Strict-Transport-Security is no longer tied to RedirectHTTPToHTTPS, a…

…nd max-age is configurable, defaulting to 1 week. git-svn-id: https://svn.calendarserver.org/repository/calendarserver/CalendarServer/trunk@10165 e27351fd-9f3e-4f54-a53b-843176b1656c
apple · Dec 13, 2012 · 04b0ed243a957605bcd50826f4fac53fccc4108a · 04b0ed2
1 parent bde1667
commit 04b0ed243a957605bcd50826f4fac53fccc4108a
Unified Split

Showing with 24 additions and 38 deletions.

+19 −0 calendarserver/tap/caldav.py

+3 −2 calendarserver/tap/test/test_caldav.py

+0 −24 twext/web2/channel/http.py

+0 −12 twext/web2/test/test_http.py

+2 −0 twistedcaldav/stdconfig.py
diff --git a/calendarserver/tap/caldav.py b/calendarserver/tap/caldav.py
@@ -874,6 +874,22 @@ def queueMasterAvailable(connectionFromMaster):
             def requestFactory(*args, **kw):
                 return SSLRedirectRequest(site=underlyingSite, *args, **kw)
 
+        # Add the Strict-Transport-Security header to all secured requests
+        # if enabled.
+        if config.StrictTransportSecuritySeconds:
+            previousRequestFactory = requestFactory
+            def requestFactory(*args, **kw):
+                request = previousRequestFactory(*args, **kw)
+                def responseFilter(ignored, response):
+                    ignored, secure = request.chanRequest.getHostInfo()
+                    if secure:
+                        response.headers.addRawHeader("Strict-Transport-Security",
+                            "max-age={max_age:d}"
+                            .format(max_age=config.StrictTransportSecuritySeconds))
+                    return response
+                request.addResponseFilter(responseFilter)
+                return request
+
         httpFactory = LimitingHTTPFactory(
             requestFactory,
             maxRequests=config.MaxRequests,
@@ -894,6 +910,9 @@ def updateFactory(configDict, reloading=False):
         connectionService.setName(CalDAVService.connectionServiceName)
         connectionService.setServiceParent(service)
 
+        # For calendarserver.tap.test.test_caldav.BaseServiceMakerTests.getSite():
+        connectionService.underlyingSite = underlyingSite
+
         if config.InheritFDs or config.InheritSSLFDs:
             # Inherit sockets to call accept() on them individually.
 

diff --git a/calendarserver/tap/test/test_caldav.py b/calendarserver/tap/test/test_caldav.py
@@ -380,9 +380,10 @@ def getSite(self):
                 # NOTE: in a database 'single' configuration, PostgresService
                 # will prevent the HTTP services from actually getting added to
                 # the hierarchy until the hierarchy has started.
-                lambda x: hasattr(x, 'args')
+                # 'underlyingSite' assigned in caldav.py
+                lambda x: hasattr(x, 'underlyingSite')
             ):
-            return listeningService.args[1].protocolArgs['requestFactory']
+            return listeningService.underlyingSite
         raise RuntimeError("No site found.")
 
 

diff --git a/twext/web2/channel/http.py b/twext/web2/channel/http.py
@@ -76,26 +76,11 @@ def connectionMade(self):
         self.transport.loseConnection()
 
 
-
 class SSLRedirectRequest(Request):
     """
     An L{SSLRedirectRequest} prevents processing if the request is over plain
     HTTP; instead, it redirects to HTTPS.
-
-    If the request is already secured, it instead sets the
-    Strict-Transport-Security header as documented by the U{HTTP Strict
-    Transport Security specification
-    <http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-02>}.
-
-    @ivar maxAge: the number of seconds that a client must wait after receiving
-        an HTTPS response, before they may attempt to make an HTTP request
-        again.
-
-    @type maxAge: C{int}
     """
-
-    maxAge = 600
-
     def process(self):
         ignored, secure = self.chanRequest.getHostInfo()
         if not secure:
@@ -116,15 +101,6 @@ def process(self):
             return super(SSLRedirectRequest, self).process()
 
 
-    def writeResponse(self, response):
-        """
-        Response filter to add HSTS header.
-        """
-        response.headers.addRawHeader("Strict-Transport-Security",
-                                      "max-age={max_age:d}"
-                                      .format(max_age=self.maxAge))
-        return super(SSLRedirectRequest, self).writeResponse(response)
-
 # >%
 
 PERSIST_NO_PIPELINE, PERSIST_PIPELINE = (1,2)

diff --git a/twext/web2/test/test_http.py b/twext/web2/test/test_http.py
@@ -742,18 +742,6 @@ def testHTTP1_1_chunking(self, extraHeaders=""):
         cxn.client.loseConnection()
         self.assertDone(cxn)
 
-
-    def test_http1_1_sts(self):
-        """
-        L{SSLRedirectRequest} uses strict transport security, and will set the
-        appropriate header.
-        """
-        self.requestClass = TestSSLRedirectRequest
-        return self.testHTTP1_1_chunking(
-            "Strict-Transport-Security: max-age=600"
-        )
-
-
     def testHTTP1_1_expect_continue(self):
         cxn = self.connect()
         cmds = [[]]

diff --git a/twistedcaldav/stdconfig.py b/twistedcaldav/stdconfig.py
@@ -250,6 +250,8 @@
     "RedirectHTTPToHTTPS" : False, # If True, all nonSSL requests redirected to an SSL Port
     "SSLMethod" : "SSLv3_METHOD", # SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, TLSv1_METHOD
     "SSLCiphers" : "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM",
+    "StrictTransportSecuritySeconds" : 7 * 24 * 60 * 60, # max-age value for
+        # Strict-Transport-Security header; set to 0 to disable header.
 
     #
     # Network address configuration information