Commit 590a9b79 authored by Rafael Monnerat's avatar Rafael Monnerat

WIP: Some work

parent bc2aac6d
...@@ -102,7 +102,7 @@ def main(): ...@@ -102,7 +102,7 @@ def main():
" 3=DEBUG, 4=TRACE. Use SIGUSR1 to reopen log.") " 3=DEBUG, 4=TRACE. Use SIGUSR1 to reopen log.")
_('--min-protocol', default=version.min_protocol, type=int, _('--min-protocol', default=version.min_protocol, type=int,
help="Reject nodes that are too old. Current is %s." % version.protocol) help="Reject nodes that are too old. Current is %s." % version.protocol)
_('--disable-token-by-mail', default=False, type=boolen, _('--disable-token-by-mail', action='store_false',
help="Disable send new tokens by Mail.") help="Disable send new tokens by Mail.")
_ = parser.add_argument_group('routing').add_argument _ = parser.add_argument_group('routing').add_argument
_('--hello', type=int, default=15, _('--hello', type=int, default=15,
......
...@@ -237,10 +237,14 @@ class RegistryServer(object): ...@@ -237,10 +237,14 @@ class RegistryServer(object):
def handle_request(self, request, method, kw, def handle_request(self, request, method, kw,
_localhost=('127.0.0.1', '::1')): _localhost=('127.0.0.1', '::1')):
m = getattr(self, method) m = getattr(self, method)
authorized_origin = ["10.0.228.20"] + list(_localhost)
if method in ('revoke', 'versions', 'topology', 'requestAddToken'): if method in ('revoke', 'versions', 'topology', 'requestAddToken'):
x_forwarded_for = request.headers.get('X-Forwarded-For') x_forwarded_for = request.headers.get('X-Forwarded-For')
if request.client_address[0] not in _localhost or \ if request.client_address[0] not in authorized_origin or \
x_forwarded_for and x_forwarded_for not in _localhost: x_forwarded_for and x_forwarded_for not in authorized_origin:
logging.warning("X-Forward-For %s " % x_forwarded_for)
logging.warning("request.client_address[0] %s " % request.client_address[0])
return request.send_error(httplib.FORBIDDEN) return request.send_error(httplib.FORBIDDEN)
key = m.getcallargs(**kw).get('cn') key = m.getcallargs(**kw).get('cn')
if key: if key:
...@@ -293,6 +297,7 @@ class RegistryServer(object): ...@@ -293,6 +297,7 @@ class RegistryServer(object):
@rpc @rpc
def requestAddToken(self, email, token): def requestAddToken(self, email, token):
prefix_len = self.config.prefix_length prefix_len = self.config.prefix_length
logging.info('requestAddToken %s %s %s' % ( prefix_len, email, token))
if not prefix_len: if not prefix_len:
raise HTTPError(httplib.FORBIDDEN) raise HTTPError(httplib.FORBIDDEN)
with self.lock: with self.lock:
...@@ -448,6 +453,9 @@ class RegistryServer(object): ...@@ -448,6 +453,9 @@ class RegistryServer(object):
def getDh(self, cn): def getDh(self, cn):
with open(self.config.dh) as f: with open(self.config.dh) as f:
return f.read() return f.read()
@rpc
def getNetworkBin(self):
return x509.networkFromCa(self.cert.ca)
@rpc @rpc
def getNetworkConfig(self, cn): def getNetworkConfig(self, cn):
...@@ -455,6 +463,7 @@ class RegistryServer(object): ...@@ -455,6 +463,7 @@ class RegistryServer(object):
@rpc @rpc
def getBootstrapPeer(self, cn): def getBootstrapPeer(self, cn):
logging.info("Asking for peer")
with self.peers_lock: with self.peers_lock:
age, peers = self.peers age, peers = self.peers
if age < time.time() or not peers: if age < time.time() or not peers:
...@@ -475,7 +484,7 @@ class RegistryServer(object): ...@@ -475,7 +484,7 @@ class RegistryServer(object):
with self.lock: with self.lock:
self.sendto(peer, 1) self.sendto(peer, 1)
s = self.sock, s = self.sock,
timeout = 3 timeout = 10
end = timeout + time.time() end = timeout + time.time()
# Loop because there may be answers from previous requests. # Loop because there may be answers from previous requests.
while select.select(s, (), (), timeout)[0]: while select.select(s, (), (), timeout)[0]:
...@@ -515,6 +524,55 @@ class RegistryServer(object): ...@@ -515,6 +524,55 @@ class RegistryServer(object):
q("INSERT INTO crl VALUES (?,?)", (serial, not_after)) q("INSERT INTO crl VALUES (?,?)", (serial, not_after))
self.updateNetworkConfig() self.updateNetworkConfig()
@rpc
def getIPv6Prefix(self, email):
with self.lock:
with self.db:
q = self.db.execute
try:
cert, = q("SELECT cert FROM cert WHERE email = ?",
(email,)).next()
except StopIteration:
# return HTTPCODE 404 maybe
logging.info("cert not found %s" % email)
cert = None
if cert:
certificate = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
cn = x509.subnetFromCert(certificate)
return utils.binFromSubnet(cn)
@rpc
def getIPv6Address(self, email):
ipv6_prefix = self.getIPv6Prefix(email)
if ipv6_prefix is None:
return
return utils.ipFromBin(self.getNetworkBin() + ipv6_prefix)
@rpc
def getIPv4Information(self, peer):
with self.lock:
self.sendto(peer, 1)
s = self.sock,
timeout = 5
end = timeout + time.time()
while select.select(s, (), (), timeout)[0]:
prefix, msg = self.recv(sock, 1)
if prefix == peer:
break
timeout = max(0, end - time.time())
else:
logging.info("Timeout while querying address for %s/%s",
int(peer, 2), len(peer))
return
if "," in msg:
return msg.split(',')[0]
return ipv4
@rpc @rpc
def versions(self): def versions(self):
with self.peers_lock: with self.peers_lock:
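Review bot: The logging.info added to requestAddToken writes the token itself to the log next to the email, so the log file now holds the enrollment secret in plaintext for anyone with read access to it; log only the prefix length and the email, `logging.info('requestAddToken %s %s', prefix_len, email)`. Passing the values as arguments rather than pre-formatting with % also matches the lazy style the other new logging call in this commit uses (`logging.info("Timeout while querying address for %s/%s", ...)`). The body of requestAddToken continues outside the hunk, so if the token is needed for debugging, a hashed or truncated form logged at debug level would be the place for it.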
......
import argparse, errno, hashlib, logging, os, select as _select import argparse, errno, hashlib, logging, os, select as _select
import shlex, signal, socket, sqlite3, struct, subprocess import shlex, signal, socket, sqlite3, struct, subprocess
import sys, textwrap, threading, time, traceback import sys, textwrap, threading, time, traceback
from OpenSSL import crypto
HMAC_LEN = len(hashlib.sha1('').digest()) HMAC_LEN = len(hashlib.sha1('').digest())
...@@ -214,6 +215,9 @@ def ipFromBin(ip, suffix=''): ...@@ -214,6 +215,9 @@ def ipFromBin(ip, suffix=''):
return socket.inet_ntop(socket.AF_INET6, return socket.inet_ntop(socket.AF_INET6,
struct.pack('>QQ', int(ip[:64], 2), int(ip[64:], 2))) struct.pack('>QQ', int(ip[:64], 2), int(ip[64:], 2)))
def loadCert(pem):
return crypto.load_certificate(crypto.FILETYPE_PEM, pem)
def dump_address(address): def dump_address(address):
return ';'.join(map(','.join, address)) return ';'.join(map(','.join, address))
...@@ -226,7 +230,6 @@ def parse_address(address_list): ...@@ -226,7 +230,6 @@ def parse_address(address_list):
except ValueError, e: except ValueError, e:
logging.warning("Failed to parse node address %r (%s)", logging.warning("Failed to parse node address %r (%s)",
address, e) address, e)
def binFromSubnet(subnet): def binFromSubnet(subnet):
p, l = subnet.split('/') p, l = subnet.split('/')
return bin(int(p))[2:].rjust(int(l), '0') return bin(int(p))[2:].rjust(int(l), '0')
...@@ -249,3 +252,13 @@ def sqliteCreateTable(db, name, *columns): ...@@ -249,3 +252,13 @@ def sqliteCreateTable(db, name, *columns):
"table %r already exists with unexpected schema" % name) "table %r already exists with unexpected schema" % name)
db.execute(sql) db.execute(sql)
return True return True
def searchCertFromEmail(db, email):
try:
cert_string, = db.execute("SELECT cert FROM cert WHERE email = ?",
(email,)).next()
except StopIteration:
# Certificates not found
return None
return cert_string
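Review bot: searchCertFromEmail and loadCert are introduced here, yet the getIPv6Prefix method added to registry.py in the same commit still runs the identical `SELECT cert FROM cert WHERE email = ?` and `crypto.load_certificate(crypto.FILETYPE_PEM, cert)` inline, so the query and the PEM loading now live in two places; have getIPv6Prefix call `utils.searchCertFromEmail(self.db, email)` and `utils.loadCert(cert)` instead. The helper also returns the first row with no ORDER BY, so if the cert table can hold more than one certificate per email (the schema is not visible in this diff) the choice is arbitrary and worth either pinning or documenting. Neither helper has a docstring; for searchCertFromEmail something like `"""Return the PEM certificate stored for *email*, or None if there is none."""` would do, and loadCert should say it expects PEM input. The module-level `from OpenSSL import crypto` makes importing utils require pyOpenSSL; presumably registry.py already depends on it, but confirm nothing that imports utils runs without it.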