[projects/pld-builder.new] Switch to https for client/request handler server and between builders communication. (TODO: certs verification)

arekm arekm at pld-linux.org
Mon Nov 10 14:23:05 CET 2014


commit c87a0ffa90f33f5e2b9a582f07f96cc6e9d8cabd
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date:   Mon Nov 10 14:23:00 2014 +0100

    Switch to https for client/request handler server and between builders communication. (TODO: certs verification)

 PLD_Builder/config.py                 | 13 ++++++++++---
 PLD_Builder/file_sender.py            |  2 +-
 PLD_Builder/request_handler_server.py | 14 +++++++++++---
 client/make-request.sh                |  8 ++++----
 config/builder.conf.dist              |  7 +++++++
 5 files changed, 33 insertions(+), 11 deletions(-)
---
diff --git a/PLD_Builder/config.py b/PLD_Builder/config.py
index bb0b594..967f7c3 100644
--- a/PLD_Builder/config.py
+++ b/PLD_Builder/config.py
@@ -37,8 +37,10 @@ class Builder_Conf:
 
     def read(self, builder):
         p = ConfigParser.ConfigParser()
-        def get(o, d = None):
-            if p.has_option(builder, o):
+        def get(o, d = None, sec=None):
+            if p.has_option(sec, o):
+                return string.strip(p.get(sec, o))
+            elif p.has_option(builder, o):
                 return string.strip(p.get(builder, o))
             elif p.has_option("all", o):
                 return string.strip(p.get("all", o))
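Review bot: The new first branch of `get` breaks every caller that leaves `sec` at its default once an option is present in `[DEFAULT]`: Python 2's `ConfigParser.has_option(None, o)` treats a falsy section as the DEFAULT section and returns True, after which `p.get(None, o)` raises `NoSectionError` because `None` is not `DEFAULTSECT`. Guarding the new branch avoids that, `if sec is not None and p.has_option(sec, o):`. The body of `read` and the rest of the `get` closure continue outside the hunk.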
@@ -70,7 +72,12 @@ class Builder_Conf:
         self.max_keep_time = int(get("max_keep_time", 168))*60*60
         self.bot_email = get("bot_email", "")
         self.control_url = get("control_url")
-        self.request_handler_server_port = int(get("request_handler_server_port", 1234))
+        self.request_handler_server_port = int(get("port", d=1234, sec="request-server"))
+        self.request_handler_server_ssl = get("ssl", d="False", sec="request-server")
+        if self.request_handler_server_ssl:
+            self.request_handler_server_ssl_key = get("ssl_key", d="", sec="request-server")
+            self.request_handler_server_ssl_cert = get("ssl_cert", d="", sec="request-server")
+            self.request_handler_server_ssl_cacert = get("ssl_cacert", d="", sec="request-server")
         self.builder_list = get("builder_list", "")
         self.gen_upinfo = get("gen_upinfo", "yes")
         if self.gen_upinfo == 'no':
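Review bot: `get("ssl", d="False", sec="request-server")` returns the option as a string, so `if self.request_handler_server_ssl:` on the next line is true for `"False"` — the default and the value shipped in builder.conf.dist — and the same string is what `if srv_ssl:` tests in request_handler_server.py (the `@@ -90` hunk), meaning TLS wrapping is attempted even when the operator turned it off. Convert to a boolean once here, `self.request_handler_server_ssl = get("ssl", d="False", sec="request-server").lower() in ("1", "true", "yes")`, and the later checks become correct as written. Consider also assigning the three `ssl_*` attributes unconditionally (empty when disabled) so a reader of the config object never hits `AttributeError` for a key that exists only when TLS is on.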
diff --git a/PLD_Builder/file_sender.py b/PLD_Builder/file_sender.py
index f8d41f3..7fc585f 100644
--- a/PLD_Builder/file_sender.py
+++ b/PLD_Builder/file_sender.py
@@ -119,7 +119,7 @@ def send_file(src, target):
         m = re.match('ssh\+rsync://([^@:]+@[^/:]+)(:|)(.*)', target)
         if m:
             return not rsync_ssh_file(src, m.group(1) + ":" + m.group(3))
-        m = re.match('http://.*', target)
+        m = re.match('(http|https)://.*', target)
         if m:
             return not post_file(src, target)
         log.alert("unsupported protocol: %s" % target)
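Review bot: The new pattern can be written as `'https?://.*'`; `re.match` already anchors at the start of the string, so the trailing `.*` is redundant as well, `m = re.match('https?://', target)`. Whether `post_file` (outside this hunk) verifies the server certificate for the new https targets is not visible here; the commit message lists that as a TODO, so a short comment next to this match noting that scheme acceptance does not imply peer verification would help the next reader.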
diff --git a/PLD_Builder/request_handler_server.py b/PLD_Builder/request_handler_server.py
index 02220e9..474ee02 100644
--- a/PLD_Builder/request_handler_server.py
+++ b/PLD_Builder/request_handler_server.py
@@ -5,6 +5,7 @@ import string
 import cgi
 import time
 import log
+import ssl
 import sys
 import traceback
 import os
@@ -90,15 +91,22 @@ def main():
 		init_conf()
 		host = ""
 		port = config.request_handler_server_port
+		srv_ssl = config.request_handler_server_ssl
 
 		try:
 			server = HTTPServer((host, port), MyHandler)
+			if srv_ssl:
+				server.socket = ssl.wrap_socket (server.socket,
+						keyfile = config.request_handler_server_ssl_key,
+						certfile = config.request_handler_server_ssl_cert,
+						ca_certs = config.request_handler_server_ssl_cacert,
+						server_side=True)
 		except Exception, e:
-			log.notice("request_handler_server: can't start server on [%s:%d]: %s" % (host, port, e))
-			print >> sys.stderr, "ERROR: Can't start server on [%s:%d]: %s" % (host, port, e)
+			log.notice("request_handler_server: can't start server on [%s:%d], ssl=%s: %s" % (host, port, str(srv_ssl), e))
+			print >> sys.stderr, "ERROR: Can't start server on [%s:%d], ssl=%s: %s" % (host, port, str(srv_ssl), e)
 			sys.exit(1)
 
-		log.notice('request_handler_server: started on [%s:%d]...' % (host, port))
+		log.notice('request_handler_server: started on [%s:%d], ssl=%s...' % (host, port, str(srv_ssl)))
 		server.serve_forever()
 	except KeyboardInterrupt:
 		log.notice('request_handler_server: ^C received, shutting down server')
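Review bot: `ssl.wrap_socket` is given `ca_certs` but no `cert_reqs`, which defaults to `ssl.CERT_NONE`, so the configured CA file is never used to check connecting clients and the `ssl_cacert` setting has no effect on who can submit requests. If client certificates are meant to gate access, add `cert_reqs = ssl.CERT_REQUIRED,` to the call; if not, drop `ca_certs` so the configuration does not suggest verification that does not happen. `srv_ssl` is also the raw config string, so the `if srv_ssl:` guard is true for `"False"` (raised at the config.py hunk). The `ssl_version` left at its default is whatever this interpreter's `wrap_socket` chooses, which for a 2014-era Python 2 may include SSLv3; pinning it explicitly is worth a comment at least. `main` starts before this hunk, and there is a stray space in `ssl.wrap_socket (`.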
diff --git a/client/make-request.sh b/client/make-request.sh
index 156b749..12cbd76 100755
--- a/client/make-request.sh
+++ b/client/make-request.sh
@@ -43,7 +43,7 @@ url="$url"
 mailer="/usr/lib/sendmail -t"
 gpg_opts=""
 dist=th
-url="http://src.th.pld-linux.org:1234/"
+url="https://srcbuilder.pld-linux.org:1234/"
 
 # defaults:
 f_upgrade=yes
@@ -540,13 +540,13 @@ ti-dev)
 th)
 	builder_email="builderth at pld-linux.org"
 	default_builders="th-*"
-	url="http://src.th.pld-linux.org:1234/"
-	control_url="http://src.th.pld-linux.org"
+	url="https://srcbuilder.pld-linux.org:1234/"
+	control_url="https://srcbuilder.pld-linux.org/th/"
 	;;
 th-java) # fake "dist" for java available th architectures
 	builder_email="builderth at pld-linux.org"
 	default_builders="th-x86_64 th-athlon th-i686"
-	url="http://src.th.pld-linux.org:1234/"
+	url="https://srcbuilder.pld-linux.org:1234/"
 	;;
 aidath)
 	builder_email="builderaidath at ep09.pld-linux.org"
diff --git a/config/builder.conf.dist b/config/builder.conf.dist
index 243eafd..18d5caa 100644
--- a/config/builder.conf.dist
+++ b/config/builder.conf.dist
@@ -64,6 +64,13 @@ rpm_cache_dir = /spools/ready
 #tag_prefixes = auto- auto-ac- auto-th-
 tag_prefixes = auto-th-
 
+[request-server]
+port = 1234
+ssl = False
+ssl_key = somewhere/srcbuilder.key
+ssl_cert = somewhere/srcbuilder.crt
+ssl_cacert = somewhere/intermediateca.crt
+
 # ------ Configs for particular builders:
 
 [th-src]
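Review bot: The new `[request-server]` section ships without any comment on what the keys mean or where the relative `somewhere/...` paths are resolved from, unlike the commented options above it. A few lines such as `# ssl = True wraps the request handler socket in TLS; ssl_key/ssl_cert are the server's private key and certificate` and `# ssl_cacert: CA bundle, only consulted when the server is configured to verify client certificates` would make the template self-explanatory, and a note that the three paths are placeholders to replace would avoid an unreadable-file failure at startup.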
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/projects/pld-builder.new.git/commitdiff/c87a0ffa90f33f5e2b9a582f07f96cc6e9d8cabd


