- 13 Dec, 2018 4 commits
-
-
Vincent Pelletier authored
More consistent with address extraction.
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
- 14 Nov, 2018 1 commit
-
-
Vincent Pelletier authored
-
- 09 Nov, 2018 2 commits
-
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
- 05 Nov, 2018 3 commits
-
-
Vincent Pelletier authored
-
Vincent Pelletier authored
Python was unexpectedly binding utils.until to this class, causing "self" argument to be automatically generated, which is not expected by this function. Tests do not exercise this code path because they are overriding this property, precisely to check that it gets called... Also, add docstring.
-
Vincent Pelletier authored
Not sure what this is doing here. There are not any failure masked by this.
-
- 02 Nov, 2018 4 commits
-
-
Vincent Pelletier authored
stdout is supposed to accept bytes, not unicode objects. And byte-ify all printed values to satisfy python3.
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
- 19 Oct, 2018 8 commits
-
-
Vincent Pelletier authored
-
Vincent Pelletier authored
toHTTPS was only taking care of scheme, which is not enough. So use self._https_url directly.
-
Vincent Pelletier authored
-
Vincent Pelletier authored
Avoids hardcoding newline char.
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
Vincent Pelletier authored
Otherwise, verification against IP-only CA certificate will fail, as common name is sometimes used to contain a domain name (which is deprecated in favour of alternative names, but still checked).
-
- 26 Sep, 2018 8 commits
-
-
Vincent Pelletier authored
-
Vincent Pelletier authored
What was not picked up by 2to3.
-
Vincent Pelletier authored
Using only 2to3 conversions which are python2-compatible.
-
Vincent Pelletier authored
Self-describe site structure in application/hal+json format. Add Cross-Origin Resource Sharing support: pre-flight request support, same-origin-only origin access control minimal html page. Access control decision is stored client-side in a signed & time-limited cookie supporting multiple concurrent origins. Origins may be pre-allowed (ex: when caucase GUI is served from a trusted server).
-
Vincent Pelletier authored
This makes it safer to trust this CA certificate in general-purpose https clients, like web browsers, as it prevents such trusted CA certificate from issuing rogue certificates. Bump pyOpenSSL to latest version (and, as a consequence of pyOpenSSL 18.0.0 itself requiring cryptography 2.1.1, bump it as well) as it seems to fix a bug related to validating NameConstraints - and anyway fixes worrying use-after-free errors.
-
Vincent Pelletier authored
-
Vincent Pelletier authored
This is a step in the direction of being browser-friendly: if caucased https certificate is issued by CAS CA, then for a browser to trust that certificate it would have to trust all certificates emitted by CAS CA certificate. This would be very dangerous, as CAS CA does not constrain the certificates it may sign, so it exposes users of that caucased to rogue certificates. Alone, this step is insufficient, as the new internal "http_cas" does not constrain certificates yet. This will happen in a separate commit, to ease review and regression testing. As a consequence of this step, by default client will not check server certificate in https. This is consistent with how trust is bootstrapped with plain http: maybe client is accessing an unexpected/malicious caucased, but in such case issued certificates will be worthless to a party which could access the correct caucased. Also, the client certificate presented to caucased does not allow that caucased to fake being that user, so there is no privilege escalation possible for server.
-
Vincent Pelletier authored
-
- 21 Sep, 2018 10 commits
-
-
Łukasz Nowak authored
/reviewed-on nexedi/caucase!3
-
Łukasz Nowak authored
-
Łukasz Nowak authored
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
Vincent Pelletier authored
Maybe name resolution is flapping, or server is unreachable or misbehaving... This must not cause caucase-update to exit.
-
Vincent Pelletier authored
So they can be customised in subclasses.
-
Vincent Pelletier authored
So that they do not hardcode the class to instanciate. This prepares further class tweaking. Also, update users.
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-