[#765] Move combined_ca_bundle to UA initialization

With this change we don't have to create the combined_ca_bundle
for every user at every login.

To support this change, we started migrating away from the
LeapCertificate class that was making the LeapProvider setup
more brittle

9 files changed, 70 insertions, 37 deletions

diff --git a/service/pixelated/bitmask_libraries/certs.py b/service/pixelated/bitmask_libraries/certs.py
index e3466d05..9a76a01d 100644
--- a/service/pixelated/bitmask_libraries/certs.py
+++ b/service/pixelated/bitmask_libraries/certs.py
@@ -14,6 +14,7 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with Pixelated. If not, see <http://www.gnu.org/licenses/>.
 import os
+
 from pixelated.config import leap_config
 
 
@@ -38,18 +39,3 @@ class LeapCertificate(object):
     @property
     def provider_web_cert(self):
         return self.LEAP_CERT
-
-    @property
-    def provider_api_cert(self):
-        return str(os.path.join(leap_config.leap_home, 'providers', self._server_name, 'keys', 'client', 'api.pem'))
-
-    def setup_ca_bundle(self):
-        path = os.path.join(leap_config.leap_home, 'providers', self._server_name, 'keys', 'client')
-        if not os.path.isdir(path):
-            os.makedirs(path, 0700)
-        self._download_cert(self.provider_api_cert)
-
-    def _download_cert(self, cert_file_name):
-        cert = self._provider.fetch_valid_certificate()
-        with open(cert_file_name, 'w') as file:
-            file.write(cert)
diff --git a/service/pixelated/bitmask_libraries/keymanager.py b/service/pixelated/bitmask_libraries/keymanager.py
index 78d6e935..46125a6c 100644
--- a/service/pixelated/bitmask_libraries/keymanager.py
+++ b/service/pixelated/bitmask_libraries/keymanager.py
@@ -28,9 +28,10 @@ class Keymanager(object):
         self._email = email_address
         self.keymanager = KeyManager(self._email, nicknym_url,
                                      soledad,
-                                     token=token, ca_cert_path=LeapCertificate(provider).provider_api_cert, api_uri=provider.api_uri,
+                                     token=token, ca_cert_path=provider.provider_api_cert, api_uri=provider.api_uri,
                                      api_version=provider.api_version,
-                                     uid=uuid, gpgbinary=leap_config.gpg_binary)
+                                     uid=uuid, gpgbinary=leap_config.gpg_binary,
+                                     combined_ca_bundle=provider.combined_ca_bundle)
 
     @defer.inlineCallbacks
     def generate_openpgp_key(self):
diff --git a/service/pixelated/bitmask_libraries/provider.py b/service/pixelated/bitmask_libraries/provider.py
index 02318ec2..97becac8 100644
--- a/service/pixelated/bitmask_libraries/provider.py
+++ b/service/pixelated/bitmask_libraries/provider.py
@@ -15,9 +15,12 @@
 # along with Pixelated. If not, see <http://www.gnu.org/licenses/>.
 import json
 import os
+import fileinput
+import tempfile
+import requests
 
 from leap.common.certs import get_digest
-import requests
+from leap.common import ca_bundle
 from .certs import LeapCertificate
 from pixelated.config import leap_config
 from pixelated.support.tls_adapter import EnforceTLSv1Adapter
@@ -32,6 +35,10 @@ class LeapProvider(object):
         self.provider_json = self.fetch_provider_json()
 
     @property
+    def provider_api_cert(self):
+        return str(os.path.join(leap_config.leap_home, 'providers', self.server_name, 'keys', 'client', 'api.pem'))
+
+    @property
     def api_uri(self):
         return self.provider_json.get('api_uri')
 
@@ -140,14 +147,14 @@ class LeapProvider(object):
     def fetch_soledad_json(self):
         service_url = "%s/%s/config/soledad-service.json" % (
             self.api_uri, self.api_version)
-        response = requests.get(service_url, verify=LeapCertificate(self).provider_api_cert, timeout=REQUESTS_TIMEOUT)
+        response = requests.get(service_url, verify=self.provider_api_cert, timeout=REQUESTS_TIMEOUT)
         response.raise_for_status()
         return json.loads(response.content)
 
     def fetch_smtp_json(self):
         service_url = '%s/%s/config/smtp-service.json' % (
             self.api_uri, self.api_version)
-        response = requests.get(service_url, verify=LeapCertificate(self).provider_api_cert, timeout=REQUESTS_TIMEOUT)
+        response = requests.get(service_url, verify=self.provider_api_cert, timeout=REQUESTS_TIMEOUT)
         response.raise_for_status()
         return json.loads(response.content)
 
@@ -166,3 +173,41 @@ class LeapProvider(object):
 
     def _discover_nicknym_server(self):
         return 'https://nicknym.%s:6425/' % self.domain
+
+    def create_combined_bundle_file(self):
+        leap_ca_bundle = ca_bundle.where()
+
+        if self.provider_api_cert == leap_ca_bundle:
+            return self.provider_api_cert
+        elif not self.provider_api_cert:
+            return leap_ca_bundle
+
+        tmp_file = tempfile.NamedTemporaryFile(delete=False)
+
+        with open(tmp_file.name, 'w') as fout:
+            fin = fileinput.input(files=(leap_ca_bundle, self.provider_api_cert))
+            for line in fin:
+                fout.write(line)
+            fin.close()
+
+        self.combined_ca_bundle = tmp_file.name
+
+    def setup_ca_bundle(self):
+        path = os.path.join(leap_config.leap_home, 'providers', self.server_name, 'keys', 'client')
+        if not os.path.isdir(path):
+            os.makedirs(path, 0700)
+        self._download_cert(self.provider_api_cert)
+
+    def _download_cert(self, cert_file_name):
+        cert = self.fetch_valid_certificate()
+        with open(cert_file_name, 'w') as file:
+            file.write(cert)
+
+    def setup_ca(self):
+        self.download_certificate()
+        self.setup_ca_bundle()
+        self.create_combined_bundle_file()
+
+    def download_settings(self):
+        self.download_soledad_json()
+        self.download_smtp_json()
diff --git a/service/pixelated/config/leap.py b/service/pixelated/config/leap.py
index 371c0dc8..42eb495d 100644
--- a/service/pixelated/config/leap.py
+++ b/service/pixelated/config/leap.py
@@ -19,10 +19,8 @@ def initialize_leap_provider(provider_hostname, provider_cert, provider_fingerpr
                                              provider_fingerprint)
     leap_config.set_leap_home(leap_home)
     provider = LeapProvider(provider_hostname)
-    provider.download_certificate()
-    LeapCertificate(provider).setup_ca_bundle()
-    provider.download_soledad_json()
-    provider.download_smtp_json()
+    provider.setup_ca()
+    provider.download_settings()
     return provider
 
 
diff --git a/service/pixelated/config/sessions.py b/service/pixelated/config/sessions.py
index ed492ea9..9ce0a212 100644
--- a/service/pixelated/config/sessions.py
+++ b/service/pixelated/config/sessions.py
@@ -43,7 +43,7 @@ class LeapSessionFactory(object):
 
         self._create_database_dir(auth.uuid)
 
-        api_cert = LeapCertificate(self._provider).provider_api_cert
+        api_cert = self._provider.provider_api_cert
 
         soledad = yield self.setup_soledad(auth.token, auth.uuid, password, api_cert)
 
@@ -283,7 +283,7 @@ class SmtpClientCertificate(object):
             cert_url,
             params=params,
             data=params,
-            verify=LeapCertificate(self._provider).provider_api_cert,
+            verify=self._provider.provider_api_cert,
             timeout=15,
             headers=headers)
         response.raise_for_status()
diff --git a/service/pixelated/register.py b/service/pixelated/register.py
index 93b55872..eaa80937 100644
--- a/service/pixelated/register.py
+++ b/service/pixelated/register.py
@@ -53,8 +53,8 @@ def register(
     LeapCertificate.set_cert_and_fingerprint(provider_cert, provider_cert_fingerprint)
     config = LeapConfig(leap_home=leap_home)
     provider = LeapProvider(server_name)
-    LeapCertificate(provider).setup_ca_bundle()
-    srp_auth = SRPAuth(provider.api_uri, LeapCertificate(provider).provider_api_cert)
+    provider.setup_ca_bundle()
+    srp_auth = SRPAuth(provider.api_uri, provider.provider_api_cert)
 
     if srp_auth.register(username, password):
         LeapSessionFactory(provider).create(username, password)
diff --git a/service/test/unit/bitmask_libraries/test_certs.py b/service/test/unit/bitmask_libraries/test_certs.py
index bd9b32d3..9885759e 100644
--- a/service/test/unit/bitmask_libraries/test_certs.py
+++ b/service/test/unit/bitmask_libraries/test_certs.py
@@ -35,8 +35,3 @@ class CertsTest(unittest.TestCase):
 
         self.assertIsNone(certs.LEAP_FINGERPRINT)
         self.assertEqual(True, certs.provider_web_cert)
-
-    def test_provider_api_cert(self):
-        certs = LeapCertificate(self.provider).provider_api_cert
-
-        self.assertEqual('/some/leap/home/providers/test.leap.net/keys/client/api.pem', certs)
diff --git a/service/test/unit/bitmask_libraries/test_keymanager.py b/service/test/unit/bitmask_libraries/test_keymanager.py
index 1a1038b8..2d20e971 100644
--- a/service/test/unit/bitmask_libraries/test_keymanager.py
+++ b/service/test/unit/bitmask_libraries/test_keymanager.py
@@ -26,8 +26,9 @@ from pixelated.config import leap_config
 class KeymanagerTest(AbstractLeapTest):
     @patch('pixelated.bitmask_libraries.keymanager.KeyManager')
     def test_that_keymanager_is_created(self, keymanager_mock):
-        LeapCertificate.provider_api_cert = '/some/path/to/provider_ca_cert'
         when(self.provider)._discover_nicknym_server().thenReturn('https://nicknym.some-server.test:6425/')
+        self.provider.combined_ca_bundle = 'combined_ca_bundle'
+        self.provider.provider_api_cert = '/some/path/to/provider_ca_cert'
         leap_config.gpg_binary = '/path/to/gpg'
 
         Keymanager(self.provider,
@@ -45,7 +46,8 @@ class KeymanagerTest(AbstractLeapTest):
             api_uri='https://api.some-server.test:4430',
             api_version='1',
             uid=self.auth.uuid,
-            gpgbinary='/path/to/gpg')
+            gpgbinary='/path/to/gpg',
+            combined_ca_bundle='combined_ca_bundle')
 
     @patch('pixelated.bitmask_libraries.keymanager.KeyManager')
     def test_gen_key(self, keymanager_mock):
diff --git a/service/test/unit/bitmask_libraries/test_provider.py b/service/test/unit/bitmask_libraries/test_provider.py
index 1284698f..4e7c565f 100644
--- a/service/test/unit/bitmask_libraries/test_provider.py
+++ b/service/test/unit/bitmask_libraries/test_provider.py
@@ -207,13 +207,12 @@ class LeapProviderTest(AbstractLeapTest):
 
     def test_that_provider_cert_is_used_to_fetch_soledad_json(self):
         get_func = MagicMock(wraps=requests.get)
-        LeapCertificate.provider_api_cert = PROVIDER_API_CERT
 
         with patch('pixelated.bitmask_libraries.provider.requests.get', new=get_func):
             with HTTMock(provider_json_mock, soledad_json_mock, not_found_mock):
                 provider = LeapProvider('some-provider.test')
                 provider.fetch_soledad_json()
-        get_func.assert_called_with('https://api.some-provider.test:4430/1/config/soledad-service.json', verify=PROVIDER_API_CERT, timeout=15)
+        get_func.assert_called_with('https://api.some-provider.test:4430/1/config/soledad-service.json', verify='/some/leap/home/providers/some-provider.test/keys/client/api.pem', timeout=15)
 
     def test_that_leap_fingerprint_is_validated(self):
         session = MagicMock(wraps=requests.session())
@@ -227,3 +226,10 @@ class LeapProviderTest(AbstractLeapTest):
 
         session.get.assert_any_call('https://some-provider.test/ca.crt', verify=False, timeout=15)
         session.mount.assert_called_with('https://', ANY)
+
+    def test_provider_api_cert(self):
+        with HTTMock(provider_json_mock):
+            provider = LeapProvider('some-provider.test')
+            certs = provider.provider_api_cert
+
+        self.assertEqual('/some/leap/home/providers/some-provider.test/keys/client/api.pem', certs)