', 0x7fffffff)),
+            client_certfile=None,
+            client_keyfile=None,
+            cafile=self.ca_cert,
+            method='POST',
+            headers={'Accept-Encoding': 'gzip, deflate',
+                     'User-Agent': 'IPA',
+                     'Content-Type': 'application/xml'},
+            body=payload
+        )
 
-        req = urllib.request.Request(url=url, data=payload, headers={'Content-Type': 'application/xml'})
-        try:
-            response = opener.open(req)
-        except urllib.error.HTTPError as e:
-            logger.debug('HTTP Response code: %d', e.getcode())
-            if e.getcode() == 501:
-                self.raise_certificate_operation_error('find',
-                    detail=_('find not supported on CAs upgraded from 9 to 10'))
-            self.raise_certificate_operation_error('find',
-                                                   detail=e.msg)
-        except urllib.error.URLError as e:
+        if status != 200:
             self.raise_certificate_operation_error('find',
-                                                   detail=e.reason)
+                                                   detail=status)
 
-        data = response.readlines()
         logger.debug('%s.find(): response: %s', type(self).__name__, data)
         parser = etree.XMLParser()
         try:
-            doc = etree.fromstring(data[0], parser)
+            doc = etree.fromstring(data, parser)
         except etree.XMLSyntaxError as e:
             self.raise_certificate_operation_error('find',
                                                    detail=e.msg)
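Review bot: The new status check at `if status != 200:` drops the special-cased 501 message and reports only the bare numeric code, so an operator loses both the "upgraded from 9 to 10" hint and the HTTP reason text the old `e.msg` carried; keep a branch `if status == 501: self.raise_certificate_operation_error('find', detail=_('find not supported on CAs upgraded from 9 to 10'))` ahead of the generic raise, and consider including the reason in `detail` if `https_request` can surface it. Connection-level failures are no longer caught here either: the removed URLError handler mapped them to a CertificateOperationError, whereas whatever `dogtag.https_request` raises on a refused or failed TLS connection (presumably an ipalib NetworkError; it is not visible in this hunk) now propagates unchanged, which callers of cert-find may not expect. Passing `cafile=self.ca_cert` is the right trust anchor for verifying the CA's server certificate, but since `client_certfile`/`client_keyfile` are None the search stays anonymous exactly as over plain HTTP, which deserves a one-line comment such as `# anonymous search: TLS protects the channel, no client auth` so nobody reads the TLS switch as adding authentication. The `Accept-Encoding: gzip, deflate` header is carried over, yet nothing in the new code decompresses `data` before `etree.fromstring(data, parser)`, so unless `https_request` does that transparently a compressed reply would surface as a confusing XMLSyntaxError and the header should be dropped; `resp_headers` is also unused and could be `_`.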