[Xen-API] [PATCH 2 of 2] CA-42836: In the import_raw_vdi HTTP handler wh
# HG changeset patch
# User David Scott <dave.scott@xxxxxxxxxxxxx>
# Date 1282565001 -3600
# Node ID acfa0e8405cb12be60262655c8f21d97284e1a3b
# Parent 838461861723b2801ffc5496df81c55ecbe8ebe9
CA-42836: In the import_raw_vdi HTTP handler when issuing an HTTP redirect, use
HTTPS if the caller was originally using HTTPS or HTTP otherwise.
Signed-off-by: David Scott <dave.scott@xxxxxxxxxxxxx>
diff -r 838461861723 -r acfa0e8405cb ocaml/idl/ocaml_backend/context.ml
--- a/ocaml/idl/ocaml_backend/context.ml Mon Aug 23 13:03:21 2010 +0100
+++ b/ocaml/idl/ocaml_backend/context.ml Mon Aug 23 13:03:21 2010 +0100
@@ -81,6 +81,14 @@
Unix.ADDR_UNIX _ -> true
| Unix.ADDR_INET _ -> false
+(** Calls coming directly into xapi on port 80 from remote IPs are unencrypted
*)
+let is_unencrypted s =
+ match Unix.getpeername s with
+ | Unix.ADDR_UNIX _ -> false
+ | Unix.ADDR_INET (addr, _) when addr = Unix.inet_addr_loopback -> false
+ | Unix.ADDR_INET _ -> true
+
+
let preauth ~__context =
match __context.origin with
Internal -> false
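Review bot: `is_unencrypted` decides from the peer address alone, so its name and the context.mli doc comment (`returns true if the calling connection is not encrypted`) promise more than the code checks. A loopback peer is reported as encrypted whether or not TLS was involved, and only `Unix.inet_addr_loopback` is recognised, so an IPv6 loopback peer (`Unix.inet6_addr_loopback`) would be classed as unencrypted. The doc comment should state the assumption it presumably relies on, e.g. `(** Assumes TLS is terminated by a local proxy that connects over IPv4 loopback; every other INET peer is treated as plaintext. *)`. `Unix.getpeername` can also raise `Unix.Unix_error` when the peer has already disconnected, and the visible caller in import_raw_vdi.ml does not handle that.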
diff -r 838461861723 -r acfa0e8405cb ocaml/idl/ocaml_backend/context.mli
--- a/ocaml/idl/ocaml_backend/context.mli Mon Aug 23 13:03:21 2010 +0100
+++ b/ocaml/idl/ocaml_backend/context.mli Mon Aug 23 13:03:21 2010 +0100
@@ -84,6 +84,9 @@
(** [is_unix_socket fd] *)
val is_unix_socket : Unix.file_descr -> bool
+(** [is_unencrypted fd] returns true if the calling connection is not
encrypted *)
+val is_unencrypted : Unix.file_descr -> bool
+
(** [preauth ~__context] *)
val preauth : __context:t -> bool
diff -r 838461861723 -r acfa0e8405cb ocaml/xapi/import_raw_vdi.ml
--- a/ocaml/xapi/import_raw_vdi.ml Mon Aug 23 13:03:21 2010 +0100
+++ b/ocaml/xapi/import_raw_vdi.ml Mon Aug 23 13:03:21 2010 +0100
@@ -70,7 +70,7 @@
raise e)
let return_302_redirect (req: request) s address =
- let url = Printf.sprintf "https://%s%s?%s" address req.uri
(String.concat "&" (List.map (fun (a,b) -> a^"="^b) req.query)) in
+ let url = Printf.sprintf "%s://%s%s?%s" (if Context.is_unencrypted s
then "http" else "https") address req.uri (String.concat "&" (List.map (fun
(a,b) -> a^"="^b) req.query)) in
let headers = Http.http_302_redirect url in
debug "HTTP 302 redirect to: %s" url;
Http_svr.headers s headers
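Review bot: The redirect URL on the new `Printf.sprintf` line is built from `req.uri` and raw `a^"="^b` pairs with no percent-encoding, and it now keeps the plaintext scheme for HTTP callers. Whether `req.query` holds already-decoded values is not visible here; if it does, a value containing `&`, `=` or CR/LF would change the redirected request or the header block, so the pairs should be re-encoded before concatenation. The `debug` line should also avoid logging the full query if it can carry credentials. For readability I would bind the scheme first, `let scheme = if Context.is_unencrypted s then "http" else "https" in`, and pass `scheme` to `sprintf`. The function may continue beyond the end of this hunk.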
ocaml/idl/ocaml_backend/context.ml | 8 ++++++++
ocaml/idl/ocaml_backend/context.mli | 3 +++
ocaml/xapi/import_raw_vdi.ml | 2 +-
3 files changed, 12 insertions(+), 1 deletions(-)
xen-api.hg-2.patch
Description: Text Data