1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
|
package FusionInventory::Agent::HTTP::Client;
use strict;
use warnings;
use English qw(-no_match_vars);
use HTTP::Status;
use LWP::UserAgent;
use UNIVERSAL::require;
use FusionInventory::Agent::Logger;
my $log_prefix = "[http client] ";
sub new {
my ($class, %params) = @_;
die "non-existing certificate file $params{ca_cert_file}"
if $params{ca_cert_file} && ! -f $params{ca_cert_file};
die "non-existing certificate directory $params{ca_cert_dir}"
if $params{ca_cert_dir} && ! -d $params{ca_cert_dir};
my $self = {
logger => $params{logger} ||
FusionInventory::Agent::Logger->new(),
user => $params{user},
password => $params{password},
timeout => $params{timeout} || 180,
ssl_set => 0,
no_ssl_check => $params{no_ssl_check},
ca_cert_dir => $params{ca_cert_dir},
ca_cert_file => $params{ca_cert_file}
};
bless $self, $class;
# create user agent
$self->{ua} = LWP::UserAgent->new(
parse_head => 0, # No need to parse HTML
keep_alive => 1,
requests_redirectable => ['POST', 'GET', 'HEAD']
);
if ($params{proxy}) {
$self->{ua}->proxy(['http', 'https'], $params{proxy});
} else {
$self->{ua}->env_proxy();
}
$self->{ua}->agent($FusionInventory::Agent::AGENT_STRING);
$self->{ua}->timeout($self->{timeout});
return $self;
}
sub request {
my ($self, $request, $file) = @_;
my $logger = $self->{logger};
my $url = $request->uri();
my $scheme = $url->scheme();
$self->_setSSLOptions() if $scheme eq 'https' && !$self->{ssl_set};
my $result = HTTP::Response->new( 500 );
eval {
if ($OSNAME eq 'MSWin32' && $scheme eq 'https') {
alarm $self->{timeout};
}
$result = $self->{ua}->request($request, $file);
alarm 0;
};
# check result first
if (!$result->is_success()) {
# authentication required
if ($result->code() == 401) {
if ($self->{user} && $self->{password}) {
$logger->debug(
$log_prefix .
"authentication required, submitting credentials"
);
# compute authentication parameters
my $header = $result->header('www-authenticate');
my ($realm) = $header =~ /^Basic realm="(.*)"/;
my $host = $url->host();
my $port = $url->port() ||
($scheme eq 'https' ? 443 : 80);
$self->{ua}->credentials(
"$host:$port",
$realm,
$self->{user},
$self->{password}
);
# replay request
eval {
if ($OSNAME eq 'MSWin32' && $scheme eq 'https') {
alarm $self->{timeout};
}
$result = $self->{ua}->request($request, $file);
alarm 0;
};
if (!$result->is_success()) {
$logger->error(
$log_prefix .
"authentication required, wrong credentials"
);
}
} else {
# abort
$logger->error(
$log_prefix .
"authentication required, no credentials available"
);
}
} else {
$logger->error(
$log_prefix .
"communication error: " . $result->status_line()
);
}
}
return $result;
}
sub _setSSLOptions {
my ($self) = @_;
# SSL handling
if ($self->{no_ssl_check}) {
# LWP 6 default behaviour is to check hostname
# Fedora also backported this behaviour change in its LWP5 package, so
# just checking on LWP version is not enough
$self->{ua}->ssl_opts(verify_hostname => 0, SSL_verify_mode => 0)
if $self->{ua}->can('ssl_opts');
} else {
# only IO::Socket::SSL can perform full server certificate validation,
# Net::SSL is only able to check certification authority, and not
# certificate hostname
IO::Socket::SSL->require();
die
"failed to load IO::Socket::SSL, " .
"unable to perform SSL certificate validation.\n" .
"You can use 'no-ssl-check' option to disable it."
if $EVAL_ERROR;
if ($self->{logger}{debug} >= 3) {
$Net::SSLeay::trace = 2;
}
if ($LWP::VERSION >= 6) {
$self->{ua}->ssl_opts(SSL_ca_file => $self->{ca_cert_file})
if $self->{ca_cert_file};
$self->{ua}->ssl_opts(SSL_ca_path => $self->{ca_cert_dir})
if $self->{ca_cert_dir};
} else {
# SSL_verifycn_scheme and SSL_verifycn_name are required
die
"IO::Socket::SSL $IO::Socket::SSL::VERSION is too old, " .
"version 1.14 is required for SSL certificate validation.\n" .
" You can use 'no-ssl-check' option to disable SSL it."
if $IO::Socket::SSL::VERSION < 1.14;
# use a custom HTTPS handler to workaround default LWP5 behaviour
FusionInventory::Agent::HTTP::Protocol::https->use(
ca_cert_file => $self->{ca_cert_file},
ca_cert_dir => $self->{ca_cert_dir},
);
die
"failed to load FusionInventory::Agent::HTTP::Protocol::https" .
", unable to perform SSL certificate validation.\n" .
"You can use 'no-ssl-check' option to disable it."
if $EVAL_ERROR;
LWP::Protocol::implementor(
'https', 'FusionInventory::Agent::HTTP::Protocol::https'
);
# abuse user agent internal to pass values to the handler, so
# as to have different behaviors in the same process
$self->{ua}->{ssl_check} = $self->{no_ssl_check} ? 0 : 1;
}
}
$self->{ssl_set} = 1;
}
1;
__END__
=head1 NAME
FusionInventory::Agent::HTTP::Client - An abstract HTTP client
=head1 DESCRIPTION
This is an abstract class for HTTP clients. It can send messages through HTTP
or HTTPS, directly or through a proxy, and validate SSL certificates.
=head1 METHODS
=head2 new(%params)
The constructor. The following parameters are allowed, as keys of the %params
hash:
=over
=item I<logger>
the logger object to use (default: a new stderr logger)
=item I<proxy>
the URL of an HTTP proxy
=item I<user>
the user for HTTP authentication
=item I<password>
the password for HTTP authentication
=item I<no_ssl_check>
a flag allowing to ignore untrusted server certificates (default: false)
=item I<ca_cert_file>
the file containing trusted certificates
=item I<ca_cert_dir>
the directory containing trusted certificates
=back
=head2 request($request)
Send given HTTP::Request object, handling SSL checking and user authentication
automatically if needed.
|
