From 6b7d885a43808f4351c9e581d1a1e53fbd7b3edd Mon Sep 17 00:00:00 2001
From: Ivan Alejandro
Date: Thu, 25 Jul 2013 14:57:31 -0300
Subject: Add validation using provider's ca . Closes #3227.

---
 changes/bug-3227_add-TOFU | 1 +
 src/leap/services/eip/providerbootstrapper.py | 32 ++++++++++++++++++---------
 2 files changed, 22 insertions(+), 11 deletions(-)
 create mode 100644 changes/bug-3227_add-TOFU

diff --git a/changes/bug-3227_add-TOFU b/changes/bug-3227_add-TOFU
new file mode 100644
index 00000000..d918c8d4
--- /dev/null
+++ b/changes/bug-3227_add-TOFU
@@ -0,0 +1 @@
+ o Use the provider CA cert for every request once we have it bootstrapped (TOFU). Closes #3227.
diff --git a/src/leap/services/eip/providerbootstrapper.py b/src/leap/services/eip/providerbootstrapper.py
index 0be997b2..723475b8 100644
--- a/src/leap/services/eip/providerbootstrapper.py
+++ b/src/leap/services/eip/providerbootstrapper.py
@@ -132,21 +132,31 @@ class ProviderBootstrapper(AbstractBootstrapper):
 logger.debug("Downloading provider info for %s" % (self._domain))
 headers = {}
- mtime = get_mtime(os.path.join(ProviderConfig()
- .get_path_prefix(),
- "leap",
- "providers",
- self._domain,
- "provider.json"))
+
+ provider_json = os.path.join(
+ ProviderConfig().get_path_prefix(), "leap", "providers",
+ self._domain, "provider.json")
+ mtime = get_mtime(provider_json)
+
 if self._download_if_needed and mtime:
 headers['if-modified-since'] = mtime
- res = self._session.get("https://%s/%s" % (self._domain,
- "provider.json"),
- headers=headers,
- verify=not self._bypass_checks,
- timeout=REQUEST_TIMEOUT)
+ uri = "https://%s/%s" % (self._domain, "provider.json")
+ verify = not self._bypass_checks
+
+ if mtime: # the provider.json exists
+ provider_config = ProviderConfig()
+ provider_config.load(provider_json)
+ uri = provider_config.get_api_uri() + '/provider.json'
+ verify = provider_config.get_ca_cert_path()
+
+ logger.debug("Requesting for provider.json... " "uri: {0}, verify: {1}, headers: {2}".format( uri, verify, headers))
+ res = self._session.get(uri, verify=verify, headers=headers, timeout=REQUEST_TIMEOUT)
 res.raise_for_status()
+ logger.debug("Request status code: {0}".format(res.status_code))
 # Not modified
 if res.status_code == 304:
--
cgit v1.2.3
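Review bot: In the `if mtime:` branch, `verify = provider_config.get_ca_cert_path()` hands whatever the loaded provider.json yields straight to requests, and as far as I can tell requests skips certificate verification for any falsy `verify` value, so an empty or missing CA path would silently turn TLS verification off for this request rather than failing; the same assignment also discards the `not self._bypass_checks` value computed two lines earlier, which presumably was meant to keep applying. I would guard the override so an absent CA falls back to the previous `verify` rather than to no verification: `ca_cert = provider_config.get_ca_cert_path()`, `if ca_cert and not self._bypass_checks:`, `    verify = ca_cert`. Whether `get_ca_cert_path()` can actually return an empty value is not visible in this hunk, so treat that part as something to confirm against ProviderConfig. The `+` markers on the continuation lines of the new `logger.debug(...)` and `self._session.get(...)` calls appear to have been lost in this rendering, and the enclosing method both starts before and continues after the hunk.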