[ceph.git] / ceph / src / pybind / mgr / dashboard / cherrypy_backports.py

# -*- coding: utf-8 -*-
"""
Copyright © 2004-2019, CherryPy Team (team@cherrypy.org)

All rights reserved.

* * *

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this
  list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice,
  this list of conditions and the following disclaimer in the documentation
  and/or other materials provided with the distribution.

* Neither the name of CherryPy nor the names of its
  contributors may be used to endorse or promote products derived from
  this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
"""

from distutils.version import StrictVersion

# The SSL code in CherryPy 3.5.0 is buggy.  It was fixed long ago,
# but 3.5.0 is still shipping in major linux distributions
# (Fedora 27, Ubuntu Xenial), so we must monkey patch it to get SSL working.


def patch_http_connection_init(v):
    # It was fixed in 3.7.0.  Exact lower bound version is probably earlier,
    # but 3.5.0 is what this monkey patch is tested on.
    if StrictVersion("3.5.0") <= v < StrictVersion("3.7.0"):
        from cherrypy.wsgiserver.wsgiserver2 import CP_fileobject, HTTPConnection

        def fixed_init(hc_self, server, sock, makefile=CP_fileobject):
            hc_self.server = server
            hc_self.socket = sock
            hc_self.rfile = makefile(sock, "rb", hc_self.rbufsize)
            hc_self.wfile = makefile(sock, "wb", hc_self.wbufsize)
            hc_self.requests_seen = 0

        HTTPConnection.__init__ = fixed_init


# When the CherryPy server in 3.2.2 (and later) starts it attempts to verify
# that the ports its listening on are in fact bound. When using the any address
# "::" it tries both ipv4 and ipv6, and in some environments (e.g. kubernetes)
# ipv6 isn't yet configured / supported and CherryPy throws an uncaught
# exception.
def skip_wait_for_occupied_port(v):
    # the issue was fixed in 3.2.3. it's present in 3.2.2 (current version on
    # centos:7) and back to at least 3.0.0.
    if StrictVersion("3.1.2") <= v < StrictVersion("3.2.3"):
        # https://github.com/cherrypy/cherrypy/issues/1100
        from cherrypy.process import servers
        servers.wait_for_occupied_port = lambda host, port: None


# cherrypy.wsgiserver was extracted wsgiserver into cheroot in cherrypy v9.0.0
def patch_builtin_ssl_wrap(v, new_wrap):
    if v < StrictVersion("9.0.0"):
        from cherrypy.wsgiserver.ssl_builtin import BuiltinSSLAdapter as builtin_ssl
    else:
        from cheroot.ssl.builtin import BuiltinSSLAdapter as builtin_ssl  # type: ignore
    builtin_ssl.wrap = new_wrap(builtin_ssl.wrap)


def accept_exceptions_from_builtin_ssl(v):
    # the fix was included by cheroot v5.2.0, which was included by cherrypy
    # 10.2.0.
    if v < StrictVersion("10.2.0"):
        # see https://github.com/cherrypy/cheroot/pull/4
        import ssl

        def accept_ssl_errors(func):
            def wrapper(self, sock):
                try:
                    return func(self, sock)
                except ssl.SSLError as e:
                    if e.errno == ssl.SSL_ERROR_SSL:
                        # Check if it's one of the known errors
                        # Errors that are caught by PyOpenSSL, but thrown by
                        # built-in ssl
                        _block_errors = ('unknown protocol', 'unknown ca', 'unknown_ca',
                                         'unknown error',
                                         'https proxy request', 'inappropriate fallback',
                                         'wrong version number',
                                         'no shared cipher', 'certificate unknown',
                                         'ccs received early',
                                         'certificate verify failed',  # client cert w/o trusted CA
                                         'version too low',  # caused by SSL3 connections
                                         'unsupported protocol',  # caused by TLS1 connections
                                         'sslv3 alert bad certificate')
                        for error_text in _block_errors:
                            if error_text in e.args[1].lower():
                                # Accepted error, let's pass
                                return None, {}
                        raise
            return wrapper
        patch_builtin_ssl_wrap(v, accept_ssl_errors)


def accept_socket_error_0(v):
    # see https://github.com/cherrypy/cherrypy/issues/1618
    try:
        import cheroot
        cheroot_version = cheroot.__version__
    except ImportError:
        pass

    if v < StrictVersion("9.0.0") or cheroot_version < StrictVersion("6.5.5"):
        generic_socket_error = OSError

        def accept_socket_error_0(func):
            def wrapper(self, sock):
                try:
                    return func(self, sock)
                except generic_socket_error as e:
                    """It is unclear why exactly this happens.

                    It's reproducible only with openssl>1.0 and stdlib ``ssl`` wrapper.
                    In CherryPy it's triggered by Checker plugin, which connects
                    to the app listening to the socket port in TLS mode via plain
                    HTTP during startup (from the same process).

                    Ref: https://github.com/cherrypy/cherrypy/issues/1618
                    """
                    import ssl
                    is_error0 = e.args == (0, 'Error')
                    IS_ABOVE_OPENSSL10 = ssl.OPENSSL_VERSION_INFO >= (1, 1)
                    del ssl
                    if is_error0 and IS_ABOVE_OPENSSL10:
                        return None, {}
                    raise
            return wrapper
        patch_builtin_ssl_wrap(v, accept_socket_error_0)


def patch_request_unique_id(v):
    """
    Older versions of cherrypy don't include request.unique_id field (a lazily
    calculated UUID4).

    Monkey-patching is preferred over alternatives as inheritance, as it'd break
    type checks (cherrypy/lib/cgtools.py: `isinstance(obj, _cprequest.Request)`)
    """
    if v < StrictVersion('11.1.0'):
        import uuid
        from functools import update_wrapper

        from cherrypy._cprequest import Request

        class LazyUUID4(object):
            def __str__(self):
                """Return UUID4 and keep it for future calls."""
                return str(self.uuid4)

            @property
            def uuid4(self):
                """Provide unique id on per-request basis using UUID4.
                It's evaluated lazily on render.
                """
                try:
                    self._uuid4  # type: ignore
                except AttributeError:
                    # evaluate on first access
                    self._uuid4 = uuid.uuid4()

                return self._uuid4

        old_init = Request.__init__

        def init_with_unique_id(self, *args, **kwargs):
            old_init(self, *args, **kwargs)
            self.unique_id = LazyUUID4()

        Request.__init__ = update_wrapper(init_with_unique_id, old_init)


def patch_cherrypy(v):
    patch_http_connection_init(v)
    skip_wait_for_occupied_port(v)
    accept_exceptions_from_builtin_ssl(v)
    accept_socket_error_0(v)
    patch_request_unique_id(v)
Commit	Line	Data
92f5a8d4 TL	1	# -- coding: utf-8 --
	2	"""
	3	Copyright © 2004-2019, CherryPy Team (team@cherrypy.org)
	4
	5	All rights reserved.
	6
	7	* * *
	8
	9	Redistribution and use in source and binary forms, with or without
	10	modification, are permitted provided that the following conditions are met:
	11
	12	* Redistributions of source code must retain the above copyright notice, this
	13	list of conditions and the following disclaimer.
	14
	15	* Redistributions in binary form must reproduce the above copyright notice,
	16	this list of conditions and the following disclaimer in the documentation
	17	and/or other materials provided with the distribution.
	18
	19	* Neither the name of CherryPy nor the names of its
	20	contributors may be used to endorse or promote products derived from
	21	this software without specific prior written permission.
	22
	23	THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
	24	AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	25	IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
	26	DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
	27	FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	28	DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
	29	SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
	30	CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
	31	OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
	32	OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	33	"""
	34
	35	from distutils.version import StrictVersion
	36
	37	# The SSL code in CherryPy 3.5.0 is buggy. It was fixed long ago,
	38	# but 3.5.0 is still shipping in major linux distributions
	39	# (Fedora 27, Ubuntu Xenial), so we must monkey patch it to get SSL working.
	40
	41
	42	def patch_http_connection_init(v):
	43	# It was fixed in 3.7.0. Exact lower bound version is probably earlier,
	44	# but 3.5.0 is what this monkey patch is tested on.
	45	if StrictVersion("3.5.0") <= v < StrictVersion("3.7.0"):
f67539c2	46	from cherrypy.wsgiserver.wsgiserver2 import CP_fileobject, HTTPConnection
92f5a8d4 TL	47
	48	def fixed_init(hc_self, server, sock, makefile=CP_fileobject):
	49	hc_self.server = server
	50	hc_self.socket = sock
	51	hc_self.rfile = makefile(sock, "rb", hc_self.rbufsize)
	52	hc_self.wfile = makefile(sock, "wb", hc_self.wbufsize)
	53	hc_self.requests_seen = 0
	54
	55	HTTPConnection.__init__ = fixed_init
	56
	57
	58	# When the CherryPy server in 3.2.2 (and later) starts it attempts to verify
	59	# that the ports its listening on are in fact bound. When using the any address
	60	# "::" it tries both ipv4 and ipv6, and in some environments (e.g. kubernetes)
	61	# ipv6 isn't yet configured / supported and CherryPy throws an uncaught
	62	# exception.
	63	def skip_wait_for_occupied_port(v):
	64	# the issue was fixed in 3.2.3. it's present in 3.2.2 (current version on
	65	# centos:7) and back to at least 3.0.0.
	66	if StrictVersion("3.1.2") <= v < StrictVersion("3.2.3"):
	67	# https://github.com/cherrypy/cherrypy/issues/1100
	68	from cherrypy.process import servers
	69	servers.wait_for_occupied_port = lambda host, port: None
	70
	71
	72	# cherrypy.wsgiserver was extracted wsgiserver into cheroot in cherrypy v9.0.0
	73	def patch_builtin_ssl_wrap(v, new_wrap):
	74	if v < StrictVersion("9.0.0"):
	75	from cherrypy.wsgiserver.ssl_builtin import BuiltinSSLAdapter as builtin_ssl
	76	else:
20effc67	77	from cheroot.ssl.builtin import BuiltinSSLAdapter as builtin_ssl # type: ignore
92f5a8d4 TL	78	builtin_ssl.wrap = new_wrap(builtin_ssl.wrap)
	79
	80
	81	def accept_exceptions_from_builtin_ssl(v):
	82	# the fix was included by cheroot v5.2.0, which was included by cherrypy
	83	# 10.2.0.
	84	if v < StrictVersion("10.2.0"):
	85	# see https://github.com/cherrypy/cheroot/pull/4
	86	import ssl
	87
	88	def accept_ssl_errors(func):
	89	def wrapper(self, sock):
	90	try:
	91	return func(self, sock)
	92	except ssl.SSLError as e:
	93	if e.errno == ssl.SSL_ERROR_SSL:
	94	# Check if it's one of the known errors
	95	# Errors that are caught by PyOpenSSL, but thrown by
	96	# built-in ssl
adb31ebb TL	97	_block_errors = ('unknown protocol', 'unknown ca', 'unknown_ca',
	98	'unknown error',
	99	'https proxy request', 'inappropriate fallback',
92f5a8d4 TL	100	'wrong version number',
92f5a8d4 TL	101	'no shared cipher', 'certificate unknown',
adb31ebb TL	102	'ccs received early',
	103	'certificate verify failed', # client cert w/o trusted CA
	104	'version too low', # caused by SSL3 connections
	105	'unsupported protocol', # caused by TLS1 connections
	106	'sslv3 alert bad certificate')
92f5a8d4 TL	107	for error_text in _block_errors:
	108	if error_text in e.args[1].lower():
	109	# Accepted error, let's pass
	110	return None, {}
	111	raise
	112	return wrapper
	113	patch_builtin_ssl_wrap(v, accept_ssl_errors)
	114
	115
	116	def accept_socket_error_0(v):
	117	# see https://github.com/cherrypy/cherrypy/issues/1618
	118	try:
	119	import cheroot
	120	cheroot_version = cheroot.__version__
	121	except ImportError:
	122	pass
	123
	124	if v < StrictVersion("9.0.0") or cheroot_version < StrictVersion("6.5.5"):
f67539c2	125	generic_socket_error = OSError
92f5a8d4 TL	126
	127	def accept_socket_error_0(func):
	128	def wrapper(self, sock):
	129	try:
	130	return func(self, sock)
	131	except generic_socket_error as e:
	132	"""It is unclear why exactly this happens.
	133
	134	It's reproducible only with openssl>1.0 and stdlib ``ssl`` wrapper.
	135	In CherryPy it's triggered by Checker plugin, which connects
	136	to the app listening to the socket port in TLS mode via plain
	137	HTTP during startup (from the same process).
	138
	139	Ref: https://github.com/cherrypy/cherrypy/issues/1618
	140	"""
	141	import ssl
	142	is_error0 = e.args == (0, 'Error')
	143	IS_ABOVE_OPENSSL10 = ssl.OPENSSL_VERSION_INFO >= (1, 1)
	144	del ssl
	145	if is_error0 and IS_ABOVE_OPENSSL10:
	146	return None, {}
	147	raise
	148	return wrapper
	149	patch_builtin_ssl_wrap(v, accept_socket_error_0)
	150
	151
	152	def patch_request_unique_id(v):
	153	"""
	154	Older versions of cherrypy don't include request.unique_id field (a lazily
	155	calculated UUID4).
	156
	157	Monkey-patching is preferred over alternatives as inheritance, as it'd break
	158	type checks (cherrypy/lib/cgtools.py: `isinstance(obj, _cprequest.Request)`)
	159	"""
	160	if v < StrictVersion('11.1.0'):
	161	import uuid
	162	from functools import update_wrapper
f67539c2	163
92f5a8d4 TL	164	from cherrypy._cprequest import Request
	165
	166	class LazyUUID4(object):
	167	def __str__(self):
	168	"""Return UUID4 and keep it for future calls."""
	169	return str(self.uuid4)
	170
	171	@property
	172	def uuid4(self):
	173	"""Provide unique id on per-request basis using UUID4.
	174	It's evaluated lazily on render.
	175	"""
	176	try:
9f95a23c	177	self._uuid4 # type: ignore
92f5a8d4 TL	178	except AttributeError:
	179	# evaluate on first access
	180	self._uuid4 = uuid.uuid4()
	181
	182	return self._uuid4
	183
	184	old_init = Request.__init__
	185
	186	def init_with_unique_id(self, args, *kwargs):
	187	old_init(self, args, *kwargs)
	188	self.unique_id = LazyUUID4()
	189
	190	Request.__init__ = update_wrapper(init_with_unique_id, old_init)
	191
	192
	193	def patch_cherrypy(v):
	194	patch_http_connection_init(v)
	195	skip_wait_for_occupied_port(v)
	196	accept_exceptions_from_builtin_ssl(v)
	197	accept_socket_error_0(v)
	198	patch_request_unique_id(v)