diff options
| author | Tulio Casagrande <tcasagra@thoughtworks.com> | 2016-08-29 18:23:14 -0300 |
|---|---|---|
| committer | Tulio Casagrande <tcasagra@thoughtworks.com> | 2016-08-29 18:59:53 -0300 |
| commit | c1a35317fe4ebb82bf7d24dc5d8c171d29c9c501 (patch) | |
| tree | 74878eaccf9ddce91b33284cd8ed5c67910a219a /service/pixelated/bitmask_libraries | |
| parent | 840ade44e23add85fbe97b79ee249fc7c1e6adf2 (diff) | |
[#765] Move combined_ca_bundle to UA initialization
With this change we don't have to create the combined_ca_bundle
for every user at every login.
To support this change, we started migrating away from the
LeapCertificate class that was making the LeapProvider setup
more brittle
Diffstat (limited to 'service/pixelated/bitmask_libraries')
| -rw-r--r-- | service/pixelated/bitmask_libraries/certs.py | 16 | ||||
| -rw-r--r-- | service/pixelated/bitmask_libraries/keymanager.py | 5 | ||||
| -rw-r--r-- | service/pixelated/bitmask_libraries/provider.py | 51 |
3 files changed, 52 insertions, 20 deletions
diff --git a/service/pixelated/bitmask_libraries/certs.py b/service/pixelated/bitmask_libraries/certs.py index e3466d05..9a76a01d 100644 --- a/service/pixelated/bitmask_libraries/certs.py +++ b/service/pixelated/bitmask_libraries/certs.py @@ -14,6 +14,7 @@ # You should have received a copy of the GNU Affero General Public License # along with Pixelated. If not, see <http://www.gnu.org/licenses/>. import os + from pixelated.config import leap_config @@ -38,18 +39,3 @@ class LeapCertificate(object): @property def provider_web_cert(self): return self.LEAP_CERT - - @property - def provider_api_cert(self): - return str(os.path.join(leap_config.leap_home, 'providers', self._server_name, 'keys', 'client', 'api.pem')) - - def setup_ca_bundle(self): - path = os.path.join(leap_config.leap_home, 'providers', self._server_name, 'keys', 'client') - if not os.path.isdir(path): - os.makedirs(path, 0700) - self._download_cert(self.provider_api_cert) - - def _download_cert(self, cert_file_name): - cert = self._provider.fetch_valid_certificate() - with open(cert_file_name, 'w') as file: - file.write(cert) diff --git a/service/pixelated/bitmask_libraries/keymanager.py b/service/pixelated/bitmask_libraries/keymanager.py index 78d6e935..46125a6c 100644 --- a/service/pixelated/bitmask_libraries/keymanager.py +++ b/service/pixelated/bitmask_libraries/keymanager.py @@ -28,9 +28,10 @@ class Keymanager(object): self._email = email_address self.keymanager = KeyManager(self._email, nicknym_url, soledad, - token=token, ca_cert_path=LeapCertificate(provider).provider_api_cert, api_uri=provider.api_uri, + token=token, ca_cert_path=provider.provider_api_cert, api_uri=provider.api_uri, api_version=provider.api_version, - uid=uuid, gpgbinary=leap_config.gpg_binary) + uid=uuid, gpgbinary=leap_config.gpg_binary, + combined_ca_bundle=provider.combined_ca_bundle) @defer.inlineCallbacks def generate_openpgp_key(self): diff --git a/service/pixelated/bitmask_libraries/provider.py b/service/pixelated/bitmask_libraries/provider.py index 02318ec2..97becac8 100644 --- a/service/pixelated/bitmask_libraries/provider.py +++ b/service/pixelated/bitmask_libraries/provider.py @@ -15,9 +15,12 @@ # along with Pixelated. If not, see <http://www.gnu.org/licenses/>. import json import os +import fileinput +import tempfile +import requests from leap.common.certs import get_digest -import requests +from leap.common import ca_bundle from .certs import LeapCertificate from pixelated.config import leap_config from pixelated.support.tls_adapter import EnforceTLSv1Adapter @@ -32,6 +35,10 @@ class LeapProvider(object): self.provider_json = self.fetch_provider_json() @property + def provider_api_cert(self): + return str(os.path.join(leap_config.leap_home, 'providers', self.server_name, 'keys', 'client', 'api.pem')) + + @property def api_uri(self): return self.provider_json.get('api_uri') @@ -140,14 +147,14 @@ class LeapProvider(object): def fetch_soledad_json(self): service_url = "%s/%s/config/soledad-service.json" % ( self.api_uri, self.api_version) - response = requests.get(service_url, verify=LeapCertificate(self).provider_api_cert, timeout=REQUESTS_TIMEOUT) + response = requests.get(service_url, verify=self.provider_api_cert, timeout=REQUESTS_TIMEOUT) response.raise_for_status() return json.loads(response.content) def fetch_smtp_json(self): service_url = '%s/%s/config/smtp-service.json' % ( self.api_uri, self.api_version) - response = requests.get(service_url, verify=LeapCertificate(self).provider_api_cert, timeout=REQUESTS_TIMEOUT) + response = requests.get(service_url, verify=self.provider_api_cert, timeout=REQUESTS_TIMEOUT) response.raise_for_status() return json.loads(response.content) @@ -166,3 +173,41 @@ class LeapProvider(object): def _discover_nicknym_server(self): return 'https://nicknym.%s:6425/' % self.domain + + def create_combined_bundle_file(self): + leap_ca_bundle = ca_bundle.where() + + if self.provider_api_cert == leap_ca_bundle: + return self.provider_api_cert + elif not self.provider_api_cert: + return leap_ca_bundle + + tmp_file = tempfile.NamedTemporaryFile(delete=False) + + with open(tmp_file.name, 'w') as fout: + fin = fileinput.input(files=(leap_ca_bundle, self.provider_api_cert)) + for line in fin: + fout.write(line) + fin.close() + + self.combined_ca_bundle = tmp_file.name + + def setup_ca_bundle(self): + path = os.path.join(leap_config.leap_home, 'providers', self.server_name, 'keys', 'client') + if not os.path.isdir(path): + os.makedirs(path, 0700) + self._download_cert(self.provider_api_cert) + + def _download_cert(self, cert_file_name): + cert = self.fetch_valid_certificate() + with open(cert_file_name, 'w') as file: + file.write(cert) + + def setup_ca(self): + self.download_certificate() + self.setup_ca_bundle() + self.create_combined_bundle_file() + + def download_settings(self): + self.download_soledad_json() + self.download_smtp_json() |