summaryrefslogtreecommitdiff
path: root/src/leap/eip/checks.py
blob: af824c57b68f2827d39cc7f3a2c1230dfcf5b1f7 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
import logging
import time
import os
import sys

import requests

from leap import __branding as BRANDING
from leap import certs as leapcerts
from leap.base.auth import srpauth_protected, magick_srpauth
from leap.base import config as baseconfig
from leap.base import constants as baseconstants
from leap.base import providers
from leap.crypto import certs
from leap.eip import config as eipconfig
from leap.eip import constants as eipconstants
from leap.eip import exceptions as eipexceptions
from leap.eip import specs as eipspecs
from leap.util.certs import get_mac_cabundle
from leap.util.fileutil import mkdir_p
from leap.util.web import get_https_domain_and_port

logger = logging.getLogger(name=__name__)

"""
ProviderCertChecker
-------------------
Checks on certificates. To be moved to base.
docs TBD

EIPConfigChecker
----------
It is used from the eip conductor (a instance of EIPConnection that is
managed from the QtApp), running `run_all` method before trying to call
`connect` or any other of the state-changing methods.

It checks that the needed files are provided or can be discovered over the
net. Much of these tests are not specific to EIP module, and can be splitted
into base.tests to be invoked by the base leap init routines.
However, I'm testing them alltogether for the sake of having the whole unit
reachable and testable as a whole.

"""


def get_branding_ca_cert(domain):
    # deprecated
    ca_file = BRANDING.get('provider_ca_file')
    if ca_file:
        return leapcerts.where(ca_file)


class ProviderCertChecker(object):
    """
    Several checks needed for getting
    client certs and checking tls connection
    with provider.
    """
    def __init__(self, fetcher=requests,
                 domain=None):

        self.fetcher = fetcher
        self.domain = domain
        #XXX needs some kind of autoinit
        #right now we set by hand
        #by loading and reading provider config
        self.apidomain = None
        self.cacert = eipspecs.provider_ca_path(domain)

    def run_all(
            self, checker=None,
            skip_download=False, skip_verify=False):

        if not checker:
            checker = self

        do_verify = not skip_verify
        logger.debug('do_verify: %s', do_verify)
        # checker.download_ca_cert()

        # For MVS+
        # checker.download_ca_signature()
        # checker.get_ca_signatures()
        # checker.is_there_trust_path()

        # For MVS
        checker.is_there_provider_ca()

        checker.is_https_working(verify=do_verify, autocacert=False)
        checker.check_new_cert_needed(verify=do_verify)

    def download_ca_cert(self, uri=None, verify=True):
        req = self.fetcher.get(uri, verify=verify)
        req.raise_for_status()

        # should check domain exists
        capath = self._get_ca_cert_path(self.domain)
        with open(capath, 'w') as f:
            f.write(req.content)

    def check_ca_cert_fingerprint(
            self, hash_type="SHA256",
            fingerprint=None):
        """
        compares the fingerprint in
        the ca cert with a string
        we are passed
        returns True if they are equal, False if not.
        @param hash_type: digest function
        @type hash_type: str
        @param fingerprint: the fingerprint to compare with.
        @type fingerprint: str (with : separator)
        @rtype bool
        """
        ca_cert_path = self.ca_cert_path
        ca_cert_fpr = certs.get_cert_fingerprint(
            filepath=ca_cert_path)
        return ca_cert_fpr == fingerprint

    def verify_api_https(self, uri):
        assert uri.startswith('https://')
        cacert = self.ca_cert_path
        verify = cacert or True

        # DEBUG
        logger.debug('uri -> %s' % uri)
        logger.debug('cacertpath -> %s' % cacert)

        req = self.fetcher.get(uri, verify=verify)
        req.raise_for_status()
        return True

    def download_ca_signature(self):
        # MVS+
        raise NotImplementedError

    def get_ca_signatures(self):
        # MVS+
        raise NotImplementedError

    def is_there_trust_path(self):
        # MVS+
        raise NotImplementedError

    def is_there_provider_ca(self):
        if not self.cacert:
            return False
        cacert_exists = os.path.isfile(self.cacert)
        if cacert_exists:
            logger.debug('True')
            return True
        logger.debug('False!')
        return False

    def is_https_working(
            self, uri=None, verify=True,
            autocacert=False):
        if uri is None:
            uri = self._get_root_uri()
        # XXX raise InsecureURI or something better
        try:
            assert uri.startswith('https')
        except AssertionError:
            raise AssertionError(
                "uri passed should start with https")
        if autocacert and verify is True and self.cacert is not None:
            logger.debug('verify cert: %s', self.cacert)
            verify = self.cacert
        if sys.platform == "darwin":
            verify = get_mac_cabundle()
        logger.debug('checking https connection')
        logger.debug('uri: %s (verify:%s)', uri, verify)

        try:
            self.fetcher.get(uri, verify=verify)

        except requests.exceptions.SSLError as exc:
            raise eipexceptions.HttpsBadCertError

        except requests.exceptions.ConnectionError:
            logger.error('ConnectionError')
            raise eipexceptions.HttpsNotSupported

        else:
            return True

    def check_new_cert_needed(self, skip_download=False, verify=True):
        # XXX add autocacert
        if not self.is_cert_valid(do_raise=False):
            logger.debug('cert needed: true')
            self.download_new_client_cert(
                skip_download=skip_download,
                verify=verify)
            return True
        logger.debug('cert needed: false')
        return False

    def download_new_client_cert(self, uri=None, verify=True,
                                 skip_download=False,
                                 credentials=None):
        logger.debug('download new client cert')
        if skip_download:
            return True
        if uri is None:
            uri = self._get_client_cert_uri()
        # XXX raise InsecureURI or something better
        #assert uri.startswith('https')

        if verify is True and self.cacert is not None:
            verify = self.cacert
            logger.debug('verify = %s', verify)

        fgetfn = self.fetcher.get

        if credentials:
            user, passwd = credentials
            logger.debug('apidomain = %s', self.apidomain)

            @srpauth_protected(user, passwd,
                               server="https://%s" % self.apidomain,
                               verify=verify)
            def getfn(*args, **kwargs):
                return fgetfn(*args, **kwargs)

        else:
            # XXX FIXME fix decorated args
            @magick_srpauth(verify)
            def getfn(*args, **kwargs):
                return fgetfn(*args, **kwargs)
        try:

            req = getfn(uri, verify=verify)
            req.raise_for_status()

        except requests.exceptions.SSLError:
            logger.warning('SSLError while fetching cert. '
                           'Look below for stack trace.')
            # XXX raise better exception
            return self.fail("SSLError")
        except Exception as exc:
            return self.fail(exc.message)

        try:
            logger.debug('validating cert...')
            pemfile_content = req.content
            valid = self.is_valid_pemfile(pemfile_content)
            if not valid:
                logger.warning('invalid cert')
                return False
            cert_path = self._get_client_cert_path()
            self.write_cert(pemfile_content, to=cert_path)
        except:
            logger.warning('Error while validating cert')
            raise
        return True

    def is_cert_valid(self, cert_path=None, do_raise=True):
        exists = lambda: self.is_certificate_exists()
        valid_pemfile = lambda: self.is_valid_pemfile()
        not_expired = lambda: self.is_cert_not_expired()

        valid = exists() and valid_pemfile() and not_expired()
        if not valid:
            if do_raise:
                raise Exception('missing valid cert')
            else:
                return False
        return True

    def is_certificate_exists(self, certfile=None):
        if certfile is None:
            certfile = self._get_client_cert_path()
        return os.path.isfile(certfile)

    def is_cert_not_expired(self, certfile=None, now=time.gmtime):
        if certfile is None:
            certfile = self._get_client_cert_path()
        from_, to_ = certs.get_time_boundaries(certfile)

        return from_ < now() < to_

    def is_valid_pemfile(self, cert_s=None):
        """
        checks that the passed string
        is a valid pem certificate
        @param cert_s: string containing pem content
        @type cert_s: string
        @rtype: bool
        """
        if cert_s is None:
            certfile = self._get_client_cert_path()
            with open(certfile) as cf:
                cert_s = cf.read()
        try:
            valid = certs.can_load_cert_and_pkey(cert_s)
        except certs.BadCertError:
            logger.warning("Not valid pemfile")
            valid = False
        return valid

    @property
    def ca_cert_path(self):
        return self._get_ca_cert_path(self.domain)

    def _get_root_uri(self):
        return u"https://%s/" % self.domain

    def _get_client_cert_uri(self):
        return "https://%s/1/cert" % self.apidomain

    def _get_client_cert_path(self):
        return eipspecs.client_cert_path(domain=self.domain)

    def _get_ca_cert_path(self, domain):
        # XXX this folder path will be broken for win
        # and this should be moved to eipspecs.ca_path

        # XXX use baseconfig.get_provider_path(folder=Foo)
        # !!!

        capath = baseconfig.get_config_file(
            'cacert.pem',
            folder='providers/%s/keys/ca' % domain)
        folder, fname = os.path.split(capath)
        if not os.path.isdir(folder):
            mkdir_p(folder)
        return capath

    def write_cert(self, pemfile_content, to=None):
        folder, filename = os.path.split(to)
        if not os.path.isdir(folder):
            mkdir_p(folder)
        with open(to, 'w') as cert_f:
            cert_f.write(pemfile_content)

    def set_api_domain(self, domain):
        self.apidomain = domain


class EIPConfigChecker(object):
    """
    Several checks needed
    to ensure a EIPConnection
    can be sucessfully established.
    use run_all to run all checks.
    """

    def __init__(self, fetcher=requests, domain=None):
        # we do not want to accept too many
        # argument on init.
        # we want tests
        # to be explicitely run.

        self.fetcher = fetcher

        # if not domain, get from config
        self.domain = domain
        self.apidomain = None
        self.cacert = eipspecs.provider_ca_path(domain)

        self.defaultprovider = providers.LeapProviderDefinition(domain=domain)
        self.defaultprovider.load()
        self.eipconfig = eipconfig.EIPConfig(domain=domain)
        self.set_api_domain()
        self.eipserviceconfig = eipconfig.EIPServiceConfig(domain=domain)
        self.eipserviceconfig.load()

    def run_all(self, checker=None, skip_download=False):
        """
        runs all checks in a row.
        will raise if some error encountered.
        catching those exceptions is not
        our responsibility at this moment
        """
        if not checker:
            checker = self

        # let's call all tests
        # needed for a sane eip session.

        # TODO: get rid of check_default.
        # check_complete should
        # be enough. but here to make early tests easier.
        checker.check_default_eipconfig()

        checker.check_is_there_default_provider()
        checker.fetch_definition(skip_download=skip_download)
        checker.fetch_eip_service_config(skip_download=skip_download)
        checker.check_complete_eip_config()
        #checker.ping_gateway()

    # public checks

    def check_default_eipconfig(self):
        """
        checks if default eipconfig exists,
        and dumps a default file if not
        """
        # XXX ONLY a transient check
        # because some old function still checks
        # for eip config at the beginning.

        # it *really* does not make sense to
        # dump it right now, we can get an in-memory
        # config object and dump it to disk in a
        # later moment
        logger.debug('checking default eip config')
        if not self._is_there_default_eipconfig():
            self._dump_default_eipconfig()

    def check_is_there_default_provider(self, config=None):
        """
        raises EIPMissingDefaultProvider if no
        default provider found on eip config.
        This is catched by ui and runs FirstRunWizard (MVS+)
        """
        if config is None:
            config = self.eipconfig.config
        logger.debug('checking default provider')
        provider = config.get('provider', None)
        if provider is None:
            raise eipexceptions.EIPMissingDefaultProvider
        # XXX raise also if malformed ProviderDefinition?
        return True

    def fetch_definition(self, skip_download=False,
                         force_download=False,
                         config=None, uri=None,
                         domain=None):
        """
        fetches a definition file from server
        """
        # TODO:
        # - Implement diff
        # - overwrite only if different.
        #   (attend to serial field different, for instance)

        logger.debug('fetching definition')

        if skip_download:
            logger.debug('(fetching def skipped)')
            return True
        if config is None:
            config = self.defaultprovider.config
        if uri is None:
            if not domain:
                domain = config.get('provider', None)
            uri = self._get_provider_definition_uri(domain=domain)

        if sys.platform == "darwin":
            verify = get_mac_cabundle()
        else:
            verify = True

        self.defaultprovider.load(
            from_uri=uri,
            fetcher=self.fetcher,
            verify=verify)
        self.defaultprovider.save()

    def fetch_eip_service_config(self, skip_download=False,
                                 force_download=False,
                                 config=None, uri=None,  # domain=None,
                                 autocacert=True, verify=True):
        if skip_download:
            return True
        if config is None:
            self.eipserviceconfig.load()
            config = self.eipserviceconfig.config
        if uri is None:
            #XXX
            #if not domain:
                #domain = self.domain or config.get('provider', None)
            uri = self._get_eip_service_uri(
                domain=self.apidomain)

        if autocacert and self.cacert is not None:
            verify = self.cacert

        self.eipserviceconfig.load(
            from_uri=uri,
            fetcher=self.fetcher,
            force_download=force_download,
            verify=verify)
        self.eipserviceconfig.save()

    def check_complete_eip_config(self, config=None):
        # TODO check for gateway
        if config is None:
            config = self.eipconfig.config
        try:
            assert 'provider' in config
            assert config['provider'] is not None
            # XXX assert there is gateway !!
        except AssertionError:
            raise eipexceptions.EIPConfigurationError

        # XXX TODO:
        # We should WRITE eip config if missing or
        # incomplete at this point
        #self.eipconfig.save()

    #
    # private helpers
    #

    def _is_there_default_eipconfig(self):
        return self.eipconfig.exists()

    def _dump_default_eipconfig(self):
        self.eipconfig.save(force=True)

    def _get_provider_definition_uri(self, domain=None, path=None):
        if domain is None:
            domain = self.domain or baseconstants.DEFAULT_PROVIDER
        if path is None:
            path = baseconstants.DEFINITION_EXPECTED_PATH
        uri = u"https://%s/%s" % (domain, path)
        logger.debug('getting provider definition from %s' % uri)
        return uri

    def _get_eip_service_uri(self, domain=None, path=None):
        if domain is None:
            domain = self.domain or baseconstants.DEFAULT_PROVIDER
        if path is None:
            path = eipconstants.EIP_SERVICE_EXPECTED_PATH
        uri = "https://%s/%s" % (domain, path)
        logger.debug('getting eip service file from %s', uri)
        return uri

    def set_api_domain(self):
        """sets api domain from defaultprovider config object"""
        api = self.defaultprovider.config.get('api_uri', None)
        # the caller is responsible for having loaded the config
        # object at this point
        if api:
            api_dom = get_https_domain_and_port(api)
            self.apidomain = "%s:%s" % api_dom

    def get_api_domain(self):
        """gets api domain"""
        return self.apidomain