From e896190d159342d9819f0ad6f11fe01deb8eb9e5 Mon Sep 17 00:00:00 2001 From: kali Date: Mon, 27 Aug 2012 07:35:00 +0900 Subject: add stubs for eip.checks will handle pre-init sanity checks for eip connection. some of this will actually end in more general leap-checks, but let's keep it alltogether by now. --- src/leap/eip/checks.py | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 src/leap/eip/checks.py (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py new file mode 100644 index 00000000..bb588cf7 --- /dev/null +++ b/src/leap/eip/checks.py @@ -0,0 +1,50 @@ +import logging +logger = logging.getLogger(name=__name__) + + +class EIPChecker(object): + """ + Executes all tests needed + to ensure a EIPConnection + can be sucessful + """ + def __init__(self): + pass + + def do_all_checks(self, checker=None): + """ + just runs all tests in a row. + will raise if some error encounter. + catching those exceptions is not + our responsibility at this moment + """ + if not checker: + checker = self + + # let's call all tests + # needed for a sane eip session. + + checker.dump_default_eipconfig() + checker.check_is_there_default_provider() + checker.fetch_definition() + checker.fetch_eip_config() + checker.check_complete_eip_config() + checker.ping_gateway() + + def dump_default_eipconfig(self): + raise NotImplementedError + + def check_is_there_default_provider(self): + raise NotImplementedError + + def fetch_definition(self): + raise NotImplementedError + + def fetch_eip_config(self): + raise NotImplementedError + + def check_complete_eip_config(self): + raise NotImplementedError + + def ping_gateway(self): + raise NotImplementedError -- cgit v1.2.3 From 4a46723219e5284bec21b9dccd6589a670babc63 Mon Sep 17 00:00:00 2001 From: kali Date: Mon, 27 Aug 2012 23:21:43 +0900 Subject: add test_dump_default_eipconfig to eip.test_checks plus a little bit of cleaning around (created constants file). added some notes about inminent deprecation *work in progress* --- src/leap/eip/checks.py | 49 ++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 40 insertions(+), 9 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index bb588cf7..1726e73a 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -1,20 +1,26 @@ import logging logger = logging.getLogger(name=__name__) +import os + +from leap.base import config as baseconfig +from leap.eip import config as eipconfig +from leap.eip import constants as eipconstants class EIPChecker(object): """ - Executes all tests needed + Several tests needed to ensure a EIPConnection can be sucessful """ - def __init__(self): - pass + #def __init__(self): + ## no init needed atm.. + #pass - def do_all_checks(self, checker=None): + def run_all(self, checker=None): """ - just runs all tests in a row. - will raise if some error encounter. + runs all checks in a row. + will raise if some error encountered. catching those exceptions is not our responsibility at this moment """ @@ -24,20 +30,32 @@ class EIPChecker(object): # let's call all tests # needed for a sane eip session. - checker.dump_default_eipconfig() + checker.check_default_eipconfig() checker.check_is_there_default_provider() checker.fetch_definition() checker.fetch_eip_config() checker.check_complete_eip_config() checker.ping_gateway() - def dump_default_eipconfig(self): - raise NotImplementedError + # public checks + + def check_default_eipconfig(self): + """ + checks if default eipconfig exists, + and dumps a default file if not + """ + # it *really* does not make sense to + # dump it right now, we can get an in-memory + # config object and dump it to disk in a + # later moment + if not self._is_there_default_eipconfig(): + self._dump_default_eipconfig() def check_is_there_default_provider(self): raise NotImplementedError def fetch_definition(self): + # check_and_get_definition_file raise NotImplementedError def fetch_eip_config(self): @@ -48,3 +66,16 @@ class EIPChecker(object): def ping_gateway(self): raise NotImplementedError + + # private helpers + + def _get_default_eipconfig_path(self): + return baseconfig.get_config_file(eipconstants.EIP_CONFIG) + + def _is_there_default_eipconfig(self): + return os.path.isfile( + self._get_default_eipconfig_path()) + + def _dump_default_eipconfig(self): + eipconfig.dump_default_eipconfig( + self._get_default_eipconfig_path()) -- cgit v1.2.3 From 568d52ccf33e6d7683f36f5fe2e3c32b47892216 Mon Sep 17 00:00:00 2001 From: kali Date: Tue, 28 Aug 2012 05:30:38 +0900 Subject: eipchecker.fetch definition and tests deprecated base:test_config.test_complete_file (dup functionality) --- src/leap/eip/checks.py | 93 +++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 84 insertions(+), 9 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 1726e73a..dbb7d524 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -1,10 +1,17 @@ +import json import logging -logger = logging.getLogger(name=__name__) import os +logger = logging.getLogger(name=__name__) + +import requests + from leap.base import config as baseconfig +from leap.base import constants as baseconstants from leap.eip import config as eipconfig from leap.eip import constants as eipconstants +from leap.eip import exceptions as eipexceptions +from leap.util.fileutil import mkdir_p class EIPChecker(object): @@ -12,10 +19,17 @@ class EIPChecker(object): Several tests needed to ensure a EIPConnection can be sucessful + use run_all to run all checks. """ - #def __init__(self): - ## no init needed atm.. - #pass + + def __init__(self, fetcher=requests): + """ + we do not want to accept too many + argument on init. we want tests + to be explicitely run. + """ + self.config = None + self.fetcher = fetcher def run_all(self, checker=None): """ @@ -30,7 +44,11 @@ class EIPChecker(object): # let's call all tests # needed for a sane eip session. + # TODO: get rid of check_default. + # check_complete should + # be enough. checker.check_default_eipconfig() + checker.check_is_there_default_provider() checker.fetch_definition() checker.fetch_eip_config() @@ -44,6 +62,10 @@ class EIPChecker(object): checks if default eipconfig exists, and dumps a default file if not """ + # XXX ONLY a transient check + # because some old function still checks + # for eip config at the beginning. + # it *really* does not make sense to # dump it right now, we can get an in-memory # config object and dump it to disk in a @@ -51,12 +73,55 @@ class EIPChecker(object): if not self._is_there_default_eipconfig(): self._dump_default_eipconfig() - def check_is_there_default_provider(self): - raise NotImplementedError - - def fetch_definition(self): + def check_is_there_default_provider(self, config=None): + """ + raises EIPMissingDefaultProvider if no + default provider found on eip config. + This is catched by ui and runs FirstRunWizard (MVS+) + """ + # if config is not None: + # config = config + # else: self.get_eipconfig + # XXX parse EIPConfig. + # XXX get default_provider. + eipcfg = self._get_default_eipconfig_path() + with open(eipcfg, 'r') as fp: + config = json.load(fp) + provider = config.get('provider', None) + if provider is None: + raise eipexceptions.EIPMissingDefaultProvider + if config: + self.config = config + return True + + def fetch_definition(self, skip_download=False, + config=None, uri=None): # check_and_get_definition_file - raise NotImplementedError + if skip_download: + return True + if config is None: + config = self.config + if uri is None: + if config: + domain = config.get('provider', None) + else: + domain = None + uri = self._get_provider_definition_uri( + domain=domain) + + # XXX move to JSONConfig Fetcher + request = self.fetcher.get(uri) + request.raise_for_status() + + definition_file = os.path.join( + baseconfig.get_default_provider_path(), + baseconstants.DEFINITION_EXPECTED_PATH) + + folder, filename = os.path.split(definition_file) + if not os.path.isdir(folder): + mkdir_p(folder) + with open(definition_file, 'wb') as f: + f.write(json.dumps(request.json, indent=4)) def fetch_eip_config(self): raise NotImplementedError @@ -67,7 +132,9 @@ class EIPChecker(object): def ping_gateway(self): raise NotImplementedError + # # private helpers + # def _get_default_eipconfig_path(self): return baseconfig.get_config_file(eipconstants.EIP_CONFIG) @@ -79,3 +146,11 @@ class EIPChecker(object): def _dump_default_eipconfig(self): eipconfig.dump_default_eipconfig( self._get_default_eipconfig_path()) + + def _get_provider_definition_uri(self, domain=None, path=None): + if domain is None: + domain = baseconstants.DEFAULT_TEST_PROVIDER + if path is None: + path = baseconstants.DEFINITION_EXPECTED_PATH + return "https://%s/%s" % (domain, path) + -- cgit v1.2.3 From c469e396bde67db15e486a320b254de0fa6f69df Mon Sep 17 00:00:00 2001 From: kali Date: Tue, 28 Aug 2012 06:08:58 +0900 Subject: checki complete eip_config tests. completed first version of EIPChecks --- src/leap/eip/checks.py | 59 +++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 54 insertions(+), 5 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index dbb7d524..84a2ba6b 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -53,7 +53,7 @@ class EIPChecker(object): checker.fetch_definition() checker.fetch_eip_config() checker.check_complete_eip_config() - checker.ping_gateway() + #checker.ping_gateway() # public checks @@ -97,6 +97,13 @@ class EIPChecker(object): def fetch_definition(self, skip_download=False, config=None, uri=None): # check_and_get_definition_file + """ + fetches a definition file from server + """ + # TODO: + # - Implement diff + # - overwrite if different. + if skip_download: return True if config is None: @@ -123,11 +130,47 @@ class EIPChecker(object): with open(definition_file, 'wb') as f: f.write(json.dumps(request.json, indent=4)) - def fetch_eip_config(self): - raise NotImplementedError + def fetch_eip_config(self, skip_download=False, + config=None, uri=None): + if skip_download: + return True + if config is None: + config = self.config + if uri is None: + if config: + domain = config.get('provider', None) + else: + domain = None + uri = self._get_eip_service_uri( + domain=domain) - def check_complete_eip_config(self): - raise NotImplementedError + # XXX move to JSONConfig Fetcher + request = self.fetcher.get(uri) + request.raise_for_status() + + definition_file = os.path.join( + baseconfig.get_default_provider_path(), + eipconstants.EIP_SERVICE_EXPECTED_PATH) + + folder, filename = os.path.split(definition_file) + if not os.path.isdir(folder): + mkdir_p(folder) + with open(definition_file, 'wb') as f: + f.write(json.dumps(request.json, indent=4)) + + def check_complete_eip_config(self, config=None): + if config is None: + config = self.config + try: + 'trying assertions' + assert 'provider' in config + assert config['provider'] is not None + except AssertionError: + raise eipexceptions.EIPConfigurationError + + # XXX TODO: + # We should WRITE eip config if missing or + # incomplete at this point def ping_gateway(self): raise NotImplementedError @@ -154,3 +197,9 @@ class EIPChecker(object): path = baseconstants.DEFINITION_EXPECTED_PATH return "https://%s/%s" % (domain, path) + def _get_eip_service_uri(self, domain=None, path=None): + if domain is None: + domain = baseconstants.DEFAULT_TEST_PROVIDER + if path is None: + path = eipconstants.EIP_SERVICE_EXPECTED_PATH + return "https://%s/%s" % (domain, path) -- cgit v1.2.3 From 5ddb2ef5a803cc6c01a90b4c3b33c90a51d2666e Mon Sep 17 00:00:00 2001 From: kali Date: Tue, 28 Aug 2012 22:35:23 +0900 Subject: add todo --- src/leap/eip/checks.py | 1 + 1 file changed, 1 insertion(+) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 84a2ba6b..7ef80cae 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -165,6 +165,7 @@ class EIPChecker(object): 'trying assertions' assert 'provider' in config assert config['provider'] is not None + # XXX assert there is gateway !! except AssertionError: raise eipexceptions.EIPConfigurationError -- cgit v1.2.3 From 06883461f2daa616b2e3c842f53d9422703cd9c7 Mon Sep 17 00:00:00 2001 From: kali Date: Tue, 28 Aug 2012 23:08:39 +0900 Subject: eip_checks called from main app. removed "configuration" object. checks are called from conductor. --- src/leap/eip/checks.py | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 7ef80cae..794e69e1 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -2,7 +2,9 @@ import json import logging import os +logging.basicConfig() logger = logging.getLogger(name=__name__) +logger.setLevel(logging.DEBUG) import requests @@ -31,7 +33,7 @@ class EIPChecker(object): self.config = None self.fetcher = fetcher - def run_all(self, checker=None): + def run_all(self, checker=None, skip_download=False): """ runs all checks in a row. will raise if some error encountered. @@ -50,8 +52,8 @@ class EIPChecker(object): checker.check_default_eipconfig() checker.check_is_there_default_provider() - checker.fetch_definition() - checker.fetch_eip_config() + checker.fetch_definition(skip_download=skip_download) + checker.fetch_eip_config(skip_download=skip_download) checker.check_complete_eip_config() #checker.ping_gateway() @@ -70,6 +72,7 @@ class EIPChecker(object): # dump it right now, we can get an in-memory # config object and dump it to disk in a # later moment + logger.debug('checking default eip config') if not self._is_there_default_eipconfig(): self._dump_default_eipconfig() @@ -84,6 +87,7 @@ class EIPChecker(object): # else: self.get_eipconfig # XXX parse EIPConfig. # XXX get default_provider. + logger.debug('checking default provider') eipcfg = self._get_default_eipconfig_path() with open(eipcfg, 'r') as fp: config = json.load(fp) @@ -103,8 +107,10 @@ class EIPChecker(object): # TODO: # - Implement diff # - overwrite if different. + logger.debug('fetching definition') if skip_download: + logger.debug('(fetching def skipped)') return True if config is None: config = self.config -- cgit v1.2.3 From 7a8f4db1a4743582c34a52ab448eece0e7689bc8 Mon Sep 17 00:00:00 2001 From: kali Date: Tue, 28 Aug 2012 23:36:39 +0900 Subject: test for eip_config_checker called from eip_connection run_checks method also: - changed name EIPChecker -> EipConfigChecker - Added class documentation --- src/leap/eip/checks.py | 34 ++++++++++++++++++++++++++-------- 1 file changed, 26 insertions(+), 8 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 794e69e1..27320b1f 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -15,21 +15,40 @@ from leap.eip import constants as eipconstants from leap.eip import exceptions as eipexceptions from leap.util.fileutil import mkdir_p +""" +EIPConfigChecker +---------- +this is the first of 3 consecutive checks that we're implementing. -class EIPChecker(object): +It is used from the eip conductor (a instance of EIPConnection that is +managed from the QtApp), running run_all method before trying to call +`connect` or any other of the state switching methods. + +It checks that the needed files are provided or can be discovered over the +net. Much of these tests are not specific to EIP module, and can be splitted +into base.tests to be invoked by the base leap init routines. +However, I'm testing them alltogether for the sake of having the whole unit +reachable and testable as a whole. + +Other related checkers - not implemented yet -: +* LeapNetworkChecker +* ProviderCertChecker +""" + + +class EIPConfigChecker(object): """ Several tests needed to ensure a EIPConnection - can be sucessful + can be sucessfully established. use run_all to run all checks. """ def __init__(self, fetcher=requests): - """ - we do not want to accept too many - argument on init. we want tests - to be explicitely run. - """ + # we do not want to accept too many + # argument on init. + # we want tests + # to be explicitely run. self.config = None self.fetcher = fetcher @@ -100,7 +119,6 @@ class EIPChecker(object): def fetch_definition(self, skip_download=False, config=None, uri=None): - # check_and_get_definition_file """ fetches a definition file from server """ -- cgit v1.2.3 From ed4ad3a392caf0211e51a48d2d7b6c5a2f7bb17a Mon Sep 17 00:00:00 2001 From: kali Date: Wed, 29 Aug 2012 23:05:38 +0900 Subject: add eipconfig spec and config object --- src/leap/eip/checks.py | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 27320b1f..e5b8e971 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -52,6 +52,8 @@ class EIPConfigChecker(object): self.config = None self.fetcher = fetcher + #self.eipconfig = eipconfig.EIPConfig() + def run_all(self, checker=None, skip_download=False): """ runs all checks in a row. @@ -208,10 +210,13 @@ class EIPConfigChecker(object): return baseconfig.get_config_file(eipconstants.EIP_CONFIG) def _is_there_default_eipconfig(self): + #XXX + #self.eipconfig.exists() return os.path.isfile( self._get_default_eipconfig_path()) def _dump_default_eipconfig(self): + #XXX self.eipconfig.save() eipconfig.dump_default_eipconfig( self._get_default_eipconfig_path()) -- cgit v1.2.3 From 1263cd7a3cfca81ae3e6976a489e2d3d4013d64b Mon Sep 17 00:00:00 2001 From: kali Date: Thu, 30 Aug 2012 00:36:50 +0900 Subject: add lazy evaluation to config specs now callables are allowed in specs *only at one level depth* to allow for last-minute evaluation on context-sensitive data, like paths affected by os.environ also some minor modifications to make check tests pass after putting the new jsonconfig-based eipconfig in place. aaaaaall green again :) --- src/leap/eip/checks.py | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index e5b8e971..b92ea706 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -52,7 +52,7 @@ class EIPConfigChecker(object): self.config = None self.fetcher = fetcher - #self.eipconfig = eipconfig.EIPConfig() + self.eipconfig = eipconfig.EIPConfig() def run_all(self, checker=None, skip_download=False): """ @@ -211,14 +211,17 @@ class EIPConfigChecker(object): def _is_there_default_eipconfig(self): #XXX - #self.eipconfig.exists() - return os.path.isfile( - self._get_default_eipconfig_path()) + return self.eipconfig.exists() + #return os.path.isfile( + #self._get_default_eipconfig_path()) def _dump_default_eipconfig(self): #XXX self.eipconfig.save() - eipconfig.dump_default_eipconfig( - self._get_default_eipconfig_path()) + logger.debug('saving eipconfig') + #import ipdb;ipdb.set_trace() + self.eipconfig.save() + #eipconfig.dump_default_eipconfig( + #self._get_default_eipconfig_path()) def _get_provider_definition_uri(self, domain=None, path=None): if domain is None: -- cgit v1.2.3 From e6483d20a5500e86b5fa4e7da63f911641b7e9dd Mon Sep 17 00:00:00 2001 From: kali Date: Thu, 30 Aug 2012 01:11:42 +0900 Subject: fix config load method it was not updating config dict --- src/leap/eip/checks.py | 27 +++++---------------------- 1 file changed, 5 insertions(+), 22 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index b92ea706..4b2326a5 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -21,8 +21,8 @@ EIPConfigChecker this is the first of 3 consecutive checks that we're implementing. It is used from the eip conductor (a instance of EIPConnection that is -managed from the QtApp), running run_all method before trying to call -`connect` or any other of the state switching methods. +managed from the QtApp), running `run_all` method before trying to call +`connect` or any other of the state-changing methods. It checks that the needed files are provided or can be discovered over the net. Much of these tests are not specific to EIP module, and can be splitted @@ -69,7 +69,7 @@ class EIPConfigChecker(object): # TODO: get rid of check_default. # check_complete should - # be enough. + # be enough. but here to make early tests easier. checker.check_default_eipconfig() checker.check_is_there_default_provider() @@ -103,15 +103,9 @@ class EIPConfigChecker(object): default provider found on eip config. This is catched by ui and runs FirstRunWizard (MVS+) """ - # if config is not None: - # config = config - # else: self.get_eipconfig - # XXX parse EIPConfig. - # XXX get default_provider. + if config is None: + config = self.eipconfig.get_config() logger.debug('checking default provider') - eipcfg = self._get_default_eipconfig_path() - with open(eipcfg, 'r') as fp: - config = json.load(fp) provider = config.get('provider', None) if provider is None: raise eipexceptions.EIPMissingDefaultProvider @@ -206,22 +200,11 @@ class EIPConfigChecker(object): # private helpers # - def _get_default_eipconfig_path(self): - return baseconfig.get_config_file(eipconstants.EIP_CONFIG) - def _is_there_default_eipconfig(self): - #XXX return self.eipconfig.exists() - #return os.path.isfile( - #self._get_default_eipconfig_path()) def _dump_default_eipconfig(self): - #XXX self.eipconfig.save() - logger.debug('saving eipconfig') - #import ipdb;ipdb.set_trace() self.eipconfig.save() - #eipconfig.dump_default_eipconfig( - #self._get_default_eipconfig_path()) def _get_provider_definition_uri(self, domain=None, path=None): if domain is None: -- cgit v1.2.3 From d69976caa5070403f81799c79be974241cff7f70 Mon Sep 17 00:00:00 2001 From: kali Date: Thu, 30 Aug 2012 03:43:05 +0900 Subject: fetcher moved to baseconfig + eipchecker using eipservice config. --- src/leap/eip/checks.py | 76 ++++++++++++++++---------------------------------- 1 file changed, 24 insertions(+), 52 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 4b2326a5..b57977f0 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -8,12 +8,11 @@ logger.setLevel(logging.DEBUG) import requests -from leap.base import config as baseconfig from leap.base import constants as baseconstants +from leap.base import providers from leap.eip import config as eipconfig from leap.eip import constants as eipconstants from leap.eip import exceptions as eipexceptions -from leap.util.fileutil import mkdir_p """ EIPConfigChecker @@ -49,10 +48,11 @@ class EIPConfigChecker(object): # argument on init. # we want tests # to be explicitely run. - self.config = None self.fetcher = fetcher self.eipconfig = eipconfig.EIPConfig() + self.defaultprovider = providers.LeapProviderDefinition() + self.eipserviceconfig = eipconfig.EIPServiceConfig() def run_all(self, checker=None, skip_download=False): """ @@ -74,7 +74,7 @@ class EIPConfigChecker(object): checker.check_is_there_default_provider() checker.fetch_definition(skip_download=skip_download) - checker.fetch_eip_config(skip_download=skip_download) + checker.fetch_eip_service_config(skip_download=skip_download) checker.check_complete_eip_config() #checker.ping_gateway() @@ -109,8 +109,7 @@ class EIPConfigChecker(object): provider = config.get('provider', None) if provider is None: raise eipexceptions.EIPMissingDefaultProvider - if config: - self.config = config + # XXX raise also if malformed ProviderDefinition? return True def fetch_definition(self, skip_download=False, @@ -120,65 +119,38 @@ class EIPConfigChecker(object): """ # TODO: # - Implement diff - # - overwrite if different. + # - overwrite only if different. + # (attend to serial field different, for instance) + logger.debug('fetching definition') if skip_download: logger.debug('(fetching def skipped)') return True if config is None: - config = self.config + config = self.defaultprovider.get_config() if uri is None: - if config: - domain = config.get('provider', None) - else: - domain = None - uri = self._get_provider_definition_uri( - domain=domain) - - # XXX move to JSONConfig Fetcher - request = self.fetcher.get(uri) - request.raise_for_status() - - definition_file = os.path.join( - baseconfig.get_default_provider_path(), - baseconstants.DEFINITION_EXPECTED_PATH) - - folder, filename = os.path.split(definition_file) - if not os.path.isdir(folder): - mkdir_p(folder) - with open(definition_file, 'wb') as f: - f.write(json.dumps(request.json, indent=4)) - - def fetch_eip_config(self, skip_download=False, - config=None, uri=None): + domain = config.get('provider', None) + uri = self._get_provider_definition_uri(domain=domain) + + self.defaultprovider.load(from_uri=uri, fetcher=self.fetcher) + self.defaultprovider.save() + + def fetch_eip_service_config(self, skip_download=False, + config=None, uri=None): if skip_download: return True if config is None: - config = self.config + config = self.eipserviceconfig.get_config() if uri is None: - if config: - domain = config.get('provider', None) - else: - domain = None - uri = self._get_eip_service_uri( - domain=domain) - - # XXX move to JSONConfig Fetcher - request = self.fetcher.get(uri) - request.raise_for_status() - - definition_file = os.path.join( - baseconfig.get_default_provider_path(), - eipconstants.EIP_SERVICE_EXPECTED_PATH) - - folder, filename = os.path.split(definition_file) - if not os.path.isdir(folder): - mkdir_p(folder) - with open(definition_file, 'wb') as f: - f.write(json.dumps(request.json, indent=4)) + domain = config.get('provider', None) + uri = self._get_eip_service_uri(domain=domain) + + self.eipserviceconfig.load(from_uri=uri, fetcher=self.fetcher) + self.eipserviceconfig.save() def check_complete_eip_config(self, config=None): + # TODO check for gateway if config is None: config = self.config try: -- cgit v1.2.3 From 5e77b77765154850fb708e6ea188fcf7ba99fdce Mon Sep 17 00:00:00 2001 From: kali Date: Thu, 30 Aug 2012 04:37:30 +0900 Subject: add test for JSONLeapConfig metaclass --- src/leap/eip/checks.py | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index b57977f0..1db7158f 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -35,6 +35,14 @@ Other related checkers - not implemented yet -: """ +class LeapNetworkChecker(object): + pass + + +class ProviderCertChecker(object): + pass + + class EIPConfigChecker(object): """ Several tests needed -- cgit v1.2.3 From 396d815e318d03df4e21269aa8c3e6c0e6f7fad0 Mon Sep 17 00:00:00 2001 From: kali Date: Thu, 30 Aug 2012 06:00:03 +0900 Subject: working with options only from cli --- src/leap/eip/checks.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 1db7158f..c6a7ca72 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -160,7 +160,7 @@ class EIPConfigChecker(object): def check_complete_eip_config(self, config=None): # TODO check for gateway if config is None: - config = self.config + config = self.eipconfig.get_config() try: 'trying assertions' assert 'provider' in config -- cgit v1.2.3 From b612f422bf156a3b3927038472ad885b1afa556e Mon Sep 17 00:00:00 2001 From: kali Date: Mon, 3 Sep 2012 02:51:41 +0900 Subject: providercertchecks:check_https_is_working implementing a https server with its own base testcase for convenience. https is delicate, and I think it's better checking against a real implementation than mocking everything here. --- src/leap/eip/checks.py | 62 ++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 60 insertions(+), 2 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index c6a7ca72..4112ef57 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -40,12 +40,70 @@ class LeapNetworkChecker(object): class ProviderCertChecker(object): - pass + """ + Several checks needed for getting + client certs and checking tls connection + with provider. + """ + def __init__(self, fetcher=requests): + self.fetcher = fetcher + + def run_all(self, checker=None, skip_download=False): + if not checker: + checker = self + + # For MVS+ + # checker.download_ca_cert() + # checker.download_ca_signature() + # checker.get_ca_signatures() + # checker.is_there_trust_path() + + # For MVS + checker.is_there_provider_ca() + checker.is_https_working() + checker.download_new_client_cert() + + def download_ca_cert(self): + # MVS+ + raise NotImplementedError + + def download_ca_signature(self): + # MVS+ + raise NotImplementedError + + def get_ca_signatures(self): + # MVS+ + raise NotImplementedError + + def is_there_trust_path(self): + # MVS+ + raise NotImplementedError + + def is_there_provider_ca(self): + # XXX fake it till you make it! :P + return True + + # enable this when we have + # a custom "branded" bundle + # certs package. + try: + from leap.custom import certs + certs.ca.pemfile + except ImportError: + raise + + def is_https_working(self, uri=None, cacert=None, verify=True): + assert uri.startswith('https') + self.fetcher.get(uri, verify=verify) + return True + + def download_new_client_cert(self): + return True class EIPConfigChecker(object): """ - Several tests needed + Several checks needed to ensure a EIPConnection can be sucessfully established. use run_all to run all checks. -- cgit v1.2.3 From 090aed5e7c569e07b14d74ca71068a277cc39152 Mon Sep 17 00:00:00 2001 From: kali Date: Mon, 3 Sep 2012 04:18:15 +0900 Subject: basic download cert functionality --- src/leap/eip/checks.py | 58 +++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 53 insertions(+), 5 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 4112ef57..b0fd6323 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -1,6 +1,7 @@ -import json +#import json import logging -import os +import ssl +#import os logging.basicConfig() logger = logging.getLogger(name=__name__) @@ -13,6 +14,7 @@ from leap.base import providers from leap.eip import config as eipconfig from leap.eip import constants as eipconstants from leap.eip import exceptions as eipexceptions +from leap.eip import specs as eipspecs """ EIPConfigChecker @@ -47,6 +49,7 @@ class ProviderCertChecker(object): """ def __init__(self, fetcher=requests): self.fetcher = fetcher + self.cacert = None def run_all(self, checker=None, skip_download=False): if not checker: @@ -88,18 +91,63 @@ class ProviderCertChecker(object): # certs package. try: from leap.custom import certs - certs.ca.pemfile except ImportError: raise + self.cacert = certs.where('cacert.pem') - def is_https_working(self, uri=None, cacert=None, verify=True): + def is_https_working(self, uri=None, verify=True): + # XXX raise InsecureURI or something better assert uri.startswith('https') + if verify is True and self.cacert is not None: + verify = self.cacert self.fetcher.get(uri, verify=verify) return True - def download_new_client_cert(self): + def download_new_client_cert(self, uri=None, verify=True): + if uri is None: + uri = self._get_client_cert_uri() + # XXX raise InsecureURI or something better + assert uri.startswith('https') + if verify is True and self.cacert is not None: + verify = self.cacert + req = self.fetcher.get(uri, verify=verify) + pemfile_content = req.content + self.validate_pemfile(pemfile_content) + cert_path = self._get_client_cert_path() + self.write_cert(pemfile_content, to=cert_path) return True + def validate_pemfile(self, cert_s): + """ + checks that the passed string + is a valid pem certificate + @param cert_s: string containing pem content + @type cert_s: string + @rtype: bool + """ + try: + # XXX get a real cert validation + # so far this is only checking begin/end + # delimiters :) + ssl.PEM_cert_to_DER_cert(cert_s) + except: + # XXX raise proper exception + raise + return True + + def _get_client_cert_uri(self): + # XXX TODO + # get from provider definition? + pass + + def _get_client_cert_path(self): + # MVS+ : get provider path + return eipspecs.client_cert_path() + + def write_cert(self, pemfile_content, to=None): + with open(to, 'w') as cert_f: + cert_f.write(pemfile_content) + class EIPConfigChecker(object): """ -- cgit v1.2.3 From 37d7e272b7f8a649034a0cf60f6c4a1424bf767a Mon Sep 17 00:00:00 2001 From: kali Date: Tue, 4 Sep 2012 01:08:05 +0900 Subject: better separate cert validation/download logic stubbing out the timestamp validity check (waiting for #507) also some more deep tests are missing, wrote todo in tests. --- src/leap/eip/checks.py | 58 +++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 50 insertions(+), 8 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index b0fd6323..51a7e219 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -1,7 +1,7 @@ #import json import logging import ssl -#import os +import os logging.basicConfig() logger = logging.getLogger(name=__name__) @@ -64,7 +64,8 @@ class ProviderCertChecker(object): # For MVS checker.is_there_provider_ca() checker.is_https_working() - checker.download_new_client_cert() + checker.check_new_cert_needed() + #checker.download_new_client_cert() def download_ca_cert(self): # MVS+ @@ -103,7 +104,16 @@ class ProviderCertChecker(object): self.fetcher.get(uri, verify=verify) return True - def download_new_client_cert(self, uri=None, verify=True): + def check_new_cert_needed(self, skip_download=False): + if not self.is_cert_valid(do_raise=False): + self.download_new_client_cert(skip_download=skip_download) + return True + return False + + def download_new_client_cert(self, uri=None, verify=True, + skip_download=False): + if skip_download: + return True if uri is None: uri = self._get_client_cert_uri() # XXX raise InsecureURI or something better @@ -112,12 +122,39 @@ class ProviderCertChecker(object): verify = self.cacert req = self.fetcher.get(uri, verify=verify) pemfile_content = req.content - self.validate_pemfile(pemfile_content) + self.is_valid_pemfile(pemfile_content) cert_path = self._get_client_cert_path() self.write_cert(pemfile_content, to=cert_path) return True - def validate_pemfile(self, cert_s): + def is_cert_valid(self, cert_path=None, do_raise=True): + exists = lambda: self.is_certificate_exists() + valid_pemfile = lambda: self.is_valid_pemfile() + not_expired = lambda: self.is_cert_not_expired() + print 'exists?', exists + print 'valid', valid_pemfile + print 'not expired', not_expired + + valid = exists() and valid_pemfile() and not_expired() + if not valid: + if do_raise: + raise Exception('missing cert') + else: + return False + return True + + def is_certificate_exists(self, certfile=None): + if certfile is None: + certfile = self._get_client_cert_path() + return os.path.isfile(certfile) + + def is_cert_not_expired(self): + return True + # XXX TODO + # waiting on #507. If we're not using PyOpenSSL or anything alike + # we will have to roll our own x509 parsing to extract time info. + + def is_valid_pemfile(self, cert_s=None): """ checks that the passed string is a valid pem certificate @@ -125,6 +162,10 @@ class ProviderCertChecker(object): @type cert_s: string @rtype: bool """ + if cert_s is None: + certfile = self._get_client_cert_path() + with open(certfile) as cf: + cert_s = cf.read() try: # XXX get a real cert validation # so far this is only checking begin/end @@ -136,14 +177,15 @@ class ProviderCertChecker(object): return True def _get_client_cert_uri(self): - # XXX TODO - # get from provider definition? - pass + return "https://%s/cert/get" % (baseconstants.DEFAULT_TEST_PROVIDER) def _get_client_cert_path(self): # MVS+ : get provider path return eipspecs.client_cert_path() + def is_cert_still_valid(self): + raise NotImplementedError + def write_cert(self, pemfile_content, to=None): with open(to, 'w') as cert_f: cert_f.write(pemfile_content) -- cgit v1.2.3 From 83a3fed0d38e44e64cec027f9fd2fcd5a894f96a Mon Sep 17 00:00:00 2001 From: kali Date: Tue, 4 Sep 2012 03:18:13 +0900 Subject: fix test_checks: do not mess with real home path! It is really dangerous to mess with expanduser paths in tests without deriving testcases from LeapTestCase. It'd be good to devise a way of checking for that :( --- src/leap/eip/checks.py | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 51a7e219..1b7c2e1b 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -15,6 +15,7 @@ from leap.eip import config as eipconfig from leap.eip import constants as eipconstants from leap.eip import exceptions as eipexceptions from leap.eip import specs as eipspecs +from leap.util.fileutil import mkdir_p """ EIPConfigChecker @@ -33,7 +34,6 @@ reachable and testable as a whole. Other related checkers - not implemented yet -: * LeapNetworkChecker -* ProviderCertChecker """ @@ -131,9 +131,9 @@ class ProviderCertChecker(object): exists = lambda: self.is_certificate_exists() valid_pemfile = lambda: self.is_valid_pemfile() not_expired = lambda: self.is_cert_not_expired() - print 'exists?', exists - print 'valid', valid_pemfile - print 'not expired', not_expired + #print 'exists?', exists + #print 'valid', valid_pemfile + #print 'not expired', not_expired valid = exists() and valid_pemfile() and not_expired() if not valid: @@ -181,12 +181,13 @@ class ProviderCertChecker(object): def _get_client_cert_path(self): # MVS+ : get provider path + #import ipdb;ipdb.set_trace() return eipspecs.client_cert_path() - def is_cert_still_valid(self): - raise NotImplementedError - def write_cert(self, pemfile_content, to=None): + folder, filename = os.path.split(to) + if not os.path.isdir(folder): + mkdir_p(folder) with open(to, 'w') as cert_f: cert_f.write(pemfile_content) -- cgit v1.2.3 From a2804c3de1470db98d8c6aa8a01e2de1aa1718a1 Mon Sep 17 00:00:00 2001 From: kali Date: Wed, 5 Sep 2012 07:42:10 +0900 Subject: app wide logging handler --- src/leap/eip/checks.py | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 1b7c2e1b..4a2a9599 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -1,12 +1,7 @@ -#import json import logging import ssl import os -logging.basicConfig() -logger = logging.getLogger(name=__name__) -logger.setLevel(logging.DEBUG) - import requests from leap.base import constants as baseconstants @@ -17,6 +12,8 @@ from leap.eip import exceptions as eipexceptions from leap.eip import specs as eipspecs from leap.util.fileutil import mkdir_p +logger = logging.getLogger(name=__name__) + """ EIPConfigChecker ---------- -- cgit v1.2.3 From ffe551fdbbade14e1a8de84ac48064aa7b45e2c1 Mon Sep 17 00:00:00 2001 From: antialias Date: Mon, 10 Sep 2012 19:59:30 -0400 Subject: Implemented basic networks checks: valid interface, default route, and can ping the listed gateway. --- src/leap/eip/checks.py | 53 ++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 51 insertions(+), 2 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 4a2a9599..412be27b 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -1,7 +1,10 @@ import logging import ssl +import platform import os +import netifaces +import ping import requests from leap.base import constants as baseconstants @@ -319,8 +322,54 @@ class EIPConfigChecker(object): # We should WRITE eip config if missing or # incomplete at this point - def ping_gateway(self): - raise NotImplementedError + def test_internet_connection(self): + try: + requests.get('http://216.172.161.165') + except (requests.HTTPError, requests.RequestException) as e: + self.error = e.message + except requests.ConenctionError as e: + if e.message == "[Errno 113] No route to host": + if not self.is_internet_up(): + self.error = "No valid internet connection found." + else: + self.error = "Provider server appears to be down." + + def is_internet_up(self): + iface, gateway = self.get_default_interface_gateway() + self.ping_gateway(self) + + def get_default_interface_gateway(self): + """only impletemented for linux so far.""" + if not platform.system() == "Linux": + raise NotImplementedError + + f = open("/proc/net/route") + route_table = f.readlines() + #toss out header + route_table.pop(0) + + default_iface = None + gateway = None + while route_table: + line = route_table.pop(0) + iface, destination, gateway = line.split('\t')[0:3] + if destination == '00000000': + default_iface = iface + break + + if not default_iface: + raise eipexceptions.NoDefaultInterfaceFoundError + + if default_iface not in netifaces.interfaces(): + raise eipexceptions.InterfaceNotFoundError + + return default_iface, gateway + + def ping_gateway(self, gateway): + #TODO: Discuss how much packet loss (%) is acceptable. + packet_loss = ping.quiet_ping(gateway)[0] + if packet_loss > 10: + raise eipexceptions.NoConnectionToGateway # # private helpers -- cgit v1.2.3 From f3b601cb525b2884e7a48c7bfc41b4aef915adf7 Mon Sep 17 00:00:00 2001 From: kali Date: Wed, 12 Sep 2012 08:38:36 +0900 Subject: moved network checks to its own class so it can be more easily moved to base.checks and reused when eip is a module. --- src/leap/eip/checks.py | 131 +++++++++++++++++++++++++++++-------------------- 1 file changed, 78 insertions(+), 53 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 412be27b..24e97335 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -20,8 +20,6 @@ logger = logging.getLogger(name=__name__) """ EIPConfigChecker ---------- -this is the first of 3 consecutive checks that we're implementing. - It is used from the eip conductor (a instance of EIPConnection that is managed from the QtApp), running `run_all` method before trying to call `connect` or any other of the state-changing methods. @@ -32,13 +30,87 @@ into base.tests to be invoked by the base leap init routines. However, I'm testing them alltogether for the sake of having the whole unit reachable and testable as a whole. -Other related checkers - not implemented yet -: -* LeapNetworkChecker +LeapNetworkChecker +------------------ +Network checks. To be moved to base. +docs TBD + +ProviderCertChecker +------------------- +Checks on certificates. +docs TBD """ class LeapNetworkChecker(object): - pass + """ + all network related checks + """ + # XXX to be moved to leap.base.checks + # TODO eventually, use a more portable solution + # like psutil + + def run_all(self, checker=None): + if not checker: + checker = self + self.error = None # ? + + # for MVS + checker.test_internet_connection() + checker.is_internet_up() + checker.ping_gateway() + + def test_internet_connection(self): + # XXX we're not passing the error anywhere. + # XXX we probably should raise an exception here? + # unless we use this as smoke test + try: + requests.get('http://216.172.161.165') + except (requests.HTTPError, requests.RequestException) as e: + self.error = e.message + except requests.ConenctionError as e: + if e.message == "[Errno 113] No route to host": + if not self.is_internet_up(): + self.error = "No valid internet connection found." + else: + self.error = "Provider server appears to be down." + + def is_internet_up(self): + iface, gateway = self.get_default_interface_gateway() + self.ping_gateway(self) + + def get_default_interface_gateway(self): + """only impletemented for linux so far.""" + if not platform.system() == "Linux": + raise NotImplementedError + + with open("/proc/net/route") as f: + route_table = f.readlines() + #toss out header + route_table.pop(0) + + default_iface = None + gateway = None + while route_table: + line = route_table.pop(0) + iface, destination, gateway = line.split('\t')[0:3] + if destination == '00000000': + default_iface = iface + break + + if not default_iface: + raise eipexceptions.NoDefaultInterfaceFoundError + + if default_iface not in netifaces.interfaces(): + raise eipexceptions.InterfaceNotFoundError + + return default_iface, gateway + + def ping_gateway(self, gateway): + #TODO: Discuss how much packet loss (%) is acceptable. + packet_loss = ping.quiet_ping(gateway)[0] + if packet_loss > baseconstants.MAX_ICMP_PACKET_LOSS: + raise eipexceptions.NoConnectionToGateway class ProviderCertChecker(object): @@ -153,6 +225,7 @@ class ProviderCertChecker(object): # XXX TODO # waiting on #507. If we're not using PyOpenSSL or anything alike # we will have to roll our own x509 parsing to extract time info. + # XXX use gnutls def is_valid_pemfile(self, cert_s=None): """ @@ -322,54 +395,6 @@ class EIPConfigChecker(object): # We should WRITE eip config if missing or # incomplete at this point - def test_internet_connection(self): - try: - requests.get('http://216.172.161.165') - except (requests.HTTPError, requests.RequestException) as e: - self.error = e.message - except requests.ConenctionError as e: - if e.message == "[Errno 113] No route to host": - if not self.is_internet_up(): - self.error = "No valid internet connection found." - else: - self.error = "Provider server appears to be down." - - def is_internet_up(self): - iface, gateway = self.get_default_interface_gateway() - self.ping_gateway(self) - - def get_default_interface_gateway(self): - """only impletemented for linux so far.""" - if not platform.system() == "Linux": - raise NotImplementedError - - f = open("/proc/net/route") - route_table = f.readlines() - #toss out header - route_table.pop(0) - - default_iface = None - gateway = None - while route_table: - line = route_table.pop(0) - iface, destination, gateway = line.split('\t')[0:3] - if destination == '00000000': - default_iface = iface - break - - if not default_iface: - raise eipexceptions.NoDefaultInterfaceFoundError - - if default_iface not in netifaces.interfaces(): - raise eipexceptions.InterfaceNotFoundError - - return default_iface, gateway - - def ping_gateway(self, gateway): - #TODO: Discuss how much packet loss (%) is acceptable. - packet_loss = ping.quiet_ping(gateway)[0] - if packet_loss > 10: - raise eipexceptions.NoConnectionToGateway # # private helpers -- cgit v1.2.3 From 8b353443d6e4523d9d95cba190daaec564838e72 Mon Sep 17 00:00:00 2001 From: kali Date: Wed, 12 Sep 2012 08:58:20 +0900 Subject: close fd. with breaks with StringIO passed in tests. --- src/leap/eip/checks.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 24e97335..4dd4a95c 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -84,8 +84,9 @@ class LeapNetworkChecker(object): if not platform.system() == "Linux": raise NotImplementedError - with open("/proc/net/route") as f: - route_table = f.readlines() + f = open("/proc/net/route") + route_table = f.readlines() + f.close() #toss out header route_table.pop(0) @@ -395,7 +396,6 @@ class EIPConfigChecker(object): # We should WRITE eip config if missing or # incomplete at this point - # # private helpers # -- cgit v1.2.3 From 79764a5624acee85bcd03cd315c3d834a9a25a02 Mon Sep 17 00:00:00 2001 From: kali Date: Wed, 12 Sep 2012 10:00:29 +0900 Subject: time boundary check of certificate using gnutls --- src/leap/eip/checks.py | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 4dd4a95c..f368c551 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -1,8 +1,10 @@ import logging import ssl import platform +import time import os +from gnutls import crypto import netifaces import ping import requests @@ -221,12 +223,13 @@ class ProviderCertChecker(object): certfile = self._get_client_cert_path() return os.path.isfile(certfile) - def is_cert_not_expired(self): - return True - # XXX TODO - # waiting on #507. If we're not using PyOpenSSL or anything alike - # we will have to roll our own x509 parsing to extract time info. - # XXX use gnutls + def is_cert_not_expired(self, certfile=None, now=time.gmtime): + if certfile is None: + certfile = self._get_client_cert_path() + with open(certfile) as cf: + cert_s = cf.read() + cert = crypto.X509Certificate(cert_s) + return cert.activation_time < now() < cert.expiration_time def is_valid_pemfile(self, cert_s=None): """ @@ -244,6 +247,9 @@ class ProviderCertChecker(object): # XXX get a real cert validation # so far this is only checking begin/end # delimiters :) + # XXX use gnutls for get proper + # validation. + # crypto.X509Certificate(cert_s) ssl.PEM_cert_to_DER_cert(cert_s) except: # XXX raise proper exception -- cgit v1.2.3 From 0d35f2a82bf15504ace2135af3e0c66ae1c16874 Mon Sep 17 00:00:00 2001 From: kali Date: Tue, 18 Sep 2012 11:11:43 +0900 Subject: do_branding command added to setup --- src/leap/eip/checks.py | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index f368c551..aea5a5d7 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -257,7 +257,7 @@ class ProviderCertChecker(object): return True def _get_client_cert_uri(self): - return "https://%s/cert/get" % (baseconstants.DEFAULT_TEST_PROVIDER) + return "https://%s/cert/get" % (baseconstants.DEFAULT_PROVIDER) def _get_client_cert_path(self): # MVS+ : get provider path @@ -414,14 +414,18 @@ class EIPConfigChecker(object): def _get_provider_definition_uri(self, domain=None, path=None): if domain is None: - domain = baseconstants.DEFAULT_TEST_PROVIDER + domain = baseconstants.DEFAULT_PROVIDER if path is None: path = baseconstants.DEFINITION_EXPECTED_PATH - return "https://%s/%s" % (domain, path) + uri = u"https://%s/%s" % (domain, path) + logger.debug('getting provider definition from %s' % uri) + return uri def _get_eip_service_uri(self, domain=None, path=None): if domain is None: - domain = baseconstants.DEFAULT_TEST_PROVIDER + domain = baseconstants.DEFAULT_PROVIDER if path is None: path = eipconstants.EIP_SERVICE_EXPECTED_PATH - return "https://%s/%s" % (domain, path) + uri = "https://%s/%s" % (domain, path) + logger.debug('getting eip service file from %s', uri) + return uri -- cgit v1.2.3 From 89735a5fd3c81e8aba3cb7b1d4836c1bf1e8c098 Mon Sep 17 00:00:00 2001 From: kali Date: Tue, 18 Sep 2012 22:55:45 +0900 Subject: cert verification and malformed json checks --- src/leap/eip/checks.py | 65 +++++++++++++++++++++++++++++++++++--------------- 1 file changed, 46 insertions(+), 19 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index aea5a5d7..b55f5827 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -9,6 +9,8 @@ import netifaces import ping import requests +from leap import __branding as BRANDING +from leap import certs from leap.base import constants as baseconstants from leap.base import providers from leap.eip import config as eipconfig @@ -20,6 +22,11 @@ from leap.util.fileutil import mkdir_p logger = logging.getLogger(name=__name__) """ +ProviderCertChecker +------------------- +Checks on certificates. To be moved to base. +docs TBD + EIPConfigChecker ---------- It is used from the eip conductor (a instance of EIPConnection that is @@ -36,14 +43,15 @@ LeapNetworkChecker ------------------ Network checks. To be moved to base. docs TBD - -ProviderCertChecker -------------------- -Checks on certificates. -docs TBD """ +def get_ca_cert(): + ca_file = BRANDING.get('provider_ca_file') + if ca_file: + return certs.where(ca_file) + + class LeapNetworkChecker(object): """ all network related checks @@ -67,6 +75,7 @@ class LeapNetworkChecker(object): # XXX we probably should raise an exception here? # unless we use this as smoke test try: + # XXX remove this hardcoded random ip requests.get('http://216.172.161.165') except (requests.HTTPError, requests.RequestException) as e: self.error = e.message @@ -124,7 +133,7 @@ class ProviderCertChecker(object): """ def __init__(self, fetcher=requests): self.fetcher = fetcher - self.cacert = None + self.cacert = get_ca_cert() def run_all(self, checker=None, skip_download=False): if not checker: @@ -159,25 +168,34 @@ class ProviderCertChecker(object): raise NotImplementedError def is_there_provider_ca(self): - # XXX fake it till you make it! :P + from leap import certs + logger.debug('do we have provider_ca?') + cacert_path = BRANDING.get('provider_ca_file', None) + if not cacert_path: + logger.debug('False') + return False + self.cacert = certs.where(cacert_path) + logger.debug('True') return True - # enable this when we have - # a custom "branded" bundle - # certs package. - try: - from leap.custom import certs - except ImportError: - raise - self.cacert = certs.where('cacert.pem') - def is_https_working(self, uri=None, verify=True): + if uri is None: + uri = self._get_root_uri() # XXX raise InsecureURI or something better + logger.debug('is https working?') + logger.debug('uri: %s', uri) + #import ipdb;ipdb.set_trace() assert uri.startswith('https') if verify is True and self.cacert is not None: + logger.debug('verify cert: %s', self.cacert) verify = self.cacert - self.fetcher.get(uri, verify=verify) - return True + try: + self.fetcher.get(uri, verify=verify) + except requests.exceptions.SSLError: + raise eipexceptions.EIPBadCertError + else: + logger.debug('True') + return True def check_new_cert_needed(self, skip_download=False): if not self.is_cert_valid(do_raise=False): @@ -256,7 +274,11 @@ class ProviderCertChecker(object): raise return True + def _get_root_uri(self): + return u"https://%s/" % baseconstants.DEFAULT_PROVIDER + def _get_client_cert_uri(self): + # XXX get the whole thing from constants return "https://%s/cert/get" % (baseconstants.DEFAULT_PROVIDER) def _get_client_cert_path(self): @@ -370,7 +392,12 @@ class EIPConfigChecker(object): domain = config.get('provider', None) uri = self._get_provider_definition_uri(domain=domain) - self.defaultprovider.load(from_uri=uri, fetcher=self.fetcher) + # FIXME! Pass ca path verify!!! + self.defaultprovider.load( + from_uri=uri, + fetcher=self.fetcher, + verify=False) + #import ipdb;ipdb.set_trace() self.defaultprovider.save() def fetch_eip_service_config(self, skip_download=False, -- cgit v1.2.3 From 79db1d90f617d90cda61a790c92a54afcf30ff16 Mon Sep 17 00:00:00 2001 From: kali Date: Wed, 19 Sep 2012 05:02:30 +0900 Subject: checks for certificate --- src/leap/eip/checks.py | 52 +++++++++++++++++++++++++++++++++----------------- 1 file changed, 35 insertions(+), 17 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index b55f5827..cf758314 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -147,9 +147,10 @@ class ProviderCertChecker(object): # For MVS checker.is_there_provider_ca() - checker.is_https_working() - checker.check_new_cert_needed() - #checker.download_new_client_cert() + + # XXX FAKE IT!!! + checker.is_https_working(verify=False) + checker.check_new_cert_needed(verify=False) def download_ca_cert(self): # MVS+ @@ -184,7 +185,6 @@ class ProviderCertChecker(object): # XXX raise InsecureURI or something better logger.debug('is https working?') logger.debug('uri: %s', uri) - #import ipdb;ipdb.set_trace() assert uri.startswith('https') if verify is True and self.cacert is not None: logger.debug('verify cert: %s', self.cacert) @@ -192,19 +192,26 @@ class ProviderCertChecker(object): try: self.fetcher.get(uri, verify=verify) except requests.exceptions.SSLError: + logger.debug('False!') raise eipexceptions.EIPBadCertError else: logger.debug('True') return True - def check_new_cert_needed(self, skip_download=False): + def check_new_cert_needed(self, skip_download=False, verify=True): + logger.debug('is new cert needed?') if not self.is_cert_valid(do_raise=False): - self.download_new_client_cert(skip_download=skip_download) + logger.debug('True') + self.download_new_client_cert( + skip_download=skip_download, + verify=verify) return True + logger.debug('False') return False def download_new_client_cert(self, uri=None, verify=True, skip_download=False): + logger.debug('download new client cert') if skip_download: return True if uri is None: @@ -213,20 +220,28 @@ class ProviderCertChecker(object): assert uri.startswith('https') if verify is True and self.cacert is not None: verify = self.cacert - req = self.fetcher.get(uri, verify=verify) - pemfile_content = req.content - self.is_valid_pemfile(pemfile_content) - cert_path = self._get_client_cert_path() - self.write_cert(pemfile_content, to=cert_path) + try: + req = self.fetcher.get(uri, verify=verify) + req.raise_for_status() + except requests.exceptions.SSLError: + logger.warning('SSLError while fetching cert. ' + 'Look below for stack trace.') + # XXX raise better exception + raise + try: + pemfile_content = req.content + self.is_valid_pemfile(pemfile_content) + cert_path = self._get_client_cert_path() + self.write_cert(pemfile_content, to=cert_path) + except: + logger.warning('Error while validating cert') + raise return True def is_cert_valid(self, cert_path=None, do_raise=True): exists = lambda: self.is_certificate_exists() valid_pemfile = lambda: self.is_valid_pemfile() not_expired = lambda: self.is_cert_not_expired() - #print 'exists?', exists - #print 'valid', valid_pemfile - #print 'not expired', not_expired valid = exists() and valid_pemfile() and not_expired() if not valid: @@ -268,6 +283,11 @@ class ProviderCertChecker(object): # XXX use gnutls for get proper # validation. # crypto.X509Certificate(cert_s) + sep = "-" * 5 + "BEGIN CERTIFICATE" + "-" * 5 + # we might have private key and cert in the same file + certparts = cert_s.split(sep) + if len(certparts) > 1: + cert_s = sep + certparts[1] ssl.PEM_cert_to_DER_cert(cert_s) except: # XXX raise proper exception @@ -279,11 +299,10 @@ class ProviderCertChecker(object): def _get_client_cert_uri(self): # XXX get the whole thing from constants - return "https://%s/cert/get" % (baseconstants.DEFAULT_PROVIDER) + return "https://%s/1/cert" % (baseconstants.DEFAULT_PROVIDER) def _get_client_cert_path(self): # MVS+ : get provider path - #import ipdb;ipdb.set_trace() return eipspecs.client_cert_path() def write_cert(self, pemfile_content, to=None): @@ -397,7 +416,6 @@ class EIPConfigChecker(object): from_uri=uri, fetcher=self.fetcher, verify=False) - #import ipdb;ipdb.set_trace() self.defaultprovider.save() def fetch_eip_service_config(self, skip_download=False, -- cgit v1.2.3 From d1ebe98239fbc2baffa345558d396fa539e79202 Mon Sep 17 00:00:00 2001 From: kali Date: Fri, 21 Sep 2012 06:32:40 +0900 Subject: added --no-provider-checks and --no-ca-verify for ease of debugging Close #604 --- src/leap/eip/checks.py | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index cf758314..ef09a582 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -135,10 +135,12 @@ class ProviderCertChecker(object): self.fetcher = fetcher self.cacert = get_ca_cert() - def run_all(self, checker=None, skip_download=False): + def run_all(self, checker=None, skip_download=False, skip_verify=False): if not checker: checker = self + do_verify = not skip_verify + logger.debug('do_verify: %s', do_verify) # For MVS+ # checker.download_ca_cert() # checker.download_ca_signature() @@ -149,8 +151,8 @@ class ProviderCertChecker(object): checker.is_there_provider_ca() # XXX FAKE IT!!! - checker.is_https_working(verify=False) - checker.check_new_cert_needed(verify=False) + checker.is_https_working(verify=do_verify) + checker.check_new_cert_needed(verify=do_verify) def download_ca_cert(self): # MVS+ @@ -183,17 +185,21 @@ class ProviderCertChecker(object): if uri is None: uri = self._get_root_uri() # XXX raise InsecureURI or something better - logger.debug('is https working?') - logger.debug('uri: %s', uri) assert uri.startswith('https') if verify is True and self.cacert is not None: logger.debug('verify cert: %s', self.cacert) verify = self.cacert + logger.debug('is https working?') + logger.debug('uri: %s (verify:%s)', uri, verify) try: self.fetcher.get(uri, verify=verify) - except requests.exceptions.SSLError: - logger.debug('False!') + except requests.exceptions.SSLError as exc: + logger.warning('False! CERT VERIFICATION FAILED! ' + '(this should be CRITICAL)') + logger.warning('SSLError: %s', exc.message) raise eipexceptions.EIPBadCertError + # XXX get requests.exceptions.ConnectionError Errno 110 + # Connection timed out, and raise ours. else: logger.debug('True') return True -- cgit v1.2.3 From a38e61691a79b20199cdedf23f60a5760bba7a06 Mon Sep 17 00:00:00 2001 From: kali Date: Fri, 21 Sep 2012 06:44:19 +0900 Subject: add property to baseconfig config instead of get_config() --- src/leap/eip/checks.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index ef09a582..5ace1479 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -388,7 +388,7 @@ class EIPConfigChecker(object): This is catched by ui and runs FirstRunWizard (MVS+) """ if config is None: - config = self.eipconfig.get_config() + config = self.eipconfig.config logger.debug('checking default provider') provider = config.get('provider', None) if provider is None: @@ -412,7 +412,7 @@ class EIPConfigChecker(object): logger.debug('(fetching def skipped)') return True if config is None: - config = self.defaultprovider.get_config() + config = self.defaultprovider.config if uri is None: domain = config.get('provider', None) uri = self._get_provider_definition_uri(domain=domain) @@ -429,7 +429,7 @@ class EIPConfigChecker(object): if skip_download: return True if config is None: - config = self.eipserviceconfig.get_config() + config = self.eipserviceconfig.config if uri is None: domain = config.get('provider', None) uri = self._get_eip_service_uri(domain=domain) @@ -440,7 +440,7 @@ class EIPConfigChecker(object): def check_complete_eip_config(self, config=None): # TODO check for gateway if config is None: - config = self.eipconfig.get_config() + config = self.eipconfig.config try: 'trying assertions' assert 'provider' in config -- cgit v1.2.3 From 5173c0ee937696782a2f62078a860246ec388c39 Mon Sep 17 00:00:00 2001 From: kali Date: Tue, 25 Sep 2012 05:48:06 +0900 Subject: workaround for #638 and fix for eip config check for gateways (we were picking gateway in a wrong way) Closes #610. --- src/leap/eip/checks.py | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index ef09a582..9b7b1cee 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -197,7 +197,8 @@ class ProviderCertChecker(object): logger.warning('False! CERT VERIFICATION FAILED! ' '(this should be CRITICAL)') logger.warning('SSLError: %s', exc.message) - raise eipexceptions.EIPBadCertError + # XXX RAISE! See #638 + #raise eipexceptions.EIPBadCertError # XXX get requests.exceptions.ConnectionError Errno 110 # Connection timed out, and raise ours. else: @@ -227,7 +228,11 @@ class ProviderCertChecker(object): if verify is True and self.cacert is not None: verify = self.cacert try: - req = self.fetcher.get(uri, verify=verify) + # XXX FIXME!!!! + # verify=verify + # Workaround for #638. return to verification + # when That's done!!! + req = self.fetcher.get(uri, verify=False) req.raise_for_status() except requests.exceptions.SSLError: logger.warning('SSLError while fetching cert. ' @@ -452,6 +457,7 @@ class EIPConfigChecker(object): # XXX TODO: # We should WRITE eip config if missing or # incomplete at this point + #self.eipconfig.save() # # private helpers -- cgit v1.2.3 From ddf5e546916ad94c62b1e42b6f03831f906b2f29 Mon Sep 17 00:00:00 2001 From: antialias Date: Mon, 24 Sep 2012 17:34:25 -0400 Subject: improved network checks on the way to a network checker. --- src/leap/eip/checks.py | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 9b7b1cee..82940fd3 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -70,21 +70,20 @@ class LeapNetworkChecker(object): checker.is_internet_up() checker.ping_gateway() - def test_internet_connection(self): - # XXX we're not passing the error anywhere. - # XXX we probably should raise an exception here? - # unless we use this as smoke test + def check_internet_connection(self): try: # XXX remove this hardcoded random ip requests.get('http://216.172.161.165') except (requests.HTTPError, requests.RequestException) as e: - self.error = e.message - except requests.ConenctionError as e: + raise eipexceptions.NoInternetConnection(e.message) + except requests.ConnectionError as e: + error = "Unidentified Connection Error" if e.message == "[Errno 113] No route to host": if not self.is_internet_up(): - self.error = "No valid internet connection found." + error = "No valid internet connection found." else: - self.error = "Provider server appears to be down." + error = "Provider server appears to be down." + raise eipexceptions.NoInternetConnection(error) def is_internet_up(self): iface, gateway = self.get_default_interface_gateway() -- cgit v1.2.3 From 4c183e81074066eb2b064896fbb741e99c50286d Mon Sep 17 00:00:00 2001 From: antialias Date: Mon, 24 Sep 2012 17:44:21 -0400 Subject: Missed a renaming of test_internet_connection to check_internet_connection. --- src/leap/eip/checks.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 82940fd3..20d1296d 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -66,7 +66,7 @@ class LeapNetworkChecker(object): self.error = None # ? # for MVS - checker.test_internet_connection() + checker.check_internet_connection() checker.is_internet_up() checker.ping_gateway() -- cgit v1.2.3 From 15b017656e6865b7b85ae389ab3b462c562a1e42 Mon Sep 17 00:00:00 2001 From: antialias Date: Tue, 25 Sep 2012 16:05:02 -0400 Subject: moved LeapNetworkChecker and test in base. --- src/leap/eip/checks.py | 76 -------------------------------------------------- 1 file changed, 76 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 20d1296d..9872f8d8 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -39,10 +39,6 @@ into base.tests to be invoked by the base leap init routines. However, I'm testing them alltogether for the sake of having the whole unit reachable and testable as a whole. -LeapNetworkChecker ------------------- -Network checks. To be moved to base. -docs TBD """ @@ -52,78 +48,6 @@ def get_ca_cert(): return certs.where(ca_file) -class LeapNetworkChecker(object): - """ - all network related checks - """ - # XXX to be moved to leap.base.checks - # TODO eventually, use a more portable solution - # like psutil - - def run_all(self, checker=None): - if not checker: - checker = self - self.error = None # ? - - # for MVS - checker.check_internet_connection() - checker.is_internet_up() - checker.ping_gateway() - - def check_internet_connection(self): - try: - # XXX remove this hardcoded random ip - requests.get('http://216.172.161.165') - except (requests.HTTPError, requests.RequestException) as e: - raise eipexceptions.NoInternetConnection(e.message) - except requests.ConnectionError as e: - error = "Unidentified Connection Error" - if e.message == "[Errno 113] No route to host": - if not self.is_internet_up(): - error = "No valid internet connection found." - else: - error = "Provider server appears to be down." - raise eipexceptions.NoInternetConnection(error) - - def is_internet_up(self): - iface, gateway = self.get_default_interface_gateway() - self.ping_gateway(self) - - def get_default_interface_gateway(self): - """only impletemented for linux so far.""" - if not platform.system() == "Linux": - raise NotImplementedError - - f = open("/proc/net/route") - route_table = f.readlines() - f.close() - #toss out header - route_table.pop(0) - - default_iface = None - gateway = None - while route_table: - line = route_table.pop(0) - iface, destination, gateway = line.split('\t')[0:3] - if destination == '00000000': - default_iface = iface - break - - if not default_iface: - raise eipexceptions.NoDefaultInterfaceFoundError - - if default_iface not in netifaces.interfaces(): - raise eipexceptions.InterfaceNotFoundError - - return default_iface, gateway - - def ping_gateway(self, gateway): - #TODO: Discuss how much packet loss (%) is acceptable. - packet_loss = ping.quiet_ping(gateway)[0] - if packet_loss > baseconstants.MAX_ICMP_PACKET_LOSS: - raise eipexceptions.NoConnectionToGateway - - class ProviderCertChecker(object): """ Several checks needed for getting -- cgit v1.2.3 From abf481cab381a86d8a9c5607a131b56636081382 Mon Sep 17 00:00:00 2001 From: kali Date: Tue, 25 Sep 2012 05:48:06 +0900 Subject: refactored jsonconfig, included jsonschema validation and type casting. --- src/leap/eip/checks.py | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 5ace1479..898af2fe 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -197,7 +197,8 @@ class ProviderCertChecker(object): logger.warning('False! CERT VERIFICATION FAILED! ' '(this should be CRITICAL)') logger.warning('SSLError: %s', exc.message) - raise eipexceptions.EIPBadCertError + # XXX RAISE! See #638 + #raise eipexceptions.EIPBadCertError # XXX get requests.exceptions.ConnectionError Errno 110 # Connection timed out, and raise ours. else: @@ -227,7 +228,11 @@ class ProviderCertChecker(object): if verify is True and self.cacert is not None: verify = self.cacert try: - req = self.fetcher.get(uri, verify=verify) + # XXX FIXME!!!! + # verify=verify + # Workaround for #638. return to verification + # when That's done!!! + req = self.fetcher.get(uri, verify=False) req.raise_for_status() except requests.exceptions.SSLError: logger.warning('SSLError while fetching cert. ' @@ -452,6 +457,7 @@ class EIPConfigChecker(object): # XXX TODO: # We should WRITE eip config if missing or # incomplete at this point + #self.eipconfig.save() # # private helpers -- cgit v1.2.3 From 3ad57cfe2851038a6e7231a428f70ea8985f7b1e Mon Sep 17 00:00:00 2001 From: kali Date: Fri, 5 Oct 2012 11:01:55 +0900 Subject: fix cert needed evaluation --- src/leap/eip/checks.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 898af2fe..f79d47f5 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -257,7 +257,7 @@ class ProviderCertChecker(object): valid = exists() and valid_pemfile() and not_expired() if not valid: if do_raise: - raise Exception('missing cert') + raise Exception('missing valid cert') else: return False return True @@ -273,7 +273,9 @@ class ProviderCertChecker(object): with open(certfile) as cf: cert_s = cf.read() cert = crypto.X509Certificate(cert_s) - return cert.activation_time < now() < cert.expiration_time + from_ = time.gmtime(cert.activation_time) + to_ = time.gmtime(cert.expiration_time) + return from_ < now() < to_ def is_valid_pemfile(self, cert_s=None): """ -- cgit v1.2.3 From aee621fbe90016f368c74978d47b15eeb656a853 Mon Sep 17 00:00:00 2001 From: kali Date: Fri, 5 Oct 2012 19:52:14 +0900 Subject: todo comments --- src/leap/eip/checks.py | 3 +++ 1 file changed, 3 insertions(+) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index f79d47f5..413a3467 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -232,6 +232,9 @@ class ProviderCertChecker(object): # verify=verify # Workaround for #638. return to verification # when That's done!!! + + # XXX HOOK SRP here... + # will have to be more generic in the future. req = self.fetcher.get(uri, verify=False) req.raise_for_status() except requests.exceptions.SSLError: -- cgit v1.2.3 From 6728eb9afb21bad867e4052a6190a9bdb34c928a Mon Sep 17 00:00:00 2001 From: kali Date: Mon, 8 Oct 2012 07:50:24 +0900 Subject: popup dialog error when network error happens we are shutting down for now. we should be acting upon failures in the near future. lowered the recurrent checks interval to 10 seconds. --- src/leap/eip/checks.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 9872f8d8..b68ee23a 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -1,12 +1,12 @@ import logging import ssl -import platform +#import platform import time import os from gnutls import crypto -import netifaces -import ping +#import netifaces +#import ping import requests from leap import __branding as BRANDING -- cgit v1.2.3 From e1dbfc454180a77ebb38ecae6244ac4abe6d0ac5 Mon Sep 17 00:00:00 2001 From: kali Date: Thu, 18 Oct 2012 09:30:53 +0900 Subject: catch cert verification errors and ask user for trust with a little helper function using gnutls --- src/leap/eip/checks.py | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index f739c3e8..c704aef3 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -94,6 +94,7 @@ class ProviderCertChecker(object): raise NotImplementedError def is_there_provider_ca(self): + # XXX remove for generic build from leap import certs logger.debug('do we have provider_ca?') cacert_path = BRANDING.get('provider_ca_file', None) @@ -104,30 +105,46 @@ class ProviderCertChecker(object): logger.debug('True') return True - def is_https_working(self, uri=None, verify=True): + def is_https_working( + self, uri=None, verify=True, + autocacert=False): if uri is None: uri = self._get_root_uri() # XXX raise InsecureURI or something better - assert uri.startswith('https') - if verify is True and self.cacert is not None: + try: + assert uri.startswith('https') + except AssertionError: + raise AssertionError( + "uri passed should start with https") + if autocacert and verify is True and self.cacert is not None: logger.debug('verify cert: %s', self.cacert) verify = self.cacert logger.debug('is https working?') logger.debug('uri: %s (verify:%s)', uri, verify) try: self.fetcher.get(uri, verify=verify) + + except requests.exceptions.SSLError as exc: + logger.error("SSLError") + raise eipexceptions.HttpsBadCertError + + except requests.exceptions.ConnectionError: + logger.error('ConnectionError') + raise eipexceptions.HttpsNotSupported + except requests.exceptions.SSLError as exc: logger.warning('False! CERT VERIFICATION FAILED! ' '(this should be CRITICAL)') logger.warning('SSLError: %s', exc.message) # XXX RAISE! See #638 #raise eipexceptions.EIPBadCertError - # XXX get requests.exceptions.ConnectionError Errno 110 - # Connection timed out, and raise ours. else: logger.debug('True') return True + def get_certificate_fingerprint(self, domain): + pass + def check_new_cert_needed(self, skip_download=False, verify=True): logger.debug('is new cert needed?') if not self.is_cert_valid(do_raise=False): -- cgit v1.2.3 From bc775969e2db31b892526b65a5037470a86b3882 Mon Sep 17 00:00:00 2001 From: kali Date: Fri, 19 Oct 2012 06:12:14 +0900 Subject: logic for cert validation widgets in wizard --- src/leap/eip/checks.py | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index c704aef3..560f7f53 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -142,9 +142,6 @@ class ProviderCertChecker(object): logger.debug('True') return True - def get_certificate_fingerprint(self, domain): - pass - def check_new_cert_needed(self, skip_download=False, verify=True): logger.debug('is new cert needed?') if not self.is_cert_valid(do_raise=False): @@ -347,7 +344,8 @@ class EIPConfigChecker(object): return True def fetch_definition(self, skip_download=False, - config=None, uri=None): + config=None, uri=None, + domain=None): """ fetches a definition file from server """ @@ -364,7 +362,8 @@ class EIPConfigChecker(object): if config is None: config = self.defaultprovider.config if uri is None: - domain = config.get('provider', None) + if not domain: + domain = config.get('provider', None) uri = self._get_provider_definition_uri(domain=domain) # FIXME! Pass ca path verify!!! -- cgit v1.2.3 From 2a01c969e0f8dff575007043996c3b0489e20e75 Mon Sep 17 00:00:00 2001 From: kali Date: Fri, 19 Oct 2012 08:18:34 +0900 Subject: download ca cert from provider --- src/leap/eip/checks.py | 53 +++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 44 insertions(+), 9 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 560f7f53..e925e11c 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -4,13 +4,14 @@ import ssl import time import os -from gnutls import crypto +import gnutls.crypto #import netifaces #import ping import requests from leap import __branding as BRANDING from leap import certs +from leap.base import config as baseconfig from leap.base import constants as baseconstants from leap.base import providers from leap.eip import config as eipconfig @@ -54,18 +55,25 @@ class ProviderCertChecker(object): client certs and checking tls connection with provider. """ - def __init__(self, fetcher=requests): + def __init__(self, fetcher=requests, + domain=None): + self.fetcher = fetcher + self.domain = domain self.cacert = get_ca_cert() - def run_all(self, checker=None, skip_download=False, skip_verify=False): + def run_all( + self, checker=None, + skip_download=False, skip_verify=False): + if not checker: checker = self do_verify = not skip_verify logger.debug('do_verify: %s', do_verify) - # For MVS+ # checker.download_ca_cert() + + # For MVS+ # checker.download_ca_signature() # checker.get_ca_signatures() # checker.is_there_trust_path() @@ -77,9 +85,19 @@ class ProviderCertChecker(object): checker.is_https_working(verify=do_verify) checker.check_new_cert_needed(verify=do_verify) - def download_ca_cert(self): - # MVS+ - raise NotImplementedError + def download_ca_cert(self, uri=None, verify=True): + req = self.fetcher.get(uri, verify=verify) + req.raise_for_status() + + # should check domain exists + capath = self._get_ca_cert_path(self.domain) + with open(capath, 'w') as f: + f.write(req.content) + + def check_ca_cert_fingerprint( + self, hash_type="SHA256", + fingerprint=None): + pass def download_ca_signature(self): # MVS+ @@ -94,11 +112,12 @@ class ProviderCertChecker(object): raise NotImplementedError def is_there_provider_ca(self): - # XXX remove for generic build + # XXX modify for generic build from leap import certs logger.debug('do we have provider_ca?') cacert_path = BRANDING.get('provider_ca_file', None) if not cacert_path: + # XXX look from the domain logger.debug('False') return False self.cacert = certs.where(cacert_path) @@ -212,7 +231,7 @@ class ProviderCertChecker(object): certfile = self._get_client_cert_path() with open(certfile) as cf: cert_s = cf.read() - cert = crypto.X509Certificate(cert_s) + cert = gnutls.crypto.X509Certificate(cert_s) from_ = time.gmtime(cert.activation_time) to_ = time.gmtime(cert.expiration_time) return from_ < now() < to_ @@ -247,6 +266,10 @@ class ProviderCertChecker(object): raise return True + @property + def ca_cert_path(self): + return self._get_ca_cert_path() + def _get_root_uri(self): return u"https://%s/" % baseconstants.DEFAULT_PROVIDER @@ -258,6 +281,18 @@ class ProviderCertChecker(object): # MVS+ : get provider path return eipspecs.client_cert_path() + def _get_ca_cert_path(self, domain): + # XXX this folder path will be broken for win + # and this should be moved to eipspecs.ca_path + + capath = baseconfig.get_config_file( + 'cacert.pem', + folder='providers/%s/certs/ca' % domain) + folder, fname = os.path.split(capath) + if not os.path.isdir(folder): + mkdir_p(folder) + return capath + def write_cert(self, pemfile_content, to=None): folder, filename = os.path.split(to) if not os.path.isdir(folder): -- cgit v1.2.3 From 634030e5bba3fe7c2ea3632fff252a60b471487a Mon Sep 17 00:00:00 2001 From: kali Date: Fri, 19 Oct 2012 09:05:14 +0900 Subject: ca cert fingerprint check + api cert verification --- src/leap/eip/checks.py | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index e925e11c..1c29dab1 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -10,10 +10,11 @@ import gnutls.crypto import requests from leap import __branding as BRANDING -from leap import certs +from leap import certs as leapcerts from leap.base import config as baseconfig from leap.base import constants as baseconstants from leap.base import providers +from leap.crypto import certs from leap.eip import config as eipconfig from leap.eip import constants as eipconstants from leap.eip import exceptions as eipexceptions @@ -46,7 +47,7 @@ reachable and testable as a whole. def get_ca_cert(): ca_file = BRANDING.get('provider_ca_file') if ca_file: - return certs.where(ca_file) + return leapcerts.where(ca_file) class ProviderCertChecker(object): @@ -97,7 +98,18 @@ class ProviderCertChecker(object): def check_ca_cert_fingerprint( self, hash_type="SHA256", fingerprint=None): - pass + ca_cert_path = self.ca_cert_path + ca_cert_fpr = certs.get_cert_fingerprint( + filepath=ca_cert_path) + return ca_cert_fpr == fingerprint + + def verify_api_https(self, uri): + assert uri.startswith('https://') + cacert = self.ca_cert_path + verify = cacert and cacert or True + req = self.fetcher.get(uri, verify=verify) + req.raise_for_status() + return True def download_ca_signature(self): # MVS+ @@ -268,7 +280,7 @@ class ProviderCertChecker(object): @property def ca_cert_path(self): - return self._get_ca_cert_path() + return self._get_ca_cert_path(self.domain) def _get_root_uri(self): return u"https://%s/" % baseconstants.DEFAULT_PROVIDER -- cgit v1.2.3 From b0be517ed8b2fb9dd0a38dad5b5c06741b6b9b09 Mon Sep 17 00:00:00 2001 From: kali Date: Fri, 19 Oct 2012 11:02:44 +0900 Subject: add bug number in log for #638 cases (domain name mismatch) --- src/leap/eip/checks.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 1c29dab1..74afd677 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -164,7 +164,7 @@ class ProviderCertChecker(object): raise eipexceptions.HttpsNotSupported except requests.exceptions.SSLError as exc: - logger.warning('False! CERT VERIFICATION FAILED! ' + logger.warning('BUG #638 CERT VERIFICATION FAILED! ' '(this should be CRITICAL)') logger.warning('SSLError: %s', exc.message) # XXX RAISE! See #638 -- cgit v1.2.3 From f791a83ce57cef7010da819d61e7f5132fa4611e Mon Sep 17 00:00:00 2001 From: kali Date: Sat, 20 Oct 2012 06:30:16 +0900 Subject: connecting page and changes to functions having to do with the default path to certs. --- src/leap/eip/checks.py | 67 +++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 52 insertions(+), 15 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 74afd677..635308bb 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -11,6 +11,7 @@ import requests from leap import __branding as BRANDING from leap import certs as leapcerts +from leap.base.auth import srpauth_protected from leap.base import config as baseconfig from leap.base import constants as baseconstants from leap.base import providers @@ -98,6 +99,17 @@ class ProviderCertChecker(object): def check_ca_cert_fingerprint( self, hash_type="SHA256", fingerprint=None): + """ + compares the fingerprint in + the ca cert with a string + we are passed + returns True if they are equal, False if not. + @param hash_type: digest function + @type hash_type: str + @param fingerprint: the fingerprint to compare with. + @type fingerprint: str (with : separator) + @rtype bool + """ ca_cert_path = self.ca_cert_path ca_cert_fpr = certs.get_cert_fingerprint( filepath=ca_cert_path) @@ -185,7 +197,8 @@ class ProviderCertChecker(object): return False def download_new_client_cert(self, uri=None, verify=True, - skip_download=False): + skip_download=False, + credentials=None): logger.debug('download new client cert') if skip_download: return True @@ -193,18 +206,34 @@ class ProviderCertChecker(object): uri = self._get_client_cert_uri() # XXX raise InsecureURI or something better assert uri.startswith('https') + if verify is True and self.cacert is not None: verify = self.cacert + + fgetfn = self.fetcher.get + + if credentials: + user, passwd = credentials + + @srpauth_protected(user, passwd) + def getfn(*args, **kwargs): + return fgetfn(*args, **kwargs) + + else: + # XXX use magic_srpauth decorator instead, + # merge with the branch above + def getfn(*args, **kwargs): + return fgetfn(*args, **kwargs) try: + # XXX FIXME!!!! # verify=verify # Workaround for #638. return to verification # when That's done!!! - - # XXX HOOK SRP here... - # will have to be more generic in the future. - req = self.fetcher.get(uri, verify=False) + #req = self.fetcher.get(uri, verify=False) + req = getfn(uri, verify=False) req.raise_for_status() + except requests.exceptions.SSLError: logger.warning('SSLError while fetching cert. ' 'Look below for stack trace.') @@ -283,23 +312,26 @@ class ProviderCertChecker(object): return self._get_ca_cert_path(self.domain) def _get_root_uri(self): - return u"https://%s/" % baseconstants.DEFAULT_PROVIDER + return u"https://%s/" % self.domain def _get_client_cert_uri(self): # XXX get the whole thing from constants - return "https://%s/1/cert" % (baseconstants.DEFAULT_PROVIDER) + return "https://%s/1/cert" % self.domain def _get_client_cert_path(self): # MVS+ : get provider path - return eipspecs.client_cert_path() + return eipspecs.client_cert_path(domain=self.domain) def _get_ca_cert_path(self, domain): # XXX this folder path will be broken for win # and this should be moved to eipspecs.ca_path + # XXX use baseconfig.get_provider_path(folder=Foo) + # !!! + capath = baseconfig.get_config_file( 'cacert.pem', - folder='providers/%s/certs/ca' % domain) + folder='providers/%s/keys/ca' % domain) folder, fname = os.path.split(capath) if not os.path.isdir(folder): mkdir_p(folder) @@ -321,16 +353,20 @@ class EIPConfigChecker(object): use run_all to run all checks. """ - def __init__(self, fetcher=requests): + def __init__(self, fetcher=requests, domain=None): # we do not want to accept too many # argument on init. # we want tests # to be explicitely run. + self.fetcher = fetcher - self.eipconfig = eipconfig.EIPConfig() - self.defaultprovider = providers.LeapProviderDefinition() - self.eipserviceconfig = eipconfig.EIPServiceConfig() + # if not domain, get from config + self.domain = domain + + self.eipconfig = eipconfig.EIPConfig(domain=domain) + self.defaultprovider = providers.LeapProviderDefinition(domain=domain) + self.eipserviceconfig = eipconfig.EIPServiceConfig(domain=domain) def run_all(self, checker=None, skip_download=False): """ @@ -421,13 +457,14 @@ class EIPConfigChecker(object): self.defaultprovider.save() def fetch_eip_service_config(self, skip_download=False, - config=None, uri=None): + config=None, uri=None, domain=None): if skip_download: return True if config is None: config = self.eipserviceconfig.config if uri is None: - domain = config.get('provider', None) + if not domain: + domain = config.get('provider', None) uri = self._get_eip_service_uri(domain=domain) self.eipserviceconfig.load(from_uri=uri, fetcher=self.fetcher) -- cgit v1.2.3 From a85e488ed323ba35b9d12c5cc344bf06337a9a00 Mon Sep 17 00:00:00 2001 From: kali Date: Sat, 20 Oct 2012 07:13:22 +0900 Subject: add bypass for already trusted fingerprints --- src/leap/eip/checks.py | 1 - 1 file changed, 1 deletion(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 635308bb..b335b857 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -319,7 +319,6 @@ class ProviderCertChecker(object): return "https://%s/1/cert" % self.domain def _get_client_cert_path(self): - # MVS+ : get provider path return eipspecs.client_cert_path(domain=self.domain) def _get_ca_cert_path(self, domain): -- cgit v1.2.3 From 0060d3c74adce19fab7215b3788c5197cc05a9ae Mon Sep 17 00:00:00 2001 From: kali Date: Wed, 24 Oct 2012 04:05:19 +0900 Subject: sign up branch ends by triggering eip connection still need to bind signals properly, and block on the validation process until we receive the "connected" signal. but the basic flow is working again, i.e, user should be able to remove the .config/leap folder and get all the needed info from the provider. --- src/leap/eip/checks.py | 37 +++++++++++++++++-------------------- 1 file changed, 17 insertions(+), 20 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index b335b857..44c8f234 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -45,7 +45,8 @@ reachable and testable as a whole. """ -def get_ca_cert(): +def get_branding_ca_cert(domain): + # XXX deprecated ca_file = BRANDING.get('provider_ca_file') if ca_file: return leapcerts.where(ca_file) @@ -62,7 +63,7 @@ class ProviderCertChecker(object): self.fetcher = fetcher self.domain = domain - self.cacert = get_ca_cert() + self.cacert = eipspecs.provider_ca_path(domain) def run_all( self, checker=None, @@ -84,7 +85,7 @@ class ProviderCertChecker(object): checker.is_there_provider_ca() # XXX FAKE IT!!! - checker.is_https_working(verify=do_verify) + checker.is_https_working(verify=do_verify, autocacert=True) checker.check_new_cert_needed(verify=do_verify) def download_ca_cert(self, uri=None, verify=True): @@ -136,17 +137,14 @@ class ProviderCertChecker(object): raise NotImplementedError def is_there_provider_ca(self): - # XXX modify for generic build - from leap import certs - logger.debug('do we have provider_ca?') - cacert_path = BRANDING.get('provider_ca_file', None) - if not cacert_path: - # XXX look from the domain - logger.debug('False') + if not self.cacert: return False - self.cacert = certs.where(cacert_path) - logger.debug('True') - return True + cacert_exists = os.path.isfile(self.cacert) + if cacert_exists: + logger.debug('True') + return True + logger.debug('False!') + return False def is_https_working( self, uri=None, verify=True, @@ -162,6 +160,7 @@ class ProviderCertChecker(object): if autocacert and verify is True and self.cacert is not None: logger.debug('verify cert: %s', self.cacert) verify = self.cacert + #import pdb4qt; pdb4qt.set_trace() logger.debug('is https working?') logger.debug('uri: %s (verify:%s)', uri, verify) try: @@ -169,18 +168,16 @@ class ProviderCertChecker(object): except requests.exceptions.SSLError as exc: logger.error("SSLError") - raise eipexceptions.HttpsBadCertError + # XXX RAISE! See #638 + #raise eipexceptions.HttpsBadCertError + logger.warning('BUG #638 CERT VERIFICATION FAILED! ' + '(this should be CRITICAL)') + logger.warning('SSLError: %s', exc.message) except requests.exceptions.ConnectionError: logger.error('ConnectionError') raise eipexceptions.HttpsNotSupported - except requests.exceptions.SSLError as exc: - logger.warning('BUG #638 CERT VERIFICATION FAILED! ' - '(this should be CRITICAL)') - logger.warning('SSLError: %s', exc.message) - # XXX RAISE! See #638 - #raise eipexceptions.EIPBadCertError else: logger.debug('True') return True -- cgit v1.2.3 From ec888610b0a76cf5d0659e51f36265a4de42b8d7 Mon Sep 17 00:00:00 2001 From: kali Date: Wed, 24 Oct 2012 07:41:21 +0900 Subject: fix checks that were getting default provider domain var still --- src/leap/eip/checks.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 44c8f234..cd9d9972 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -495,7 +495,7 @@ class EIPConfigChecker(object): def _get_provider_definition_uri(self, domain=None, path=None): if domain is None: - domain = baseconstants.DEFAULT_PROVIDER + domain = self.domain or baseconstants.DEFAULT_PROVIDER if path is None: path = baseconstants.DEFINITION_EXPECTED_PATH uri = u"https://%s/%s" % (domain, path) @@ -504,7 +504,7 @@ class EIPConfigChecker(object): def _get_eip_service_uri(self, domain=None, path=None): if domain is None: - domain = baseconstants.DEFAULT_PROVIDER + domain = self.domain or baseconstants.DEFAULT_PROVIDER if path is None: path = eipconstants.EIP_SERVICE_EXPECTED_PATH uri = "https://%s/%s" % (domain, path) -- cgit v1.2.3 From 0590991d7777de473a7df21ed32e1fa7caa9cf4b Mon Sep 17 00:00:00 2001 From: kali Date: Fri, 26 Oct 2012 00:12:08 +0900 Subject: user credentials saved on login/signup branches. cert request is using magick decorator that retrieves the certificates using srp. --- src/leap/eip/checks.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index cd9d9972..ae3634bc 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -11,7 +11,7 @@ import requests from leap import __branding as BRANDING from leap import certs as leapcerts -from leap.base.auth import srpauth_protected +from leap.base.auth import srpauth_protected, magick_srpauth from leap.base import config as baseconfig from leap.base import constants as baseconstants from leap.base import providers @@ -217,8 +217,7 @@ class ProviderCertChecker(object): return fgetfn(*args, **kwargs) else: - # XXX use magic_srpauth decorator instead, - # merge with the branch above + @magick_srpauth def getfn(*args, **kwargs): return fgetfn(*args, **kwargs) try: -- cgit v1.2.3 From b84007d8fec8c949ba4ac1d26695c710a210d797 Mon Sep 17 00:00:00 2001 From: kali Date: Thu, 8 Nov 2012 08:37:24 +0900 Subject: more careful error catching during registration. added a twisted server that fakes some of the provider interaction. --- src/leap/eip/checks.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index ae3634bc..9bd96a1c 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -212,12 +212,12 @@ class ProviderCertChecker(object): if credentials: user, passwd = credentials - @srpauth_protected(user, passwd) + @srpauth_protected(user, passwd, verify) def getfn(*args, **kwargs): return fgetfn(*args, **kwargs) else: - @magick_srpauth + @magick_srpauth(verify) def getfn(*args, **kwargs): return fgetfn(*args, **kwargs) try: -- cgit v1.2.3 From fc857d25025ea07d46a8c8f5ffd4fb2902a76c13 Mon Sep 17 00:00:00 2001 From: kali Date: Mon, 12 Nov 2012 10:04:09 +0900 Subject: fix cert fetching over https --- src/leap/eip/checks.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 9bd96a1c..caaef2ea 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -212,11 +212,16 @@ class ProviderCertChecker(object): if credentials: user, passwd = credentials - @srpauth_protected(user, passwd, verify) + logger.debug('domain = %s', self.domain) + + @srpauth_protected(user, passwd, + server="https://%s" % self.domain, + verify=verify) def getfn(*args, **kwargs): return fgetfn(*args, **kwargs) else: + # XXX FIXME fix decorated args @magick_srpauth(verify) def getfn(*args, **kwargs): return fgetfn(*args, **kwargs) -- cgit v1.2.3 From d2dcf5a1060d60c451570349a6a06ad102d6924c Mon Sep 17 00:00:00 2001 From: kali Date: Tue, 13 Nov 2012 21:54:04 +0900 Subject: fix missing provider parameter in leapconfig objects chain --- src/leap/eip/checks.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index caaef2ea..116c535e 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -450,6 +450,8 @@ class EIPConfigChecker(object): uri = self._get_provider_definition_uri(domain=domain) # FIXME! Pass ca path verify!!! + # BUG #638 + # FIXME FIXME FIXME self.defaultprovider.load( from_uri=uri, fetcher=self.fetcher, @@ -464,7 +466,7 @@ class EIPConfigChecker(object): config = self.eipserviceconfig.config if uri is None: if not domain: - domain = config.get('provider', None) + domain = self.domain or config.get('provider', None) uri = self._get_eip_service_uri(domain=domain) self.eipserviceconfig.load(from_uri=uri, fetcher=self.fetcher) -- cgit v1.2.3 From 53fa2c134ab2c96376276aa1c0ed74db0aaba218 Mon Sep 17 00:00:00 2001 From: kali Date: Mon, 10 Dec 2012 23:20:09 +0900 Subject: get cipher config from eip-service --- src/leap/eip/checks.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 116c535e..a876eea1 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -427,6 +427,7 @@ class EIPConfigChecker(object): return True def fetch_definition(self, skip_download=False, + force_download=False, config=None, uri=None, domain=None): """ @@ -459,6 +460,7 @@ class EIPConfigChecker(object): self.defaultprovider.save() def fetch_eip_service_config(self, skip_download=False, + force_download=False, config=None, uri=None, domain=None): if skip_download: return True @@ -469,7 +471,10 @@ class EIPConfigChecker(object): domain = self.domain or config.get('provider', None) uri = self._get_eip_service_uri(domain=domain) - self.eipserviceconfig.load(from_uri=uri, fetcher=self.fetcher) + self.eipserviceconfig.load( + from_uri=uri, + fetcher=self.fetcher, + force_download=force_download) self.eipserviceconfig.save() def check_complete_eip_config(self, config=None): -- cgit v1.2.3 From 04d423e2a89034dfb86fe305108162fd2a696079 Mon Sep 17 00:00:00 2001 From: kali Date: Wed, 12 Dec 2012 03:29:31 +0900 Subject: tests for openvpn options and make the rest of tests pass after some changes in this branch (dirtyness in config files) --- src/leap/eip/checks.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index a876eea1..8d615b94 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -502,7 +502,7 @@ class EIPConfigChecker(object): return self.eipconfig.exists() def _dump_default_eipconfig(self): - self.eipconfig.save() + self.eipconfig.save(force=True) def _get_provider_definition_uri(self, domain=None, path=None): if domain is None: -- cgit v1.2.3 From 4984f2c966d11f529a2a8b722814b748b6a524d2 Mon Sep 17 00:00:00 2001 From: kali Date: Wed, 12 Dec 2012 09:16:53 +0900 Subject: changed some values in new style eipconfig --- src/leap/eip/checks.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 8d615b94..92964a9d 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -242,7 +242,9 @@ class ProviderCertChecker(object): raise try: pemfile_content = req.content - self.is_valid_pemfile(pemfile_content) + valid = self.is_valid_pemfile(pemfile_content) + if not valid: + return False cert_path = self._get_client_cert_path() self.write_cert(pemfile_content, to=cert_path) except: @@ -303,6 +305,10 @@ class ProviderCertChecker(object): if len(certparts) > 1: cert_s = sep + certparts[1] ssl.PEM_cert_to_DER_cert(cert_s) + except ValueError: + # valid_pemfile raises a value error if not BEGIN_CERTIFICATE in + # there... + return False except: # XXX raise proper exception raise -- cgit v1.2.3 From d71e05fdefa7cb9699804bc93adba97921ca923f Mon Sep 17 00:00:00 2001 From: kali Date: Sat, 15 Dec 2012 02:23:36 +0900 Subject: workaround for not-yet-valid certs skipping valid_from ts on cert --- src/leap/eip/checks.py | 29 ++++++----------------------- 1 file changed, 6 insertions(+), 23 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 92964a9d..d7f4402b 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -160,7 +160,6 @@ class ProviderCertChecker(object): if autocacert and verify is True and self.cacert is not None: logger.debug('verify cert: %s', self.cacert) verify = self.cacert - #import pdb4qt; pdb4qt.set_trace() logger.debug('is https working?') logger.debug('uri: %s (verify:%s)', uri, verify) try: @@ -278,7 +277,10 @@ class ProviderCertChecker(object): cert = gnutls.crypto.X509Certificate(cert_s) from_ = time.gmtime(cert.activation_time) to_ = time.gmtime(cert.expiration_time) - return from_ < now() < to_ + # FIXME BUG ON LEAP_CLI, certs are not valid on gmtime + # See #1153 + #return from_ < now() < to_ + return now() < to_ def is_valid_pemfile(self, cert_s=None): """ @@ -292,27 +294,8 @@ class ProviderCertChecker(object): certfile = self._get_client_cert_path() with open(certfile) as cf: cert_s = cf.read() - try: - # XXX get a real cert validation - # so far this is only checking begin/end - # delimiters :) - # XXX use gnutls for get proper - # validation. - # crypto.X509Certificate(cert_s) - sep = "-" * 5 + "BEGIN CERTIFICATE" + "-" * 5 - # we might have private key and cert in the same file - certparts = cert_s.split(sep) - if len(certparts) > 1: - cert_s = sep + certparts[1] - ssl.PEM_cert_to_DER_cert(cert_s) - except ValueError: - # valid_pemfile raises a value error if not BEGIN_CERTIFICATE in - # there... - return False - except: - # XXX raise proper exception - raise - return True + valid = certs.can_load_cert_and_pkey(cert_s) + return valid @property def ca_cert_path(self): -- cgit v1.2.3 From 75057e55828accb62beef1f73364edd82a75ed30 Mon Sep 17 00:00:00 2001 From: kali Date: Tue, 18 Dec 2012 05:54:50 +0900 Subject: do not pass CA.crt to checks for https also skip temporary errors when previous openvpn process vanishes. --- src/leap/eip/checks.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index d7f4402b..4afba8b6 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -84,8 +84,7 @@ class ProviderCertChecker(object): # For MVS checker.is_there_provider_ca() - # XXX FAKE IT!!! - checker.is_https_working(verify=do_verify, autocacert=True) + checker.is_https_working(verify=do_verify, autocacert=False) checker.check_new_cert_needed(verify=do_verify) def download_ca_cert(self, uri=None, verify=True): -- cgit v1.2.3 From 20f779b644a551bf56cb735868c55cd50d7c3610 Mon Sep 17 00:00:00 2001 From: kali Date: Tue, 18 Dec 2012 21:07:06 +0900 Subject: catch gnutls error while validating pemfile --- src/leap/eip/checks.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 4afba8b6..65596d1c 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -293,7 +293,11 @@ class ProviderCertChecker(object): certfile = self._get_client_cert_path() with open(certfile) as cf: cert_s = cf.read() - valid = certs.can_load_cert_and_pkey(cert_s) + try: + valid = certs.can_load_cert_and_pkey(cert_s) + except certs.BadCertError: + logger.warning("Not valid pemfile") + valid = False return valid @property -- cgit v1.2.3 From e98c3cc5fad75bea038dc67238e5ce85d701b1e1 Mon Sep 17 00:00:00 2001 From: kali Date: Thu, 20 Dec 2012 02:50:52 +0900 Subject: fix broken tests --- src/leap/eip/checks.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 65596d1c..9ae6e5f5 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -278,8 +278,8 @@ class ProviderCertChecker(object): to_ = time.gmtime(cert.expiration_time) # FIXME BUG ON LEAP_CLI, certs are not valid on gmtime # See #1153 - #return from_ < now() < to_ - return now() < to_ + return from_ < now() < to_ + #return now() < to_ def is_valid_pemfile(self, cert_s=None): """ -- cgit v1.2.3 From 460dd7c20408958dda1ca8e77050e9af334b558f Mon Sep 17 00:00:00 2001 From: kali Date: Wed, 9 Jan 2013 05:02:21 +0900 Subject: fix from_login --- src/leap/eip/checks.py | 3 --- 1 file changed, 3 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 9ae6e5f5..a002e2d9 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -276,10 +276,7 @@ class ProviderCertChecker(object): cert = gnutls.crypto.X509Certificate(cert_s) from_ = time.gmtime(cert.activation_time) to_ = time.gmtime(cert.expiration_time) - # FIXME BUG ON LEAP_CLI, certs are not valid on gmtime - # See #1153 return from_ < now() < to_ - #return now() < to_ def is_valid_pemfile(self, cert_s=None): """ -- cgit v1.2.3 From f55dcd717a946651492142ed198853b1c667254b Mon Sep 17 00:00:00 2001 From: kali Date: Thu, 10 Jan 2013 02:00:21 +0900 Subject: renamed connection page --- src/leap/eip/checks.py | 22 ++++++++-------------- 1 file changed, 8 insertions(+), 14 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index a002e2d9..b14e5dd3 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -164,13 +164,12 @@ class ProviderCertChecker(object): try: self.fetcher.get(uri, verify=verify) - except requests.exceptions.SSLError as exc: + except requests.exceptions.SSLError: # as exc: logger.error("SSLError") - # XXX RAISE! See #638 - #raise eipexceptions.HttpsBadCertError - logger.warning('BUG #638 CERT VERIFICATION FAILED! ' - '(this should be CRITICAL)') - logger.warning('SSLError: %s', exc.message) + raise eipexceptions.HttpsBadCertError + #logger.warning('BUG #638 CERT VERIFICATION FAILED! ' + #'(this should be CRITICAL)') + #logger.warning('SSLError: %s', exc.message) except requests.exceptions.ConnectionError: logger.error('ConnectionError') @@ -225,12 +224,7 @@ class ProviderCertChecker(object): return fgetfn(*args, **kwargs) try: - # XXX FIXME!!!! - # verify=verify - # Workaround for #638. return to verification - # when That's done!!! - #req = self.fetcher.get(uri, verify=False) - req = getfn(uri, verify=False) + req = getfn(uri, verify=verify) req.raise_for_status() except requests.exceptions.SSLError: @@ -444,8 +438,8 @@ class EIPConfigChecker(object): # FIXME FIXME FIXME self.defaultprovider.load( from_uri=uri, - fetcher=self.fetcher, - verify=False) + fetcher=self.fetcher) + #verify=False) self.defaultprovider.save() def fetch_eip_service_config(self, skip_download=False, -- cgit v1.2.3 From 6d85c97ddcc8a151b157919e9a7322fba151a551 Mon Sep 17 00:00:00 2001 From: kali Date: Fri, 11 Jan 2013 03:00:41 +0900 Subject: all calls except the first one are made to api uri we also parse the port number --- src/leap/eip/checks.py | 85 ++++++++++++++++++++++++++++++++++---------------- 1 file changed, 58 insertions(+), 27 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index b14e5dd3..bd158e1e 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -1,5 +1,5 @@ import logging -import ssl +#import ssl #import platform import time import os @@ -21,6 +21,8 @@ from leap.eip import constants as eipconstants from leap.eip import exceptions as eipexceptions from leap.eip import specs as eipspecs from leap.util.fileutil import mkdir_p +from leap.util.web import get_https_domain_and_port +from leap.util.misc import null_check logger = logging.getLogger(name=__name__) @@ -46,7 +48,7 @@ reachable and testable as a whole. def get_branding_ca_cert(domain): - # XXX deprecated + # deprecated ca_file = BRANDING.get('provider_ca_file') if ca_file: return leapcerts.where(ca_file) @@ -63,6 +65,10 @@ class ProviderCertChecker(object): self.fetcher = fetcher self.domain = domain + #XXX needs some kind of autoinit + #right now we set by hand + #by loading and reading provider config + self.apidomain = None self.cacert = eipspecs.provider_ca_path(domain) def run_all( @@ -159,7 +165,7 @@ class ProviderCertChecker(object): if autocacert and verify is True and self.cacert is not None: logger.debug('verify cert: %s', self.cacert) verify = self.cacert - logger.debug('is https working?') + logger.debug('checking https connection') logger.debug('uri: %s (verify:%s)', uri, verify) try: self.fetcher.get(uri, verify=verify) @@ -167,27 +173,24 @@ class ProviderCertChecker(object): except requests.exceptions.SSLError: # as exc: logger.error("SSLError") raise eipexceptions.HttpsBadCertError - #logger.warning('BUG #638 CERT VERIFICATION FAILED! ' - #'(this should be CRITICAL)') - #logger.warning('SSLError: %s', exc.message) except requests.exceptions.ConnectionError: logger.error('ConnectionError') raise eipexceptions.HttpsNotSupported else: - logger.debug('True') return True def check_new_cert_needed(self, skip_download=False, verify=True): + # XXX add autocacert logger.debug('is new cert needed?') if not self.is_cert_valid(do_raise=False): - logger.debug('True') + logger.debug('cert needed: true') self.download_new_client_cert( skip_download=skip_download, verify=verify) return True - logger.debug('False') + logger.debug('cert needed: false') return False def download_new_client_cert(self, uri=None, verify=True, @@ -199,20 +202,20 @@ class ProviderCertChecker(object): if uri is None: uri = self._get_client_cert_uri() # XXX raise InsecureURI or something better - assert uri.startswith('https') + #assert uri.startswith('https') if verify is True and self.cacert is not None: verify = self.cacert + logger.debug('verify = %s', verify) fgetfn = self.fetcher.get if credentials: user, passwd = credentials - - logger.debug('domain = %s', self.domain) + logger.debug('apidomain = %s', self.apidomain) @srpauth_protected(user, passwd, - server="https://%s" % self.domain, + server="https://%s" % self.apidomain, verify=verify) def getfn(*args, **kwargs): return fgetfn(*args, **kwargs) @@ -231,11 +234,16 @@ class ProviderCertChecker(object): logger.warning('SSLError while fetching cert. ' 'Look below for stack trace.') # XXX raise better exception - raise + return self.fail("SSLError") + except Exception as exc: + return self.fail(exc.message) + try: + logger.debug('validating cert...') pemfile_content = req.content valid = self.is_valid_pemfile(pemfile_content) if not valid: + logger.warning('invalid cert') return False cert_path = self._get_client_cert_path() self.write_cert(pemfile_content, to=cert_path) @@ -299,8 +307,7 @@ class ProviderCertChecker(object): return u"https://%s/" % self.domain def _get_client_cert_uri(self): - # XXX get the whole thing from constants - return "https://%s/1/cert" % self.domain + return "https://%s/1/cert" % self.apidomain def _get_client_cert_path(self): return eipspecs.client_cert_path(domain=self.domain) @@ -327,6 +334,9 @@ class ProviderCertChecker(object): with open(to, 'w') as cert_f: cert_f.write(pemfile_content) + def set_api_domain(self, domain): + self.apidomain = domain + class EIPConfigChecker(object): """ @@ -346,10 +356,15 @@ class EIPConfigChecker(object): # if not domain, get from config self.domain = domain + self.apidomain = None + self.cacert = eipspecs.provider_ca_path(domain) - self.eipconfig = eipconfig.EIPConfig(domain=domain) self.defaultprovider = providers.LeapProviderDefinition(domain=domain) + self.defaultprovider.load() + self.eipconfig = eipconfig.EIPConfig(domain=domain) + self.set_api_domain() self.eipserviceconfig = eipconfig.EIPServiceConfig(domain=domain) + self.eipserviceconfig.load() def run_all(self, checker=None, skip_download=False): """ @@ -433,31 +448,35 @@ class EIPConfigChecker(object): domain = config.get('provider', None) uri = self._get_provider_definition_uri(domain=domain) - # FIXME! Pass ca path verify!!! - # BUG #638 - # FIXME FIXME FIXME self.defaultprovider.load( from_uri=uri, fetcher=self.fetcher) - #verify=False) self.defaultprovider.save() def fetch_eip_service_config(self, skip_download=False, force_download=False, - config=None, uri=None, domain=None): + config=None, uri=None, # domain=None, + autocacert=True): if skip_download: return True if config is None: + self.eipserviceconfig.load() config = self.eipserviceconfig.config if uri is None: - if not domain: - domain = self.domain or config.get('provider', None) - uri = self._get_eip_service_uri(domain=domain) + #XXX + #if not domain: + #domain = self.domain or config.get('provider', None) + uri = self._get_eip_service_uri( + domain=self.apidomain) + + if autocacert and self.cacert is not None: + verify = self.cacert self.eipserviceconfig.load( from_uri=uri, fetcher=self.fetcher, - force_download=force_download) + force_download=force_download, + verify=verify) self.eipserviceconfig.save() def check_complete_eip_config(self, config=None): @@ -465,7 +484,6 @@ class EIPConfigChecker(object): if config is None: config = self.eipconfig.config try: - 'trying assertions' assert 'provider' in config assert config['provider'] is not None # XXX assert there is gateway !! @@ -504,3 +522,16 @@ class EIPConfigChecker(object): uri = "https://%s/%s" % (domain, path) logger.debug('getting eip service file from %s', uri) return uri + + def set_api_domain(self): + """sets api domain from defaultprovider config object""" + api = self.defaultprovider.config.get('api_uri', None) + # the caller is responsible for having loaded the config + # object at this point + if api: + api_dom = get_https_domain_and_port(api) + self.apidomain = "%s:%s" % api_dom + + def get_api_domain(self): + """gets api domain""" + return self.apidomain -- cgit v1.2.3 From ade0eded09176fd687d1ee30724468c048d15065 Mon Sep 17 00:00:00 2001 From: kali Date: Fri, 11 Jan 2013 09:16:49 +0900 Subject: fix for missing cacert bundle frozen app cannot find requests cacert bundle. added to Resources to get us going. --- src/leap/eip/checks.py | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index bd158e1e..cc395bcb 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -3,6 +3,7 @@ import logging #import platform import time import os +import sys import gnutls.crypto #import netifaces @@ -20,6 +21,7 @@ from leap.eip import config as eipconfig from leap.eip import constants as eipconstants from leap.eip import exceptions as eipexceptions from leap.eip import specs as eipspecs +from leap.util.certs import get_mac_cabundle from leap.util.fileutil import mkdir_p from leap.util.web import get_https_domain_and_port from leap.util.misc import null_check @@ -165,13 +167,15 @@ class ProviderCertChecker(object): if autocacert and verify is True and self.cacert is not None: logger.debug('verify cert: %s', self.cacert) verify = self.cacert + if sys.platform == "darwin": + verify = get_mac_cabundle() logger.debug('checking https connection') logger.debug('uri: %s (verify:%s)', uri, verify) + try: self.fetcher.get(uri, verify=verify) - except requests.exceptions.SSLError: # as exc: - logger.error("SSLError") + except requests.exceptions.SSLError as exc: raise eipexceptions.HttpsBadCertError except requests.exceptions.ConnectionError: @@ -448,9 +452,15 @@ class EIPConfigChecker(object): domain = config.get('provider', None) uri = self._get_provider_definition_uri(domain=domain) + if sys.platform == "darwin": + verify = get_mac_cabundle() + else: + verify = True + self.defaultprovider.load( from_uri=uri, - fetcher=self.fetcher) + fetcher=self.fetcher, + verify=verify) self.defaultprovider.save() def fetch_eip_service_config(self, skip_download=False, -- cgit v1.2.3 From d72b5d9057bcea884c2e828f5e3045920d4c2205 Mon Sep 17 00:00:00 2001 From: kali Date: Wed, 16 Jan 2013 23:31:49 +0900 Subject: pass cacert bundle only in frozen apps --- src/leap/eip/checks.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index cc395bcb..9fb13c74 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -167,7 +167,7 @@ class ProviderCertChecker(object): if autocacert and verify is True and self.cacert is not None: logger.debug('verify cert: %s', self.cacert) verify = self.cacert - if sys.platform == "darwin": + if sys.platform == "darwin": verify = get_mac_cabundle() logger.debug('checking https connection') logger.debug('uri: %s (verify:%s)', uri, verify) -- cgit v1.2.3 From d6c8cb0f12e8924820c296a8114a7899f61e5180 Mon Sep 17 00:00:00 2001 From: kali Date: Thu, 17 Jan 2013 05:54:16 +0900 Subject: (osx) detect which interface is traffic going thru --- src/leap/eip/checks.py | 1 - 1 file changed, 1 deletion(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 9fb13c74..0d07ef08 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -187,7 +187,6 @@ class ProviderCertChecker(object): def check_new_cert_needed(self, skip_download=False, verify=True): # XXX add autocacert - logger.debug('is new cert needed?') if not self.is_cert_valid(do_raise=False): logger.debug('cert needed: true') self.download_new_client_cert( -- cgit v1.2.3 From 9cdc193c587631986e579c1ba37a8b982be01238 Mon Sep 17 00:00:00 2001 From: kali Date: Thu, 24 Jan 2013 18:47:41 +0900 Subject: all tests green again plus: * added soledad test requirements * removed soledad from run_tests run (+1K tests failing) * added option to run All tests to run_tests script * pep8 cleanup --- src/leap/eip/checks.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 0d07ef08..de738de6 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -451,7 +451,7 @@ class EIPConfigChecker(object): domain = config.get('provider', None) uri = self._get_provider_definition_uri(domain=domain) - if sys.platform == "darwin": + if sys.platform == "darwin": verify = get_mac_cabundle() else: verify = True @@ -465,7 +465,7 @@ class EIPConfigChecker(object): def fetch_eip_service_config(self, skip_download=False, force_download=False, config=None, uri=None, # domain=None, - autocacert=True): + autocacert=True, verify=True): if skip_download: return True if config is None: -- cgit v1.2.3 From 19da34c598ce6db172c1e1a8978bf031fc6db89b Mon Sep 17 00:00:00 2001 From: kali Date: Thu, 24 Jan 2013 20:07:06 +0900 Subject: check cert time_boundaries uses pyOpenSSL I had missed this one while deprecating gnutls --- src/leap/eip/checks.py | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index de738de6..9a34a428 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -1,13 +1,8 @@ import logging -#import ssl -#import platform import time import os import sys -import gnutls.crypto -#import netifaces -#import ping import requests from leap import __branding as BRANDING @@ -24,7 +19,6 @@ from leap.eip import specs as eipspecs from leap.util.certs import get_mac_cabundle from leap.util.fileutil import mkdir_p from leap.util.web import get_https_domain_and_port -from leap.util.misc import null_check logger = logging.getLogger(name=__name__) @@ -276,11 +270,8 @@ class ProviderCertChecker(object): def is_cert_not_expired(self, certfile=None, now=time.gmtime): if certfile is None: certfile = self._get_client_cert_path() - with open(certfile) as cf: - cert_s = cf.read() - cert = gnutls.crypto.X509Certificate(cert_s) - from_ = time.gmtime(cert.activation_time) - to_ = time.gmtime(cert.expiration_time) + from_, to_ = certs.get_time_boundaries(certfile) + return from_ < now() < to_ def is_valid_pemfile(self, cert_s=None): -- cgit v1.2.3 From b1f4715334a1b6559ce35dbfe40cd1e1ad91cf7f Mon Sep 17 00:00:00 2001 From: kali Date: Tue, 12 Feb 2013 08:40:40 +0900 Subject: add debug info --- src/leap/eip/checks.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'src/leap/eip/checks.py') diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py index 9a34a428..af824c57 100644 --- a/src/leap/eip/checks.py +++ b/src/leap/eip/checks.py @@ -120,7 +120,12 @@ class ProviderCertChecker(object): def verify_api_https(self, uri): assert uri.startswith('https://') cacert = self.ca_cert_path - verify = cacert and cacert or True + verify = cacert or True + + # DEBUG + logger.debug('uri -> %s' % uri) + logger.debug('cacertpath -> %s' % cacert) + req = self.fetcher.get(uri, verify=verify) req.raise_for_status() return True -- cgit v1.2.3