Heavy rework on certs, removed most of it, simplified the logic

7 files changed, 17 insertions, 122 deletions

diff --git a/service/pixelated/bitmask_libraries/certs.py b/service/pixelated/bitmask_libraries/certs.py
index 2535b747..ed6233c1 100644
--- a/service/pixelated/bitmask_libraries/certs.py
+++ b/service/pixelated/bitmask_libraries/certs.py
@@ -16,9 +16,6 @@
 import os
 import requests
 import json
-from leap.common import ca_bundle
-
-from .config import AUTO_DETECT_CA_BUNDLE
 
 
 class LeapCertificate(object):
@@ -40,70 +37,17 @@ class LeapCertificate(object):
             LeapCertificate.LEAP_FINGERPRINT = cert_fingerprint
             LeapCertificate.LEAP_CERT = False
 
-    def auto_detect_bootstrap_ca_bundle(self):
-        if self.LEAP_CERT is not None:
-            return self.LEAP_CERT
-
-        if self._config.bootstrap_ca_cert_bundle == AUTO_DETECT_CA_BUNDLE:
-            local_cert = self._local_bootstrap_server_cert()
-            if local_cert:
-                return local_cert
-            else:
-                return ca_bundle.where()
-        else:
-            return self._config.bootstrap_ca_cert_bundle
-
+    @property
     def api_ca_bundle(self):
-        if self._provider.config.ca_cert_bundle:
-            return self._provider.config.ca_cert_bundle
-
-        cert_file = self._api_cert_file()
+        return os.path.join(self._provider.config.leap_home, 'providers', self._server_name, 'keys', 'client', 'api.pem')
 
-        if not os.path.isfile(cert_file):
-            self._download_server_cert(cert_file)
-
-        return cert_file
-
-    def refresh_ca_bundle(self):
-        cert_file = self._api_cert_file()
-        self._download_server_cert(cert_file)
-
-    def _api_cert_file(self):
-        certs_root = self._api_certs_root_path()
-        return os.path.join(certs_root, 'api.pem')
-
-    def _api_certs_root_path(self):
+    def setup_ca_bundle(self):
         path = os.path.join(self._provider.config.leap_home, 'providers', self._server_name, 'keys', 'client')
         if not os.path.isdir(path):
             os.makedirs(path, 0700)
-        return path
-
-    def _local_bootstrap_server_cert(self):
-        cert_file = self._bootstrap_certs_cert_file()
-        if os.path.isfile(cert_file):
-            return cert_file
+        self._download_cert(self.api_ca_bundle)
 
-        response = requests.get('https://%s/provider.json' % self._server_name)
-        provider_data = json.loads(response.content)
-        ca_cert_uri = str(provider_data['ca_cert_uri'])
-
-        response = requests.get(ca_cert_uri)
-        with open(cert_file, 'w') as file:
-            file.write(response.content)
-
-        return cert_file
-
-    def _bootstrap_certs_cert_file(self):
-        path = os.path.join(self._provider.config.leap_home, 'providers', self._server_name)
-        if not os.path.isdir(path):
-            os.makedirs(path, 0700)
-
-        file_path = os.path.join(path, '%s.ca.crt' % self._server_name)
-
-        return file_path
-
-    def _download_server_cert(self, cert_file_name):
+    def _download_cert(self, cert_file_name):
         cert = self._provider.fetch_valid_certificate()
-
         with open(cert_file_name, 'w') as file:
             file.write(cert)
diff --git a/service/pixelated/bitmask_libraries/config.py b/service/pixelated/bitmask_libraries/config.py
index 8c862d0a..efb43411 100644
--- a/service/pixelated/bitmask_libraries/config.py
+++ b/service/pixelated/bitmask_libraries/config.py
@@ -13,10 +13,9 @@
 #
 # You should have received a copy of the GNU Affero General Public License
 # along with Pixelated. If not, see <http://www.gnu.org/licenses/>.
-from distutils.spawn import find_executable
 
 import os
-from os.path import expanduser
+from distutils.spawn import find_executable
 
 
 def discover_gpg_binary():
@@ -30,54 +29,19 @@ def discover_gpg_binary():
     return path
 
 
-DEFAULT_LEAP_HOME = os.path.join(expanduser("~"), '.leap')
-
 SYSTEM_CA_BUNDLE = True
-AUTO_DETECT_CA_BUNDLE = None
 
 
 class LeapConfig(object):
-    """
-    LEAP client configuration
 
-    """
-
-    def __init__(self, leap_home=DEFAULT_LEAP_HOME, bootstrap_ca_cert_bundle=AUTO_DETECT_CA_BUNDLE,
-                 ca_cert_bundle=AUTO_DETECT_CA_BUNDLE, verify_ssl=True,
+    def __init__(self,
+                 leap_home=None,
                  fetch_interval_in_s=30,
-                 timeout_in_s=15, start_background_jobs=False, gpg_binary=discover_gpg_binary()):
-        """
-        Constructor.
-
-        :param server_name: The LEAP server name, e.g. demo.leap.se
-        :type server_name: str
-
-        :param user_name: The LEAP account user name, normally the first part of your email, e.g. foobar for foobar@demo.leap.se
-        :type user_name: str
-
-        :param user_password: The LEAP account password
-        :type user_password: str
-
-        :param db_passphrase: The passphrase used to encrypt the local soledad database
-        :type db_passphrase: str
-
-        :param verify_ssl: Set to false to disable strict SSL certificate validation
-        :type verify_ssl: bool
-
-        :param fetch_interval_in_s: Polling interval for fetching incoming mail from LEAP server
-        :type fetch_interval_in_s: int
-
-        :param timeout_in_s: Timeout for network operations, e.g. HTTP calls
-        :type timeout_in_s: int
-
-        :param gpg_binary: Path to the GPG binary (must not be a symlink)
-        :type gpg_binary: str
+                 timeout_in_s=15,
+                 start_background_jobs=False,
+                 gpg_binary=discover_gpg_binary()):
 
-        """
         self.leap_home = leap_home
-        self.bootstrap_ca_cert_bundle = bootstrap_ca_cert_bundle
-        self.ca_cert_bundle = ca_cert_bundle
-        self.verify_ssl = verify_ssl
         self.timeout_in_s = timeout_in_s
         self.start_background_jobs = start_background_jobs
         self.gpg_binary = gpg_binary
diff --git a/service/pixelated/bitmask_libraries/nicknym.py b/service/pixelated/bitmask_libraries/nicknym.py
index d7c9c7af..8220d006 100644
--- a/service/pixelated/bitmask_libraries/nicknym.py
+++ b/service/pixelated/bitmask_libraries/nicknym.py
@@ -23,7 +23,7 @@ class NickNym(object):
         self._email = '%s@%s' % (username, provider.domain)
         self.keymanager = KeyManager('%s@%s' % (username, provider.domain), nicknym_url,
                                      soledad_session.soledad,
-                                     token, LeapCertificate(provider).api_ca_bundle(), provider.api_uri,
+                                     token, LeapCertificate(provider).api_ca_bundle, provider.api_uri,
                                      provider.api_version,
                                      uuid, config.gpg_binary)
 
diff --git a/service/pixelated/bitmask_libraries/provider.py b/service/pixelated/bitmask_libraries/provider.py
index 38df504e..0129480c 100644
--- a/service/pixelated/bitmask_libraries/provider.py
+++ b/service/pixelated/bitmask_libraries/provider.py
@@ -100,7 +100,7 @@ class LeapProvider(object):
         session = requests.session()
         try:
             session.mount('https://', EnforceTLSv1Adapter(assert_fingerprint=LeapCertificate.LEAP_FINGERPRINT))
-            response = session.get(url, verify=LeapCertificate(self).auto_detect_bootstrap_ca_bundle(), timeout=self.config.timeout_in_s)
+            response = session.get(url, verify=LeapCertificate.LEAP_CERT, timeout=self.config.timeout_in_s)
             response.raise_for_status()
             return response
         finally:
@@ -115,14 +115,14 @@ class LeapProvider(object):
     def fetch_soledad_json(self):
         service_url = "%s/%s/config/soledad-service.json" % (
             self.api_uri, self.api_version)
-        response = requests.get(service_url, verify=LeapCertificate(self).api_ca_bundle(), timeout=self.config.timeout_in_s)
+        response = requests.get(service_url, verify=LeapCertificate(self).api_ca_bundle, timeout=self.config.timeout_in_s)
         response.raise_for_status()
         return json.loads(response.content)
 
     def fetch_smtp_json(self):
         service_url = '%s/%s/config/smtp-service.json' % (
             self.api_uri, self.api_version)
-        response = requests.get(service_url, verify=LeapCertificate(self).api_ca_bundle(), timeout=self.config.timeout_in_s)
+        response = requests.get(service_url, verify=LeapCertificate(self).api_ca_bundle, timeout=self.config.timeout_in_s)
         response.raise_for_status()
         return json.loads(response.content)
 
diff --git a/service/pixelated/bitmask_libraries/session.py b/service/pixelated/bitmask_libraries/session.py
index 09bf277d..ad01d495 100644
--- a/service/pixelated/bitmask_libraries/session.py
+++ b/service/pixelated/bitmask_libraries/session.py
@@ -22,29 +22,16 @@ from leap.mail.imap.fetch import LeapIncomingMail
 from leap.mail.imap.account import SoledadBackedAccount
 from leap.mail.imap.memorystore import MemoryStore
 from leap.mail.imap.soledadstore import SoledadStore
-from pixelated.bitmask_libraries.config import LeapConfig
-from pixelated.bitmask_libraries.provider import LeapProvider
-from pixelated.bitmask_libraries.certs import LeapCertificate
 from twisted.internet import reactor
 from .nicknym import NickNym
 from leap.auth import SRPAuth
 from .soledad import SoledadSessionFactory
 from .smtp import LeapSmtp
-from .config import DEFAULT_LEAP_HOME
 
 
 SESSIONS = {}
 
 
-def open_leap_session(username, password, server_name, leap_home=DEFAULT_LEAP_HOME):
-    config = LeapConfig(leap_home=leap_home)
-    provider = LeapProvider(server_name, config)
-    LeapCertificate(provider).refresh_ca_bundle()
-    session = LeapSessionFactory(provider).create(username, password)
-
-    return session
-
-
 class LeapSession(object):
     """
     A LEAP session.
diff --git a/service/pixelated/bitmask_libraries/smtp.py b/service/pixelated/bitmask_libraries/smtp.py
index 4b6ec719..745d88ef 100644
--- a/service/pixelated/bitmask_libraries/smtp.py
+++ b/service/pixelated/bitmask_libraries/smtp.py
@@ -61,7 +61,7 @@ class LeapSmtp(object):
 
         response = requests.get(
             cert_url,
-            verify=LeapCertificate(self._provider).api_ca_bundle(),
+            verify=LeapCertificate(self._provider).api_ca_bundle,
             cookies=cookies,
             timeout=self._provider.config.timeout_in_s)
         response.raise_for_status()
diff --git a/service/pixelated/bitmask_libraries/soledad.py b/service/pixelated/bitmask_libraries/soledad.py
index 207b3e73..2e0219da 100644
--- a/service/pixelated/bitmask_libraries/soledad.py
+++ b/service/pixelated/bitmask_libraries/soledad.py
@@ -67,7 +67,7 @@ class SoledadSession(object):
             local_db = self._local_db_path()
 
             return Soledad(self.user_uuid, unicode(encryption_passphrase), secrets,
-                           local_db, server_url, LeapCertificate(self.provider).api_ca_bundle(), self.user_token, defer_encryption=False)
+                           local_db, server_url, LeapCertificate(self.provider).api_ca_bundle, self.user_token, defer_encryption=False)
 
         except (WrongMac, UnknownMacMethod), e:
             raise SoledadWrongPassphraseException(e)