Share SSL options for well-known requests
This commit is contained in:
parent
d4f91e7e9f
commit
a9bcae9f50
3 changed files with 19 additions and 17 deletions
|
@ -31,6 +31,7 @@ from twisted.internet.ssl import (
|
||||||
platformTrust,
|
platformTrust,
|
||||||
)
|
)
|
||||||
from twisted.python.failure import Failure
|
from twisted.python.failure import Failure
|
||||||
|
from twisted.web.iweb import IPolicyForHTTPS
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
@ -74,6 +75,7 @@ class ServerContextFactory(ContextFactory):
|
||||||
return self._context
|
return self._context
|
||||||
|
|
||||||
|
|
||||||
|
@implementer(IPolicyForHTTPS)
|
||||||
class ClientTLSOptionsFactory(object):
|
class ClientTLSOptionsFactory(object):
|
||||||
"""Factory for Twisted SSLClientConnectionCreators that are used to make connections
|
"""Factory for Twisted SSLClientConnectionCreators that are used to make connections
|
||||||
to remote servers for federation.
|
to remote servers for federation.
|
||||||
|
@ -146,6 +148,12 @@ class ClientTLSOptionsFactory(object):
|
||||||
f = Failure()
|
f = Failure()
|
||||||
tls_protocol.failVerification(f)
|
tls_protocol.failVerification(f)
|
||||||
|
|
||||||
|
def creatorForNetloc(self, hostname, port):
|
||||||
|
"""Implements the IPolicyForHTTPS interace so that this can be passed
|
||||||
|
directly to agents.
|
||||||
|
"""
|
||||||
|
return self.get_options(hostname)
|
||||||
|
|
||||||
|
|
||||||
@implementer(IOpenSSLClientConnectionCreator)
|
@implementer(IOpenSSLClientConnectionCreator)
|
||||||
class SSLClientConnectionCreator(object):
|
class SSLClientConnectionCreator(object):
|
||||||
|
|
|
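Review bot: The docstring of the new `creatorForNetloc` has a typo ("interace") and does not say what the method delegates to; I would write `"""Implements the IPolicyForHTTPS interface so that this can be passed directly to agents; `port` is unused, the creator comes from get_options."""`. Twisted hands IPolicyForHTTPS.creatorForNetloc the hostname as bytes, while the rest of the agent appears to call `get_options` with a decoded text hostname, so whether `return self.get_options(hostname)` is correct depends on what `get_options` and the creator it builds accept — please confirm against `get_options`, whose body is outside this hunk, and decode here (`hostname.decode("ascii")`) if it expects text. The enclosing `ClientTLSOptionsFactory` class starts and continues outside the hunk.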
@ -64,10 +64,6 @@ class MatrixFederationAgent(object):
|
||||||
tls_client_options_factory (ClientTLSOptionsFactory|None):
|
tls_client_options_factory (ClientTLSOptionsFactory|None):
|
||||||
factory to use for fetching client tls options, or none to disable TLS.
|
factory to use for fetching client tls options, or none to disable TLS.
|
||||||
|
|
||||||
_well_known_tls_policy (IPolicyForHTTPS|None):
|
|
||||||
TLS policy to use for fetching .well-known files. None to use a default
|
|
||||||
(browser-like) implementation.
|
|
||||||
|
|
||||||
_srv_resolver (SrvResolver|None):
|
_srv_resolver (SrvResolver|None):
|
||||||
SRVResolver impl to use for looking up SRV records. None to use a default
|
SRVResolver impl to use for looking up SRV records. None to use a default
|
||||||
implementation.
|
implementation.
|
||||||
|
@ -81,7 +77,6 @@ class MatrixFederationAgent(object):
|
||||||
self,
|
self,
|
||||||
reactor,
|
reactor,
|
||||||
tls_client_options_factory,
|
tls_client_options_factory,
|
||||||
_well_known_tls_policy=None,
|
|
||||||
_srv_resolver=None,
|
_srv_resolver=None,
|
||||||
_well_known_cache=well_known_cache,
|
_well_known_cache=well_known_cache,
|
||||||
):
|
):
|
||||||
|
@ -98,13 +93,12 @@ class MatrixFederationAgent(object):
|
||||||
self._pool.maxPersistentPerHost = 5
|
self._pool.maxPersistentPerHost = 5
|
||||||
self._pool.cachedConnectionTimeout = 2 * 60
|
self._pool.cachedConnectionTimeout = 2 * 60
|
||||||
|
|
||||||
agent_args = {}
|
|
||||||
if _well_known_tls_policy is not None:
|
|
||||||
# the param is called 'contextFactory', but actually passing a
|
|
||||||
# contextfactory is deprecated, and it expects an IPolicyForHTTPS.
|
|
||||||
agent_args["contextFactory"] = _well_known_tls_policy
|
|
||||||
_well_known_agent = RedirectAgent(
|
_well_known_agent = RedirectAgent(
|
||||||
Agent(self._reactor, pool=self._pool, **agent_args)
|
Agent(
|
||||||
|
self._reactor,
|
||||||
|
pool=self._pool,
|
||||||
|
contextFactory=tls_client_options_factory,
|
||||||
|
)
|
||||||
)
|
)
|
||||||
self._well_known_agent = _well_known_agent
|
self._well_known_agent = _well_known_agent
|
||||||
|
|
||||||
|
|
|
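Review bot: The well-known `Agent` now receives `contextFactory=tls_client_options_factory` unconditionally, but the docstring at the top of this section still documents `tls_client_options_factory` as `ClientTLSOptionsFactory|None` with "none to disable TLS"; the removed code only set `contextFactory` when a policy was given, so with None the old agent fell back to Twisted's default policy whereas the new one hands Twisted a None policy, which I would expect to fail at connection time. Either keep the previous guard, `agent_args = {}` / `if tls_client_options_factory is not None: agent_args["contextFactory"] = tls_client_options_factory`, and pass `**agent_args`, or drop the None case from the docstring. Separately, this changes the trust model for `.well-known` lookups: they used to go through a browser-like policy and now use the federation client options, so any configuration that relaxes federation certificate verification now relaxes it for well-known fetches too; that deserves a sentence in the `tls_client_options_factory` docstring, e.g. `also used for fetching .well-known files over TLS.`. `__init__` continues outside this hunk.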
@ -75,7 +75,6 @@ class MatrixFederationAgentTests(TestCase):
|
||||||
|
|
||||||
config_dict = default_config("test", parse=False)
|
config_dict = default_config("test", parse=False)
|
||||||
config_dict["federation_custom_ca_list"] = [get_test_ca_cert_file()]
|
config_dict["federation_custom_ca_list"] = [get_test_ca_cert_file()]
|
||||||
# config_dict["trusted_key_servers"] = []
|
|
||||||
|
|
||||||
self._config = config = HomeServerConfig()
|
self._config = config = HomeServerConfig()
|
||||||
config.parse_config_dict(config_dict, "", "")
|
config.parse_config_dict(config_dict, "", "")
|
||||||
|
@ -83,7 +82,6 @@ class MatrixFederationAgentTests(TestCase):
|
||||||
self.agent = MatrixFederationAgent(
|
self.agent = MatrixFederationAgent(
|
||||||
reactor=self.reactor,
|
reactor=self.reactor,
|
||||||
tls_client_options_factory=ClientTLSOptionsFactory(config),
|
tls_client_options_factory=ClientTLSOptionsFactory(config),
|
||||||
_well_known_tls_policy=TrustingTLSPolicyForHTTPS(),
|
|
||||||
_srv_resolver=self.mock_resolver,
|
_srv_resolver=self.mock_resolver,
|
||||||
_well_known_cache=self.well_known_cache,
|
_well_known_cache=self.well_known_cache,
|
||||||
)
|
)
|
||||||
|
@ -691,16 +689,18 @@ class MatrixFederationAgentTests(TestCase):
|
||||||
not signed by a CA
|
not signed by a CA
|
||||||
"""
|
"""
|
||||||
|
|
||||||
# we use the same test server as the other tests, but use an agent
|
# we use the same test server as the other tests, but use an agent with
|
||||||
# with _well_known_tls_policy left to the default, which will not
|
# the config left to the default, which will not trust it (since the
|
||||||
# trust it (since the presented cert is signed by a test CA)
|
# presented cert is signed by a test CA)
|
||||||
|
|
||||||
self.mock_resolver.resolve_service.side_effect = lambda _: []
|
self.mock_resolver.resolve_service.side_effect = lambda _: []
|
||||||
self.reactor.lookups["testserv"] = "1.2.3.4"
|
self.reactor.lookups["testserv"] = "1.2.3.4"
|
||||||
|
|
||||||
|
config = default_config("test", parse=True)
|
||||||
|
|
||||||
agent = MatrixFederationAgent(
|
agent = MatrixFederationAgent(
|
||||||
reactor=self.reactor,
|
reactor=self.reactor,
|
||||||
tls_client_options_factory=ClientTLSOptionsFactory(self._config),
|
tls_client_options_factory=ClientTLSOptionsFactory(config),
|
||||||
_srv_resolver=self.mock_resolver,
|
_srv_resolver=self.mock_resolver,
|
||||||
_well_known_cache=self.well_known_cache,
|
_well_known_cache=self.well_known_cache,
|
||||||
)
|
)
|
||||||
|
|