URL: https://github.com/freeipa/freeipa/pull/1089 Author: stlaz Title: #1089: [Backport][ipa-4-6] Use TLS for the cert-find operation Action: opened
PR body: """ This PR was opened automatically because PR #1042 was pushed to master and backport to ipa-4-6 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1089/head:pr1089 git checkout pr1089
From af3757367e7b03b7cfac46922dc1a1bd6c19b293 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Tue, 5 Sep 2017 13:14:32 -0400
Subject: [PATCH] Use TLS for the cert-find operation
The goal is to avoid using HTTP where possible and use TLS everywhere. This provides not only privacy protection but also integrity protection. We should consider any network except localhost as untrusted. Switch from using urllib.request to dogtag.https_request. https://pagure.io/freeipa/issue/7027
Signed-off-by: Rob Crittenden <rcrit...@redhat.com>
---
 ipaserver/plugins/dogtag.py | 42 +++++++++++++++++++----------------------
 1 file changed, 19 insertions(+), 23 deletions(-)
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index f258ad7baa..13b3c507bf 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -248,7 +248,6 @@ import contextlib
 import six
-from six.moves import urllib
 from ipalib import Backend, api
 from ipapython.dn import DN
@@ -1904,36 +1903,33 @@ def convert_time(value):
 e = etree.SubElement(page, opt)
 e.text = str(booloptions[opt]).lower()
- payload = etree.tostring(doc, pretty_print=False, xml_declaration=True, encoding='UTF-8')
+ payload = etree.tostring(doc, pretty_print=False,
+ xml_declaration=True, encoding='UTF-8')
 logger.debug('%s.find(): request: %s', type(self).__name__, payload)
- url = 'http://%s/ca/rest/certs/search?size=%d' % (
- ipautil.format_netloc(self.ca_host, 80),
- options.get('sizelimit', 0x7fffffff))
-
- opener = urllib.request.build_opener()
- opener.addheaders = [('Accept-Encoding', 'gzip, deflate'),
- ('User-Agent', 'IPA')]
+ # pylint: disable=unused-variable
+ status, _, data = dogtag.https_request(
+ self.ca_host, 443,
+ url='/ca/rest/certs/search?size=%d' % (
+ options.get('sizelimit', 0x7fffffff)),
+ client_certfile=None,
+ client_keyfile=None,
+ cafile=self.ca_cert,
+ method='POST',
+ headers={'Accept-Encoding': 'gzip, deflate',
+ 'User-Agent': 'IPA',
+ 'Content-Type': 'application/xml'},
+ body=payload
+ )
- req = urllib.request.Request(url=url, data=payload, headers={'Content-Type': 'application/xml'})
- try:
- response = opener.open(req)
- except urllib.error.HTTPError as e:
- logger.debug('HTTP Response code: %d', e.getcode())
- if e.getcode() == 501:
- self.raise_certificate_operation_error('find',
- detail=_('find not supported on CAs upgraded from 9 to 10'))
- self.raise_certificate_operation_error('find',
- detail=e.msg)
- except urllib.error.URLError as e:
+ if status != 200:
 self.raise_certificate_operation_error('find',
- detail=e.reason)
+ detail=status)
- data = response.readlines()
 logger.debug('%s.find(): response: %s', type(self).__name__, data)
 parser = etree.XMLParser()
 try:
- doc = etree.fromstring(data[0], parser)
+ doc = etree.fromstring(data, parser)
 except etree.XMLSyntaxError as e:
 self.raise_certificate_operation_error('find',
 detail=e.msg)
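Review bot: The unpacking `status, _, data = dogtag.https_request(` rebinds `_` as a local for the remainder of find(), shadowing the gettext helper that the removed 501 branch called, so any later `_('...')` in this method would fail at runtime; naming the discarded headers, e.g. `status, _headers, data = dogtag.https_request(`, avoids that. The new `if status != 200` check also drops the distinct diagnostic for a 501 from a CA upgraded from 9 to 10, and connection-level failures that the removed `urllib.error.URLError` handler turned into raise_certificate_operation_error now propagate as whatever dogtag.https_request raises, which is not visible in this hunk. If neither loss is intended, keeping the 501 branch in front of the generic status check restores the message at little cost, and a sentence in the commit message would document the error-path change either way. The enclosing find() method starts and ends outside this hunk.
```python
        status, _headers, data = dogtag.https_request(
            self.ca_host, 443,
            # … unchanged: url, client cert/key, cafile, method, headers, body …
        )
        if status == 501:
            self.raise_certificate_operation_error('find',
                detail=_('find not supported on CAs upgraded from 9 to 10'))
        if status != 200:
            self.raise_certificate_operation_error('find',
                                                   detail=status)
```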