From: David Scott
Date: Mon, 23 Aug 2010 12:03:21 +0000 (+0100)
Subject: CA-42836: In the import_raw_vdi HTTP handler when issuing an HTTP redirect, use HTTPS...
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=353cb80d9d8c6218473e348116b78cc38230d38a;p=xcp%2Fxen-api.git
CA-42836: In the import_raw_vdi HTTP handler when issuing an HTTP redirect, use HTTPS if the caller was originally using HTTPS or HTTP otherwise.
Signed-off-by: David Scott
---
diff --git a/ocaml/idl/ocaml_backend/context.ml b/ocaml/idl/ocaml_backend/context.ml
index 43e34116..119463c4 100644
--- a/ocaml/idl/ocaml_backend/context.ml
+++ b/ocaml/idl/ocaml_backend/context.ml
@@ -81,6 +81,14 @@ let is_unix_socket s = Unix.ADDR_UNIX _ -> true | Unix.ADDR_INET _ -> false
+(** Calls coming directly into xapi on port 80 from remote IPs are unencrypted *)
+let is_unencrypted s =
+ match Unix.getpeername s with
+ | Unix.ADDR_UNIX _ -> false
+ | Unix.ADDR_INET (addr, _) when addr = Unix.inet_addr_loopback -> false
+ | Unix.ADDR_INET _ -> true
+
+
 let preauth ~__context = match __context.origin with Internal -> false
diff --git a/ocaml/idl/ocaml_backend/context.mli b/ocaml/idl/ocaml_backend/context.mli
index 80ab71ce..9bc387e1 100644
--- a/ocaml/idl/ocaml_backend/context.mli
+++ b/ocaml/idl/ocaml_backend/context.mli
@@ -84,6 +84,9 @@ val destroy : t -> unit (** [is_unix_socket fd] *) val is_unix_socket : Unix.file_descr -> bool
+(** [is_unencrypted fd] returns true if the calling connection is not encrypted *)
+val is_unencrypted : Unix.file_descr -> bool
+
 (** [preauth ~__context] *) val preauth : __context:t -> bool
diff --git a/ocaml/xapi/import_raw_vdi.ml b/ocaml/xapi/import_raw_vdi.ml
index 38aed6d4..dd28c169 100644
--- a/ocaml/xapi/import_raw_vdi.ml
+++ b/ocaml/xapi/import_raw_vdi.ml
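Review bot: `is_unencrypted` in context.ml infers encryption from the peer address alone, and its loopback case matches only `Unix.inet_addr_loopback` (127.0.0.1), so a peer at `Unix.inet6_addr_loopback` or another 127.0.0.0/8 address falls through to the last case and is reported as unencrypted. If loopback counts as encrypted because TLS is terminated by a local proxy (presumably the reason; not visible here), such a caller would be redirected to plain HTTP by the new scheme selection in import_raw_vdi.ml. The guard could read `| Unix.ADDR_INET (addr, _) when addr = Unix.inet_addr_loopback || addr = Unix.inet6_addr_loopback -> false`. The doc comments in context.ml and context.mli should state the assumption, e.g. `(** [is_unencrypted fd] is true when the peer is a non-loopback TCP address; loopback and Unix-domain peers are assumed local or TLS-terminated. The connection itself is not inspected. *)`, since the current .mli wording reads as a general encryption check. The comment should also mention that `Unix.getpeername` can raise `Unix.Unix_error`.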
@@ -70,7 +70,7 @@ let localhost_handler rpc session_id (req: request) (s: Unix.file_descr) = raise e) let return_302_redirect (req: request) s address =
- let url = Printf.sprintf "https://%s%s?%s" address req.uri (String.concat "&" (List.map (fun (a,b) -> a^"="^b) req.query)) in
+ let url = Printf.sprintf "%s://%s%s?%s" (if Context.is_unencrypted s then "http" else "https") address req.uri (String.concat "&" (List.map (fun (a,b) -> a^"="^b) req.query)) in
 let headers = Http.http_302_redirect url in debug "HTTP 302 redirect to: %s" url; Http_svr.headers s headers
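Review bot: The rewritten `let url` line in `return_302_redirect` still splices `req.uri` and each `a^"="^b` pair into the Location URL without percent-encoding. If `req.query` holds decoded values (the parser is not visible here), a value containing `&`, `#` or a line break would change the redirect target or the response headers, so each component should go through a URL-encoding helper before concatenation. The scheme choice would read more clearly as its own binding, `let scheme = if Context.is_unencrypted s then "http" else "https" in`, with a comment that the `http` branch sends the query string in clear. The unchanged `debug` line logs the full URL, so if the query carries a session identifier it ends up in the log. `return_302_redirect` starts inside the hunk and may continue past its last context line.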