opensrs's Introduction

OpenSRS

Usage

Looking up statuses of domains

>>> from opensrs import OpenSRS
>>> client = OpenSRS(host, port, username, private_key, default_timeout)
>>> client.suggest_domains('foo', ['.COM', '.ORG', '.NET', '.INFO'], 4)
{
    'lookup': [
        {'status': 'taken', 'domain': 'foo.com'},
        {'status': 'taken', 'domain': 'foo.net'},
        {'status': 'taken', 'domain': 'foo.org'},
        {'status': 'taken', 'domain': 'foo.info'},
    ],
    'suggestion': [
        {'status': 'available', 'domain': 'fooonline.com'},
        {'status': 'available', 'domain': 'fooonline.net'},
        {'status': 'available', 'domain': 'fooonline.org'},
        {'status': 'available', 'domain': 'fooonline.info'},
    ]
}

Configuration

The service client is configured on initialization.

from opensrs import OpenSRS
client = OpenSRS(host, port, username, private_key, default_timeout)

Testing

Install requirements:

pip install -r requirements.txt

Create the test_settings.py file in the root directory with properly populated CONNECTION_OPTIONS. Use test_settings.py.example as an example.

Run the tests with:

nosetests

Or you can easily run tests on Python 2.7 with tox:

tox

opensrs's People

Contributors

adrianmoisey, davidc, ekoval, jslang, kosmos342, michaeljoseph, mtingers, rayen, serhii-karelov, trunet, zoidyzoidzoid

opensrs's Issues

OpenSRS Production endpoint leading to exception: http.client.BadStatusLine

I just started to do some tests, but whenever I change from the test API endpoint to the production endpoint, I get:
http.client.BadStatusLine:

This is due to the production environment not returning any HTTP header, which makes the library unusable, as httplib (Python 2) and http.client (Python 3) check for HTTP/ on the first HTTP line, or else it is not the HTTP protocol as defined in the RFC.

The README example is failing.

I have some workarounds, just want to check if this is happening to you guys as well.

Error 104: Connection reset by peer

/home/ash/.virtualenvs/lite/local/lib/python2.7/site-packages/opensrs/opensrsapi.py in suggest_domains(self, search_string, tlds, maximum, max_wait_time, search_key)
    470                         max_wait_time=None, search_key=None):
    471         rsp = self._name_suggest_domain(search_string, tlds, maximum,
--> 472                                         max_wait_time, search_key)
    473         data = rsp.get_data()
    474         domains = {}

/home/ash/.virtualenvs/lite/local/lib/python2.7/site-packages/opensrs/opensrsapi.py in _name_suggest_domain(self, search_string, tlds, maximum, max_wait_time, search_key)
    253         return self._req(action='NAME_SUGGEST',
    254                          object='DOMAIN',
--> 255                          attributes=attributes)
    256 
    257     def _process_pending(self, order_id, cancel=False):

/home/ash/.virtualenvs/lite/local/lib/python2.7/site-packages/opensrs/opensrsapi.py in _req(self, action, object, attributes, **kw)
    133     def _req(self, action, object, attributes, **kw):
    134         msg = XCPMessage(action, object, attributes, **kw)
--> 135         return self._get_channel().make_request(msg)
    136 
    137     def make_contact(self, user, domain, **kw):

/home/ash/.virtualenvs/lite/local/lib/python2.7/site-packages/opensrs/xcp.py in make_request(self, message)
    154     def make_request(self, message):
    155         log.debug('OpenSRS Request: %s' % repr(message.get_content()))
--> 156         response = self._make_call(message)
    157         log.debug('OpenSRS Response: %s' % repr(response.message_xml))
    158         if response.get_data()['is_success'] == '0':

/home/ash/.virtualenvs/lite/local/lib/python2.7/site-packages/opensrs/xcp.py in _make_call(self, message)
    140         request = Request('https://%s:%s/' % (self.host, self.port))
    141         import ipdb; ipdb.set_trace()
--> 142         headers = {
    143             'Content-Type': 'text/xml',
    144             'X-Username': self.username,

/usr/lib/python2.7/socket.pyc in read(self, size)
    349             while True:
    350                 try:
--> 351                     data = self._sock.recv(rbufsize)
    352                 except error, e:
    353                     if e.args[0] == EINTR:

/usr/lib/python2.7/httplib.pyc in read(self, amt)
    600         # connection, and the user is reading more bytes than will be provided
    601         # (for example, reading in 1k chunks)
--> 602         s = self.fp.read(amt)
    603         if not s and amt:
    604             # Ideally, we would raise IncompleteRead if the content-length

/usr/lib/python2.7/httplib.pyc in read(self, amt)
   1355                 return s + self._file.read()
   1356             else:
-> 1357                 return s + self._file.read(amt - len(s))
   1358         else:
   1359             assert amt <= self._line_left

/usr/lib/python2.7/socket.pyc in read(self, size)
    378                 # fragmentation issues on many platforms.
    379                 try:
--> 380                     data = self._sock.recv(left)
    381                 except error, e:
    382                     if e.args[0] == EINTR:

/usr/lib/python2.7/ssl.pyc in recv(self, buflen, flags)
    339                     "non-zero flags not allowed in calls to recv() on %s" %
    340                     self.__class__)
--> 341             return self.read(buflen)
    342         else:
    343             return self._sock.recv(buflen, flags)

/usr/lib/python2.7/ssl.pyc in read(self, len)
    258 
    259         try:
--> 260             return self._sslobj.read(len)
    261         except SSLError, x:
    262             if x.args[0] == SSL_ERROR_EOF and self.suppress_ragged_eofs:

error: [Errno 104] Connection reset by 

ssl.SSLError: [SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:1056)

OpenSRS have recently mucked up their server configuration so it is sending a preferred cipher list with INVALID ciphers first*. This means every correctly configured client is refusing to connect after attempting to use the server's preferred cipher and finding its key is smaller than the certificate key.

Their support response was literally to refuse to accept responsibility for this misconfiguration and insist that every single client has to hack around and avoid the invalid ciphers. I am not even joking, I have been back and forth with them repeatedly and they will not fix this, they consider fixing their production servers to work correctly again to be a feature request and that I should submit it on their feature request forum (which has evidently not even been looked at in years judging from the amount of spam on it).

This patch will hack around the issue on the client side:

diff --git a/opensrs/xcp.py b/opensrs/xcp.py
index cc590fc..70119f0 100644
--- a/opensrs/xcp.py
+++ b/opensrs/xcp.py
@@ -5,6 +5,7 @@ try:
 except ImportError:
     from urllib2 import urlopen, Request
 from xml.etree import ElementTree as ET
+from ssl import SSLContext

 from opensrs.errors import XCPError

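Review bot: the new module-level import, from ssl import SSLContext, is unconditional even though the lines just above it keep a urllib2 fallback for Python 2; ssl.SSLContext only exists from Python 2.7.9, so on an older 2.7 the whole module now fails to import. Either guard the import the same way as the urllib one or state the minimum supported Python version alongside this change.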
@@ -149,7 +150,10 @@ class XCPChannel(object):

         timeout = message.timeout or self.default_timeout
         log.debug('Making XCP call with timeout = %s', timeout)
-        xml = urlopen(request, message.get_content(), timeout).read()
+
+        ctx = SSLContext()
+        ctx.set_ciphers('DEFAULT:!DH')
+        xml = urlopen(request, message.get_content(), timeout, context=ctx).read()
         return OPSMessage(xml=xml)

     def make_request(self, message):
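Review bot: ctx = SSLContext() builds a context with certificate verification and hostname checking switched off (verify_mode is CERT_NONE by default for this constructor), so the cipher workaround also stops the client from validating the *.opensrs.net certificate. Build the context with ssl.create_default_context() and call set_ciphers('DEFAULT:!DH') on that instead; note too that on Python 2.7 the SSLContext constructor requires a protocol argument, so the no-argument call raises TypeError there. A short comment explaining why DH is excluded would help whoever removes this later.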



* snipped debug:

$ openssl s_client -tls1_2  rr-n1-tor.opensrs.net:55443
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust RSA CA 2018
verify return:1
depth=0 C = CA, ST = Ontario, L = Toronto, O = Tucows.Com Co., CN = *.opensrs.net
verify return:1
139947124814976:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2150:
[snip]
$ nmap --script ssl-enum-ciphers -p 55443 rr-n1-tor.opensrs.net
Starting Nmap 7.70 ( https://nmap.org ) at 2021-02-05 11:21 GMT
Nmap scan report for rr-n1-tor.opensrs.net (216.40.33.39)
Host is up (0.088s latency).

PORT      STATE SERVICE
55443/tcp open  unknown
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 8.47 seconds
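
The client-side workaround from the issue above, rebuilt on a verifying context, as an added example (not part of the original issue or the opensrs code base). The helper names bare_context, verified_context, dhe_suites and summarize are hypothetical; the cipher string is the one from the patch.

```python
import re
import ssl
import warnings

# Cipher string from the patch: OpenSSL's default list minus DHE key exchange.
CIPHERS_NO_DHE = "DEFAULT:!DH"

# OpenSSL names for certificate-authenticated finite-field DHE suites; nmap's
# TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 is DHE-RSA-AES256-GCM-SHA384 here.
_DHE_NAME = re.compile(r"^(DHE|EDH)-(RSA|DSS)-")


def bare_context():
    """Context built the way the patch does it: ssl.SSLContext() with no arguments."""
    with warnings.catch_warnings():
        # Newer Python versions warn that the no-argument form is deprecated.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx = ssl.SSLContext()
    ctx.set_ciphers(CIPHERS_NO_DHE)
    return ctx


def verified_context():
    """Same cipher restriction, with certificate and hostname checks kept on."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers(CIPHERS_NO_DHE)
    return ctx


def dhe_suites(ctx):
    """Names of DHE suites the context would still offer to a server."""
    return [c["name"] for c in ctx.get_ciphers() if _DHE_NAME.match(c["name"])]


def summarize(ctx):
    """Security-relevant settings of a context, for logging or a unit test."""
    return {
        "verifies_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "dhe_suites": dhe_suites(ctx),
    }


if __name__ == "__main__":
    print("patch-style context:", summarize(bare_context()))
    print("verified context:   ", summarize(verified_context()))
```

Either context can be passed as context= to urlopen, as the patch does; only the verified one still rejects a server presenting an untrusted or mismatched certificate.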

Break integration tests into a separate test suite

It'd be nice to hook this into Travis CI. But we can't really do that, while the tests require passwords.

If we separate the unit tests from the integration tests, we can at least do some useful testing.
