add main() for ssl-enabled server

authserv/server.py

+import logging
+import optparse
+import os
+import signal
 from authserv import app
 from authserv import auth
 from authserv import protocol
 from authserv.ratelimit import *
+from authserv import ssl
 from flask import Flask, request, abort, make_response
 
 
@@ -65,3 +70,59 @@ def create_app(userdb=None, mc=None):
     app.memcache = mc
 
     return app
+
+
+def main():
+    parser = optparse.OptionParser()
+    parser.add_option('--config',
+                      help='Configuration file')
+    parser.add_option('--port', type='int', default=1616,
+                      help='TCP port to listen on (default: %default)')
+    parser.add_option('--ca', dest='ssl_ca',
+                      default='/etc/ai/internal_ca.pem',
+                      help='SSL CA certificate file (default: %default)')
+    parser.add_option('--ssl-cert', dest='ssl_cert',
+                      default='/etc/ai/localhost_internal.pem',
+                      help='SSL client certificate file (default: %default)')
+    parser.add_option('--ssl-key', dest='ssl_key',
+                      default='/etc/ai/localhost_internal.key',
+                      help='SSL client key file (default: %default)')
+    parser.add_option('--dhparams', dest='dh_params',
+                      default='/etc/ai/dhparams',
+                      help='Diffie-Helmann parameters file')
+    parser.add_option('--debug', action='store_true')
+
+    opts, args = parser.parse_args()
+    if len(args) != 0:
+        parser.error('Too many arguments')
+
+    if opts.debug:
+        logging.basicConfig(level=logging.DEBUG)
+    else:
+        handler = logging.handlers.SysLogHandler(
+            address='/dev/log',
+            facility=logging.handlers.SysLogHandler.LOG_DAEMON)
+        handler.setLevel(logging.INFO)
+        logging.getLogger().addHandler(handler)
+
+    if opts.config:
+        os.setenv('APP_CONFIG', opts.config)
+    app.config.update({'DEBUG': opts.debug})
+
+    def _stopall(signo, frame):
+        logging.info('terminating with signal %d', signo)
+        os._exit(0)
+    signal.signal(signal.SIGINT, _stopall)
+    signal.signal(signal.SIGTERM, _stopall)
+
+    ssl_ctx = None
+    if opts.ssl_ca and os.path.exists(opts.ssl_ca):
+        ssl_ctx = ssl.create_server_context(opts.ssl_cert, opts.ssl_key,
+                                            opts.ssl_ca, opts.dh_params)
+
+    app.run(host='0.0.0.0', port=opts.port, use_reloader=False,
+            ssl_context=ssl_ctx)
+
+
+if __name__ == '__main__':
+    main()

authserv/ssl.py

+from OpenSSL import crypto, SSL
+
+
+def create_server_context(ssl_cert, ssl_key, ssl_ca, dhparams):
+    ctx = SSL.Context(SSL.TLSv1_METHOD)
+    ctx.use_privatekey_file(ssl_key)
+    ctx.use_certificate_file(ssl_cert)
+    if dhparams and os.path.exists(dhparams):
+        ctx.load_tmp_dh(dhparams)
+    #ctx.set_cipher_list('ECDHE-ECDSA-AES256-SHA384')
+    #ctx.set_cipher_list('DHE-RSA-AES256-SHA')
+
+    with open(ssl_ca) as fd:
+        ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, fd.read())
+        ctx.get_cert_store().add_cert(ca_cert)
+
+    def verify_callback(connection, x509, errnum, errdepth, ok):
+        # Nothing else to do, valid CA signature has already been verified.
+        #print 'verify_callback(%s, %s, %s, %s, %s)' % (
+        #    connection, x509, errnum, errdepth, ok)
+        return ok
+
+    ctx.set_verify(SSL.VERIFY_PEER
+                   | SSL.VERIFY_FAIL_IF_NO_PEER_CERT
+                   | SSL.VERIFY_CLIENT_ONCE,
+                   verify_callback)
+    return ctx
+
+

setup.py

@@ -9,7 +9,7 @@ setup(
     author="Autistici/Inventati",
     author_email="info@autistici.org",
     url="https://git.autistici.org/ai/authserv",
-    install_requires=["python-ldap", "Flask", "python-memcached", "nose"],
+    install_requires=["python-ldap", "PyOpenSSL", "Flask", "python-memcached", "nose"],
     setup_requires=[],
     zip_safe=False,
     packages=find_packages(),