[projects/pld-builder.new] Switch to https for client/request handler server and between builders communication. (TODO: certs verification)
arekm
arekm at pld-linux.org
Mon Nov 10 14:23:05 CET 2014
commit c87a0ffa90f33f5e2b9a582f07f96cc6e9d8cabd
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date: Mon Nov 10 14:23:00 2014 +0100
Switch to https for client/request handler server and between builders communication. (TODO: certs verification)
PLD_Builder/config.py | 13 ++++++++++---
PLD_Builder/file_sender.py | 2 +-
PLD_Builder/request_handler_server.py | 14 +++++++++++---
client/make-request.sh | 8 ++++----
config/builder.conf.dist | 7 +++++++
5 files changed, 33 insertions(+), 11 deletions(-)
---
diff --git a/PLD_Builder/config.py b/PLD_Builder/config.py
index bb0b594..967f7c3 100644
--- a/PLD_Builder/config.py
+++ b/PLD_Builder/config.py
@@ -37,8 +37,10 @@ class Builder_Conf:
def read(self, builder):
p = ConfigParser.ConfigParser()
- def get(o, d = None):
- if p.has_option(builder, o):
+ def get(o, d = None, sec=None):
+ if p.has_option(sec, o):
+ return string.strip(p.get(sec, o))
+ elif p.has_option(builder, o):
return string.strip(p.get(builder, o))
elif p.has_option("all", o):
return string.strip(p.get("all", o))
@@ -70,7 +72,12 @@ class Builder_Conf:
self.max_keep_time = int(get("max_keep_time", 168))*60*60
self.bot_email = get("bot_email", "")
self.control_url = get("control_url")
- self.request_handler_server_port = int(get("request_handler_server_port", 1234))
+ self.request_handler_server_port = int(get("port", d=1234, sec="request-server"))
+ self.request_handler_server_ssl = get("ssl", d="False", sec="request-server")
+ if self.request_handler_server_ssl:
+ self.request_handler_server_ssl_key = get("ssl_key", d="", sec="request-server")
+ self.request_handler_server_ssl_cert = get("ssl_cert", d="", sec="request-server")
+ self.request_handler_server_ssl_cacert = get("ssl_cacert", d="", sec="request-server")
self.builder_list = get("builder_list", "")
self.gen_upinfo = get("gen_upinfo", "yes")
if self.gen_upinfo == 'no':
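Review bot: `get("ssl", d="False", sec="request-server")` returns the string `"False"`, which is truthy, so the `if self.request_handler_server_ssl:` check on the next line is always taken, and the same attribute drives `if srv_ssl:` in request_handler_server.py, where the server will always try to wrap its socket — with the sample config's `ssl = False` and placeholder key paths it then fails to start. Convert the option to a real boolean once, here: `self.request_handler_server_ssl = get("ssl", d="False", sec="request-server").lower() in ("1", "true", "yes")`. Note also that the old `request_handler_server_port` key is no longer read, so an existing builder.conf that still sets it silently falls back to 1234; a comment on the new line naming the old key would help operators migrating. The enclosing `read` method continues outside the hunk.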
diff --git a/PLD_Builder/file_sender.py b/PLD_Builder/file_sender.py
index f8d41f3..7fc585f 100644
--- a/PLD_Builder/file_sender.py
+++ b/PLD_Builder/file_sender.py
@@ -119,7 +119,7 @@ def send_file(src, target):
m = re.match('ssh\+rsync://([^@:]+@[^/:]+)(:|)(.*)', target)
if m:
return not rsync_ssh_file(src, m.group(1) + ":" + m.group(3))
- m = re.match('http://.*', target)
+ m = re.match('(http|https)://.*', target)
if m:
return not post_file(src, target)
log.alert("unsupported protocol: %s" % target)
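Review bot: The new pattern can be written as `re.match(r'https?://', target)` — `re.match` already anchors at the start, so the trailing `.*` adds nothing, and a raw string is the usual form for regexes in this file (the `ssh\+rsync` pattern above it would benefit from the same). Whether `post_file` actually validates the peer certificate for an https target is not visible here; the commit title marks certificate verification as a TODO, so it is worth a `# TODO: certificate verification in post_file` marker at the call site so the gap is not lost. The enclosing `send_file` function starts outside the hunk.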
diff --git a/PLD_Builder/request_handler_server.py b/PLD_Builder/request_handler_server.py
index 02220e9..474ee02 100644
--- a/PLD_Builder/request_handler_server.py
+++ b/PLD_Builder/request_handler_server.py
@@ -5,6 +5,7 @@ import string
import cgi
import time
import log
+import ssl
import sys
import traceback
import os
@@ -90,15 +91,22 @@ def main():
init_conf()
host = ""
port = config.request_handler_server_port
+ srv_ssl = config.request_handler_server_ssl
try:
server = HTTPServer((host, port), MyHandler)
+ if srv_ssl:
+ server.socket = ssl.wrap_socket (server.socket,
+ keyfile = config.request_handler_server_ssl_key,
+ certfile = config.request_handler_server_ssl_cert,
+ ca_certs = config.request_handler_server_ssl_cacert,
+ server_side=True)
except Exception, e:
- log.notice("request_handler_server: can't start server on [%s:%d]: %s" % (host, port, e))
- print >> sys.stderr, "ERROR: Can't start server on [%s:%d]: %s" % (host, port, e)
+ log.notice("request_handler_server: can't start server on [%s:%d], ssl=%s: %s" % (host, port, str(srv_ssl), e))
+ print >> sys.stderr, "ERROR: Can't start server on [%s:%d], ssl=%s: %s" % (host, port, str(srv_ssl), e)
sys.exit(1)
- log.notice('request_handler_server: started on [%s:%d]...' % (host, port))
+ log.notice('request_handler_server: started on [%s:%d], ssl=%s...' % (host, port, str(srv_ssl)))
server.serve_forever()
except KeyboardInterrupt:
log.notice('request_handler_server: ^C received, shutting down server')
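Review bot: `ca_certs` is passed to `ssl.wrap_socket` without `cert_reqs`, and the default is `CERT_NONE`, so the CA file is never used and client certificates are neither requested nor checked — the `ssl_cacert` option currently has no effect. If peer verification is the intent (the commit title lists it as a TODO), add `cert_reqs=ssl.CERT_REQUIRED,` to the call; otherwise drop the `ca_certs` argument and a comment `# TODO: client cert verification` so the dead option does not mislead. The call also leaves `ssl_version` at its default, which on the Python 2 versions this code targets permits old protocol versions; pinning it (or, on 2.7.9+, building an `SSLContext`) is the usual follow-up. The truthiness problem of `srv_ssl` being the string "False" is raised on the config.py hunk. `main()` starts before and continues after this hunk.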
diff --git a/client/make-request.sh b/client/make-request.sh
index 156b749..12cbd76 100755
--- a/client/make-request.sh
+++ b/client/make-request.sh
@@ -43,7 +43,7 @@ url="$url"
mailer="/usr/lib/sendmail -t"
gpg_opts=""
dist=th
-url="http://src.th.pld-linux.org:1234/"
+url="https://srcbuilder.pld-linux.org:1234/"
# defaults:
f_upgrade=yes
@@ -540,13 +540,13 @@ ti-dev)
th)
builder_email="builderth at pld-linux.org"
default_builders="th-*"
- url="http://src.th.pld-linux.org:1234/"
- control_url="http://src.th.pld-linux.org"
+ url="https://srcbuilder.pld-linux.org:1234/"
+ control_url="https://srcbuilder.pld-linux.org/th/"
;;
th-java) # fake "dist" for java available th architectures
builder_email="builderth at pld-linux.org"
default_builders="th-x86_64 th-athlon th-i686"
- url="http://src.th.pld-linux.org:1234/"
+ url="https://srcbuilder.pld-linux.org:1234/"
;;
aidath)
builder_email="builderaidath at ep09.pld-linux.org"
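Review bot: The same literal `https://srcbuilder.pld-linux.org:1234/` now appears three times in this file (the top-level default and the `th` and `th-java` cases); assigning it once, e.g. `th_url="https://srcbuilder.pld-linux.org:1234/"` near the defaults, and using `url="$th_url"` in both cases keeps the next host change to one line. How the script submits to `$url` is outside the hunk, so I cannot tell whether the transfer verifies the server certificate; the commit title records that as a TODO, and it applies to this client path as much as to the server. The `case` block continues outside the hunk.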
diff --git a/config/builder.conf.dist b/config/builder.conf.dist
index 243eafd..18d5caa 100644
--- a/config/builder.conf.dist
+++ b/config/builder.conf.dist
@@ -64,6 +64,13 @@ rpm_cache_dir = /spools/ready
#tag_prefixes = auto- auto-ac- auto-th-
tag_prefixes = auto-th-
+[request-server]
+port = 1234
+ssl = False
+ssl_key = somewhere/srcbuilder.key
+ssl_cert = somewhere/srcbuilder.crt
+ssl_cacert = somewhere/intermediateca.crt
+
# ------ Configs for particular builders:
[th-src]
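Review bot: The new `[request-server]` section is the only part of the sample config whose keys are not explained, while the surrounding file documents options with `#` comments (see `#tag_prefixes` just above). A short header would tell an operator what each file is for, e.g. `# ssl_key/ssl_cert: the request server's own private key and certificate; ssl_cacert: CA bundle for verifying peer certificates (used only when ssl = True)`. The sample `ssl = False` should also note the accepted spellings once config.py parses the value as a boolean; as committed, any non-empty value is treated as enabled (raised on the config.py hunk).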
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/projects/pld-builder.new.git/commitdiff/c87a0ffa90f33f5e2b9a582f07f96cc6e9d8cabd