authorFolker Bernitt <fbernitt@thoughtworks.com>2015-03-27 11:14:14 +0100
committerFolker Bernitt <fbernitt@thoughtworks.com>2015-03-30 11:10:23 +0200
commit2ec7bcfd32c2151e2e42ae7b19631dcc4018f93e (patch)
treef0567d6381d18c24bc33ce8b3587c5c2db6017ef /service/pixelated
parent9404478d8e29be008e2e2c72e0a51dc7649f4d31 (diff)
Splitting certificate validation into provider and bootstrap certificate.
- Issue #333 - A different certificate is now used to communicate with the provider's HTTPS website than for all other connections, e.g. to the API
Diffstat (limited to 'service/pixelated')
-rw-r--r--service/pixelated/bitmask_libraries/certs.py45
-rw-r--r--service/pixelated/bitmask_libraries/config.py4
-rw-r--r--service/pixelated/bitmask_libraries/provider.py6
3 files changed, 39 insertions, 16 deletions
diff --git a/service/pixelated/bitmask_libraries/certs.py b/service/pixelated/bitmask_libraries/certs.py
index 4ee28a19..bafc809d 100644
--- a/service/pixelated/bitmask_libraries/certs.py
+++ b/service/pixelated/bitmask_libraries/certs.py
@@ -27,7 +27,13 @@ LEAP_CERT = None
def which_bundle(provider):
if LEAP_CERT:
return LEAP_CERT
- return str(LeapCertificate(provider).auto_detect_ca_bundle())
+ return str(LeapCertificate(provider).provider_ca_bundle())
+
+
+def which_bootstrap_bundle(provider):
+ if LEAP_CERT:
+ return LEAP_CERT
+ return str(LeapCertificate(provider).auto_detect_bootstrap_ca_bundle())
class LeapCertificate(object):
@@ -35,18 +41,37 @@ class LeapCertificate(object):
self._config = provider.config
self._server_name = provider.server_name
self._certs_home = self._config.certs_home
+ self._provider = provider
- def auto_detect_ca_bundle(self):
- if self._config.ca_cert_bundle == AUTO_DETECT_CA_BUNDLE:
- local_cert = self._local_server_cert()
+ def auto_detect_bootstrap_ca_bundle(self):
+ if self._config.bootstrap_ca_cert_bundle == AUTO_DETECT_CA_BUNDLE:
+ local_cert = self._local_bootstrap_server_cert()
if local_cert:
return local_cert
else:
return ca_bundle.where()
else:
- return self._config.ca_cert_bundle
+ return self._config.bootstrap_ca_cert_bundle
+
+ def provider_ca_bundle(self):
+ if self._provider.config.ca_cert_bundle:
+ return self._provider.config.ca_cert_bundle
+
+ certs_root = self._provider_certs_root_path()
+ cert_file = os.path.join(certs_root, 'provider.pem')
+
+ if not os.path.isfile(cert_file):
+ self._download_server_cert(cert_file)
+
+ return cert_file
+
+ def _provider_certs_root_path(self):
+ path = os.path.join(self._provider.config.leap_home, 'providers', self._server_name, 'keys', 'client')
+ if not os.path.isdir(path):
+ os.makedirs(path, 0700)
+ return path
- def _local_server_cert(self):
+ def _local_bootstrap_server_cert(self):
cert_file = os.path.join(self._certs_home, '%s.ca.crt' % self._server_name)
if not os.path.isfile(cert_file):
self._download_server_cert(cert_file)
@@ -54,11 +79,7 @@ class LeapCertificate(object):
return cert_file
def _download_server_cert(self, cert_file_name):
- response = requests.get('https://%s/provider.json' % self._server_name)
- provider_data = json.loads(response.content)
- ca_cert_uri = str(provider_data['ca_cert_uri'])
+ cert = self._provider.fetch_valid_certificate()
- response = requests.get(ca_cert_uri)
with open(cert_file_name, 'w') as file:
- file.write(response.content)
- file.close
+ file.write(cert)
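Review bot: The bootstrap path can re-enter itself: `_download_server_cert` now calls `self._provider.fetch_valid_certificate()`, which (per the provider.py hunk) verifies with `which_bootstrap_bundle(self)`, and that resolves through `_local_bootstrap_server_cert`, which calls `_download_server_cert` again whenever the bootstrap file is missing — so, as far as the visible lines show, the first bootstrap fetch recurses until the recursion limit unless the lines of `_local_bootstrap_server_cert` hidden between the hunks break the cycle. The bootstrap download should not depend on a verifier that needs the bootstrap file itself; verify that one fetch with `ca_bundle.where()` directly and add a comment on `_download_server_cert` naming which bundle protects the fetch. Separately, `provider_ca_bundle` tests `if self._provider.config.ca_cert_bundle:` while the bootstrap method compares `== AUTO_DETECT_CA_BUNDLE`, and `ca_cert_bundle` defaults to `AUTO_DETECT_CA_BUNDLE` (config.py hunk), so if that sentinel is truthy it is handed to requests as a bundle path instead of triggering the download; the condition should be `if self._provider.config.ca_cert_bundle != AUTO_DETECT_CA_BUNDLE:` (or combine both checks if `None` is also meant to mean auto-detect). Also, `provider.pem` is written non-atomically and then trusted indefinitely by the `os.path.isfile` check, so an interrupted write leaves a truncated file that is never refreshed; write to a temporary name in the same directory and `os.rename` it over `cert_file_name`. `_local_bootstrap_server_cert` continues outside the hunk.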
diff --git a/service/pixelated/bitmask_libraries/config.py b/service/pixelated/bitmask_libraries/config.py
index db0df762..56f28706 100644
--- a/service/pixelated/bitmask_libraries/config.py
+++ b/service/pixelated/bitmask_libraries/config.py
@@ -42,7 +42,8 @@ class LeapConfig(object):
"""
- def __init__(self, leap_home=DEFAULT_LEAP_HOME, ca_cert_bundle=AUTO_DETECT_CA_BUNDLE, verify_ssl=True,
+ def __init__(self, leap_home=DEFAULT_LEAP_HOME, bootstrap_ca_cert_bundle=AUTO_DETECT_CA_BUNDLE,
+ ca_cert_bundle=AUTO_DETECT_CA_BUNDLE, verify_ssl=True,
fetch_interval_in_s=30,
timeout_in_s=15, start_background_jobs=False, gpg_binary=discover_gpg_binary(), certs_home=None):
"""
@@ -75,6 +76,7 @@ class LeapConfig(object):
"""
self.leap_home = leap_home
self.certs_home = certs_home
+ self.bootstrap_ca_cert_bundle = bootstrap_ca_cert_bundle
self.ca_cert_bundle = ca_cert_bundle
self.verify_ssl = verify_ssl
self.timeout_in_s = timeout_in_s
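Review bot: Inserting `bootstrap_ca_cert_bundle` ahead of `ca_cert_bundle` in the positional parameter list silently re-targets any existing caller that passes its CA bundle positionally: `LeapConfig(home, '/path/to/ca.pem')` now sets the bootstrap bundle and leaves `ca_cert_bundle` at the auto-detect default, with no error and a different set of connections being verified against that file. Safer to append the new parameter after `certs_home` (Python 2 has no keyword-only arguments to enforce this), or at minimum check every caller and state the reordering in the commit message. The parameter section of the `__init__` docstring lies between the two hunks and should gain an entry for `bootstrap_ca_cert_bundle` that states it is the bundle used to verify the provider's own HTTPS site while its CA is being fetched, and how it differs from `ca_cert_bundle`. `__init__` continues outside the hunk.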
diff --git a/service/pixelated/bitmask_libraries/provider.py b/service/pixelated/bitmask_libraries/provider.py
index 4fe5f17d..5304e662 100644
--- a/service/pixelated/bitmask_libraries/provider.py
+++ b/service/pixelated/bitmask_libraries/provider.py
@@ -17,7 +17,7 @@ import json
from leap.common.certs import get_digest
import requests
-from .certs import which_bundle
+from .certs import which_bootstrap_bundle, which_bundle
class LeapProvider(object):
@@ -78,7 +78,7 @@ class LeapProvider(object):
session = requests.session()
try:
cert_url = '%s/ca.crt' % self._provider_base_url()
- response = session.get(cert_url, verify=which_bundle(self), timeout=self.config.timeout_in_s)
+ response = session.get(cert_url, verify=which_bootstrap_bundle(self), timeout=self.config.timeout_in_s)
response.raise_for_status()
cert_data = response.content
@@ -101,7 +101,7 @@ class LeapProvider(object):
def fetch_provider_json(self):
url = '%s/provider.json' % self._provider_base_url()
- response = requests.get(url, verify=which_bundle(self), timeout=self.config.timeout_in_s)
+ response = requests.get(url, verify=which_bootstrap_bundle(self), timeout=self.config.timeout_in_s)
response.raise_for_status()
json_data = json.loads(response.content)