authorTomás Touceda <chiiph@leap.se>2013-07-25 16:12:52 -0300
committerTomás Touceda <chiiph@leap.se>2013-07-25 16:12:52 -0300
commit171017b24d9b41f32374da15f182ef948a57bf22 (patch)
tree5c5a302074904adec839b056982ddaf605c0f457
parent173238b24806b025ba991c0e9a892b1238ea9e15 (diff)
parent6b7d885a43808f4351c9e581d1a1e53fbd7b3edd (diff)
Merge remote-tracking branch 'ivan/feature/3227_TOFU-provider' into develop
-rw-r--r--changes/bug-3227_add-TOFU1
-rw-r--r--src/leap/services/eip/providerbootstrapper.py32
2 files changed, 22 insertions, 11 deletions
diff --git a/changes/bug-3227_add-TOFU b/changes/bug-3227_add-TOFU
new file mode 100644
index 00000000..d918c8d4
--- /dev/null
+++ b/changes/bug-3227_add-TOFU
@@ -0,0 +1 @@
+ o Use the provider CA cert for every request once we have it bootstrapped (TOFU). Closes #3227.
diff --git a/src/leap/services/eip/providerbootstrapper.py b/src/leap/services/eip/providerbootstrapper.py
index 0be997b2..723475b8 100644
--- a/src/leap/services/eip/providerbootstrapper.py
+++ b/src/leap/services/eip/providerbootstrapper.py
@@ -132,21 +132,31 @@ class ProviderBootstrapper(AbstractBootstrapper):
logger.debug("Downloading provider info for %s" % (self._domain))
headers = {}
- mtime = get_mtime(os.path.join(ProviderConfig()
- .get_path_prefix(),
- "leap",
- "providers",
- self._domain,
- "provider.json"))
+
+ provider_json = os.path.join(
+ ProviderConfig().get_path_prefix(), "leap", "providers",
+ self._domain, "provider.json")
+ mtime = get_mtime(provider_json)
+
if self._download_if_needed and mtime:
headers['if-modified-since'] = mtime
- res = self._session.get("https://%s/%s" % (self._domain,
- "provider.json"),
- headers=headers,
- verify=not self._bypass_checks,
- timeout=REQUEST_TIMEOUT)
+ uri = "https://%s/%s" % (self._domain, "provider.json")
+ verify = not self._bypass_checks
+
+ if mtime: # the provider.json exists
+ provider_config = ProviderConfig()
+ provider_config.load(provider_json)
+ uri = provider_config.get_api_uri() + '/provider.json'
+ verify = provider_config.get_ca_cert_path()
+
+ logger.debug("Requesting for provider.json... "
+ "uri: {0}, verify: {1}, headers: {2}".format(
+ uri, verify, headers))
+ res = self._session.get(uri, verify=verify,
+ headers=headers, timeout=REQUEST_TIMEOUT)
res.raise_for_status()
+ logger.debug("Request status code: {0}".format(res.status_code))
# Not modified
if res.status_code == 304:
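Review bot: In the `if mtime:` branch, `verify = provider_config.get_ca_cert_path()` is handed to `self._session.get` without confirming it is a non-empty path to an existing file, and the outcome of `provider_config.load(provider_json)` is not checked before `get_api_uri()` is used to build `uri`. With requests, a falsy non-None `verify` (an empty string or `False`) switches certificate verification off, so a cached provider.json with a missing CA entry could fail open; whether `get_ca_cert_path()` can return such a value is not visible in this hunk. I would make the pinned path fail closed before the request, e.g. `if not verify or not os.path.isfile(verify):` followed by raising the bootstrapper's usual error, and treat a failed `load()` the same way. Because the pinned branch also replaces `not self._bypass_checks` and the `self._domain` URI, a short comment such as `# TOFU: trust anchor and API host come from the cached provider.json` would help readers. The enclosing method begins and ends outside this hunk.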