update SSLError handling

Remove old methods for checking certificate state using
subprocess and openssl; replace with new method using
cryptography.x509.
parent a595a758
......@@ -31,7 +31,7 @@ import sys
from .exceptions import HTTPError
from .version import __version__
from .utils import event_or_superevent, safe_netrc, is_expired
from .utils import event_or_superevent, safe_netrc
DEFAULT_SERVICE_URL = "https://gracedb.ligo.org/api/"
......@@ -411,22 +411,17 @@ class GsiRest(object):
if (self.auth_type == 'x509'):
# Check for a valid user proxy cert.
expired, error = is_expired(self.credentials['cert_file'])
if expired is not None:
if expired:
msg = ("\nERROR\n\nYour certificate or proxy has "
"expired. Please run ligo-proxy-init or "
"grid-proxy-init (as appropriate) to generate "
"a fresh one.\n\n")
else:
msg = ("\nERROR\n\nYour certificate appears valid, "
"but there was a problem establishing a secure "
"connection: {e}").format(e=str(e))
expired = self._check_certificate_expiration(reload_buffer=0)
if expired:
msg = ("\nERROR\n\nYour certificate or proxy has "
"expired. Please run ligo-proxy-init or "
"grid-proxy-init (as appropriate) to generate "
"a fresh one.\n\n")
else:
msg = ("\nERROR\n\nUnable to check certificate expiry "
"date: {0}\n\nProblem establishing secure "
"connection: {1}\n\n").format(error, str(e))
msg = ("\nERROR\n\nYour certificate appears valid, "
"but there was a problem establishing a secure "
"connection: {e}").format(e=str(e))
else:
msg = ("\nERROR\n\nProblem establishing secure connection: "
"{e}\n\n").format(e=str(e))
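Review bot: The new `expired = self._check_certificate_expiration(reload_buffer=0)` followed by a plain `if expired: … else:` drops the third outcome the removed code reported ("Unable to check certificate expiry date"): any falsy result that means "could not determine" now prints "Your certificate appears valid", which misdirects the user on the exact failure this handler exists to explain. If the helper raises instead (unreadable or unparsable certificate file), the exception escapes this handler and hides the original SSLError bound to `e`. `_check_certificate_expiration` is not shown in this diff, so whether it returns None or raises on failure is an assumption to confirm; either way a guarded call with an explicit "could not check" branch, as sketched below, keeps the old diagnostic. The enclosing `except` clause that binds `e` starts outside the hunk, and the new "appears valid" message also lost the trailing `\n\n` the sibling messages carry.
```python
# … unchanged: auth_type check and comment …
cert_err = None
try:
    expired = self._check_certificate_expiration(reload_buffer=0)
except Exception as err:  # helper not shown here; narrow once its failure modes are known
    expired, cert_err = None, err
if expired is None:
    msg = ("\nERROR\n\nUnable to check certificate expiry "
           "date: {0}\n\nProblem establishing secure "
           "connection: {1}\n\n").format(cert_err, str(e))
elif expired:
    # … unchanged: "expired" message …
else:
    # … unchanged: "appears valid" message …
```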
......
import os
import re
import shlex
import six
import stat
from datetime import datetime
from functools import wraps
from netrc import netrc, NetrcParseError
from subprocess import Popen, PIPE
if os.name == 'posix':
import pwd
......@@ -55,53 +52,8 @@ def cleanListInput(list_arg):
return stringified_list
# The following are used to check whether a user has tried to use
# an expired certificate.
# Parse a datetime object out of the openssl output.
# Note that this returns a naive datetime object.
def get_dt_from_openssl_output(s):
dt = None
err = ''
# Openssl spits out a string like "notAfter=Feb 6 15:17:54 2016 GMT"
# So we first have to split off the bit after the equal sign.
try:
date_string = s.split('=')[1].strip()
except Exception as e:
err = 'Openssl output not understood: {0}'.format(e)
return dt, err
# Next, attempt to parse the date with strptime.
try:
dt = datetime.strptime(date_string, "%b %d %H:%M:%S %Y %Z")
except Exception as e:
err = 'Could not parse time string from openssl: {0}'.format(e)
return dt, err
return dt, err
# Given a path to a cert file, check whether it is expired.
def is_expired(cert_file):
cmd = 'openssl x509 -enddate -noout -in %s' % cert_file
p = Popen(shlex.split(cmd), stdout=PIPE, stderr=PIPE)
out, err = p.communicate()
# Decode openssl output for Python 3 compatibility
out = out.decode()
expired = None
if p.returncode == 0:
dt, err = get_dt_from_openssl_output(out)
if dt:
# Note that our naive datetime must be compared with a UTC
# datetime that has been rendered naive.
expired = dt <= datetime.utcnow().replace(tzinfo=None)
return expired, err
class safe_netrc(netrc):
"""The netrc.netrc class from the Python standard library applies access
safety checks (requiring that the netrc file is readable only by the
......