From 809b909651118c06d2ab48d7911bbee2e512e478 Mon Sep 17 00:00:00 2001
From: Marek 'marx' Grac <mgrac@redhat.com>
Date: Mon, 1 Sep 2014 15:05:20 +0200
Subject: [PATCH 1/2] fencing: Add new options --ssl-secure and --ssl-insecure
These new options extends current --ssl (same as --ssl-secure). Until now certificate of the fence device
was not validated what can possibly lead to attack on infrastructe. With this patch, user can decide
if certificate should (--ssl-secure) or should not (--ssl-insecure) be verified.
The default option is to validate certificate.
Resolves: rhbz#1072564
---
fence/agents/cisco_ucs/fence_cisco_ucs.py | 9 ++++++--
fence/agents/lib/fencing.py.py | 28 ++++++++++++++++++++---
fence/agents/rhevm/fence_rhevm.py | 9 ++++++--
fence/agents/vmware_soap/fence_vmware_soap.py | 33 +++++++++++++++++++++++----
4 files changed, 68 insertions(+), 11 deletions(-)
diff --git a/fence/agents/cisco_ucs/fence_cisco_ucs.py b/fence/agents/cisco_ucs/fence_cisco_ucs.py
index f72e696..888d689 100644
--- a/fence/agents/cisco_ucs/fence_cisco_ucs.py
+++ b/fence/agents/cisco_ucs/fence_cisco_ucs.py
@@ -90,8 +90,13 @@ def send_command(opt, command, timeout):
conn.setopt(pycurl.POSTFIELDS, command)
conn.setopt(pycurl.WRITEFUNCTION, web_buffer.write)
conn.setopt(pycurl.TIMEOUT, timeout)
- conn.setopt(pycurl.SSL_VERIFYPEER, 0)
- conn.setopt(pycurl.SSL_VERIFYHOST, 0)
+ if opt.has_key("--ssl") or opt.has_key("--ssl-secure"):
+ conn.setopt(pycurl.SSL_VERIFYPEER, 1)
+ conn.setopt(pycurl.SSL_VERIFYHOST, 2)
+
+ if opt.has_key("--ssl-insecure"):
+ conn.setopt(pycurl.SSL_VERIFYPEER, 0)
+ conn.setopt(pycurl.SSL_VERIFYHOST, 0)
conn.perform()
result = web_buffer.getvalue()
diff --git a/fence/agents/lib/fencing.py.py b/fence/agents/lib/fencing.py.py
index d1d5aae..557358a 100644
--- a/fence/agents/lib/fencing.py.py
+++ b/fence/agents/lib/fencing.py.py
@@ -179,6 +179,21 @@ all_opt = {
"required" : "0",
"shortdesc" : "SSL connection",
"order" : 1},
+ "ssl_insecure" : {
+ "getopt" : "9",
+ "longopt" : "ssl-insecure",
+ "help" : "--ssl-insecure Use ssl connection without verifying certificate",
+ "required" : "0",
+ "shortdesc" : "SSL connection without verifying fence device's certificate",
+ "order" : 1},
+ "ssl_secure" : {
+ "getopt" : "9",
+ "longopt" : "ssl-secure",
+ "help" : "--ssl-secure Use ssl connection with verifying certificate",
+ "required" : "0",
+ "shortdesc" : "SSL connection with verifying fence device's certificate",
+ "order" : 1},
+
"notls" : {
"getopt" : "t",
"longopt" : "notls",
@@ -385,6 +400,7 @@ DEPENDENCY_OPT = {
"secure" : ["identity_file", "ssh_options"],
"ipaddr" : ["ipport", "inet4_only", "inet6_only"],
"port" : ["separator"],
+ "ssl" : ["ssl_secure", "ssl_insecure"],
"community" : ["snmp_auth_prot", "snmp_sec_level", "snmp_priv_prot", \
"snmp_priv_passwd", "snmp_priv_passwd_script"]
}
@@ -662,7 +678,7 @@ def check_input(device_opt, opt):
elif options.has_key("--ssh") or (all_opt["secure"].has_key("default") and all_opt["secure"]["default"] == '1'):
all_opt["ipport"]["default"] = 22
all_opt["ipport"]["help"] = "-u, --ipport=[port] TCP/UDP port to use (default 22)"
- elif options.has_key("--ssl") or (all_opt["ssl"].has_key("default") and all_opt["ssl"]["default"] == '1'):
+ elif options.has_key("--ssl") or options.has_key("--ssl-secure") or options.has_key("--ssl-insecure") or (all_opt["ssl"].has_key("default") and all_opt["ssl"]["default"] == '1'):
all_opt["ipport"]["default"] = 443
all_opt["ipport"]["help"] = "-u, --ipport=[port] TCP/UDP port to use (default 443)"
elif device_opt.count("web"):
@@ -972,11 +988,17 @@ def fence_login(options, re_login_string=r"(login\s*: )|(Login Name: )|(usernam
if options.has_key("--ssl"):
gnutls_opts = ""
+ ssl_opts = ""
+
if options.has_key("--notls"):
gnutls_opts = "--priority \"NORMAL:-VERS-TLS1.2:-VERS-TLS1.1:-VERS-TLS1.0:+VERS-SSL3.0\""
- command = '%s %s --insecure --crlf -p %s %s' % \
- (SSL_PATH, gnutls_opts, options["--ipport"], options["--ip"])
+ # --ssl is same as the --ssl-secure
+ if options.has_key("--ssl-insecure"):
+ ssl_opts = "--insecure"
+
+ command = '%s %s %s --insecure --crlf -p %s %s' % \
+ (SSL_PATH, gnutls_opts, ssl_opts, options["--ipport"], options["--ip"])
try:
conn = fspawn(options, command)
except pexpect.ExceptionPexpect, ex:
diff --git a/fence/agents/rhevm/fence_rhevm.py b/fence/agents/rhevm/fence_rhevm.py
index a0d8d59..444fb56 100644
--- a/fence/agents/rhevm/fence_rhevm.py
+++ b/fence/agents/rhevm/fence_rhevm.py
@@ -91,8 +91,13 @@ def send_command(opt, command, method="GET"):
conn.setopt(pycurl.HTTPAUTH, pycurl.HTTPAUTH_BASIC)
conn.setopt(pycurl.USERPWD, opt["--username"] + ":" + opt["--password"])
conn.setopt(pycurl.TIMEOUT, int(opt["--shell-timeout"]))
- conn.setopt(pycurl.SSL_VERIFYPEER, 0)
- conn.setopt(pycurl.SSL_VERIFYHOST, 0)
+ if opt.has_key("--ssl") or opt.has_key("--ssl-secure"):
+ conn.setopt(pycurl.SSL_VERIFYPEER, 1)
+ conn.setopt(pycurl.SSL_VERIFYHOST, 2)
+
+ if opt.has_key("--ssl-insecure"):
+ conn.setopt(pycurl.SSL_VERIFYPEER, 0)
+ conn.setopt(pycurl.SSL_VERIFYHOST, 0)
if method == "POST":
conn.setopt(pycurl.POSTFIELDS, "<action />")
diff --git a/fence/agents/vmware_soap/fence_vmware_soap.py b/fence/agents/vmware_soap/fence_vmware_soap.py
index 53fd9ea..3217c6b 100644
--- a/fence/agents/vmware_soap/fence_vmware_soap.py
+++ b/fence/agents/vmware_soap/fence_vmware_soap.py
@@ -2,12 +2,14 @@
import sys
import shutil, tempfile, suds
-import logging
+import logging, requests
import atexit
sys.path.append("@FENCEAGENTSLIBDIR@")
from suds.client import Client
from suds.sudsobject import Property
+from suds.transport.http import HttpAuthenticated
+from suds.transport import Reply, TransportError
from fencing import *
from fencing import fail, EC_STATUS, EC_LOGIN_DENIED, EC_INVALID_PRIVILEGES, EC_WAITING_ON, EC_WAITING_OFF
from fencing import run_delay
@@ -18,12 +20,31 @@ REDHAT_COPYRIGHT=""
BUILD_DATE="April, 2011"
#END_VERSION_GENERATION
+class RequestsTransport(HttpAuthenticated):
+ def __init__(self, **kwargs):
+ self.cert = kwargs.pop('cert', None)
+ self.verify = kwargs.pop('verify', True)
+ self.session = requests.Session()
+ # super won't work because not using new style class
+ HttpAuthenticated.__init__(self, **kwargs)
+
+ def send(self, request):
+ self.addcredentials(request)
+ resp = self.session.post(request.url, data = request.message, headers = request.headers, cert = self.cert, verify = self.verify)
+ result = Reply(resp.status_code, resp.headers, resp.content)
+ return result
+
def soap_login(options):
run_delay(options)
- if options.has_key("--ssl"):
+ if options.has_key("--ssl") or options.has_key("--ssl-secure") or options.has_key("--ssl-insecure"):
+ if options.has_key("--ssl-insecure"):
+ verify = False
+ else:
+ verify = True
url = "https://"
else:
+ verify = False
url = "http://"
url += options["--ip"] + ":" + str(options["--ipport"]) + "/sdk"
@@ -33,8 +54,8 @@ def soap_login(options):
atexit.register(remove_tmp_dir, tmp_dir)
try:
- conn = Client(url + "/vimService.wsdl")
- conn.set_options(location=url)
+ headers = {"Content-Type" : "text/xml;charset=UTF-8", "SOAPAction" : ""}
+ conn = Client(url + "/vimService.wsdl", location = url, transport = RequestsTransport(verify = verify), headers = headers)
mo_ServiceInstance = Property('ServiceInstance')
mo_ServiceInstance._type = 'ServiceInstance'
@@ -43,6 +64,8 @@ def soap_login(options):
mo_SessionManager._type = 'SessionManager'
conn.service.Login(mo_SessionManager, options["--username"], options["--password"])
+ except requests.exceptions.SSLError, ex:
+ fail_usage("Server side certificate verification failed")
except Exception:
fail(EC_LOGIN_DENIED)
@@ -205,6 +228,8 @@ Alternatively you can always use UUID to access virtual machine."
logging.basicConfig(level=logging.INFO)
logging.getLogger('suds.client').setLevel(logging.CRITICAL)
+ logging.getLogger("requests").setLevel(logging.CRITICAL)
+ logging.getLogger("urllib3").setLevel(logging.CRITICAL)
##
## Operate the fencing device
--
1.9.3