From c40a11439c738b67471da01ebfbc3d3d66db6311 Mon Sep 17 00:00:00 2001
From: Marek 'marx' Grac <mgrac@redhat.com>
Date: Fri, 7 Mar 2014 15:13:44 +0100
Subject: [PATCH] fence_vmware_soap: Add new options --ssl-secure and
--ssl-insecure
These new options extends current --ssl (same as --ssl-secure). Until now certificate of the fence device
was not validated, which can possibly lead to an attack on the infrastructure. With this patch, the user can decide
if certificate should (--ssl-secure) or should not (--ssl-insecure) be verified.
python-suds do not validates SSL certificates at all. It is required to change underlying library to
one that can support that what results in new dependency on python-requests.
---
fence/agents/vmware_soap/fence_vmware_soap.py | 35 +++++++++++++++++++++---
1 files changed, 30 insertions(+), 5 deletions(-)
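diff --git a/fence/agents/vmware_soap/fence_vmware_soap.py b/fence/agents/vmware_soap/fence_vmware_soap.py
index bbac1c5..a578662 100644
--- a/fence/agents/vmware_soap/fence_vmware_soap.py
+++ b/fence/agents/vmware_soap/fence_vmware_soap.py
@@ -2,11 +2,13 @@
 
 import sys, exceptions, time
 import shutil, tempfile, suds
-import logging
+import logging, requests
 sys.path.append("@FENCEAGENTSLIBDIR@")
 
 from suds.client import Client
 from suds.sudsobject import Property
+from suds.transport.http import HttpAuthenticated
+from suds.transport import Reply, TransportError
 from fencing import *
 
 #BEGIN_VERSION_GENERATION
@@ -15,13 +17,32 @@ REDHAT_COPYRIGHT=""
 BUILD_DATE="April, 2011"
 #END_VERSION_GENERATION
 
+class RequestsTransport(HttpAuthenticated):
+ def __init__(self, **kwargs):
+ self.cert = kwargs.pop('cert', None)
+ self.verify = kwargs.pop('verify', True)
+ self.session = requests.Session()
+ # super won't work because not using new style class
+ HttpAuthenticated.__init__(self, **kwargs)
+
+ def send(self, request):
+ self.addcredentials(request)
+ resp = self.session.post(request.url, data = request.message, headers = request.headers, cert = self.cert, verify = self.verify)
+ result = Reply(resp.status_code, resp.headers, resp.content)
+ return result
+
 def soap_login(options):
 if options["--action"] in ["off", "reboot"]:
 time.sleep(int(options["--delay"]))
 
- if options.has_key("--ssl"):
+ if options.has_key("--ssl") or options.has_key("--ssl-secure") or options.has_key("--ssl-insecure"):
+ if options.has_key("--ssl-insecure"):
+ verify = False
+ else:
+ verify = True
 url = "https://"
 else:
+ verify = False
 url = "http://"
 
 url += options["--ip"] + ":" + str(options["--ipport"]) + "/sdk"
@@ -29,10 +50,10 @@ def soap_login(options):
 tmp_dir = tempfile.mkdtemp()
 tempfile.tempdir = tmp_dir
 atexit.register(remove_tmp_dir, tmp_dir)
-
+
 try:
- conn = Client(url + "/vimService.wsdl")
- conn.set_options(location = url)
+ headers = {"Content-Type" : "text/xml;charset=UTF-8", "SOAPAction" : ""}
+ conn = Client(url + "/vimService.wsdl", location = url, transport = RequestsTransport(verify = verify), headers = headers)
 
 mo_ServiceInstance = Property('ServiceInstance')
 mo_ServiceInstance._type = 'ServiceInstance'
@@ -41,6 +62,8 @@ def soap_login(options):
 mo_SessionManager._type = 'SessionManager'
 
 SessionManager = conn.service.Login(mo_SessionManager, options["--username"], options["--password"])
+ except requests.exceptions.SSLError, ex:
+ fail_usage("Server side certificate verification failed")
 except Exception, ex:
 fail(EC_LOGIN_DENIED)
 
@@ -202,6 +225,8 @@ Alternatively you can always use UUID to access virtual machine."
 
 logging.basicConfig(level=logging.INFO)
 logging.getLogger('suds.client').setLevel(logging.CRITICAL)
+ logging.getLogger("requests").setLevel(logging.CRITICAL)
+ logging.getLogger("urllib3").setLevel(logging.CRITICAL)
 
 ##
 ## Operate the fencing device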
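Review bot: RequestsTransport overrides only `send`, so the `Client(url + "/vimService.wsdl", ...)` call in soap_login presumably still fetches the WSDL and any imported schemas through the inherited `open()`, which does not go through the requests session and so does not honour `verify`; with --ssl-secure the SOAP calls are certificate-checked but the service description they are built from is not. An `open` override on the same session closes that gap (it needs `import StringIO` at the top of the file). Separately, `session.post` is called without a `timeout`, so an unresponsive endpoint can hang the agent, and the `except requests.exceptions.SSLError` branch reports every TLS failure as a certificate failure without logging `ex`. soap_login's body continues outside these hunks.

```python
class RequestsTransport(HttpAuthenticated):
    # … unchanged: __init__ and send …

    def open(self, request):
        # fetch the WSDL and imported schemas over the same verified session as send()
        resp = self.session.get(request.url, cert = self.cert, verify = self.verify)
        if resp.status_code != 200:
            raise TransportError(resp.reason, resp.status_code)
        return StringIO.StringIO(resp.content)
```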
--
1.7.7.6