summaryrefslogtreecommitdiff
path: root/app/src/production/java/se/leap/bitmaskclient/ProviderAPI.java
diff options
context:
space:
mode:
Diffstat (limited to 'app/src/production/java/se/leap/bitmaskclient/ProviderAPI.java')
-rw-r--r--app/src/production/java/se/leap/bitmaskclient/ProviderAPI.java187
1 files changed, 127 insertions, 60 deletions
diff --git a/app/src/production/java/se/leap/bitmaskclient/ProviderAPI.java b/app/src/production/java/se/leap/bitmaskclient/ProviderAPI.java
index fadb03c3..b27c3dca 100644
--- a/app/src/production/java/se/leap/bitmaskclient/ProviderAPI.java
+++ b/app/src/production/java/se/leap/bitmaskclient/ProviderAPI.java
@@ -22,20 +22,15 @@ import android.util.Pair;
import org.json.JSONException;
import org.json.JSONObject;
-import org.thoughtcrime.ssl.pinning.util.PinningHelper;
import java.io.IOException;
import java.net.URL;
import java.util.List;
-import java.util.Scanner;
-
-import javax.net.ssl.HttpsURLConnection;
-import javax.net.ssl.SSLHandshakeException;
import okhttp3.OkHttpClient;
import se.leap.bitmaskclient.eip.EIP;
-import static se.leap.bitmaskclient.R.string.error_io_exception_user_message;
+import static se.leap.bitmaskclient.DownloadFailedDialog.DOWNLOAD_ERRORS.ERROR_CORRUPTED_PROVIDER_JSON;
import static se.leap.bitmaskclient.R.string.malformed_url;
/**
@@ -60,72 +55,139 @@ public class ProviderAPI extends ProviderApiBase {
@Override
protected Bundle setUpProvider(Bundle task) {
int progress = 0;
- Bundle current_download = new Bundle();
+ Bundle currentDownload = new Bundle();
- if (task != null && task.containsKey(Provider.MAIN_URL)) {
- last_provider_main_url = task.containsKey(Provider.MAIN_URL) ?
+ if (task != null) {
+ //FIXME: this should be refactored in order to avoid static variables all over here
+ lastProviderMainUrl = task.containsKey(Provider.MAIN_URL) ?
task.getString(Provider.MAIN_URL) :
"";
- provider_ca_cert_fingerprint = task.containsKey(Provider.CA_CERT_FINGERPRINT) ?
+ providerCaCertFingerprint = task.containsKey(Provider.CA_CERT_FINGERPRINT) ?
task.getString(Provider.CA_CERT_FINGERPRINT) :
"";
+ providerCaCert = task.containsKey(Provider.CA_CERT) ?
+ task.getString(Provider.CA_CERT) :
+ "";
- CA_CERT_DOWNLOADED = PROVIDER_JSON_DOWNLOADED = EIP_SERVICE_JSON_DOWNLOADED = false;
+ try {
+ providerDefinition = task.containsKey(Provider.KEY) ?
+ new JSONObject(task.getString(Provider.KEY)) :
+ new JSONObject();
+ } catch (JSONException e) {
+ e.printStackTrace();
+ providerDefinition = new JSONObject();
+ }
+ providerApiUrl = getApiUrlWithVersion(providerDefinition);
+
+ checkPersistedProviderUpdates();
+ currentDownload = validateProviderDetails();
+
+ //provider details invalid
+ if (currentDownload.containsKey(ERRORS)) {
+ return currentDownload;
+ }
+
+ //no provider certificate available
+ if (currentDownload.containsKey(RESULT_KEY) && !currentDownload.getBoolean(RESULT_KEY)) {
+ resetProviderDetails();
+ }
+
+ EIP_SERVICE_JSON_DOWNLOADED = false;
go_ahead = true;
}
if (!PROVIDER_JSON_DOWNLOADED)
- current_download = getAndSetProviderJson(last_provider_main_url, provider_ca_cert_fingerprint);
- if (PROVIDER_JSON_DOWNLOADED || (current_download.containsKey(RESULT_KEY) && current_download.getBoolean(RESULT_KEY))) {
+ currentDownload = getAndSetProviderJson(lastProviderMainUrl, providerCaCert, providerDefinition);
+ if (PROVIDER_JSON_DOWNLOADED || (currentDownload.containsKey(RESULT_KEY) && currentDownload.getBoolean(RESULT_KEY))) {
broadcastProgress(progress++);
PROVIDER_JSON_DOWNLOADED = true;
if (!CA_CERT_DOWNLOADED)
- current_download = downloadCACert();
- if (CA_CERT_DOWNLOADED || (current_download.containsKey(RESULT_KEY) && current_download.getBoolean(RESULT_KEY))) {
+ currentDownload = downloadCACert();
+ if (CA_CERT_DOWNLOADED || (currentDownload.containsKey(RESULT_KEY) && currentDownload.getBoolean(RESULT_KEY))) {
broadcastProgress(progress++);
CA_CERT_DOWNLOADED = true;
- current_download = getAndSetEipServiceJson();
- if (current_download.containsKey(RESULT_KEY) && current_download.getBoolean(RESULT_KEY)) {
+ currentDownload = getAndSetEipServiceJson();
+ if (currentDownload.containsKey(RESULT_KEY) && currentDownload.getBoolean(RESULT_KEY)) {
broadcastProgress(progress++);
EIP_SERVICE_JSON_DOWNLOADED = true;
}
}
}
- return current_download;
+ return currentDownload;
}
- private Bundle getAndSetProviderJson(String provider_main_url, String provider_ca_cert_fingerprint) {
+
+ private Bundle validateProviderDetails() {
+ Bundle result = validateCertificateForProvider(providerCaCert, providerDefinition, lastProviderMainUrl);
+
+ //invalid certificate or no certificate
+ if (result.containsKey(ERRORS) || (result.containsKey(RESULT_KEY) && !result.getBoolean(RESULT_KEY)) ) {
+ return result;
+ }
+
+ //valid certificate: skip download, save loaded provider CA cert and provider definition directly
+ try {
+ preferences.edit().putString(Provider.KEY, providerDefinition.toString()).
+ putBoolean(Constants.PROVIDER_ALLOW_ANONYMOUS, providerDefinition.getJSONObject(Provider.SERVICE).getBoolean(Constants.PROVIDER_ALLOW_ANONYMOUS)).
+ putBoolean(Constants.PROVIDER_ALLOWED_REGISTERED, providerDefinition.getJSONObject(Provider.SERVICE).getBoolean(Constants.PROVIDER_ALLOWED_REGISTERED)).
+ putString(Provider.CA_CERT, providerCaCert).commit();
+ CA_CERT_DOWNLOADED = true;
+ PROVIDER_JSON_DOWNLOADED = true;
+ result.putBoolean(RESULT_KEY, true);
+ } catch (JSONException e) {
+ e.printStackTrace();
+ result.putBoolean(RESULT_KEY, false);
+ result = setErrorResult(result, getString(R.string.warning_corrupted_provider_details), ERROR_CORRUPTED_PROVIDER_JSON.toString());
+ }
+
+ return result;
+ }
+
+ private void checkPersistedProviderUpdates() {
+ String providerDomain = getProviderDomain(providerDefinition);
+ if (hasUpdatedProviderDetails(providerDomain)) {
+ providerCaCert = getPersistedProviderCA(providerDomain);
+ providerDefinition = getPersistedProviderDefinition(providerDomain);
+ providerCaCertFingerprint = getPersistedCaCertFingerprint(providerDomain);
+ providerApiUrl = getApiUrlWithVersion(providerDefinition);
+ }
+ }
+
+
+ private Bundle getAndSetProviderJson(String providerMainUrl, String caCert, JSONObject providerDefinition) {
Bundle result = new Bundle();
if (go_ahead) {
- String provider_dot_json_string;
- if(provider_ca_cert_fingerprint.isEmpty())
- provider_dot_json_string = downloadWithCommercialCA(provider_main_url + "/provider.json");
- else
- provider_dot_json_string = downloadWithCommercialCA(provider_main_url + "/provider.json", provider_ca_cert_fingerprint);
+ String providerDotJsonString;
+ if(providerDefinition.length() == 0 || caCert.isEmpty())
+ providerDotJsonString = downloadWithCommercialCA(providerMainUrl + "/provider.json");
+ else {
+ providerDotJsonString = downloadFromApiUrlWithProviderCA("/provider.json", caCert, providerDefinition);
+ }
- if (!isValidJson(provider_dot_json_string)) {
+ if (!isValidJson(providerDotJsonString)) {
result.putString(ERRORS, getString(malformed_url));
result.putBoolean(RESULT_KEY, false);
return result;
}
try {
- JSONObject provider_json = new JSONObject(provider_dot_json_string);
- provider_api_url = provider_json.getString(Provider.API_URL) + "/" + provider_json.getString(Provider.API_VERSION);
- String name = provider_json.getString(Provider.NAME);
+ JSONObject providerJson = new JSONObject(providerDotJsonString);
+ String providerDomain = providerJson.getString(Provider.DOMAIN);
+ providerApiUrl = getApiUrlWithVersion(providerJson);
+ String name = providerJson.getString(Provider.NAME);
//TODO setProviderName(name);
- preferences.edit().putString(Provider.KEY, provider_json.toString()).commit();
- preferences.edit().putBoolean(Constants.PROVIDER_ALLOW_ANONYMOUS, provider_json.getJSONObject(Provider.SERVICE).getBoolean(Constants.PROVIDER_ALLOW_ANONYMOUS)).commit();
- preferences.edit().putBoolean(Constants.PROVIDER_ALLOWED_REGISTERED, provider_json.getJSONObject(Provider.SERVICE).getBoolean(Constants.PROVIDER_ALLOWED_REGISTERED)).commit();
-
+ preferences.edit().putString(Provider.KEY, providerJson.toString()).
+ putBoolean(Constants.PROVIDER_ALLOW_ANONYMOUS, providerJson.getJSONObject(Provider.SERVICE).getBoolean(Constants.PROVIDER_ALLOW_ANONYMOUS)).
+ putBoolean(Constants.PROVIDER_ALLOWED_REGISTERED, providerJson.getJSONObject(Provider.SERVICE).getBoolean(Constants.PROVIDER_ALLOWED_REGISTERED)).
+ putString(Provider.KEY + "." + providerDomain, providerJson.toString()).commit();
result.putBoolean(RESULT_KEY, true);
} catch (JSONException e) {
//TODO Error message should be contained in that provider_dot_json_string
- String reason_to_fail = pickErrorMessage(provider_dot_json_string);
+ String reason_to_fail = pickErrorMessage(providerDotJsonString);
result.putString(ERRORS, reason_to_fail);
result.putBoolean(RESULT_KEY, false);
}
@@ -176,7 +238,7 @@ public class ProviderAPI extends ProviderApiBase {
String cert_string = downloadWithProviderCA(new_cert_string_url.toString());
- if (cert_string == null || cert_string.isEmpty() || ConfigHelper.checkErroneousDownload(cert_string))
+ if (ConfigHelper.checkErroneousDownload(cert_string))
return false;
else
return loadCertificate(cert_string);
@@ -194,13 +256,16 @@ public class ProviderAPI extends ProviderApiBase {
private Bundle downloadCACert() {
Bundle result = new Bundle();
try {
- JSONObject provider_json = new JSONObject(preferences.getString(Provider.KEY, ""));
- String ca_cert_url = provider_json.getString(Provider.CA_CERT_URI);
- String cert_string = downloadWithCommercialCA(ca_cert_url);
+ JSONObject providerJson = new JSONObject(preferences.getString(Provider.KEY, ""));
+ String caCertUrl = providerJson.getString(Provider.CA_CERT_URI);
+ String providerDomain = providerJson.getString(Provider.DOMAIN);
+
+ String cert_string = downloadWithCommercialCA(caCertUrl);
result.putBoolean(RESULT_KEY, true);
if (validCertificate(cert_string) && go_ahead) {
preferences.edit().putString(Provider.CA_CERT, cert_string).commit();
+ preferences.edit().putString(Provider.CA_CERT + "." + providerDomain, cert_string).commit();
result.putBoolean(RESULT_KEY, true);
} else {
String reason_to_fail = pickErrorMessage(cert_string);
@@ -216,29 +281,6 @@ public class ProviderAPI extends ProviderApiBase {
return result;
}
- //TODO: refactor with ticket #8773
- private String downloadWithCommercialCA(String url_string, String ca_cert_fingerprint) {
- String result = "";
-
- int seconds_of_timeout = 2;
- String[] pins = new String[] {ca_cert_fingerprint};
- try {
- URL url = new URL(url_string);
- HttpsURLConnection connection = PinningHelper.getPinnedHttpsURLConnection(Dashboard.getContext(), pins, url);
- connection.setConnectTimeout(seconds_of_timeout * 1000);
- if (!LeapSRPSession.getToken().isEmpty())
- connection.addRequestProperty(LeapSRPSession.AUTHORIZATION_HEADER, "Token token=" + LeapSRPSession.getToken());
- result = new Scanner(connection.getInputStream()).useDelimiter("\\A").next();
- } catch (IOException e) {
- if(e instanceof SSLHandshakeException)
- result = formatErrorMessage(R.string.error_security_pinnedcertificate);
- else
- result = formatErrorMessage(error_io_exception_user_message);
- }
-
- return result;
- }
-
/**
* Tries to download the contents of the provided url using commercially validated CA certificate from chosen provider.
*
@@ -273,6 +315,31 @@ public class ProviderAPI extends ProviderApiBase {
return responseString;
}
+
+ /**
+ * Tries to download the contents of the provided url using not commercially validated CA certificate from chosen provider.
+ *
+ * @return an empty string if it fails, the response body if not.
+ */
+ protected String downloadFromApiUrlWithProviderCA(String path, String caCert, JSONObject providerDefinition) {
+ String responseString;
+ JSONObject errorJson = new JSONObject();
+ String baseUrl = getApiUrl(providerDefinition);
+ OkHttpClient okHttpClient = initSelfSignedCAHttpClient(errorJson, caCert);
+ if (okHttpClient == null) {
+ return errorJson.toString();
+ }
+
+ String urlString = baseUrl + path;
+ List<Pair<String, String>> headerArgs = getAuthorizationHeader();
+ responseString = sendGetStringToServer(urlString, headerArgs, okHttpClient);
+
+ return responseString;
+
+ }
+
+
+
/**
* Tries to download the contents of the provided url using not commercially validated CA certificate from chosen provider.
*
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-01 13:32:19 +0000