Inserting new ‘<tr>’ and ‘<br/>’ elements with PrototypeJS

October 1st, 2011 No comments

Apparently one can’t insert two or more ‘<tr>’ elements into a ‘<tbody>’ using PrototypeJS 1.7.0.0 or 1.6.0.3 if there’s also a ‘<br/>’ element involved in the conspiracy, so the code below simply won’t work at all:

var new_content = '<tr><td>foo</td></tr><br/><tr><td>bar</td></tr>';
$('my-tbody').insert(new_content);

One needs to leave out the poor ‘<br/>’, and I guess that applies to inserting ‘<br/>’ in general, not only in this situation, but thankfully right now I only need to dynamically add new table rows, not line breaks.


“CSRF verification failed. Request aborted. CSRF token missing or incorrect.” with Django and YUI

September 30th, 2011 No comments

So if you have a piece of YUI JavaScript code similar to the one shown below

function foo() {

    var on_success = function(o) {
        alert('Yay!');
    };

    var on_failure = function(o) {
        alert('Oh ones!');
    };

    var callback = {
        success: on_success,
        failure: on_failure
    };

    var url = '/url/to/invoke';
    var transaction = YAHOO.util.Connect.asyncRequest('POST', url, callback);
}

and the URL the AJAX call invokes returns the “CSRF verification failed. Request aborted. CSRF token missing or incorrect.” error, the easiest way to handle it properly is to set the custom X-CSRFToken HTTP header to the same value Django has stored in the csrftoken cookie, just as the Django documentation says can be done.

In code terms, this will do the trick:

function foo() {

    var on_success = function(o) {
        alert('Yay!');
    };

    var on_failure = function(o) {
        alert('Oh ones!');
    };

    var callback = {
        success: on_success,
        failure: on_failure
    };

    var url = '/url/to/invoke';

    // Send the token Django stored in the csrftoken cookie back as a request header.
    YAHOO.util.Connect.initHeader('X-CSRFToken', YAHOO.util.Cookie.get('csrftoken'));
    var transaction = YAHOO.util.Connect.asyncRequest('POST', url, callback);
}

Hoping this helps someone some day! :-)
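For the other side of the exchange, here is an added illustration (not Django’s own code, and simplified: real Django keeps the reference token in the session or a masked cookie) of the check the server performs on the request the snippet above sends: the X-CSRFToken header must equal the csrftoken cookie, and only state-changing methods are checked. The Request class and csrf_check function are hypothetical names.

```python
# Added illustration (not Django's own code): the server-side check behind the
# "CSRF token missing or incorrect" error. The csrftoken cookie and the
# X-CSRFToken header must carry the same value; read-only methods are exempt.
import hmac

SAFE_METHODS = ('GET', 'HEAD', 'OPTIONS', 'TRACE')

class Request(object):
    """Minimal stand-in for an HTTP request: method, cookies and headers."""
    def __init__(self, method, cookies=None, headers=None):
        self.method = method.upper()
        self.cookies = cookies or {}
        self.headers = headers or {}

def csrf_check(request):
    """Return (ok, reason). A request passes when it uses a read-only method or
    when the X-CSRFToken header equals the csrftoken cookie."""
    if request.method in SAFE_METHODS:
        return True, 'safe method'
    cookie = request.cookies.get('csrftoken')
    header = request.headers.get('X-CSRFToken')
    if not cookie:
        return False, 'CSRF cookie not set'
    if not header:
        return False, 'CSRF token missing'
    # Constant-time comparison so the token cannot be recovered byte by byte
    # from timing differences.
    if not hmac.compare_digest(cookie, header):
        return False, 'CSRF token incorrect'
    return True, 'token ok'

if __name__ == '__main__':
    # Constructed sample requests.
    token = 'KbyUmhTLMpYj7CD2di7JKP1P3qmLlkPt'
    print(csrf_check(Request('POST', {'csrftoken': token}, {'X-CSRFToken': token})))
    print(csrf_check(Request('POST', {'csrftoken': token}, {})))
```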


A minimal lighttpd SSL/TLS reverse proxy

August 2nd, 2011 No comments

Here’s a minimal lighttpd SSL/TLS reverse proxy configuration that allows for securing the traffic to plain HTTP servers using client certificates.

For easier management, the config has been broken into two modules, the main part and a list of variables. A caveat one needs to be aware of is that even though we’re interested in lighttpd’s proxying capabilities only, we still need to configure everything as though lighttpd were going to serve plain HTTP traffic using static files – hence the need for configuring server.port and server.document-root.

The config files as well as the crypto material (courtesy of the Spring Python project) used below can also be fetched from bitbucket. Of course, having been uploaded to a public site, the private key is useless outside of a development environment and should never be used for anything close to production.

Enjoy :-)

# Include necessary modules.
server.modules = ("mod_proxy", "mod_setenv")

# Include config variables.
include "./config-variables.conf"

server.document-root = my-dummy-document-root
server.username = my-username
server.groupname = my-groupname

# IP address or hostname to listen on.
server.bind = my-host
server.port = my-plain-http-port

$SERVER["socket"] == my-host + ":" + my-ssl-client-validation-port {

    ssl.engine = "enable"
    ssl.use-sslv2 = "disable"
    ssl.verifyclient.exportcert = "enable"
    ssl.verifyclient.username = "enable"

    proxy.server = ("" => (("host"=>my-backend-host,
                                     "port"=>my-backend-plain-http-port)))

    # Server certificate.
    ssl.pemfile = my-ssl-server-certificate-key

    # Verify client's certificate.
    ssl.verifyclient.activate = "enable"
    ssl.verifyclient.enforce = "enable"
    ssl.verifyclient.depth = my-verifyclient-depth
    ssl.ca-file = my-ca-certificate
}

# config-variables.conf
var.my-host = "localhost"
var.my-ssl-client-validation-port = "17443"
var.my-plain-http-port = "18080"
var.my-backend-host = "localhost"
var.my-backend-plain-http-port = "28080"
var.my-dummy-document-root = "./"
var.my-username = "dsuch"
var.my-groupname = "dsuch"
var.my-ssl-server-certificate-key = "server-pair.pem"
var.my-ca-certificate = "./ca-chain.pem"
var.my-verifyclient-depth = "3"

Fun with Python’s ssl and M2Crypto modules

July 6th, 2011 No comments

I had to implement a couple of things related to the validation of client SSL/TLS certificates – as returned by the ssl.SSLSocket.getpeercert(True) method – and I thought I’d share the code with others; I guess there’s never too much sample code in that area. It turned out that everything went smoothly with ssl and M2Crypto, and it’s all below. Note that the code downloads the certificate off the Internet, but it will work with a client certificate as well – except for the fact that getpeercert(True) returns DER while get_server_certificate gives you PEM – and otherwise it will work just fine. Cheers!

# -*- coding: utf-8 -*-
 
from __future__ import absolute_import, division, print_function, unicode_literals
 
# stdlib
import ssl
 
# M2Crypto
from M2Crypto import X509
 
# Grab a certificate from the nearest server ..
cert_pem = ssl.get_server_certificate(('duckduckgo.com', 443))
 
# .. let's start with converting PEM to DER ..
cert_der = ssl.PEM_cert_to_DER_cert(cert_pem)
 
# .. how does the DER look like (not too pretty)..
print('\nDER:')
print(cert_der)
 
# .. M2Crypto has a bunch of useful functions ..
x509 = X509.load_cert_string(cert_pem, X509.FORMAT_PEM)
 
# .. does the certificate belong to a CA ..
print('\nIs it a CA:')
print(x509.check_ca())
 
# .. the fingerprint ..
fp = x509.get_fingerprint('sha1')
fp = ':'.join(fp[pos:pos+2] for pos in xrange(0, len(fp), 2))
print('\nSHA1 fingerprint:')
print(fp)
 
# .. serial number ..
print('\nSerial number:')
print(x509.get_serial_number())
 
# .. who has it been issued by ..
print('\nIssuer:')
print(x509.get_issuer())
 
# .. how about the subject's commonName and organization only ..
subject = x509.get_subject()
print('\nSubject\'s commonName and organization:')
print(subject.CN)
print(subject.O)
 
# .. public key's exponent ..
#    inspired by http://mail.python.org/pipermail/python-crypto/2004-August/000683.html
e_data = x509.get_pubkey().get_rsa().e
 
# First 4 bytes are the length of what then follows
length, e_raw = e_data[:4], e_data[4:]
 
e = 0
for c in e_raw:
    e = (e*256) + ord(c)
 
print('\nPublic key\'s exponent:')
print(e)
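As an added example (not the post’s code), the same DER/PEM handling, fingerprinting and MPI exponent decoding done with nothing but the Python 3 standard library, which matters when M2Crypto is not available: getpeercert(True) hands back DER and get_server_certificate() hands back PEM, so everything is normalised to DER first, and a certificate fingerprint is simply a hash over those DER bytes. The function names and the sample inputs are constructed for the illustration.

```python
# Added example, not the post's code: stdlib-only counterparts of the M2Crypto
# calls above. Works on Python 3; sample inputs below are constructed.
import hashlib
import ssl

def to_der(cert):
    """Accept either DER bytes (getpeercert(True)) or a PEM string
    (get_server_certificate) and return DER bytes."""
    if isinstance(cert, bytes):
        return cert
    return ssl.PEM_cert_to_DER_cert(cert)

def to_pem(cert):
    """The reverse: DER bytes to a PEM string; PEM input is returned unchanged."""
    if isinstance(cert, str):
        return cert
    return ssl.DER_cert_to_PEM_cert(cert)

def fingerprint(cert, algorithm='sha1'):
    """Colon-separated fingerprint, in the form M2Crypto's get_fingerprint()
    and 'openssl x509 -fingerprint' print. Computed over the DER encoding."""
    digest = hashlib.new(algorithm, to_der(cert)).hexdigest().upper()
    return ':'.join(digest[pos:pos + 2] for pos in range(0, len(digest), 2))

def mpi_to_int(data):
    """Decode OpenSSL's MPI format that M2Crypto returns for RSA.e and RSA.n:
    a 4-byte big-endian length followed by that many big-endian magnitude bytes
    (a leading 0x00 byte is present when the top bit of the value is set)."""
    length = int.from_bytes(data[:4], 'big')
    raw = data[4:4 + length]
    if len(raw) != length:
        raise ValueError('truncated MPI: expected %d bytes, got %d' % (length, len(raw)))
    return int.from_bytes(raw, 'big')

if __name__ == '__main__':
    # Constructed sample: a tiny made-up DER blob (not a real certificate) and
    # the MPI encoding of the common RSA exponent 65537 (0x010001).
    fake_der = b'\x30\x03\x02\x01\x05'
    assert to_der(to_pem(fake_der)) == fake_der
    print('SHA1 fingerprint:', fingerprint(fake_der))
    print('Public exponent:', mpi_to_int(b'\x00\x00\x00\x03\x01\x00\x01'))
```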

Accessing HAProxy statistics with Python

July 1st, 2011 No comments

HAProxy exposes some of its statistics through a UNIX socket and it turns out it’s very easy to access them from Python, like below.

I guess the code is pretty self-explanatory – essentially it’s expecting you to give it a path to the socket and then to feed it with commands. Some commands may need an extra argument, like ‘show sess’ does, and if you’re particularly impatient – or maybe you’re under a very heavy load – you can also use the ‘timeout’ parameter to specify how long you’re willing to wait for HAProxy to reply.

The responses are returned as-is, and actually I wouldn’t mind it if someone took the code and added a nice OO look’n’feel to it so that it read like this:

stats = HAProxyStats('/tmp/haproxy-stat.sock')
sess = stats.sess('0x19e8fd0')
print(sess.svname)

.. that could make for a useful project but for now, here’s some code that works today :-)

# -*- coding: utf-8 -*-

from __future__ import absolute_import, division, print_function, unicode_literals

# stdlib
import logging
import socket
from cStringIO import StringIO
from time import time
from traceback import format_exc

logger = logging.getLogger(__name__)

class HAProxyStats(object):
    """ Used for communicating with HAProxy through its local UNIX socket interface.
    """
    def __init__(self, socket_name=None):
        self.socket_name = socket_name

    def execute(self, command, extra="", timeout=200):
        """ Executes a HAProxy command by sending a message to a HAProxy's local
        UNIX socket and waiting up to 'timeout' milliseconds for the response.
        """

        if extra:
            command = command + ' ' + extra

        buff = StringIO()

        # 'timeout' is given in milliseconds; time() and settimeout() use seconds.
        timeout_sec = timeout / 1000.0
        end = time() + timeout_sec

        client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        client.settimeout(timeout_sec)

        try:
            client.connect(self.socket_name)
            client.send(command + '\n')

            # HAProxy closes the connection once the whole response has been
            # sent, so an empty recv() means everything has arrived.
            while time() <= end:
                data = client.recv(4096)
                if data:
                    buff.write(data)
                else:
                    return buff.getvalue()

            # Never return a silently truncated response.
            raise socket.timeout('No complete response within {0} ms'.format(timeout))
        except Exception:
            msg = 'An error has occurred, e=[{e}]'.format(e=format_exc())
            logger.error(msg)
            raise
        finally:
            client.close()

if __name__ == '__main__':

    stats = HAProxyStats('/tmp/haproxy-stat.sock')

    info = stats.execute('show info')
    print(info)

    stat = stats.execute('show stat')
    print(stat)

    sess = stats.execute('show sess', '0x19e8fd0', 20)
    print(sess)
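As a step towards the OO feel the post asks for, here is an added example (not the post’s code) that parses what ‘show stat’ returns into dictionaries keyed by column name and flags servers that are not UP, which is the kind of check a monitoring script would run over this output. The input is a constructed, shortened sample; real output has many more columns, but the header line always starts with ‘# ’ and every row ends with a trailing comma. Function names are hypothetical.

```python
# Added example (not the post's code): turning HAProxy 'show stat' CSV into
# dicts and picking out servers whose status is not UP. Python 3.
import csv
import io

# Constructed sample with a handful of the real columns.
SAMPLE_SHOW_STAT = (
    '# pxname,svname,qcur,scur,status,weight,check_status,\n'
    'http-in,FRONTEND,,3,OPEN,,,\n'
    'backend-web,web1,0,2,UP,1,L4OK,\n'
    'backend-web,web2,0,0,DOWN,1,L4CON,\n'
    'backend-web,BACKEND,0,2,UP,1,,\n'
)

def parse_show_stat(text):
    """Return a list of dicts, one per proxy/server row, keyed by column name."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith('# '):
        raise ValueError('not HAProxy "show stat" output')
    header = lines[0][2:].rstrip(',').split(',')
    rows = []
    for fields in csv.reader(io.StringIO('\n'.join(lines[1:]))):
        fields = fields[:len(header)]   # drop the empty field after the trailing comma
        rows.append(dict(zip(header, fields)))
    return rows

def servers_not_up(rows):
    """(pxname, svname, status) for real servers whose status is not UP.
    FRONTEND/BACKEND rows are aggregates, not servers, so they are skipped."""
    return [(r['pxname'], r['svname'], r['status']) for r in rows
            if r['svname'] not in ('FRONTEND', 'BACKEND') and r['status'] != 'UP']

if __name__ == '__main__':
    rows = parse_show_stat(SAMPLE_SHOW_STAT)
    for r in rows:
        print(r['pxname'], r['svname'], r['status'])
    print('Not UP:', servers_not_up(rows))
```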

New PyYAML mirror

June 30th, 2011 No comments

I’ve put a new PyYAML mirror online at http://pyyaml-mirror.gefira.pl/simple/ so that it can be used in emergency cases, like now, when the main site http://www.pyyaml.org has apparently been down for some time. Hope it saves someone at least a little bit of time! :-)


Getting rid of ‘No Cython, trying Pyrex…’ in zc.buildout

June 24th, 2011 No comments

I’ve been looking for information on how to get rid of the ‘No Cython, trying Pyrex…’ warning popping up when using things like bzr in zc.buildout config files, but there was no clear answer to it, so what I’ve finally come up with is below. Essentially, Cython is first downloaded and then compiled so that bzr – or anything that will benefit from there being Cython installed – can freely make use of it.

It isn’t particularly beautiful but does the trick at least, hoping it will save time for someone else!

[buildout]
parts = 
    cython-src
    cython-install
    myapp
 
[config]
cython_version = 0.14
 
[myapp]
recipe = zc.recipe.egg
interpreter = py
eggs = 
    bzr
 
[cython-src]
recipe = hexagonit.recipe.download
url = http://pypi.python.org/packages/source/C/Cython/Cython-${config:cython_version}.tar.gz
 
[cython-install]
recipe = iw.recipe.cmd
on_install = true
cmds = cd ${buildout:directory}/parts/cython-src/Cython-${config:cython_version}; ../../../bin/python setup.py install

Installing sec-wall on Debian wheezy/sid

June 13th, 2011 No comments

The unstoppable Miguel Landaeta did it again and I’m happy to let you all know that sec-wall, the security proxy, can now be installed on Debian wheezy/sid using nothing but DEBs, like below. The only prerequisite is that you need to visit http://alioth.debian.org/~nomadium-guest/debian/unstable/ to find and download the latest DEB – at the time of this writing it’s sec-wall_1.0.0-0miguel2_all.deb, but it is sure to change shortly because sec-wall 1.1 is about to be released.

First, the dependencies:

apt-get install python-springpython python-gevent
apt-get install python-argparse python-lxml
apt-get install python-pesto python-zdaemon
apt-get install python-pkg-resources

Now install sec-wall:

dpkg -i ./sec-wall_1.0.0-0miguel2_all.deb

And that’s all! :-)


New article on sec-wall and cURL/PycURL

June 8th, 2011 No comments

The nice folks at www.linuxsecurity.com have just published a new article on using the sec-wall security proxy with cURL and PycURL, the Python interface to the libcurl library, so if you’re looking for information on how to test services secured using sec-wall, whether with HTTP Basic/Digest Auth, custom HTTP headers, XPath-based authentication, WS-Security or SSL/TLS client certificates, then you won’t be disappointed. Enjoy! :-)


Securing sec-wall services using XPath with namespaces

June 1st, 2011 No comments

One of the things sec-wall, a feature-packed, high-performance security proxy, provides is support for securing access to resources using arbitrary XPath expressions. What is currently missing in the documentation, though, is an explanation of how one should use XML namespaces. It can be done, and there’s a bug report regarding it which I’m going to fix and close in a day or two, but I thought that in the meantime I’d blog about it.

So how would one go about creating a sec-wall config.py file that should let in only clients that use credentials akin to what’s below?

<?xml version="1.0" encoding="utf-8"?>
<a>
    <b>
        <username xmlns="http://example.com/myns1">foo</username>
        <c xmlns="http://example.com/myns2" password="bar" />
    </b>
</a>

The answer is pretty simple – etree.XPath objects accept a namespaces argument which ought to be a mapping between prefixes used in expressions and actual namespaces, so the config file should read like below:

# -*- coding: utf-8 -*-
 
# stdlib
import uuid
 
# lxml
from lxml import etree
 
# Don't share it with anyone.
INSTANCE_SECRET = '7bcb90942d994440af05d02b691ae86d'
 
# May be shared with the outside world.
INSTANCE_UNIQUE = uuid.uuid4().hex
 
# ##############################################################################
 
def xpath():
 
    username = 'foo'
    password = 'bar'
 
    xpath1 = "/a/b/myns1:username/text() = '{0}'".format(username)
    xpath2 = "//myns2:c/@password='{0}'".format(password)
 
    ns_dict = {
        'myns1': 'http://example.com/myns1',
        'myns2': 'http://example.com/myns2',
    }
 
    return {
        'xpath': True,
        'xpath-1': etree.XPath(xpath1, namespaces=ns_dict),
        'xpath-2': etree.XPath(xpath2, namespaces=ns_dict),
        'host': 'http://example.com/',
    }
 
urls = [
    ('/xpath', xpath()),
]

Solid, eh? :-)
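To show the same two checks outside sec-wall, here is an added example (not sec-wall’s code) that evaluates them with the standard library’s xml.etree.ElementTree instead of lxml. ElementTree only supports a subset of XPath, so the comparisons are written as predicates ([.='foo'], [@password='bar']) rather than the ‘=’ expressions in the config, but the point is the same: a prefix-to-namespace mapping is what makes ‘myns1:username’ and ‘myns2:c’ match, and without it the lookup silently matches nothing. It assumes Python 3.7 or later; the xpath_auth and xpath_auth_no_namespaces names are hypothetical, and the XML is the document from the post.

```python
# Added example, not sec-wall's code: the post's two namespaced XPath checks
# done with xml.etree.ElementTree (Python 3.7+ for the [.='text'] predicate).
import xml.etree.ElementTree as ET

NS = {
    'myns1': 'http://example.com/myns1',
    'myns2': 'http://example.com/myns2',
}

# The credentials document from the post.
CREDENTIALS_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<a>
    <b>
        <username xmlns="http://example.com/myns1">foo</username>
        <c xmlns="http://example.com/myns2" password="bar" />
    </b>
</a>"""

def xpath_auth(xml_bytes, username, password):
    """True only when both namespaced checks match, mirroring sec-wall's rule
    that every 'xpath-N' expression must hold (hypothetical helper name)."""
    # A single quote in a value would close the XPath string literal, so such
    # values are rejected outright rather than interpolated into the expression.
    if "'" in username or "'" in password:
        return False
    root = ET.fromstring(xml_bytes)
    user_ok = root.findall("b/myns1:username[.='%s']" % username, NS)
    pass_ok = root.findall(".//myns2:c[@password='%s']" % password, NS)
    return bool(user_ok) and bool(pass_ok)

def xpath_auth_no_namespaces(xml_bytes):
    """Same lookup without the mapping: 'username' lives in a namespace, so a
    plain path never matches it, which is why the prefixes are needed."""
    root = ET.fromstring(xml_bytes)
    return bool(root.findall("b/username"))

if __name__ == '__main__':
    print(xpath_auth(CREDENTIALS_XML, 'foo', 'bar'))      # True
    print(xpath_auth(CREDENTIALS_XML, 'foo', 'wrong'))    # False
    print(xpath_auth_no_namespaces(CREDENTIALS_XML))      # False
```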
