Added flag for disabling certificate validation #1

8 changes: 6 additions & 2 deletions README.md
Expand Up @@ -86,8 +86,12 @@ How to use it
AUTH_CROWD_SERVER_REST_URI = 'http://127.0.0.1:8095/crowd/rest/usermanagement/latest'

_Use given certificate file to validate https connection to Crowd server_

AUTH_CROWD_SERVER_TRUSTED_ROOT_CERTS_FILE = None

_Disable validation of server certificate for https connection to Crowd server (This is a security risk and is not recommended for production environments)_

AUTH_CROWD_SERVER_VALIDATE_CERTIFICATE = False

Problems ?
==========
Expand All @@ -97,4 +101,4 @@ Just send me a message. Let's see if I can help.
License
=======

Use this code as you want. Consider it free. Say thank you. Don't blame me if it doesn't work for you.
Use this code as you want. Consider it free. Say thank you. Don't blame me if it doesn't work for you.
27 changes: 20 additions & 7 deletions crowdrest/backend.py
Expand Up @@ -151,12 +151,19 @@ def connect(self):
if self._tunnel_host:
self.sock = sock
self._tunnel()

# wrap the socket using verification with the root certificates of given file
self.sock = ssl.wrap_socket(sock,
self.key_file,
self.cert_file,
cert_reqs=ssl.CERT_REQUIRED,
ca_certs=getattr(settings, "AUTH_CROWD_SERVER_TRUSTED_ROOT_CERTS_FILE", None))
certs = getattr(settings, "AUTH_CROWD_SERVER_TRUSTED_ROOT_CERTS_FILE", None)
validate_certs = getattr(settings, "AUTH_CROWD_SERVER_VALIDATE_CERTIFICATE", True)

if certs and validate_certs:
self.sock = ssl.wrap_socket(sock,
self.key_file,
self.cert_file,
cert_reqs=ssl.CERT_REQUIRED,
ca_certs=certs)
elif not validate_certs:
self.sock = ssl.wrap_socket(sock)

# wraps https connections with ssl certificate verification
class VerifiedHTTPSHandler(urllib2.HTTPSHandler):
Expand Down Expand Up @@ -197,8 +204,14 @@ def _createOpener(self):
handlers += [authHandler]

certs = getattr(settings, "AUTH_CROWD_SERVER_TRUSTED_ROOT_CERTS_FILE", None)
if self._url.startswith('https') and certs:
crowd_logger.debug("Validating certificate with " + certs)
validate_certs = getattr(settings, "AUTH_CROWD_SERVER_VALIDATE_CERTIFICATE", True)

if self._url.startswith('https') and (certs or not validate_certs):
if certs:
crowd_logger.debug("Validating certificate with " + certs)
elif not validate_certs:
crowd_logger.warning("Certificate validation is disabled!")

verifyHandler = VerifiedHTTPSHandler()
handlers += [verifyHandler]

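Review bot: In `connect`, when AUTH_CROWD_SERVER_TRUSTED_ROOT_CERTS_FILE is unset and AUTH_CROWD_SERVER_VALIDATE_CERTIFICATE keeps its default of True, neither branch of the new `if certs and validate_certs: ... elif not validate_certs:` runs, so `self.sock` is never wrapped and the connection silently continues over the plain socket; that default configuration should fail loudly instead of degrading. The second hunk has the mirror problem: with a CA file configured but validation switched off, `_createOpener` logs "Validating certificate with ..." although `connect` takes the unverified branch, so the debug line should be gated on `certs and validate_certs` and the warning on `not validate_certs` alone. I would also pass `cert_reqs=ssl.CERT_NONE` explicitly in the opt-out branch (keeping the client key/cert, as the verified branch does) so the intent is visible rather than relying on `wrap_socket`'s default; note that neither branch checks the peer hostname, which predates this change. `connect` begins above the hunk.
```python
        # … unchanged: tunnel setup …
        certs = getattr(settings, "AUTH_CROWD_SERVER_TRUSTED_ROOT_CERTS_FILE", None)
        validate_certs = getattr(settings, "AUTH_CROWD_SERVER_VALIDATE_CERTIFICATE", True)

        if not validate_certs:
            # explicit opt-out: the peer certificate is not checked and no CA file is consulted
            self.sock = ssl.wrap_socket(sock,
                                        self.key_file,
                                        self.cert_file,
                                        cert_reqs=ssl.CERT_NONE)
        else:
            # default path: verification is on, so a CA file is mandatory
            if not certs:
                raise ValueError("AUTH_CROWD_SERVER_TRUSTED_ROOT_CERTS_FILE must be set "
                                 "when AUTH_CROWD_SERVER_VALIDATE_CERTIFICATE is enabled")
            self.sock = ssl.wrap_socket(sock,
                                        self.key_file,
                                        self.cert_file,
                                        cert_reqs=ssl.CERT_REQUIRED,
                                        ca_certs=certs)
```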