mirror of
https://github.com/GAM-team/GAM.git
synced 2026-07-06 13:51:36 +00:00
TLS min/max config options with sane defaults
This commit is contained in:
36
src/gam.py
36
src/gam.py
@@ -71,9 +71,7 @@ from oauth2client.contrib.dictionary_storage import DictionaryStorage
|
|||||||
import utils
|
import utils
|
||||||
from var import *
|
from var import *
|
||||||
|
|
||||||
# Nasty hack to support StaticX.
|
# Finding path method varies between Python source, PyInstaller and StaticX
|
||||||
# - we do this in gam.py because if we do it in var.py StaticX can't get right path at all.
|
|
||||||
# - StaticX is frozen but it seems to mix up the path checking results.
|
|
||||||
if os.environ.get('STATICX_PROG_PATH', False):
|
if os.environ.get('STATICX_PROG_PATH', False):
|
||||||
# StaticX static executable
|
# StaticX static executable
|
||||||
GM_Globals[GM_GAM_PATH] = os.path.dirname(os.environ['STATICX_PROG_PATH'])
|
GM_Globals[GM_GAM_PATH] = os.path.dirname(os.environ['STATICX_PROG_PATH'])
|
||||||
@@ -84,6 +82,21 @@ else:
|
|||||||
# Source code
|
# Source code
|
||||||
GM_Globals[GM_GAM_PATH] = os.path.dirname(os.path.realpath(__file__))
|
GM_Globals[GM_GAM_PATH] = os.path.dirname(os.path.realpath(__file__))
|
||||||
|
|
||||||
|
# override httplib2._build_ssl_context so we can force min/max TLS values
|
||||||
|
# actual function replacement happens in processGAM command so we have config options set
|
||||||
|
def _build_ssl_context(disable_ssl_certificate_validation, ca_certs, cert_file=None, key_file=None):
|
||||||
|
context = ssl.SSLContext(httplib2.DEFAULT_TLS_VERSION)
|
||||||
|
context.verify_mode = ssl.CERT_REQUIRED
|
||||||
|
context.check_hostname = True
|
||||||
|
context.load_verify_locations(ca_certs)
|
||||||
|
if cert_file:
|
||||||
|
context.load_cert_chain(cert_file, key_file)
|
||||||
|
if GC_Values[GC_TLS_MIN_VERSION]:
|
||||||
|
context.minimum_version = getattr(ssl.TLSVersion, GC_Values[GC_TLS_MIN_VERSION])
|
||||||
|
if GC_Values[GC_TLS_MAX_VERSION]:
|
||||||
|
context.maximum_version = getattr(ssl.TLSVersion, GC_Values[GC_TLS_MAX_VERSION])
|
||||||
|
return context
|
||||||
|
|
||||||
# Override some oauth2client.tools strings saving us a few GAM-specific mods to oauth2client
|
# Override some oauth2client.tools strings saving us a few GAM-specific mods to oauth2client
|
||||||
oauth2client.tools._FAILED_START_MESSAGE = """
|
oauth2client.tools._FAILED_START_MESSAGE = """
|
||||||
Failed to start a local webserver listening on either port 8080
|
Failed to start a local webserver listening on either port 8080
|
||||||
@@ -569,6 +582,8 @@ def SetGlobalVariables():
|
|||||||
_getOldEnvVar(GC_USER_MAX_RESULTS, 'GAM_USER_MAX_RESULTS')
|
_getOldEnvVar(GC_USER_MAX_RESULTS, 'GAM_USER_MAX_RESULTS')
|
||||||
_getOldEnvVar(GC_CSV_HEADER_FILTER, 'GAM_CSV_HEADER_FILTER')
|
_getOldEnvVar(GC_CSV_HEADER_FILTER, 'GAM_CSV_HEADER_FILTER')
|
||||||
_getOldEnvVar(GC_CSV_ROW_FILTER, 'GAM_CSV_ROW_FILTER')
|
_getOldEnvVar(GC_CSV_ROW_FILTER, 'GAM_CSV_ROW_FILTER')
|
||||||
|
_getOldEnvVar(GC_TLS_MIN_VERSION, 'GAM_TLS_MIN_VERSION')
|
||||||
|
_getOldEnvVar(GC_TLS_MAX_VERSION, 'GAM_TLS_MAX_VERSION')
|
||||||
_getOldSignalFile(GC_DEBUG_LEVEL, 'debug.gam', filePresentValue=4, fileAbsentValue=0)
|
_getOldSignalFile(GC_DEBUG_LEVEL, 'debug.gam', filePresentValue=4, fileAbsentValue=0)
|
||||||
_getOldSignalFile(GC_NO_VERIFY_SSL, 'noverifyssl.txt')
|
_getOldSignalFile(GC_NO_VERIFY_SSL, 'noverifyssl.txt')
|
||||||
_getOldSignalFile(GC_NO_BROWSER, 'nobrowser.txt')
|
_getOldSignalFile(GC_NO_BROWSER, 'nobrowser.txt')
|
||||||
@@ -692,12 +707,9 @@ def doGAMVersion(checkForArgs=True):
|
|||||||
doGAMCheckForUpdates(forceCheck=True)
|
doGAMCheckForUpdates(forceCheck=True)
|
||||||
if extended:
|
if extended:
|
||||||
print(ssl.OPENSSL_VERSION)
|
print(ssl.OPENSSL_VERSION)
|
||||||
proot = os.path.dirname(importlib.import_module('httplib2').__file__)
|
httpc = httplib2.Http()
|
||||||
ca_path = os.path.join(proot, 'cacerts.txt')
|
httpc.request('https://www.googleapis.com')
|
||||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
cipher_name, tls_ver, _ = httpc.connections['https:www.googleapis.com'].sock.cipher()
|
||||||
ssl_sock = ssl.wrap_socket(s, cert_reqs=ssl.CERT_NONE, ca_certs=ca_path)
|
|
||||||
ssl_sock.connect(('www.googleapis.com', 443))
|
|
||||||
cipher_name, tls_ver, _ = ssl_sock.cipher()
|
|
||||||
print('www.googleapis.com connects using %s %s' % (tls_ver, cipher_name))
|
print('www.googleapis.com connects using %s %s' % (tls_ver, cipher_name))
|
||||||
|
|
||||||
def handleOAuthTokenError(e, soft_errors):
|
def handleOAuthTokenError(e, soft_errors):
|
||||||
@@ -13252,6 +13264,8 @@ def ProcessGAMCommand(args):
|
|||||||
GM_Globals[GM_SYSEXITRC] = 0
|
GM_Globals[GM_SYSEXITRC] = 0
|
||||||
try:
|
try:
|
||||||
SetGlobalVariables()
|
SetGlobalVariables()
|
||||||
|
# override here so we have GV set
|
||||||
|
httplib2._build_ssl_context = _build_ssl_context
|
||||||
command = sys.argv[1].lower()
|
command = sys.argv[1].lower()
|
||||||
if command == 'batch':
|
if command == 'batch':
|
||||||
i = 2
|
i = 2
|
||||||
@@ -14038,6 +14052,6 @@ if __name__ == "__main__":
|
|||||||
if sys.platform.startswith('win'):
|
if sys.platform.startswith('win'):
|
||||||
freeze_support()
|
freeze_support()
|
||||||
win32_unicode_argv() # cleanup sys.argv on Windows
|
win32_unicode_argv() # cleanup sys.argv on Windows
|
||||||
if sys.version_info[0] < 3 or sys.version_info[1] < 5:
|
if sys.version_info[0] < 3 or sys.version_info[1] < 7:
|
||||||
systemErrorExit(5, 'GAM requires Python 3.5 or newer. You are running %s.%s.%s. Please upgrade your Python version or use one of the binary GAM downloads.' % sys.version_info[:3])
|
systemErrorExit(5, 'GAM requires Python 3.7 or newer. You are running %s.%s.%s. Please upgrade your Python version or use one of the binary GAM downloads.' % sys.version_info[:3])
|
||||||
sys.exit(ProcessGAMCommand(sys.argv))
|
sys.exit(ProcessGAMCommand(sys.argv))
|
||||||
|
|||||||
@@ -17,9 +17,9 @@ if [[ "$dist" == "xenial" ]]; then
|
|||||||
$python -OO -m staticx gam/gam gam/gam-staticx
|
$python -OO -m staticx gam/gam gam/gam-staticx
|
||||||
strip gam/gam-staticx
|
strip gam/gam-staticx
|
||||||
rm gam/gam
|
rm gam/gam
|
||||||
cp staticx-gam.sh gam/gam
|
mv gam/gam-staticx gam/gam
|
||||||
tar cfJ $GAM_LEGACY_ARCHIVE gam/
|
tar cfJ $GAM_LEGACY_ARCHIVE gam/
|
||||||
echo "Legacy StaticX GAM info:"
|
echo "Legacy StaticX GAM info:"
|
||||||
du -h gam/gam-staticx
|
du -h gam/gam
|
||||||
time gam/gam version extended
|
time gam/gam version extended
|
||||||
fi
|
fi
|
||||||
|
|||||||
@@ -629,6 +629,7 @@ GM_CACHE_DISCOVERY_ONLY = 'gcdo'
|
|||||||
GM_MAP_BUILDING_ID_TO_NAME = 'bi2n'
|
GM_MAP_BUILDING_ID_TO_NAME = 'bi2n'
|
||||||
# Dictionary mapping Building Name to ID
|
# Dictionary mapping Building Name to ID
|
||||||
GM_MAP_BUILDING_NAME_TO_ID = 'bn2i'
|
GM_MAP_BUILDING_NAME_TO_ID = 'bn2i'
|
||||||
|
|
||||||
#
|
#
|
||||||
_DEFAULT_CHARSET = ['mbcs', 'utf-8'][os.name != 'nt']
|
_DEFAULT_CHARSET = ['mbcs', 'utf-8'][os.name != 'nt']
|
||||||
_FN_CLIENT_SECRETS_JSON = 'client_secrets.json'
|
_FN_CLIENT_SECRETS_JSON = 'client_secrets.json'
|
||||||
@@ -720,6 +721,10 @@ GC_USER_MAX_RESULTS = 'user_max_results'
|
|||||||
GC_CSV_HEADER_FILTER = 'csv_header_filter'
|
GC_CSV_HEADER_FILTER = 'csv_header_filter'
|
||||||
# CSV Rows GAM should filter
|
# CSV Rows GAM should filter
|
||||||
GC_CSV_ROW_FILTER = 'csv_row_filter'
|
GC_CSV_ROW_FILTER = 'csv_row_filter'
|
||||||
|
# Minimum TLS Version required for HTTPS connections
|
||||||
|
GC_TLS_MIN_VERSION = 'tls_min_ver'
|
||||||
|
# Maximum TLS Version used for HTTPS connections
|
||||||
|
GC_TLS_MAX_VERSION = 'tls_max_ver'
|
||||||
|
|
||||||
GC_Defaults = {
|
GC_Defaults = {
|
||||||
GC_ACTIVITY_MAX_RESULTS: 100,
|
GC_ACTIVITY_MAX_RESULTS: 100,
|
||||||
@@ -751,6 +756,8 @@ GC_Defaults = {
|
|||||||
GC_USER_MAX_RESULTS: 500,
|
GC_USER_MAX_RESULTS: 500,
|
||||||
GC_CSV_HEADER_FILTER: '',
|
GC_CSV_HEADER_FILTER: '',
|
||||||
GC_CSV_ROW_FILTER: '',
|
GC_CSV_ROW_FILTER: '',
|
||||||
|
GC_TLS_MIN_VERSION: 'TLSv1_2',
|
||||||
|
GC_TLS_MAX_VERSION: None,
|
||||||
}
|
}
|
||||||
|
|
||||||
GC_Values = {}
|
GC_Values = {}
|
||||||
@@ -797,6 +804,8 @@ GC_VAR_INFO = {
|
|||||||
GC_USER_MAX_RESULTS: {GC_VAR_TYPE: GC_TYPE_INTEGER, GC_VAR_LIMITS: (1, 500)},
|
GC_USER_MAX_RESULTS: {GC_VAR_TYPE: GC_TYPE_INTEGER, GC_VAR_LIMITS: (1, 500)},
|
||||||
GC_CSV_HEADER_FILTER: {GC_VAR_TYPE: GC_TYPE_STRING},
|
GC_CSV_HEADER_FILTER: {GC_VAR_TYPE: GC_TYPE_STRING},
|
||||||
GC_CSV_ROW_FILTER: {GC_VAR_TYPE: GC_TYPE_STRING},
|
GC_CSV_ROW_FILTER: {GC_VAR_TYPE: GC_TYPE_STRING},
|
||||||
|
GC_TLS_MIN_VERSION: {GC_VAR_TYPE: GC_TYPE_STRING},
|
||||||
|
GC_TLS_MAX_VERSION: {GC_VAR_TYPE: GC_TYPE_STRING},
|
||||||
}
|
}
|
||||||
# Google API constants
|
# Google API constants
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user