author | Folker Bernitt <fbernitt@thoughtworks.com> | 2015-03-31 13:50:43 +0200 |
committer | Folker Bernitt <fbernitt@thoughtworks.com> | 2015-03-31 13:53:13 +0200 |
commit | a1fc37326a79b95cdb056a100b321586f1c1fb7b (patch) | |
tree | 91584a2bcbaae7f883d338a953ac94de77a7f035 /service/pixelated/bitmask_libraries | |
parent | faad044b8b576b6d84d88608fa5a57171e3d6169 (diff) |
Added support for ssl fingerprint validation.
- Issue #333
- Needed to patch urllib3 for older requests versions
- Use --leap-cert-fingerprint <SHA1> to validate fingerprint
Diffstat (limited to 'service/pixelated/bitmask_libraries')
-rw-r--r-- | service/pixelated/bitmask_libraries/certs.py | 9 | ||||
-rw-r--r-- | service/pixelated/bitmask_libraries/provider.py | 31 |
2 files changed, 23 insertions, 17 deletions
diff --git a/service/pixelated/bitmask_libraries/certs.py b/service/pixelated/bitmask_libraries/certs.py
index 6b12bce4..ed09e4a3 100644
--- a/service/pixelated/bitmask_libraries/certs.py
+++ b/service/pixelated/bitmask_libraries/certs.py
@@ -22,16 +22,19 @@ from leap.common import ca_bundle
 from .config import AUTO_DETECT_CA_BUNDLE
 LEAP_CERT = None
+LEAP_FINGERPRINT = None
 def which_bundle(provider):
-    if LEAP_CERT:
-        return LEAP_CERT
     return str(LeapCertificate(provider).provider_ca_bundle())
+def which_bootstrap_fingerprint(provider):
+    return LEAP_FINGERPRINT
+
+
 def which_bootstrap_bundle(provider):
-    if LEAP_CERT:
+    if LEAP_CERT is not None:
         return LEAP_CERT
     return str(LeapCertificate(provider).auto_detect_bootstrap_ca_bundle())
diff --git a/service/pixelated/bitmask_libraries/provider.py b/service/pixelated/bitmask_libraries/provider.py
index 5304e662..34e426d7 100644
--- a/service/pixelated/bitmask_libraries/provider.py
+++ b/service/pixelated/bitmask_libraries/provider.py
@@ -17,7 +17,8 @@ import json
 from leap.common.certs import get_digest
 import requests
-from .certs import which_bootstrap_bundle, which_bundle
+from .certs import which_bootstrap_bundle, which_bundle, which_bootstrap_fingerprint
+from pixelated.support.tls_adapter import EnforceTLSv1Adapter
 class LeapProvider(object):
@@ -75,16 +76,10 @@ class LeapProvider(object):
         return cert
     def _fetch_certificate(self):
-        session = requests.session()
-        try:
-            cert_url = '%s/ca.crt' % self._provider_base_url()
-            response = session.get(cert_url, verify=which_bootstrap_bundle(self), timeout=self.config.timeout_in_s)
-            response.raise_for_status()
-
-            cert_data = response.content
-            return cert_data
-        finally:
-            session.close()
+        cert_url = '%s/ca.crt' % self._provider_base_url()
+        response = self._validated_get(cert_url)
+        cert_data = response.content
+        return cert_data
     def validate_certificate(self, cert_data=None):
         if cert_data is None:
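Review bot: `which_bootstrap_fingerprint` ignores its `provider` argument and hands back the module-level `LEAP_FINGERPRINT`, which stays `None` unless something outside this diff sets it (the `--leap-cert-fingerprint` plumbing is not in the diffstat), so a caller cannot tell from the signature that the pin is process-global rather than per provider. A docstring should make that explicit: `"""Return the certificate fingerprint pinned via --leap-cert-fingerprint for the bootstrap fetches (ca.crt, provider.json), or None when no pin was configured. provider is unused; it is accepted for parity with which_bootstrap_bundle."""`. The same hunk also removes the `LEAP_CERT` shortcut from `which_bundle`, so a `--leap-cert` override now applies only to the bootstrap bundle and no longer to `provider_ca_bundle()`; if that is intended, a one-line comment on `which_bundle` (`# the CLI cert override only covers bootstrap; post-bootstrap trust is the provider CA`) would stop the next reader from filing it as a regression. The commit message advertises a SHA1 fingerprint; if the patched adapter selects the digest by hex length as upstream urllib3 does, documenting that a SHA-256 fingerprint is accepted too would be worth a sentence, but that is outside this diff.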
@@ -99,11 +94,19 @@ class LeapProvider(object):
         if fingerprint.strip() != digest:
             raise Exception('Certificate fingerprints don\'t match')
+    def _validated_get(self, url):
+        session = requests.session()
+        try:
+            session.mount('https://', EnforceTLSv1Adapter(assert_fingerprint=which_bootstrap_fingerprint(self)))
+            response = session.get(url, verify=which_bootstrap_bundle(self), timeout=self.config.timeout_in_s)
+            response.raise_for_status()
+            return response
+        finally:
+            session.close()
+
     def fetch_provider_json(self):
         url = '%s/provider.json' % self._provider_base_url()
-        response = requests.get(url, verify=which_bootstrap_bundle(self), timeout=self.config.timeout_in_s)
-        response.raise_for_status()
-
+        response = self._validated_get(url)
         json_data = json.loads(response.content)
         return json_data
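Review bot: `_validated_get` mounts `EnforceTLSv1Adapter` only for the `https://` prefix, so if `_provider_base_url()` (defined outside this hunk) can ever produce a plain `http://` URL, the fingerprint assertion and the `verify=` bundle are both silently skipped and the bootstrap fetch of `ca.crt` / `provider.json` goes out in cleartext. A fail-closed guard at the top of the helper, `if not url.startswith('https://'): raise ValueError('refusing non-TLS provider URL: %s' % url)`, costs one line and makes the pinning non-bypassable. Since `which_bootstrap_fingerprint` returns `None` when no pin was configured, the helper presumably then relies on the CA bundle alone — I am inferring that from the module default, so confirm that the patched adapter treats `assert_fingerprint=None` as "no check" rather than as a failed comparison, and say so in a docstring on `_validated_get`. `fetch_provider_json` continues past the end of the hunk.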