author | Tulio Casagrande <tcasagra@thoughtworks.com> | 2016-08-29 18:23:14 -0300 |
---|---|---|
committer | Tulio Casagrande <tcasagra@thoughtworks.com> | 2016-08-29 18:59:53 -0300 |
commit | c1a35317fe4ebb82bf7d24dc5d8c171d29c9c501 (patch) | |
tree | 74878eaccf9ddce91b33284cd8ed5c67910a219a /service | |
parent | 840ade44e23add85fbe97b79ee249fc7c1e6adf2 (diff) |
[#765] Move combined_ca_bundle to UA initialization
With this change we don't have to create the combined_ca_bundle
for every user at every login.
To support this change, we started migrating away from the
LeapCertificate class that was making the LeapProvider setup
more brittle.
Diffstat (limited to 'service')
-rw-r--r-- | service/pixelated/bitmask_libraries/certs.py | 16 | ||||
-rw-r--r-- | service/pixelated/bitmask_libraries/keymanager.py | 5 | ||||
-rw-r--r-- | service/pixelated/bitmask_libraries/provider.py | 51 | ||||
-rw-r--r-- | service/pixelated/config/leap.py | 6 | ||||
-rw-r--r-- | service/pixelated/config/sessions.py | 4 | ||||
-rw-r--r-- | service/pixelated/register.py | 4 | ||||
-rw-r--r-- | service/test/unit/bitmask_libraries/test_certs.py | 5 | ||||
-rw-r--r-- | service/test/unit/bitmask_libraries/test_keymanager.py | 6 | ||||
-rw-r--r-- | service/test/unit/bitmask_libraries/test_provider.py | 10 |
9 files changed, 70 insertions, 37 deletions
diff --git a/service/pixelated/bitmask_libraries/certs.py b/service/pixelated/bitmask_libraries/certs.py
index e3466d05..9a76a01d 100644
--- a/service/pixelated/bitmask_libraries/certs.py
+++ b/service/pixelated/bitmask_libraries/certs.py
@@ -14,6 +14,7 @@
 # You should have received a copy of the GNU Affero General Public License # along with Pixelated. If not, see <http://www.gnu.org/licenses/>. import os + from pixelated.config import leap_config
@@ -38,18 +39,3 @@ class LeapCertificate(object):
 @property def provider_web_cert(self): return self.LEAP_CERT - - @property def provider_api_cert(self): return str(os.path.join(leap_config.leap_home, 'providers', self._server_name, 'keys', 'client', 'api.pem')) - - def setup_ca_bundle(self): path = os.path.join(leap_config.leap_home, 'providers', self._server_name, 'keys', 'client') if not os.path.isdir(path): os.makedirs(path, 0700) self._download_cert(self.provider_api_cert) - - def _download_cert(self, cert_file_name): cert = self._provider.fetch_valid_certificate() with open(cert_file_name, 'w') as file: file.write(cert)
diff --git a/service/pixelated/bitmask_libraries/keymanager.py b/service/pixelated/bitmask_libraries/keymanager.py
index 78d6e935..46125a6c 100644
--- a/service/pixelated/bitmask_libraries/keymanager.py
+++ b/service/pixelated/bitmask_libraries/keymanager.py
@@ -28,9 +28,10 @@ class Keymanager(object):
 self._email = email_address self.keymanager = KeyManager(self._email, nicknym_url, soledad, - token=token, ca_cert_path=LeapCertificate(provider).provider_api_cert, api_uri=provider.api_uri, + token=token, ca_cert_path=provider.provider_api_cert, api_uri=provider.api_uri, api_version=provider.api_version, - uid=uuid, gpgbinary=leap_config.gpg_binary) + uid=uuid, gpgbinary=leap_config.gpg_binary, + combined_ca_bundle=provider.combined_ca_bundle) @defer.inlineCallbacks def generate_openpgp_key(self): 
diff --git a/service/pixelated/bitmask_libraries/provider.py b/service/pixelated/bitmask_libraries/provider.py
index 02318ec2..97becac8 100644
--- a/service/pixelated/bitmask_libraries/provider.py
+++ b/service/pixelated/bitmask_libraries/provider.py
@@ -15,9 +15,12 @@
 # along with Pixelated. If not, see <http://www.gnu.org/licenses/>. import json import os +import fileinput +import tempfile +import requests from leap.common.certs import get_digest -import requests +from leap.common import ca_bundle from .certs import LeapCertificate from pixelated.config import leap_config from pixelated.support.tls_adapter import EnforceTLSv1Adapter
@@ -32,6 +35,10 @@ class LeapProvider(object):
 self.provider_json = self.fetch_provider_json() @property + def provider_api_cert(self): + return str(os.path.join(leap_config.leap_home, 'providers', self.server_name, 'keys', 'client', 'api.pem')) + + @property def api_uri(self): return self.provider_json.get('api_uri')
@@ -140,14 +147,14 @@ class LeapProvider(object):
 def fetch_soledad_json(self): service_url = "%s/%s/config/soledad-service.json" % ( self.api_uri, self.api_version) - response = requests.get(service_url, verify=LeapCertificate(self).provider_api_cert, timeout=REQUESTS_TIMEOUT) + response = requests.get(service_url, verify=self.provider_api_cert, timeout=REQUESTS_TIMEOUT) response.raise_for_status() return json.loads(response.content) def fetch_smtp_json(self): service_url = '%s/%s/config/smtp-service.json' % ( self.api_uri, self.api_version) - response = requests.get(service_url, verify=LeapCertificate(self).provider_api_cert, timeout=REQUESTS_TIMEOUT) + response = requests.get(service_url, verify=self.provider_api_cert, timeout=REQUESTS_TIMEOUT) response.raise_for_status() return json.loads(response.content) 
@@ -166,3 +173,41 @@ class LeapProvider(object):
 def _discover_nicknym_server(self): return 'https://nicknym.%s:6425/' % self.domain + + def create_combined_bundle_file(self): leap_ca_bundle = ca_bundle.where() + if self.provider_api_cert == leap_ca_bundle: return self.provider_api_cert elif not self.provider_api_cert: return leap_ca_bundle + tmp_file = tempfile.NamedTemporaryFile(delete=False) + with open(tmp_file.name, 'w') as fout: fin = fileinput.input(files=(leap_ca_bundle, self.provider_api_cert)) for line in fin: fout.write(line) fin.close() + self.combined_ca_bundle = tmp_file.name + def setup_ca_bundle(self): path = os.path.join(leap_config.leap_home, 'providers', self.server_name, 'keys', 'client') if not os.path.isdir(path): os.makedirs(path, 0700) self._download_cert(self.provider_api_cert) + def _download_cert(self, cert_file_name): cert = self.fetch_valid_certificate() with open(cert_file_name, 'w') as file: file.write(cert) + def setup_ca(self): self.download_certificate() self.setup_ca_bundle() self.create_combined_bundle_file() + def download_settings(self): self.download_soledad_json() self.download_smtp_json()
diff --git a/service/pixelated/config/leap.py b/service/pixelated/config/leap.py
index 371c0dc8..42eb495d 100644
--- a/service/pixelated/config/leap.py
+++ b/service/pixelated/config/leap.py
@@ -19,10 +19,8 @@ def initialize_leap_provider(provider_hostname, provider_cert, provider_fingerpr
 provider_fingerprint) leap_config.set_leap_home(leap_home) provider = LeapProvider(provider_hostname) - provider.download_certificate() - LeapCertificate(provider).setup_ca_bundle() - provider.download_soledad_json() - provider.download_smtp_json() + provider.setup_ca() + provider.download_settings() return provider
diff --git a/service/pixelated/config/sessions.py b/service/pixelated/config/sessions.py
index ed492ea9..9ce0a212 100644
--- a/service/pixelated/config/sessions.py 
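Review bot: `create_combined_bundle_file` leaves `self.combined_ca_bundle` unset on both early-return branches, and since `provider_api_cert` always returns a non-empty `str`, the `elif not self.provider_api_cert` branch cannot be taken; `Keymanager` (keymanager.py hunk) reads `provider.combined_ca_bundle` unconditionally, so a provider whose API cert path equals `ca_bundle.where()` would raise `AttributeError` unless `__init__` initialises the attribute (not visible here). The method also creates the bundle with `NamedTemporaryFile(delete=False)` and then re-opens the same path by name in a shared temp directory, leaving the original handle open and discarding the descriptor it already holds; writing through that handle removes the re-open and the `fileinput` detour. The rewrite below assigns the attribute on every path and returns it; the `delete=False` file is still never removed, so a shutdown cleanup (or reuse of an existing bundle) is worth a follow-up.
```python
    def create_combined_bundle_file(self):
        leap_ca_bundle = ca_bundle.where()

        if self.provider_api_cert == leap_ca_bundle:
            self.combined_ca_bundle = leap_ca_bundle
            return self.combined_ca_bundle
        elif not self.provider_api_cert:
            self.combined_ca_bundle = leap_ca_bundle
            return self.combined_ca_bundle

        # write through the descriptor NamedTemporaryFile already holds
        # instead of re-opening the path by name
        with tempfile.NamedTemporaryFile(mode='w', delete=False) as fout:
            for cert_path in (leap_ca_bundle, self.provider_api_cert):
                with open(cert_path) as fin:
                    fout.write(fin.read())

        self.combined_ca_bundle = fout.name
        return self.combined_ca_bundle

    # … unchanged: setup_ca_bundle, _download_cert, setup_ca, download_settings …
```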
+++ b/service/pixelated/config/sessions.py
@@ -43,7 +43,7 @@ class LeapSessionFactory(object):
 self._create_database_dir(auth.uuid) - api_cert = LeapCertificate(self._provider).provider_api_cert + api_cert = self._provider.provider_api_cert soledad = yield self.setup_soledad(auth.token, auth.uuid, password, api_cert)
@@ -283,7 +283,7 @@ class SmtpClientCertificate(object):
 cert_url, params=params, data=params, - verify=LeapCertificate(self._provider).provider_api_cert, + verify=self._provider.provider_api_cert, timeout=15, headers=headers) response.raise_for_status()
diff --git a/service/pixelated/register.py b/service/pixelated/register.py
index 93b55872..eaa80937 100644
--- a/service/pixelated/register.py
+++ b/service/pixelated/register.py
@@ -53,8 +53,8 @@ def register(
 LeapCertificate.set_cert_and_fingerprint(provider_cert, provider_cert_fingerprint) config = LeapConfig(leap_home=leap_home) provider = LeapProvider(server_name) - LeapCertificate(provider).setup_ca_bundle() - srp_auth = SRPAuth(provider.api_uri, LeapCertificate(provider).provider_api_cert) + provider.setup_ca_bundle() + srp_auth = SRPAuth(provider.api_uri, provider.provider_api_cert) if srp_auth.register(username, password): LeapSessionFactory(provider).create(username, password)
diff --git a/service/test/unit/bitmask_libraries/test_certs.py b/service/test/unit/bitmask_libraries/test_certs.py
index bd9b32d3..9885759e 100644
--- a/service/test/unit/bitmask_libraries/test_certs.py
+++ b/service/test/unit/bitmask_libraries/test_certs.py
@@ -35,8 +35,3 @@ class CertsTest(unittest.TestCase):
 self.assertIsNone(certs.LEAP_FINGERPRINT) self.assertEqual(True, certs.provider_web_cert) - - def test_provider_api_cert(self): certs = LeapCertificate(self.provider).provider_api_cert - - self.assertEqual('/some/leap/home/providers/test.leap.net/keys/client/api.pem', certs) 
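Review bot: The registration path in register.py calls only `provider.setup_ca_bundle()` and never `setup_ca()` or `create_combined_bundle_file()`, so `provider.combined_ca_bundle` is not set when `LeapSessionFactory(provider).create(username, password)` runs; if that session setup constructs a `Keymanager` (which now reads `provider.combined_ca_bundle`, keymanager.py hunk), registration would fail with `AttributeError`. The simplest fix is to mirror leap.py: `provider.setup_ca()` in place of `provider.setup_ca_bundle()`, which also runs `download_certificate()` before the bundle is written. `register`'s body continues outside the hunk, so check that the certificate download is not already performed earlier in it.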
diff --git a/service/test/unit/bitmask_libraries/test_keymanager.py b/service/test/unit/bitmask_libraries/test_keymanager.py
index 1a1038b8..2d20e971 100644
--- a/service/test/unit/bitmask_libraries/test_keymanager.py
+++ b/service/test/unit/bitmask_libraries/test_keymanager.py
@@ -26,8 +26,9 @@ from pixelated.config import leap_config
 class KeymanagerTest(AbstractLeapTest): @patch('pixelated.bitmask_libraries.keymanager.KeyManager') def test_that_keymanager_is_created(self, keymanager_mock): - LeapCertificate.provider_api_cert = '/some/path/to/provider_ca_cert' when(self.provider)._discover_nicknym_server().thenReturn('https://nicknym.some-server.test:6425/') + self.provider.combined_ca_bundle = 'combined_ca_bundle' + self.provider.provider_api_cert = '/some/path/to/provider_ca_cert' leap_config.gpg_binary = '/path/to/gpg' Keymanager(self.provider,
@@ -45,7 +46,8 @@ class KeymanagerTest(AbstractLeapTest):
 api_uri='https://api.some-server.test:4430', api_version='1', uid=self.auth.uuid, - gpgbinary='/path/to/gpg') + gpgbinary='/path/to/gpg', + combined_ca_bundle='combined_ca_bundle') @patch('pixelated.bitmask_libraries.keymanager.KeyManager') def test_gen_key(self, keymanager_mock):
diff --git a/service/test/unit/bitmask_libraries/test_provider.py b/service/test/unit/bitmask_libraries/test_provider.py
index 1284698f..4e7c565f 100644
--- a/service/test/unit/bitmask_libraries/test_provider.py
+++ b/service/test/unit/bitmask_libraries/test_provider.py 
@@ -207,13 +207,12 @@ class LeapProviderTest(AbstractLeapTest):
 def test_that_provider_cert_is_used_to_fetch_soledad_json(self): get_func = MagicMock(wraps=requests.get) - LeapCertificate.provider_api_cert = PROVIDER_API_CERT with patch('pixelated.bitmask_libraries.provider.requests.get', new=get_func): with HTTMock(provider_json_mock, soledad_json_mock, not_found_mock): provider = LeapProvider('some-provider.test') provider.fetch_soledad_json() - get_func.assert_called_with('https://api.some-provider.test:4430/1/config/soledad-service.json', verify=PROVIDER_API_CERT, timeout=15) + get_func.assert_called_with('https://api.some-provider.test:4430/1/config/soledad-service.json', verify='/some/leap/home/providers/some-provider.test/keys/client/api.pem', timeout=15) def test_that_leap_fingerprint_is_validated(self): session = MagicMock(wraps=requests.session())
@@ -227,3 +226,10 @@ class LeapProviderTest(AbstractLeapTest):
 session.get.assert_any_call('https://some-provider.test/ca.crt', verify=False, timeout=15) session.mount.assert_called_with('https://', ANY) + + def test_provider_api_cert(self): with HTTMock(provider_json_mock): provider = LeapProvider('some-provider.test') certs = provider.provider_api_cert + + self.assertEqual('/some/leap/home/providers/some-provider.test/keys/client/api.pem', certs) |
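Review bot: The new `create_combined_bundle_file`, `setup_ca` and `download_settings` methods added in provider.py get no test in this commit; the added `test_provider_api_cert` only pins the path string. A test that points `provider_api_cert` at a small fixture file, patches `ca_bundle.where` to return a second fixture, calls `create_combined_bundle_file()` and asserts that `provider.combined_ca_bundle` names a file containing both PEM blocks (removing it afterwards) would cover the bundle-writing path, including the early-return branches where the attribute is currently never assigned. The hard-coded `/some/leap/home` prefix presumably comes from `AbstractLeapTest` setting `leap_config.leap_home`; a short comment on the assertion, e.g. `# leap_home is fixed by AbstractLeapTest`, would make that coupling visible.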