summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorkali <kali@leap.se>2012-09-19 05:02:30 +0900
committerkali <kali@leap.se>2012-09-19 05:02:30 +0900
commit79db1d90f617d90cda61a790c92a54afcf30ff16 (patch)
treee00fd31fcd392675caea4b597e86b5eb6ffd59c5
parent89735a5fd3c81e8aba3cb7b1d4836c1bf1e8c098 (diff)
checks for certificate
-rw-r--r--src/leap/eip/checks.py52
-rw-r--r--src/leap/eip/constants.py2
2 files changed, 36 insertions, 18 deletions
diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py
index b55f5827..cf758314 100644
--- a/src/leap/eip/checks.py
+++ b/src/leap/eip/checks.py
@@ -147,9 +147,10 @@ class ProviderCertChecker(object):
# For MVS
checker.is_there_provider_ca()
- checker.is_https_working()
- checker.check_new_cert_needed()
- #checker.download_new_client_cert()
+
+ # XXX FAKE IT!!!
+ checker.is_https_working(verify=False)
+ checker.check_new_cert_needed(verify=False)
def download_ca_cert(self):
# MVS+
@@ -184,7 +185,6 @@ class ProviderCertChecker(object):
# XXX raise InsecureURI or something better
logger.debug('is https working?')
logger.debug('uri: %s', uri)
- #import ipdb;ipdb.set_trace()
assert uri.startswith('https')
if verify is True and self.cacert is not None:
logger.debug('verify cert: %s', self.cacert)
@@ -192,19 +192,26 @@ class ProviderCertChecker(object):
try:
self.fetcher.get(uri, verify=verify)
except requests.exceptions.SSLError:
+ logger.debug('False!')
raise eipexceptions.EIPBadCertError
else:
logger.debug('True')
return True
- def check_new_cert_needed(self, skip_download=False):
+ def check_new_cert_needed(self, skip_download=False, verify=True):
+ logger.debug('is new cert needed?')
if not self.is_cert_valid(do_raise=False):
- self.download_new_client_cert(skip_download=skip_download)
+ logger.debug('True')
+ self.download_new_client_cert(
+ skip_download=skip_download,
+ verify=verify)
return True
+ logger.debug('False')
return False
def download_new_client_cert(self, uri=None, verify=True,
skip_download=False):
+ logger.debug('download new client cert')
if skip_download:
return True
if uri is None:
@@ -213,20 +220,28 @@ class ProviderCertChecker(object):
assert uri.startswith('https')
if verify is True and self.cacert is not None:
verify = self.cacert
- req = self.fetcher.get(uri, verify=verify)
- pemfile_content = req.content
- self.is_valid_pemfile(pemfile_content)
- cert_path = self._get_client_cert_path()
- self.write_cert(pemfile_content, to=cert_path)
+ try:
+ req = self.fetcher.get(uri, verify=verify)
+ req.raise_for_status()
+ except requests.exceptions.SSLError:
+ logger.warning('SSLError while fetching cert. '
+ 'Look below for stack trace.')
+ # XXX raise better exception
+ raise
+ try:
+ pemfile_content = req.content
+ self.is_valid_pemfile(pemfile_content)
+ cert_path = self._get_client_cert_path()
+ self.write_cert(pemfile_content, to=cert_path)
+ except:
+ logger.warning('Error while validating cert')
+ raise
return True
def is_cert_valid(self, cert_path=None, do_raise=True):
exists = lambda: self.is_certificate_exists()
valid_pemfile = lambda: self.is_valid_pemfile()
not_expired = lambda: self.is_cert_not_expired()
- #print 'exists?', exists
- #print 'valid', valid_pemfile
- #print 'not expired', not_expired
valid = exists() and valid_pemfile() and not_expired()
if not valid:
@@ -268,6 +283,11 @@ class ProviderCertChecker(object):
# XXX use gnutls for get proper
# validation.
# crypto.X509Certificate(cert_s)
+ sep = "-" * 5 + "BEGIN CERTIFICATE" + "-" * 5
+ # we might have private key and cert in the same file
+ certparts = cert_s.split(sep)
+ if len(certparts) > 1:
+ cert_s = sep + certparts[1]
ssl.PEM_cert_to_DER_cert(cert_s)
except:
# XXX raise proper exception
@@ -279,11 +299,10 @@ class ProviderCertChecker(object):
def _get_client_cert_uri(self):
# XXX get the whole thing from constants
- return "https://%s/cert/get" % (baseconstants.DEFAULT_PROVIDER)
+ return "https://%s/1/cert" % (baseconstants.DEFAULT_PROVIDER)
def _get_client_cert_path(self):
# MVS+ : get provider path
- #import ipdb;ipdb.set_trace()
return eipspecs.client_cert_path()
def write_cert(self, pemfile_content, to=None):
@@ -397,7 +416,6 @@ class EIPConfigChecker(object):
from_uri=uri,
fetcher=self.fetcher,
verify=False)
- #import ipdb;ipdb.set_trace()
self.defaultprovider.save()
def fetch_eip_service_config(self, skip_download=False,
diff --git a/src/leap/eip/constants.py b/src/leap/eip/constants.py
index ce50f5e0..9af5a947 100644
--- a/src/leap/eip/constants.py
+++ b/src/leap/eip/constants.py
@@ -1,3 +1,3 @@
# not used anymore with the new JSONConfig.slug
EIP_CONFIG = "eip.json"
-EIP_SERVICE_EXPECTED_PATH = "eip-service.json"
+EIP_SERVICE_EXPECTED_PATH = "1/config/eip-service.json"