1 files changed, 48 insertions, 3 deletions

diff --git a/service/pixelated/bitmask_libraries/provider.py b/service/pixelated/bitmask_libraries/provider.py
index 02318ec2..97becac8 100644
--- a/service/pixelated/bitmask_libraries/provider.py
+++ b/service/pixelated/bitmask_libraries/provider.py
@@ -15,9 +15,12 @@
 # along with Pixelated. If not, see <http://www.gnu.org/licenses/>.
 import json
 import os
+import fileinput
+import tempfile
+import requests
 
 from leap.common.certs import get_digest
-import requests
+from leap.common import ca_bundle
 from .certs import LeapCertificate
 from pixelated.config import leap_config
 from pixelated.support.tls_adapter import EnforceTLSv1Adapter
@@ -32,6 +35,10 @@ class LeapProvider(object):
         self.provider_json = self.fetch_provider_json()
 
     @property
+    def provider_api_cert(self):
+        return str(os.path.join(leap_config.leap_home, 'providers', self.server_name, 'keys', 'client', 'api.pem'))
+
+    @property
     def api_uri(self):
         return self.provider_json.get('api_uri')
 
@@ -140,14 +147,14 @@ class LeapProvider(object):
     def fetch_soledad_json(self):
         service_url = "%s/%s/config/soledad-service.json" % (
             self.api_uri, self.api_version)
-        response = requests.get(service_url, verify=LeapCertificate(self).provider_api_cert, timeout=REQUESTS_TIMEOUT)
+        response = requests.get(service_url, verify=self.provider_api_cert, timeout=REQUESTS_TIMEOUT)
         response.raise_for_status()
         return json.loads(response.content)
 
     def fetch_smtp_json(self):
         service_url = '%s/%s/config/smtp-service.json' % (
             self.api_uri, self.api_version)
-        response = requests.get(service_url, verify=LeapCertificate(self).provider_api_cert, timeout=REQUESTS_TIMEOUT)
+        response = requests.get(service_url, verify=self.provider_api_cert, timeout=REQUESTS_TIMEOUT)
         response.raise_for_status()
         return json.loads(response.content)
 
@@ -166,3 +173,41 @@ class LeapProvider(object):
 
     def _discover_nicknym_server(self):
         return 'https://nicknym.%s:6425/' % self.domain
+
+    def create_combined_bundle_file(self):
+        leap_ca_bundle = ca_bundle.where()
+
+        if self.provider_api_cert == leap_ca_bundle:
+            return self.provider_api_cert
+        elif not self.provider_api_cert:
+            return leap_ca_bundle
+
+        tmp_file = tempfile.NamedTemporaryFile(delete=False)
+
+        with open(tmp_file.name, 'w') as fout:
+            fin = fileinput.input(files=(leap_ca_bundle, self.provider_api_cert))
+            for line in fin:
+                fout.write(line)
+            fin.close()
+
+        self.combined_ca_bundle = tmp_file.name
+
+    def setup_ca_bundle(self):
+        path = os.path.join(leap_config.leap_home, 'providers', self.server_name, 'keys', 'client')
+        if not os.path.isdir(path):
+            os.makedirs(path, 0700)
+        self._download_cert(self.provider_api_cert)
+
+    def _download_cert(self, cert_file_name):
+        cert = self.fetch_valid_certificate()
+        with open(cert_file_name, 'w') as file:
+            file.write(cert)
+
+    def setup_ca(self):
+        self.download_certificate()
+        self.setup_ca_bundle()
+        self.create_combined_bundle_file()
+
+    def download_settings(self):
+        self.download_soledad_json()
+        self.download_smtp_json()