| author | Ivan Alejandro <ivanalejandro0@gmail.com> | 2013-07-25 14:57:31 -0300 | 
|---|---|---|
| committer | Ivan Alejandro <ivanalejandro0@gmail.com> | 2013-07-25 14:57:31 -0300 | 
| commit | 6b7d885a43808f4351c9e581d1a1e53fbd7b3edd (patch) | |
| tree | 4d1afc6ee45ee86602766f176fe43f712b21c280 | |
| parent | c715e5fbd3f48f9a3555be659ccfe859f97c9d7c (diff) | |
Add validation using provider's ca . Closes #3227.
| -rw-r--r-- | changes/bug-3227_add-TOFU | 1 | ||||
| -rw-r--r-- | src/leap/services/eip/providerbootstrapper.py | 32 | 
2 files changed, 22 insertions, 11 deletions
diff --git a/changes/bug-3227_add-TOFU b/changes/bug-3227_add-TOFU
new file mode 100644
index 00000000..d918c8d4
--- /dev/null
+++ b/changes/bug-3227_add-TOFU
@@ -0,0 +1 @@
+  o Use the provider CA cert for every request once we have it bootstrapped (TOFU). Closes #3227.
diff --git a/src/leap/services/eip/providerbootstrapper.py b/src/leap/services/eip/providerbootstrapper.py
index 0be997b2..723475b8 100644
--- a/src/leap/services/eip/providerbootstrapper.py
+++ b/src/leap/services/eip/providerbootstrapper.py 
@@ -132,21 +132,31 @@ class ProviderBootstrapper(AbstractBootstrapper):
         logger.debug("Downloading provider info for %s" % (self._domain))
         headers = {}
-        mtime = get_mtime(os.path.join(ProviderConfig()
-                                       .get_path_prefix(),
-                                       "leap",
-                                       "providers",
-                                       self._domain,
-                                       "provider.json"))
+
+        provider_json = os.path.join(
+            ProviderConfig().get_path_prefix(), "leap", "providers",
+            self._domain, "provider.json")
+        mtime = get_mtime(provider_json)
+
         if self._download_if_needed and mtime:
             headers['if-modified-since'] = mtime
-        res = self._session.get("https://%s/%s" % (self._domain,
-                                                   "provider.json"),
-                                headers=headers,
-                                verify=not self._bypass_checks,
-                                timeout=REQUEST_TIMEOUT)
+        uri = "https://%s/%s" % (self._domain, "provider.json")
+        verify = not self._bypass_checks
+
+        if mtime:  # the provider.json exists
+            provider_config = ProviderConfig()
+            provider_config.load(provider_json)
+            uri = provider_config.get_api_uri() + '/provider.json'
+            verify = provider_config.get_ca_cert_path()
+
+        logger.debug("Requesting for provider.json... "
+                     "uri: {0}, verify: {1}, headers: {2}".format(
+                         uri, verify, headers))
+        res = self._session.get(uri, verify=verify,
+                                headers=headers, timeout=REQUEST_TIMEOUT)
         res.raise_for_status()
+        logger.debug("Request status code: {0}".format(res.status_code))
         # Not modified
         if res.status_code == 304:  | 
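Review bot: In the `if mtime:` branch the value of `provider_config.get_ca_cert_path()` goes straight into `verify=` with no check that it is a non-empty path to a file that exists. The hunk does not show what that getter returns when provider.json is cached but the CA has not been downloaded yet. If it can be empty, a falsy `verify` would turn certificate verification off in requests, and a missing file would surface only as an opaque error from the GET. I would bind it first, `ca_cert = provider_config.get_ca_cert_path()`, and pin only when usable, `if ca_cert and os.path.isfile(ca_cert): verify = ca_cert`, logging an error and failing the step otherwise rather than continuing unpinned. A short comment above the branch should also say that the cached `api_uri` and CA are trusted from a first fetch made with `verify = not self._bypass_checks`, so a first contact made with checks bypassed pins unverified values. The enclosing method starts and ends outside the hunk.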
