authorFolker Bernitt <fbernitt@thoughtworks.com>2015-03-31 13:50:43 +0200
committerFolker Bernitt <fbernitt@thoughtworks.com>2015-03-31 13:53:13 +0200
commita1fc37326a79b95cdb056a100b321586f1c1fb7b (patch)
tree91584a2bcbaae7f883d338a953ac94de77a7f035 /service/pixelated/bitmask_libraries
parentfaad044b8b576b6d84d88608fa5a57171e3d6169 (diff)
Added support for ssl fingerprint validation.
- Issue #333 - Needed to patch urllib3 for older requests versions - Use --leap-cert-fingerprint <SHA1> to validate the fingerprint
Diffstat (limited to 'service/pixelated/bitmask_libraries')
-rw-r--r--service/pixelated/bitmask_libraries/certs.py9
-rw-r--r--service/pixelated/bitmask_libraries/provider.py31
2 files changed, 23 insertions, 17 deletions
diff --git a/service/pixelated/bitmask_libraries/certs.py b/service/pixelated/bitmask_libraries/certs.py
index 6b12bce4..ed09e4a3 100644
--- a/service/pixelated/bitmask_libraries/certs.py
+++ b/service/pixelated/bitmask_libraries/certs.py
@@ -22,16 +22,19 @@ from leap.common import ca_bundle
from .config import AUTO_DETECT_CA_BUNDLE
LEAP_CERT = None
+LEAP_FINGERPRINT = None
def which_bundle(provider):
- if LEAP_CERT:
- return LEAP_CERT
return str(LeapCertificate(provider).provider_ca_bundle())
+def which_bootstrap_fingerprint(provider):
+ return LEAP_FINGERPRINT
+
+
def which_bootstrap_bundle(provider):
- if LEAP_CERT:
+ if LEAP_CERT is not None:
return LEAP_CERT
return str(LeapCertificate(provider).auto_detect_bootstrap_ca_bundle())
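Review bot: `which_bootstrap_fingerprint` accepts a `provider` argument it never reads and simply returns the module global `LEAP_FINGERPRINT`, so unlike its siblings it is a process-wide override rather than a per-provider lookup, and nothing on the page says so. A docstring would make the contract explicit: `"""Return the operator-supplied certificate fingerprint (LEAP_FINGERPRINT), or None when no pinning is configured; `provider` is accepted only for symmetry with which_bootstrap_bundle."""`. Because the default at L25 is `None`, callers get no pinning unless the global is assigned elsewhere — presumably from the `--leap-cert-fingerprint` flag named in the commit message — and that wiring is worth naming in the comment so a reader does not assume the fingerprint is derived from the provider.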
diff --git a/service/pixelated/bitmask_libraries/provider.py b/service/pixelated/bitmask_libraries/provider.py
index 5304e662..34e426d7 100644
--- a/service/pixelated/bitmask_libraries/provider.py
+++ b/service/pixelated/bitmask_libraries/provider.py
@@ -17,7 +17,8 @@ import json
from leap.common.certs import get_digest
import requests
-from .certs import which_bootstrap_bundle, which_bundle
+from .certs import which_bootstrap_bundle, which_bundle, which_bootstrap_fingerprint
+from pixelated.support.tls_adapter import EnforceTLSv1Adapter
class LeapProvider(object):
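Review bot: The new absolute import `from pixelated.support.tls_adapter import EnforceTLSv1Adapter` sits below the explicit relative `.certs` import; the usual ordering puts absolute package imports before relative ones, so it belongs directly after `import requests`. The `from .certs import ...` line also grows past a comfortable width with the third name and would read better wrapped in parentheses, one name per line.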
@@ -75,16 +76,10 @@ class LeapProvider(object):
return cert
def _fetch_certificate(self):
- session = requests.session()
- try:
- cert_url = '%s/ca.crt' % self._provider_base_url()
- response = session.get(cert_url, verify=which_bootstrap_bundle(self), timeout=self.config.timeout_in_s)
- response.raise_for_status()
-
- cert_data = response.content
- return cert_data
- finally:
- session.close()
+ cert_url = '%s/ca.crt' % self._provider_base_url()
+ response = self._validated_get(cert_url)
+ cert_data = response.content
+ return cert_data
def validate_certificate(self, cert_data=None):
if cert_data is None:
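Review bot: The `cert_data = response.content` / `return cert_data` pair in `_fetch_certificate` is a leftover from the removed try/finally and no longer earns its intermediate name; `return self._validated_get('%s/ca.crt' % self._provider_base_url()).content` says the same thing, or keep `cert_url` and return `response.content` directly. The method also lacks a docstring; since it now delegates the TLS handling, something like `"""Fetch the provider's CA certificate (ca.crt) over a connection verified by the bootstrap bundle and, if configured, the pinned fingerprint."""` would tell the next reader why the plain `requests.get` is gone. `validate_certificate` starts at the end of this hunk and continues outside it.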
@@ -99,11 +94,19 @@ class LeapProvider(object):
if fingerprint.strip() != digest:
raise Exception('Certificate fingerprints don\'t match')
+ def _validated_get(self, url):
+ session = requests.session()
+ try:
+ session.mount('https://', EnforceTLSv1Adapter(assert_fingerprint=which_bootstrap_fingerprint(self)))
+ response = session.get(url, verify=which_bootstrap_bundle(self), timeout=self.config.timeout_in_s)
+ response.raise_for_status()
+ return response
+ finally:
+ session.close()
+
def fetch_provider_json(self):
url = '%s/provider.json' % self._provider_base_url()
- response = requests.get(url, verify=which_bootstrap_bundle(self), timeout=self.config.timeout_in_s)
- response.raise_for_status()
-
+ response = self._validated_get(url)
json_data = json.loads(response.content)
return json_data
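Review bot: `_validated_get` mounts the fingerprint-asserting adapter only for the `https://` prefix at L75, so if `_provider_base_url()` (defined outside the hunk) can ever yield a plain-http URL the request goes out with neither the adapter nor the `verify=` bundle taking effect; a guard before the mount, `if not url.startswith('https://'):` / `raise ValueError('provider URL must use https: %s' % url)`, would make the assumption fail loudly. Separately, `which_bootstrap_fingerprint(self)` is `None` by default (certs.py initialises `LEAP_FINGERPRINT = None`), and passing `assert_fingerprint=None` presumably disables the fingerprint check in the underlying urllib3 connection so that only CA-bundle verification remains — a comment on the mount line such as `# assert_fingerprint=None: no pinning configured, CA bundle is the only check` would document that fallback. `_validated_get` is now used by both `_fetch_certificate` and `fetch_provider_json`, so a docstring stating that every request through it is verified against the bootstrap bundle and the optional pinned fingerprint would cover both callers.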