summaryrefslogtreecommitdiff
path: root/src/pixelated/bitmask_libraries/provider.py
blob: a42b7be97307f0f33038be2851ce6ec158bb1b7f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
#
# Copyright (c) 2014 ThoughtWorks, Inc.
#
# Pixelated is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Pixelated is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with Pixelated. If not, see <http://www.gnu.org/licenses/>.
import json
import os

from leap.common.certs import get_digest
import requests
from .certs import LeapCertificate
from pixelated.support.tls_adapter import EnforceTLSv1Adapter
from pixelated.bitmask_libraries.soledad import SoledadDiscoverException


class LeapProvider(object):

    def __init__(self, server_name, config):
        self.server_name = server_name
        self.config = config
        self.local_ca_crt = '%s/ca.crt' % self.config.leap_home
        self.provider_json = self.fetch_provider_json()

    @property
    def api_uri(self):
        return self.provider_json.get('api_uri')

    @property
    def ca_cert_fingerprint(self):
        return self.provider_json.get('ca_cert_fingerprint')

    @property
    def ca_cert_uri(self):
        return self.provider_json.get('ca_cert_uri')

    @property
    def api_version(self):
        return self.provider_json.get('api_version')

    @property
    def domain(self):
        return self.provider_json.get('domain')

    @property
    def services(self):
        return self.provider_json.get('services')

    def __hash__(self):
        return hash(self.server_name)

    def __eq__(self, other):
        return self.server_name == other.server_name

    def ensure_supports_mx(self):
        if 'mx' not in self.services:
            raise Exception

    def download_certificate(self, filename=None):
        """
        Downloads the server certificate, validates it against the provided fingerprint and stores it to file
        """
        path = filename or self.local_ca_crt

        directory = self._extract_directory(path)
        if not os.path.exists(directory):
            os.makedirs(directory)

        cert = self.fetch_valid_certificate()
        with open(path, 'w') as out:
            out.write(cert)

    def _extract_directory(self, path):
        splited = path.split('/')
        splited.pop(-1)
        directory = '/'.join(splited)
        return directory

    def fetch_valid_certificate(self):
        cert = self._fetch_certificate()
        self.validate_certificate(cert)
        return cert

    def _fetch_certificate(self):
        cert_url = '%s/ca.crt' % self._provider_base_url()
        response = self._validated_get(cert_url)
        cert_data = response.content
        return cert_data

    def validate_certificate(self, cert_data=None):
        if cert_data is None:
            cert_data = self._fetch_certificate()

        parts = str(self.ca_cert_fingerprint).split(':')
        method = parts[0].strip()
        fingerprint = parts[1].strip()

        digest = get_digest(cert_data, method)

        if fingerprint.strip() != digest:
            raise Exception('Certificate fingerprints don\'t match! Expected [%s] but got [%s]' % (
                fingerprint.strip(), digest))

    def smtp_info(self):
        json_data = self.fetch_smtp_json()
        hosts = json_data['hosts']
        hostname = hosts.keys()[0]
        host = hosts[hostname]
        return host['hostname'], host['port']

    def _validated_get(self, url):
        session = requests.session()
        try:
            session.mount(
                'https://', EnforceTLSv1Adapter(assert_fingerprint=LeapCertificate.LEAP_FINGERPRINT))
            response = session.get(url, verify=LeapCertificate(
                self).provider_web_cert, timeout=self.config.timeout_in_s)
            response.raise_for_status()
            return response
        finally:
            session.close()

    def fetch_provider_json(self):
        url = '%s/provider.json' % self._provider_base_url()
        response = self._validated_get(url)
        json_data = json.loads(response.content)
        return json_data

    def fetch_soledad_json(self):
        service_url = "%s/%s/config/soledad-service.json" % (
            self.api_uri, self.api_version)
        response = requests.get(service_url, verify=LeapCertificate(
            self).provider_api_cert, timeout=self.config.timeout_in_s)
        response.raise_for_status()
        return json.loads(response.content)

    def fetch_smtp_json(self):
        service_url = '%s/%s/config/smtp-service.json' % (
            self.api_uri, self.api_version)
        response = requests.get(service_url, verify=LeapCertificate(
            self).provider_api_cert, timeout=self.config.timeout_in_s)
        response.raise_for_status()
        return json.loads(response.content)

    def _provider_base_url(self):
        return 'https://%s' % self.server_name

    def address_for(self, username):
        return '%s@%s' % (username, self.domain)

    def discover_soledad_server(self, user_uuid):
        try:
            json_data = self.fetch_soledad_json()

            hosts = json_data['hosts']
            host = hosts.keys()[0]
            server_url = 'https://%s:%d/user-%s' % \
                         (hosts[host]['hostname'], hosts[host]['port'],
                          user_uuid)
            return server_url
        except Exception, e:
            raise SoledadDiscoverException(e)