1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
|
#
# Copyright (c) 2014 ThoughtWorks, Inc.
#
# Pixelated is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Pixelated is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with Pixelated. If not, see <http://www.gnu.org/licenses/>.
import json
import os
from leap.common.certs import get_digest
import requests
from .certs import LeapCertificate
from pixelated.support.tls_adapter import EnforceTLSv1Adapter
from pixelated.bitmask_libraries.soledad import SoledadDiscoverException
class LeapProvider(object):
def __init__(self, server_name, config):
self.server_name = server_name
self.config = config
self.local_ca_crt = '%s/ca.crt' % self.config.leap_home
self.provider_json = self.fetch_provider_json()
@property
def api_uri(self):
return self.provider_json.get('api_uri')
@property
def ca_cert_fingerprint(self):
return self.provider_json.get('ca_cert_fingerprint')
@property
def ca_cert_uri(self):
return self.provider_json.get('ca_cert_uri')
@property
def api_version(self):
return self.provider_json.get('api_version')
@property
def domain(self):
return self.provider_json.get('domain')
@property
def services(self):
return self.provider_json.get('services')
def __hash__(self):
return hash(self.server_name)
def __eq__(self, other):
return self.server_name == other.server_name
def ensure_supports_mx(self):
if 'mx' not in self.services:
raise Exception
def download_certificate(self, filename=None):
"""
Downloads the server certificate, validates it against the provided fingerprint and stores it to file
"""
path = filename or self.local_ca_crt
directory = self._extract_directory(path)
if not os.path.exists(directory):
os.makedirs(directory)
cert = self.fetch_valid_certificate()
with open(path, 'w') as out:
out.write(cert)
def _extract_directory(self, path):
splited = path.split('/')
splited.pop(-1)
directory = '/'.join(splited)
return directory
def fetch_valid_certificate(self):
cert = self._fetch_certificate()
self.validate_certificate(cert)
return cert
def _fetch_certificate(self):
cert_url = '%s/ca.crt' % self._provider_base_url()
response = self._validated_get(cert_url)
cert_data = response.content
return cert_data
def validate_certificate(self, cert_data=None):
if cert_data is None:
cert_data = self._fetch_certificate()
parts = str(self.ca_cert_fingerprint).split(':')
method = parts[0].strip()
fingerprint = parts[1].strip()
digest = get_digest(cert_data, method)
if fingerprint.strip() != digest:
raise Exception('Certificate fingerprints don\'t match! Expected [%s] but got [%s]' % (
fingerprint.strip(), digest))
def smtp_info(self):
json_data = self.fetch_smtp_json()
hosts = json_data['hosts']
hostname = hosts.keys()[0]
host = hosts[hostname]
return host['hostname'], host['port']
def _validated_get(self, url):
session = requests.session()
try:
session.mount(
'https://', EnforceTLSv1Adapter(assert_fingerprint=LeapCertificate.LEAP_FINGERPRINT))
response = session.get(url, verify=LeapCertificate(
self).provider_web_cert, timeout=self.config.timeout_in_s)
response.raise_for_status()
return response
finally:
session.close()
def fetch_provider_json(self):
url = '%s/provider.json' % self._provider_base_url()
response = self._validated_get(url)
json_data = json.loads(response.content)
return json_data
def fetch_soledad_json(self):
service_url = "%s/%s/config/soledad-service.json" % (
self.api_uri, self.api_version)
response = requests.get(service_url, verify=LeapCertificate(
self).provider_api_cert, timeout=self.config.timeout_in_s)
response.raise_for_status()
return json.loads(response.content)
def fetch_smtp_json(self):
service_url = '%s/%s/config/smtp-service.json' % (
self.api_uri, self.api_version)
response = requests.get(service_url, verify=LeapCertificate(
self).provider_api_cert, timeout=self.config.timeout_in_s)
response.raise_for_status()
return json.loads(response.content)
def _provider_base_url(self):
return 'https://%s' % self.server_name
def address_for(self, username):
return '%s@%s' % (username, self.domain)
def discover_soledad_server(self, user_uuid):
try:
json_data = self.fetch_soledad_json()
hosts = json_data['hosts']
host = hosts.keys()[0]
server_url = 'https://%s:%d/user-%s' % \
(hosts[host]['hostname'], hosts[host]['port'],
user_uuid)
return server_url
except Exception, e:
raise SoledadDiscoverException(e)
|